Skip to content

AMM-1456 : JwtToken skiped if it not present from mobile #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
drtechie merged 5 commits into from
May 21, 2025
Merged

AMM-1456 : JwtToken skiped if it not present from mobile #76

drtechie merged 5 commits into from
May 21, 2025

Conversation

@ravishanigarapu
Copy link
Contributor

@ravishanigarapu ravishanigarapu commented May 20, 2025
edited by coderabbitai bot
Loading

πŸ“‹ Description

JIRA ID: AMM-1456

Please provide a summary of the change and the motivation behind it. Include relevant context and details.

βœ… Type of Change

  • 🐞 Bug fix (non-breaking change which resolves an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • πŸ”₯ Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • πŸ›  Refactor (change that is neither a fix nor a new feature)
  • βš™οΈ Config change (configuration file or build script updates)
  • πŸ“š Documentation (updates to docs or readme)
  • πŸ§ͺ Tests (adding new or updating existing tests)
  • 🎨 UI/UX (changes that affect the user interface)
  • πŸš€ Performance (improves performance)
  • 🧹 Chore (miscellaneous changes that don't modify src or test files)

ℹ️ Additional Information

Please describe how the changes were tested, and include any relevant screenshots, logs, or other information that provides additional context.

Summary by CodeRabbit

  • Bug Fixes

    • Improved handling of authentication tokens from cookies and headers, ensuring more reliable user validation.
    • Enhanced support for mobile clients, allowing certain requests to proceed without JWT validation when appropriate.

  • Refactor

    • Streamlined authentication logic for better reliability and maintainability.

@coderabbitai
Copy link

coderabbitai bot commented May 20, 2025
edited
Loading

Walkthrough

The JWT validation filter was refactored to sequentially check JWT tokens from cookies first, then headers, instead of choosing one source. If neither token is valid, the filter now allows requests from mobile clients with an "Authorization" header to proceed, otherwise returning a 401 error. A helper method for mobile client detection was added.

Changes

File(s) Change Summary
src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java Refactored JWT validation to sequentially check cookie and header tokens; added mobile client bypass logic and a private isMobileClient helper method.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant JwtUserIdValidationFilter
    participant Application

    Client->>JwtUserIdValidationFilter: Send request (with cookies/headers)
    alt Cookie JWT token is valid
        JwtUserIdValidationFilter->>Application: Proceed with request
    else Header JWT token is valid
        JwtUserIdValidationFilter->>Application: Proceed with request
    else Mobile client with Authorization header
        JwtUserIdValidationFilter->>Application: Proceed with request
    else
        JwtUserIdValidationFilter-->>Client: Respond 401 Unauthorized
    end
Loading

Poem

A filter refines how tokens are checked,
Cookies, then headers, each path is dissected.
Mobile clients may hop right through,
If their user agent gives the right clue.
With a helper to spot the mobile crowd,
The code now guards, both strong and proud!
πŸ‡βœ¨

✨ Finishing Touches
  • πŸ“ Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share
πŸͺ§ Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@sonarqubecloud
Copy link

sonarqubecloud bot commented May 20, 2025

Quality Gate Passed Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

coderabbitai[bot]
coderabbitai bot reviewed May 20, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

πŸ”­ Outside diff range comments (1)
src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java (1)

109-119: πŸ› οΈ Refactor suggestion

Cookie name inconsistency with header name.

There's a case sensitivity issue between cookie name "Jwttoken" (line 113) and header name "JwtToken" (line 69).

Use consistent naming across both cookie and header checks to prevent authentication failures:

if (cookie.getName().equals("Jwttoken")) {

Should match the header name used in the validation logic.

πŸ“œ Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 6599d15 and d2d44c4.

πŸ“’ Files selected for processing (1)
  • src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: Analyze (java)
πŸ”‡ Additional comments (3)
src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java (3)

72-78: Improved JWT validation flow.

The sequential validation first checking cookies then headers is a good approach. This provides better flow control and ensures the request only proceeds when a valid token is found.

80-86: Clear and efficient validation logic.

The header token validation is well-structured with appropriate logging. The early return pattern after successful validation improves code readability and efficiency.

95-96: Improved error handling.

Clear error messaging and appropriate status code for unauthorized access. The additional logging helps with troubleshooting authentication issues.

src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java
Comment on lines +103 to +108
private boolean isMobileClient(String userAgent) {
if (userAgent == null)
return false;
userAgent = userAgent.toLowerCase();
return userAgent.contains("okhttp");
}
Copy link

@coderabbitai coderabbitai bot May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ› οΈ Refactor suggestion

Mobile client detection is too simplistic.

