[ALS-7554] User should not be able to search without a valid token (#208

) * Improve JWT open access validation Enhanced JWTFilter to handle referer headers for open access requests, disallowing explorer-origin requests. Fixed several code formatting issues and improved logging for better error visibility. * Update unauthorized message on session expiry Changed the unauthorized error message to inform users their session has expired and prompt them to log in again. This enhances clarity and user experience by providing a specific reason for the authorization failure.
hms-dbmi · Oct 23, 2024 · eb358c2 · eb358c2
1 parent 5fec463
commit eb358c2
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/JWTFilter.java b/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/JWTFilter.java
@@ -86,10 +86,19 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
             // Everything else goes through PSAMA token introspection
             String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
             boolean isOpenAccessEnabled = picSureWarInit.isOpenAccessEnabled();
+            // get referer header
             if (
                 (StringUtils.isBlank(authorizationHeader) && isOpenAccessEnabled)
                     || (StringUtils.isNotBlank(authorizationHeader) && authorizationHeader.length() <= 7 && isOpenAccessEnabled)
             ) {
+                String referer = requestContext.getHeaderString("Referer");
+                boolean isExplorer = referer != null && referer.contains("/explorer");
+                if (isExplorer) {
+                    // If the request is coming from the explorer, we should not allow open access
+                    logger.error("User is not authorized.");
+                    requestContext.abortWith(PICSUREResponse.unauthorizedError("Your session has expired. Please log in again."));
+                }
+
                 boolean isAuthorized = callOpenAccessValidationEndpoint(requestContext);
                 if (!isAuthorized) {
                     logger.error("User is not authorized.");
@@ -139,7 +148,6 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
     }
 
     /**
-     *
      * @param token
      * @param userIdClaim
      * @return