fix: consider only servlet URL when checking auth behind a proxy

Don't consider the full "requestURI" as this might contain a prefix that a proxy sets. The MockMVC unit tests don't set the servlet path properly though. If not behind a proxy, one can fall back to requestURI
GenSpectrum · Dec 14, 2023 · 6b1767a · 6b1767a
1 parent 0006ac2
commit 6b1767a
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/lapis2/src/main/kotlin/org/genspectrum/lapis/auth/DataOpennessAuthorizationFilter.kt b/lapis2/src/main/kotlin/org/genspectrum/lapis/auth/DataOpennessAuthorizationFilter.kt
@@ -107,7 +107,11 @@ private class ProtectedDataAuthorizationFilter(
     }
 
     override fun isAuthorizedForEndpoint(request: CachedBodyHttpServletRequest): AuthorizationResult {
-        val path = request.servletPath
+        val isOperatedBehindAProxy = !request.contextPath.isNullOrBlank()
+        val path = when {
+            isOperatedBehindAProxy -> request.servletPath
+            else -> request.requestURI
+        }
 
         if (path == "/" || WHITELISTED_PATH_PREFIXES.any { path.startsWith(it) }) {
             return AuthorizationResult.success()
@@ -116,7 +120,7 @@ private class ProtectedDataAuthorizationFilter(
         val requestFields = request.getRequestFields()
 
         val accessKey = requestFields[ACCESS_KEY_PROPERTY]?.textValue()
-            ?: return AuthorizationResult.failure("An access key is required to access ${path}.")
+            ?: return AuthorizationResult.failure("An access key is required to access $path.")
 
         if (accessKeys.fullAccessKey == accessKey) {
             return AuthorizationResult.success()
@@ -129,6 +133,6 @@ private class ProtectedDataAuthorizationFilter(
             return AuthorizationResult.success()
         }
 
-        return AuthorizationResult.failure("You are not authorized to access ${path}.")
+        return AuthorizationResult.failure("You are not authorized to access $path.")
     }
 }