Seeking Guidance on UUID Verification in the URL

1. The problem I’m having:

I need some ideas and guidance on basic user authentication. We use URLs like the one below

https://demo.example.com/login?secure-sign-in=7b0a5d94-840f-4e3f-a6b6-c2769e4ebf28

We want to do the following:

1- Strip the secure-sign-in uuid token from the query string
2- Add the uuid to the header as x-secure-sign-in
3- Verify that the x-secure-sign-in meets the following regex (regex has been tested to be accurate and working)

^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$

4- Serve a react project to the authenticated user
5- Serve an error to users who don’t have a proper uuid

When a user is authenticated, we track the x-secure-sign-in header and pass it along to track user interactions with elements of the page.

I’ve set up a small test, see the Caddyfile below, but it doesn’t seem to be working. Even when I pass a proper secure-sign-in uuid token in the URL, I still get 401 Unauthorized. I have double-checked the regex, so we can confirm that isn’t causing it.

We are happy to use a different approach which can accomplish the same end goal.

Thank you in advance for your help!

2. Error messages and/or full log output:

3. Caddy version:

v2.7.5

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04 LTS on Linode

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

demo.example.com {
        # Match requests to /login with a query parameter
        @captureQuery path /login

        #rewrite @captureQuery /login
        rewrite @captureQuery /login{uri}

        # Set the captured query parameter as a header
        header @captureQuery x-secure-sign-in {http.request.uri.query.secure-sign-in}

        @uuid header_regexp x-secure-sign-in ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$

        # Check the header for the UUID
        handle @uuid {
                # If the UUID matches
                respond "YAY! Authorized"
        }

        # If the UUID doesn't match, respond with an error
        handle {
                # If the UUID doesn't match
                respond "Unauthorized access!" 401
        }
}

5. Links to relevant resources:

I’m not sure this does what you want. It’ll make the path /login/login.

I think you should use canonical header names. And you can shorten the placeholder:

header @captureQuery X-Secure-Sign-In {query.secure-sign-in}

But really, your problem is that header sets a response header, but you’re wanting to change the request headers.

Use the request_header directive instead (or use header_up in reverse_proxy which does the same thing except only scoped to the copy of the request used by the proxy).
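Putting the reply's advice together with the five steps from the original post, here is a complete Caddyfile that does what was asked. This is an added example, not the poster's config or the reply's; the React build path is an assumption. Everything sits in a `route` block because, with Caddy's default directive order, `handle` runs before `request_header`, so the matcher would test a header that has not been set yet; inside `route` the directives run in the order written. The trailing `?` on the rewrite target empties the query string (rewrite only replaces the query when the target contains a `?`), which is what strips the token from the URL after it has been copied into the header.

```caddyfile
demo.example.com {
	# route preserves the written order: copy the token to a request
	# header, drop it from the query string, then dispatch on the header.
	route {
		@login path /login

		# request_header changes the incoming request; the header
		# directive only changes the response, which is why the
		# original matcher never saw X-Secure-Sign-In.
		request_header @login X-Secure-Sign-In {query.secure-sign-in}

		# The trailing ? replaces the query string with an empty one,
		# so the token stops travelling in the URL once it is in the header.
		rewrite @login /login?

		# Syntactic UUIDv4 check: version nibble 4, variant nibble 8/9/a/b.
		@uuid header_regexp X-Secure-Sign-In ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$

		handle @uuid {
			# Serve the React build; this path is an assumption for the example.
			root * /srv/react-app/build
			file_server
		}

		handle {
			# No header, or a header that is not a well-formed UUIDv4.
			respond "Unauthorized access!" 401
		}
	}
}
```

One caveat worth stating plainly: the regex only checks that the value is shaped like a UUIDv4. Any client can mint one, so on its own this gates on format, not identity; treating it as authentication requires comparing the token against the set your application actually issued (for example with `forward_auth` to a service that knows the valid tokens).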