Skip to content

fix: amm-1927 send headers only if the request is from the allowed origin #110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
5Amogh merged 4 commits into from
Nov 20, 2025
Merged

fix: amm-1927 send headers only if the request is from the allowed origin #110

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
608773a
fix: amm-1927 send headers only if the request is from the allowed or…
5Amogh Nov 17, 2025
5a7c6bf
fix: amm-1927 coderabbit fixes
5Amogh Nov 17, 2025
ad6ff5e
Update regex handling for localhost URLs
5Amogh Nov 18, 2025
eb98a5a
Enhance regex pattern for URL matching
5Amogh Nov 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions src/main/java/com/iemr/admin/config/CorsConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,9 @@ public void addCorsMappings(CorsRegistry registry) {
Arrays.stream(allowedOrigins.split(","))
.map(String::trim)
.toArray(String[]::new))
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("*")
.allowedMethods("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")
.allowedHeaders("Authorization", "Content-Type", "Accept", "Jwttoken",
"serverAuthorization", "ServerAuthorization", "serverauthorization", "Serverauthorization")
.exposedHeaders("Authorization", "Jwttoken")
.allowCredentials(true)
.maxAge(3600);
Expand Down
77 changes: 59 additions & 18 deletions src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,23 +37,57 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
HttpServletResponse response = (HttpServletResponse) servletResponse;

String origin = request.getHeader("Origin");
if (origin != null && isOriginAllowed(origin)) {
response.setHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Accept, Jwttoken");
response.setHeader("Access-Control-Allow-Credentials", "true");
String method = request.getMethod();
String uri = request.getRequestURI();

logger.debug("Incoming Origin: {}", origin);
logger.debug("Request Method: {}", method);
logger.debug("Request URI: {}", uri);
logger.debug("Allowed Origins Configured: {}", allowedOrigins);

if ("OPTIONS".equalsIgnoreCase(method)) {
Copy link
Member

@vishwab1 vishwab1 Nov 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@5Amogh The current implementation returns 200 OK for OPTIONS requests, which is the correct behavior for CORS preflight requests. Could you please check it and revert back to the original implementation? As per my understanding, if we return 403 for invalid origins, the browser displays a confusing error message. When we return 200 OK without CORS headers, the browser shows a clear and correct message: β€˜CORS policy: No β€˜Access-Control-Allow-Origin’ header is present

if (origin == null) {
logger.warn("BLOCKED - OPTIONS request without Origin header | Method: {} | URI: {}", method, uri);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "OPTIONS request requires Origin header");
return;
}
if (!isOriginAllowed(origin)) {
logger.warn("BLOCKED - Unauthorized Origin | Origin: {} | Method: {} | URI: {}", origin, method, uri);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed");
return;
}
} else {
logger.warn("Origin [{}] is NOT allowed. CORS headers NOT added.", origin);
}

if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
logger.info("OPTIONS request - skipping JWT validation");
response.setStatus(HttpServletResponse.SC_OK);
return;
// For non-OPTIONS requests, validate origin if present
if (origin != null && !isOriginAllowed(origin)) {
logger.warn("BLOCKED - Unauthorized Origin | Origin: {} | Method: {} | URI: {}", origin, method, uri);
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed");
return;
}
}

// Determine request path/context for later checks
String path = request.getRequestURI();
String contextPath = request.getContextPath();

// Set CORS headers and handle OPTIONS request only if origin is valid and allowed
if (origin != null && isOriginAllowed(origin)) {
addCorsHeaders(response, origin);
logger.info("Origin Validated | Origin: {} | Method: {} | URI: {}", origin, method, uri);

if ("OPTIONS".equalsIgnoreCase(method)) {
// OPTIONS (preflight) - respond with full allowed methods
response.setStatus(HttpServletResponse.SC_OK);
return;
}
} else {
logger.warn("Origin [{}] is NOT allowed. CORS headers NOT added.", origin);

if ("OPTIONS".equalsIgnoreCase(method)) {
Copy link
Member

@vishwab1 vishwab1 Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please check

response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed for OPTIONS request");
return;
}
}

logger.info("JwtUserIdValidationFilter invoked for path: " + path);

// Log cookies for debugging
Expand All @@ -70,7 +104,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
}

// Log headers for debugging
logger.info("JWT token from header: ");
logger.debug("JWT token from header: {}", request.getHeader("Jwttoken") != null ? "present" : "not present");

// Skip login and public endpoints
if (path.equals(contextPath + "/user/userAuthenticate")
Expand Down Expand Up @@ -131,6 +165,15 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
}
}

private void addCorsHeaders(HttpServletResponse response, String origin) {
response.setHeader("Access-Control-Allow-Origin", origin); // Never use wildcard
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
response.setHeader("Access-Control-Allow-Headers",
"Authorization, Content-Type, Accept, Jwttoken, serverAuthorization, ServerAuthorization, serverauthorization, Serverauthorization");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Max-Age", "3600");
}

private boolean isOriginAllowed(String origin) {
if (origin == null || allowedOrigins == null || allowedOrigins.trim().isEmpty()) {
logger.warn("No allowed origins configured or origin is null");
Expand All @@ -143,14 +186,12 @@ private boolean isOriginAllowed(String origin) {
String regex = pattern
.replace(".", "\\.")
.replace("*", ".*")
.replace("http://localhost:.*", "http://localhost:\\d+"); // special case for wildcard port

