# OSCE Nexus – mobile API (/api/v1)
#
# The token-authenticated endpoints read the HTTP Authorization: Bearer header.
# Under CGI/FastCGI (typical on cPanel) Apache does not forward that header to
# PHP by default, so copy it into an env var PHP can see. lib/api.php checks
# HTTP_AUTHORIZATION, REDIRECT_HTTP_AUTHORIZATION and getallheaders().

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} .
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>

# Apache 2.4.13+ can forward it natively; harmless to also request it.
<IfModule mod_setenvif.c>
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</IfModule>

# No directory listings; index is irrelevant for an API.
Options -Indexes -MultiViews
