From 6b1767aab15338b68cf9b1a54ae3e5ae322780a7 Mon Sep 17 00:00:00 2001
From: Fabian Engelniederhammer
Date: Wed, 13 Dec 2023 15:38:54 +0100
Subject: [PATCH] fix: consider only servlet URL when checking auth behind a proxy

Don't consider the full "requestURI" as this might contain a prefix that a proxy sets. The MockMVC unit tests don't set the servlet path properly though. If not behind a proxy, one can fall back to requestURI
---
 .../lapis/auth/DataOpennessAuthorizationFilter.kt | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lapis2/src/main/kotlin/org/genspectrum/lapis/auth/DataOpennessAuthorizationFilter.kt b/lapis2/src/main/kotlin/org/genspectrum/lapis/auth/DataOpennessAuthorizationFilter.kt
index 5891e20d..c0627684 100644
--- a/lapis2/src/main/kotlin/org/genspectrum/lapis/auth/DataOpennessAuthorizationFilter.kt
+++ b/lapis2/src/main/kotlin/org/genspectrum/lapis/auth/DataOpennessAuthorizationFilter.kt
@@ -107,7 +107,11 @@ private class ProtectedDataAuthorizationFilter(
 }
 override fun isAuthorizedForEndpoint(request: CachedBodyHttpServletRequest): AuthorizationResult {
- val path = request.servletPath
+ val isOperatedBehindAProxy = !request.contextPath.isNullOrBlank()
+ val path = when { isOperatedBehindAProxy -> request.servletPath
+ else -> request.requestURI
+ }
 if (path == "/" || WHITELISTED_PATH_PREFIXES.any { path.startsWith(it) }) {
 return AuthorizationResult.success()
@@ -116,7 +120,7 @@ private class ProtectedDataAuthorizationFilter(
 val requestFields = request.getRequestFields()
 val accessKey = requestFields[ACCESS_KEY_PROPERTY]?.textValue()
- ?: return AuthorizationResult.failure("An access key is required to access ${path}.")
+ ?: return AuthorizationResult.failure("An access key is required to access $path.")
 if (accessKeys.fullAccessKey == accessKey) {
 return AuthorizationResult.success()
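Review bot: The whitelist test `WHITELISTED_PATH_PREFIXES.any { path.startsWith(it) }` now runs against two differently shaped strings: `requestURI` is the raw path as received by the container (percent-encoding and `.`/`..` segments intact), while `servletPath` is container-decoded, so the same whitelisted prefix is matched under a different normalization depending on which branch of the new `when` ran. Canonicalize the selected value before the prefix test (decode, collapse dot segments, and fail closed if that cannot be done) so both branches feed the same form, and consider matching prefixes on a path-segment boundary rather than a bare `startsWith`. The branch condition is also not really about a proxy: `contextPath` is never null per the Servlet API (it is `""` for the root context, so `isNullOrBlank()` is effectively `isBlank()`), a non-blank value only says the app is deployed under a context path, and the fallback exists because MockMvc leaves `servletPath` empty; a comment such as `// non-blank contextPath: requestURI carries a deployment prefix, use servletPath; MockMvc leaves servletPath empty, so fall back to requestURI` should say so. `isAuthorizedForEndpoint` continues past the end of the hunk.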
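Review bot: The message on the `+` line interpolates `$path`, which after the change in the first hunk can be the raw, undecoded `requestURI` supplied by the client rather than the container-decoded `servletPath`; whether echoing it back is harmless depends on how `AuthorizationResult.failure` is serialized and logged, which is outside this hunk. If that message can reach an HTML response or a plain-text log un-escaped, prefer a fixed message or an encoded/normalized form of the path; the same consideration applies to the message changed in the third hunk. The enclosing function starts and ends outside this hunk.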
@@ -129,6 +133,6 @@ private class ProtectedDataAuthorizationFilter(
 return AuthorizationResult.success()
 }
- return AuthorizationResult.failure("You are not authorized to access ${path}.")
+ return AuthorizationResult.failure("You are not authorized to access $path.")
 }
 }