I'm trying to provide my users a unique directory under one common URL (https://example.com/sync). Previously I managed this with a rewrite rule which just appended the remote user's name to the root directory for "sync". Now, the user's login ID differs from the directory name. As per the Apache documentation, authn_dbd provides additionally returned columns in extra variables with the prefix AUTHENTICATE_.

<Directory "/srv/www/sync/">

  AuthDBDUserPWQuery "SELECT passphrase, identifier FROM webserver.fn_authenticate_context('SYNC') where login_id = %s"

  RewriteEngine On
  RewriteCond %{AUTHENTICATE_IDENTIFIER} ^(.+)$
  RewriteRule ^\/(.*)$ /%{AUTHENTICATE_IDENTIFIER}/$1 [NS,L]
</Directory>

This should provide the required identifier for my rewrite rule. However, the identifier seems not to be available when rewriting occurs. Adding a header with the content to the response works and provides the content.

Activating logs up to trace8 shows that authentication is processed first and afterwards the rewrite conditions are processed but the value is still empty.

1 Answer

After searching around for quite a while, I found no reliable way to use the different "features" of Apache dbd. It produces variables for additionally returned columns - or not. The variables are available in CGI, but not before, or even not there at all. Errors are only logged during the startup phase and later silently discarded. So if you don't get successful authentication at all, the root cause may be a permission problem. The only way to verify this is by executing the request with the credentials that dbd uses for access to the database.

The solution to my original issue is to forget about the documented option of additional columns from the authentication request and to run an additional, separate request to the database. The working snippet:

### Cloud Synchronization (Web DAV service)

Define _SYNC_CLOUD_PREFIX /sync

# We need the rewrite engine here...
RewriteEngine On

# define a rewrite map which looks up the home directory for the user...
RewriteMap dbd_sync_home "dbd:SELECT dir_home FROM webserver.authorize_for_context('SYNC', %s);"

# redirect /sync to /sync/
RedirectMatch permanent ^${_SYNC_CLOUD_PREFIX}$ ${_SYNC_CLOUD_PREFIX}/

# Rewrite /sync/xxx to /srv/www/sync/<domain>/<user>/xxx
RewriteCond %{LA-U:REMOTE_USER} ^(.+)$
RewriteCond %{REQUEST_URI} ^${_SYNC_CLOUD_PREFIX}
RewriteRule ^${_SYNC_CLOUD_PREFIX}/(.*)$  /srv/www/sync/${dbd_sync_home:%{LA-U:REMOTE_USER}}/$1 [L]

# Authorize when hitting the location /sync/
<Location "${_SYNC_CLOUD_PREFIX}/">
    DAV On
    SSLRequireSSL
    Options +FollowSymLinks

    AuthType Basic
    AuthName "Sync Heaven"

    # To cache credentials, put socache ahead of dbd here
    AuthBasicProvider socache dbd
    AuthnCacheContext www-sync
    AuthnCacheProvideFor dbd

    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery "SELECT passphrase FROM webserver.authorize_for_context('SYNC', %s);"

    Require method OPTIONS
    Require valid-user
</Location>

UnDefine _SYNC_CLOUD_PREFIX
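One thing the snippet above does not guard against: if the dbd map finds no row for the authenticated user (or dir_home is NULL or empty), the expansion ${dbd_sync_home:...} is empty and the substitution becomes /srv/www/sync//xxx, i.e. the parent of all user directories. The fragment below is an added example, not part of the answer above; it reuses the same map name, query and prefix, while the NOT_FOUND sentinel, the directory-name pattern and the 403 for unmapped users are this example's own choices. It relies on two documented mod_rewrite features: the ${mapname:key|default} form, which yields the default when the lookup returns nothing, and map expansions inside a RewriteCond TestString.

```apache
### Cloud Synchronization (Web DAV service) - hardened rewrite part (added example)

Define _SYNC_CLOUD_PREFIX /sync

RewriteEngine On

# Same lookup as in the answer. mod_rewrite binds the key to the %s placeholder
# of a prepared statement, so the login name is never spliced into the SQL text.
RewriteMap dbd_sync_home "dbd:SELECT dir_home FROM webserver.authorize_for_context('SYNC', %s);"

# redirect /sync to /sync/
RedirectMatch permanent ^${_SYNC_CLOUD_PREFIX}$ ${_SYNC_CLOUD_PREFIX}/

# Map /sync/xxx to /srv/www/sync/<domain>/<user>/xxx, but only when the looked-up
# directory has the expected <domain>/<user> shape. Each segment must start with
# a letter, digit, "_" or "-", which also excludes "." and "..", so a stray
# database value cannot point the rule outside /srv/www/sync.
RewriteCond %{LA-U:REMOTE_USER} ^(.+)$
RewriteCond %{REQUEST_URI} ^${_SYNC_CLOUD_PREFIX}/
RewriteCond ${dbd_sync_home:%{LA-U:REMOTE_USER}|NOT_FOUND} ^[A-Za-z0-9_-][A-Za-z0-9._-]*/[A-Za-z0-9_-][A-Za-z0-9._-]*$
RewriteRule ^${_SYNC_CLOUD_PREFIX}/(.*)$  /srv/www/sync/${dbd_sync_home:%{LA-U:REMOTE_USER}}/$1 [L]

# An authenticated user that was not mapped above (no row, empty dir_home, or a
# value that failed the pattern) gets 403 instead of falling through to the
# DocumentRoot. Unauthenticated requests (e.g. the OPTIONS probe allowed by
# "Require method OPTIONS") are left to the <Location> below, as before.
RewriteCond %{LA-U:REMOTE_USER} ^(.+)$
RewriteRule ^${_SYNC_CLOUD_PREFIX}/ - [F]

UnDefine _SYNC_CLOUD_PREFIX
```

The <Location "/sync/"> block from the answer (DAV, SSLRequireSSL, AuthBasicProvider socache dbd, AuthDBDUserPWQuery, Require ...) stays unchanged and sits after this fragment. To check the guard, create a test login whose dir_home row is missing or empty and confirm that an authenticated request to /sync/ returns 403 rather than a listing of /srv/www/sync/.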