.replace("http://localhost:.*", "http://localhost:\\d+");
boolean matched = origin.matches(regex);
return matched;
});
}

private boolean isMobileClient(String userAgent) {
} private boolean isMobileClient(String userAgent) {
if (userAgent == null)
return false;
userAgent = userAgent.toLowerCase();
Expand Down
29 changes: 28 additions & 1 deletion src/main/java/com/iemr/admin/utils/http/HTTPRequestInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,14 @@
package com.iemr.admin.utils.http;


import java.util.Arrays;

import javax.ws.rs.core.MediaType;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
Expand All @@ -41,6 +44,8 @@
@Component
public class HTTPRequestInterceptor implements HandlerInterceptor {
Logger logger = LoggerFactory.getLogger(this.getClass().getName());
@Value("${cors.allowed-origins}")
private String allowedOrigins;
@Autowired
private RedisStorage redisStorage;
@Autowired
Expand Down Expand Up @@ -104,7 +109,13 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
response.getOutputStream().print(output.toString());
response.setContentType(MediaType.APPLICATION_JSON);
response.setContentLength(output.toString().length());
response.setHeader("Access-Control-Allow-Origin", "*");
String origin = request.getHeader("Origin");
if (origin != null && isOriginAllowed(origin)) {
response.setHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Credentials", "true");
} else if (origin != null) {
logger.warn("CORS headers NOT added for error response | Unauthorized origin: {}", origin);
}
status = false;
}
}
Expand Down Expand Up @@ -138,4 +149,20 @@ public void afterCompletion(HttpServletRequest request, HttpServletResponse resp
logger.info("http interceptor - after completion");

}

private boolean isOriginAllowed(String origin) {
if (origin == null || allowedOrigins == null || allowedOrigins.trim().isEmpty()) {
return false;
}

return Arrays.stream(allowedOrigins.split(","))
.map(String::trim)
.anyMatch(pattern -> {
String regex = pattern
.replace(".", "\\.")
.replace("*", ".*")
.replace("http://localhost:.*", "http://localhost:\\d+");
return origin.matches(regex);
});
}
Comment on lines 153 to 167
Copy link

@coderabbitai coderabbitai bot Nov 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ› οΈ Refactor suggestion | 🟠 Major

Code duplication: isOriginAllowed method.

This method duplicates identical logic found in JwtUserIdValidationFilter (lines 172-188). Code duplication creates maintenance overhead and risks inconsistencies when one copy is updated but not the other.

Extract this method to a shared utility class that both HTTPRequestInterceptor and JwtUserIdValidationFilter can use:

// New file: src/main/java/com/iemr/admin/utils/CorsOriginValidator.java
package com.iemr.admin.utils;

import java.util.Arrays;
import org.springframework.stereotype.Component;

@Component
public class CorsOriginValidator {
    
    public boolean isOriginAllowed(String origin, String allowedOrigins) {
        if (origin == null || allowedOrigins == null || allowedOrigins.trim().isEmpty()) {
            return false;
        }
        
        return Arrays.stream(allowedOrigins.split(","))
                .map(String::trim)
                .anyMatch(pattern -> {
                    String regex = pattern
                            .replace(".", "\\.")
                            .replace("*", ".*");
                    return origin.matches(regex);
                });
    }
}

Then inject and use this utility in both classes.

πŸ€– Prompt for AI Agents 
In src/main/java/com/iemr/admin/utils/http/HTTPRequestInterceptor.java around
lines 153 to 166 the isOriginAllowed logic duplicates code in
JwtUserIdValidationFilter (lines ~172-188); extract that logic into a shared
utility class (e.g.,
src/main/java/com/iemr/admin/utils/CorsOriginValidator.java) with a public
boolean isOriginAllowed(String origin, String allowedOrigins) method
implementing the same validation, then remove the duplicate method from both
HTTPRequestInterceptor and JwtUserIdValidationFilter and inject
CorsOriginValidator (via @Component/@Autowired or constructor injection) into
both classes and call the new utility method instead.

Copy link
Member Author

@5Amogh 5Amogh Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tolerable due to ease of readability

Copy link

@coderabbitai coderabbitai bot Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@5Amogh, understood! I've noted your preference. The duplicated method is indeed small and self-contained, so keeping it local to each class can make the code easier to follow without jumping between files.

✏️ Learnings added 
Learnt from: 5Amogh
Repo: PSMRI/Admin-API PR: 110
File: src/main/java/com/iemr/admin/utils/http/HTTPRequestInterceptor.java:153-166
Timestamp: 2025-11-17T11:55:39.481Z
Learning: In the Admin-API Java codebase, small self-contained utility methods like `isOriginAllowed` can be tolerated as duplicates across classes (e.g., HTTPRequestInterceptor and JwtUserIdValidationFilter) if it improves local readability and avoids unnecessary abstraction.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

}
Loading