Seeking Guidance on UUID Verification in the URL

1. The problem I’m having:

I need some ideas and guidance on basic user authentication. We use URLs like the one below

https://demo.example.com/login?secure-sign-in=7b0a5d94-840f-4e3f-a6b6-c2769e4ebf28

We want to do the following:

1- Strip the secure-sign-in uuid token from the query string
2- Add the uuid to the header as x-secure-sign-in
3- Verify that the x-secure-sign-in meets the following regex (regex has been tested to be accurate and working)

^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$

4- Serve a react project to the authenticated user
5- Serve an error to users who don’t have a proper uuid

When a user is authenticated, we track the x-secure-sign-in header and pass it along to track user interactions with elements of the page.

I’ve set up a small test, see the Caddyfile below, but it doesn’t seem to be working. Even when I pass a proper secure-sign-in uuid token in the URL, I still get 401 Unauthorized. I have double-checked the regex, so we can confirm that isn’t causing it.

We are happy to use a different approach which can accomplish the same end goal.

Thank you in advance for your help!

2. Error messages and/or full log output:

3. Caddy version:

v2.7.5

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04 LTS on Linode

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

demo.example.com {
        # Match requests to /login with a query parameter
        @captureQuery path /login

        #rewrite @captureQuery /login
        rewrite @captureQuery /login{uri}

        # Set the captured query parameter as a header
        header @captureQuery x-secure-sign-in {http.request.uri.query.secure-sign-in}

        @uuid header_regexp x-secure-sign-in ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$

        # Check the header for the UUID
        handle @uuid {
                # If the UUID matches
                respond "YAY! Authorized"
        }

        # If the UUID doesn't match, respond with an error
        handle {
                # If the UUID doesn't match
                respond "Unauthorized access!" 401
        }
}

5. Links to relevant resources:

I’m not sure this does what you want. It’ll make the path /login/login.

I think you should use canonical header names. And you can shorten the placeholder:

header @captureQuery X-Secure-Sign-In {query.secure-sign-in}

But really, your problem is that header sets a response header, but you’re wanting to change the request headers.

Use the request_header directive instead (or use header_up in reverse_proxy which does the same thing except only scoped to the copy of the request used by the proxy).
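The following Caddyfile applies the two fixes from the reply (request_header instead of header, and no self-referencing rewrite) and serves a static build for requests that pass the format check. It is an added example, not the original poster's config or a Caddy-project sample; the site address is taken from the thread, while the React build path /srv/react-app/build and the trailing-? rewrite used to clear the query string are assumptions for this example.

```caddyfile
demo.example.com {
	@login path /login

	# route runs its directives in the order written, so the header copy
	# happens before the query string is dropped.
	route @login {
		# request_header sets a REQUEST header; header (as in the original
		# post) sets a RESPONSE header, which header_regexp never sees.
		request_header X-Secure-Sign-In {query.secure-sign-in}

		# Drop the token from the query string now that it has been copied.
		# A trailing "?" in the target clears the query but keeps the path,
		# unlike "rewrite /login{uri}", which produced /login/login?... .
		rewrite /login?
	}

	# Shape check only: a version-4 UUID with a valid variant nibble.
	# Any client can forge a value of this shape, so this filters
	# malformed input; it does not prove the token was issued by you.
	@uuid header_regexp X-Secure-Sign-In ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$

	handle @uuid {
		# Serve the React build (path is an assumption for this example);
		# try_files sends unknown paths to index.html for client routing.
		root * /srv/react-app/build
		try_files {path} /index.html
		file_server
	}

	# Everything without a well-formed token, including a missing or
	# empty header, lands here.
	handle {
		respond "Unauthorized access!" 401
	}
}
```

To check it, a request to https://demo.example.com/login?secure-sign-in=7b0a5d94-840f-4e3f-a6b6-c2769e4ebf28 should return the build's index.html, and the same request without the parameter, or with a value such as not-a-uuid, should return the 401 body. If the app is proxied rather than served from disk, reverse_proxy with header_up X-Secure-Sign-In {query.secure-sign-in} does the same copy on the proxied request only, as the reply notes. Two caveats a practitioner should keep in mind: the regex only constrains the format, so treating a match as "authenticated" means anyone who can type a v4 UUID is authenticated unless an upstream checks the value against tokens you actually issued; and only the initial /login request carries the token, so asset and API requests made by the served page will fall into the 401 branch under this config unless the first request is turned into a session (for example a cookie), which this example does not do.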
