.htaccess challenge

[ekandreas]

I'm concerned about the .htaccess configuration.
When using this statement everything works well, but also unauthenticated access is slipped through:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</IfModule>

If I put a "last" in the rule, the pages is protected with 404, but then also the authenticated (with token) requests fails:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</IfModule>

So I need som hint of what could go wrong and what to do.

Apache/2.4.12 (Ubuntu)
5.6.10-1+deb.sury.org~trusty+1

[ekandreas]

I'm using a Vagrant server and a Bedrock setup with WP installed aside with composer.

[Tmeister]

Can you please tell me what Vagrant Image are you using to try to replicate the server on my local..

[ekandreas]

Oh, thanks!
It's the latest Scotchbox, https://box.scotch.io. No modifications, just a Roots Bedrock as the "public" folder.

[ekandreas]

Do youwant me to make a provision setup?

[ekandreas]

You can use this repo to get up and running quick: https://github.com/ekandreas/scotch-bedrock

[ekandreas]

Perhaps #6 has something to do with my issue?

[ekandreas]

Think there was a missunderstanding from my side. The API is open for every get request. I wanted to protect the whole WP-API from access.