3

I am working on a system that needs to send Bearer token keys (JWT) for all URLs from an app our company is developing, the problem occurs when there is an attachment that needs to be downloaded, when clicking the link it fires the browser on the mobile device.

As you know this will not allow the headers to be set, so am working on a solution to add the header if it is emtpy.

Now I can get the env variable populated from the query string.

But I need a way to set the requestheader early along with the env= value, is this possible?

This is what I have:

RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "env=JW_TOKEN"

What I need to do is something like:

RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "env=JW_TOKEN early"

But this does not work.

Rich J
  • 31
  • 4

1 Answers1

0

I had a similar issue with HSTS. The most elegant way to conditionally set the header is (as described here: https://stackoverflow.com/a/24145033/3433306):

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

But this cannot be combined with the early flag. However, we can set the header early and remove it later, if the environment variable is not set as required.

Header set   Strict-Transport-Security "max-age=31536000" early
Header unset Strict-Transport-Security env=!HTTPS

In your case, this would make something like the following (not tested):

RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "early"
RequestHeader unset      Authorization "env=!JW_TOKEN"
studersi
  • 1,345
  • 1
  • 12
  • 14