Bug 2420632 - mod_auth_token does not work properly with ProxyPass and RewriteRule directives
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mod_auth_token
Version: epel9
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Björn Esser (besser82)
QA Contact: Fedora Extras Quality Assurance
Reported: 2025-12-09 15:38 UTC by Leo
Modified: 2025-12-09 15:38 UTC
Type: Bug
Attachments
patch to correct the module order (432 bytes, patch)
2025-12-09 15:38 UTC, Leo


Links
System ID Private Priority Status Summary Last Updated
Github rolero mod-auth-token issues 16 0 None open mod_auth_token fails to work properly with ProxyPass and RewriteRule directives 2025-12-09 15:38:09 UTC

Description Leo 2025-12-09 15:38:10 UTC
Created attachment 2118155
patch to correct the module order

Description of problem:
mod_auth_token fails to work properly with ProxyPass and RewriteRule directives. The issue is that mod_auth_token currently asks to be slotted before mod_alias, but not before other modules. If you, for example, use a RewriteRule on the same path, it will be applied before mod_auth_token comes into play.

Version-Release number of selected component (if applicable):
1.0.5-27.el9

How reproducible:
always

Steps to Reproduce:
1. Here are 2 configuration snippets that currently fail to work with mod_auth_token:

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    ProxyPass              http://127.0.0.1:8000/
</Location>

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    RewriteRule            ^(.*)$ http://127.0.0.1:8000/$1 [P,F]
</Location>

Actual results:
The whole path (including the token and the timestamp hash part) is being forwarded

Expected results:
Only the "real" path is being forwarded (i.e. mod_auth_token does its job beforehand)

Additional info:
This is a known problem and an open issue at GitHub for more than 10 years: 
https://github.com/rolero/mod-auth-token/issues/16
There is also a fix provided by the original reporter. I will add the patch file for the module itself as an attachment.

The SPEC file can be patched as follows:

--- mod_auth_token.spec_orig    2025-12-09 16:26:02.220800790 +0100
+++ mod_auth_token.spec 2025-12-09 16:26:44.778609575 +0100
@@ -1,6 +1,6 @@
 Name:           mod_auth_token
 Version:        1.0.5
-Release:        27%{?dist}
+Release:        28%{?dist}
 Summary:        Token based URI access module for Apache
 
 License:        ASL 2.0
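Review bot: The Release bump from 27 to 28 at the top of the spec has no matching %changelog entry anywhere in this patch. Add an entry for 1.0.5-28 that names the module-order fix and references this bug, so the rebuild is traceable from the package metadata.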
@@ -11,6 +11,7 @@
 Patch1:         mod_auth_token-1.0.5-fix-Wformat.patch
 Patch2:         mod_auth_token-1.0.5-apache24.patch
 Patch3:         mod_auth_token-1.0.5-add_ip_limitation_config.patch
+Patch4:         mod_auth_token-1.0.5-correct-module-order.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
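Review bot: Patch4 is declared in the Patch list, but neither hunk touches %prep. If the spec applies patches with individual %patch lines rather than %autosetup or %autopatch, add the corresponding line for Patch4, otherwise the ordering fix is packaged but never applied to the source. A short comment above Patch4 pointing at the upstream issue would also document where the patch comes from.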


Would be great if you could apply the patch and build a new release.
Thanks!

