Andrew Larsen

Reputation: 1267

Cannot exclude route from http basic auth

I am trying to exclude a specific route from http basic authentication.

My .htaccess looks like this:

# Set an environment variable if requesting /dev
SetEnvIfNoCase Request_URI ^/dev/? DONT_NEED_AUTH=true

# Require authentication
AuthUserFile /etc/users
AuthName "This is a protected area"
AuthGroupFile /dev/null
AuthType Basic

# Set the allow/deny order
Order Deny,Allow

# Indicate that any of the following will satisfy the Deny/Allow
Satisfy any

# First off, deny from all
Deny from all

# Allow outright if this environment variable is set
Allow from env=DONT_NEED_AUTH

# or require a valid user
Require valid-user

# Rewrite url (make it pretty)
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^?]*)$ index.php?path=$1 [NC,L,QSA]

If I use that exact same .htaccess, HTTP authentication is removed for route "/dev", so this works as expected. However, the problem is that I want password protection for route "/dev", but I want to remove password protection for route "/dev/guest".

I have tried changing to the following:

SetEnvIfNoCase Request_URI ^/dev/guest/? DONT_NEED_AUTH=true

and with escaping the slash in the middle:

SetEnvIfNoCase Request_URI ^/dev\/guest/? DONT_NEED_AUTH=true

but neither of those two options is working; all routes are password protected again.

Also, since the route is rewritten, the actual URL I want to allow is "dev/index.php?path=guest", but I am not sure if I should care about that, since part of that is the query string and an end user will never use that route directly.

Any help is highly appreciated.

Upvotes: 0

Views: 657

Answers (1)

Andrew Larsen

Reputation: 1267

Finally found a working solution.

Used this:

SetEnvIf Request_URI /dev/guest noauth=1
<RequireAny>
    Require env noauth
    Require env REDIRECT_noauth
    Require valid-user
</RequireAny>

Upvotes: 1
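An added example, not part of the original question or answer: a simplified Python model of the two passes a request makes through this .htaccess, showing why the question's `^/dev/guest/?` attempt protected everything, why the answer needs `REDIRECT_noauth`, and which paths each pattern exempts from authentication. It assumes every request is rewritten to `/dev/index.php`, that access rules are evaluated on both passes, and that variables set before the internal redirect return with a `REDIRECT_` prefix; the sample URIs and the anchored pattern are constructed for illustration.

```python
import re

# Assumption: the page's RewriteRule sends every non-file request here.
REWRITE_TARGET = "/dev/index.php"

def skips_auth(uri, pattern, env_names, flags=0):
    """Return True if the modelled request is served without a password.

    pattern   -- the SetEnvIf regex (unanchored search, as Apache applies it)
    env_names -- variable names the access rules accept; the first is the
                 one SetEnvIf sets
    """
    var, accepted = env_names[0], set(env_names)
    # Pass 1: SetEnvIf sees the URI the client sent.
    env = {var} if re.search(pattern, uri, flags) else set()
    if not env & accepted:
        return False
    # Internal redirect caused by the per-directory RewriteRule: variables
    # from pass 1 are renamed REDIRECT_<name>, then SetEnvIf runs again
    # against the rewritten URI.
    env = {"REDIRECT_" + name for name in env}
    if re.search(pattern, REWRITE_TARGET, flags):
        env.add(var)
    # Pass 2: the access rules are evaluated again for the rewritten request.
    return bool(env & accepted)

# (pattern, accepted variable names, regex flags) for each configuration.
QUESTION_ORIG = (r"^/dev/?", ["DONT_NEED_AUTH"], re.I)
QUESTION_TRY = (r"^/dev/guest/?", ["DONT_NEED_AUTH"], re.I)
ANSWER = (r"/dev/guest", ["noauth", "REDIRECT_noauth"], 0)
# Constructed alternative: anchored at both ends of the path segment.
ANCHORED = (r"^/dev/guest(/|$)", ["noauth", "REDIRECT_noauth"], 0)

# Constructed sample request paths.
SAMPLE_URIS = ["/dev", "/dev/guest", "/dev/guest/page",
               "/dev/guestbook", "/dev/admin/dev/guest"]

def exempt(config):
    """List the sample URIs that the given configuration serves without auth."""
    return [u for u in SAMPLE_URIS if skips_auth(u, *config)]

if __name__ == "__main__":
    for name, cfg in [("question, original", QUESTION_ORIG),
                      ("question, attempt", QUESTION_TRY),
                      ("answer", ANSWER), ("anchored", ANCHORED)]:
        print(f"{name:20} {exempt(cfg)}")
```

In this model the question's original pattern only worked because `^/dev/?` also matches the rewritten `/dev/index.php`, and the answer's unanchored `/dev/guest` exempts `/dev/guestbook` and `/dev/admin/dev/guest` as well as the intended route.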
