Hey @happybeing, yeh, as noted over here you’re going to run into the same CSP trouble here for now. 
The URL rewrite wont, in the end, be how to access safe API requests, it will be via SAFEBB, window.safe calls (implemented via beaker-plugin setup). There’s nothing really usable as yet, but this will be my next point of call once I’ve cleared linux build issues.
Another suggestion might be for you to set up a domain to proxy this, or as @ben suggests, via [webpack proxy] (CORS, Content Security Policy and Access Control for SAFE sites - #21 by ben).
Or:
I’d normally setup really basic nginx host to do this for webdev projects (as CSP is often an issue with localhost:port setups). Such that you create a new domain <happy> and proxy <happy>/auth to localhost:8100 so that it appears to live under the same host to the browser.
for example (from the nginx page above):
location /some/path/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8000;
}
This does require some nginx setup, which I’m aware is another thing. But once setup, you’re pretty free to setup proxies as you want, and spoof certain urls etc to the browser to get around CORS/CSP problems.
Hope that’s helpful.