breakfix: Error 404 Not Found when mounting the authentication portal on a path that is not / nor /auth #59

Open
em- opened this issue Dec 3, 2024 · 1 comment

em- commented Dec 3, 2024

This works fine (quoting only the relevant bits):

```
authorization policy mypolicy {
	set auth url /auth/
}

localhost {
	handle /auth/* {
		authenticate with myportal
	}
	handle /* {
		authorize with mypolicy
	}
}
```

When accessing http://localhost, we get redirected to http://localhost/auth/?redirect_url=http://localhost, which in turn puts the redirect_url in a cookie and redirects to http://localhost/auth/login, which gives us the portal login UI.

However, replacing `/auth/` with `/foobar/` does not work: http://localhost/ redirects to http://localhost/foobar/ but instead of being redirected we get an HTTP 404 error.

Using `set auth url /foobar/login` instead of `set auth url /foobar/` works around the issue at the price of keeping redirect_url in the login URL (not a big deal).

That's because https://github.com/greenpau/go-authcrunch/blob/a5596e855f924d62ea471b/pkg/authn/respond_http.go#L35 hardcodes the assumption that the portal is either at the root or under /auth:

```go
	case r.URL.Path == "/" || r.URL.Path == "/auth" || r.URL.Path == "/auth/":
		p.injectRedirectURL(ctx, w, r, rr)
		return p.handleHTTPRedirect(ctx, w, r, rr, "/login")
```
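
An added example, not code from go-authcrunch or from this issue: one way to decide "is this the portal root?" against a configured mount prefix instead of the literal `/` and `/auth`. The function names and the `prefix` setting are hypothetical; the sample paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// normalizePrefix cleans a configured mount path (hypothetical setting):
// "" and "/" become "", while "/foobar/" and "foobar" become "/foobar".
func normalizePrefix(prefix string) string {
	p := path.Clean("/" + prefix)
	if p == "/" {
		return ""
	}
	return p
}

// portalRootRedirect reports whether reqPath is the portal root under prefix
// and, if so, returns the login path to redirect to. Comparing whole paths
// (not string prefixes) keeps "/foobarbaz" from matching "/foobar".
func portalRootRedirect(reqPath, prefix string) (string, bool) {
	base := normalizePrefix(prefix)
	if strings.TrimSuffix(reqPath, "/") != base {
		return "", false
	}
	return base + "/login", true
}

func main() {
	// Constructed sample requests: {request path, configured prefix}.
	samples := [][2]string{
		{"/", "/"}, {"/auth/", "/auth"}, {"/foobar/", "/foobar/"},
		{"/foobar", "foobar"}, {"/foobarbaz", "/foobar"}, {"/foobar/login", "/foobar"},
	}
	for _, s := range samples {
		target, ok := portalRootRedirect(s[0], s[1])
		fmt.Printf("path=%-14q prefix=%-10q root=%-5v redirect=%q\n", s[0], s[1], ok, target)
	}
}
```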

em- commented Dec 3, 2024

An absolutely cursed workaround is to do something like:

```
authorization policy mypolicy {
	set auth url /foobar/
}

localhost {
	handle /foobar/ {
		rewrite * /auth
		request_header +X-Forwarded-Prefix /foobar/
		authenticate with myportal
	}
	handle /foobar/* {
		authenticate with myportal
	}
	handle /* {
		authorize with mypolicy
	}
}
```

The `rewrite` in the `handle /foobar/` stanza persuades the portal to be where it expects to be, and the `request_header` overrides ensure that the redirect is based on the real prefix instead of `/auth/`.