The mobile client detection relies solely on checking for "okhttp" in the User-Agent string. This is fragile and can be easily circumvented.

Consider:

  1. Using a more comprehensive list of mobile client identifiers
  2. Implementing additional verification methods beyond User-Agent
  3. Creating a configurable list of trusted mobile clients
private boolean isMobileClient(String userAgent) {
    if (userAgent == null)
        return false;
    userAgent = userAgent.toLowerCase();
-   return userAgent.contains("okhttp");
+   // Check for common mobile client indicators
+   return userAgent.contains("okhttp") || 
+          userAgent.contains("android") || 
+          userAgent.contains("iphone") || 
+          userAgent.contains("mobile");
}
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
private boolean isMobileClient(String userAgent) {
if (userAgent == null)
return false;
userAgent = userAgent.toLowerCase();
return userAgent.contains("okhttp");
}
private boolean isMobileClient(String userAgent) {
if (userAgent == null)
return false;
userAgent = userAgent.toLowerCase();
// Check for common mobile client indicators
return userAgent.contains("okhttp") ||
userAgent.contains("android") ||
userAgent.contains("iphone") ||
userAgent.contains("mobile");
}
πŸ€– Prompt for AI Agents 
In src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java around
lines 103 to 108, the current mobile client detection only checks if the
User-Agent contains "okhttp", which is too simplistic and unreliable. To fix
this, replace the hardcoded check with a configurable list of trusted mobile
client identifiers and update the method to check if the User-Agent matches any
entry in this list. Additionally, consider implementing extra verification
methods beyond User-Agent to improve detection accuracy.

src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java
Comment on lines +68 to +71
String jwtFromCookie = getJwtTokenFromCookies(request);
String jwtFromHeader = request.getHeader("JwtToken");
String authHeader = request.getHeader("Authorization");

Copy link

@coderabbitai coderabbitai bot May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Inconsistent JWT token header naming.

There's an inconsistency between the JWT token header name used in initial logging (line 52: "Jwttoken") and the one used for actual validation (line 69: "JwtToken"). This case difference could cause the header check to fail if clients are using the case shown in the logging statement.

- String jwtFromHeader = request.getHeader("JwtToken");
+ String jwtFromHeader = request.getHeader("Jwttoken");

Also, consider using constants for header names to maintain consistency throughout the code.

πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
String jwtFromCookie = getJwtTokenFromCookies(request);
String jwtFromHeader = request.getHeader("JwtToken");
String authHeader = request.getHeader("Authorization");
String jwtFromCookie = getJwtTokenFromCookies(request);
- String jwtFromHeader = request.getHeader("JwtToken");
+ String jwtFromHeader = request.getHeader("Jwttoken");
String authHeader = request.getHeader("Authorization");
πŸ€– Prompt for AI Agents 
In src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java around
lines 52 and 69, the JWT token header name is inconsistently cased ("Jwttoken"
vs "JwtToken"), which can cause header retrieval failures. Standardize the
header name casing across all usages to be identical. Additionally, define a
constant for the JWT token header name and replace all hardcoded instances with
this constant to ensure consistency and easier maintenance.

src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java
Comment on lines +87 to 93
String userAgent = request.getHeader("User-Agent");
logger.info("User-Agent: " + userAgent);

if (isValid) {
// If token is valid, allow the request to proceed
if (userAgent != null && isMobileClient(userAgent) && authHeader != null) {
filterChain.doFilter(servletRequest, servletResponse);
} else {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid JWT token");
return;
}
Copy link

@coderabbitai coderabbitai bot May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ’‘ Verification agent

🧩 Analysis chain

Security concern with mobile client bypass.

Allowing mobile clients to bypass JWT validation based solely on User-Agent and presence of an Authorization header creates a security vulnerability. The User-Agent can be easily spoofed.

Consider implementing a more robust authentication mechanism for mobile clients. At minimum, verify that the Authorization header contains a valid token:

🏁 Script executed:

#!/bin/bash
# Check if there's any validation for the Authorization header elsewhere in the codebase
rg -A 3 "Authorization.*header" --type java

Length of output: 45

🏁 Script executed:

#!/bin/bash
# Locate where the Authorization header is retrieved
rg -n 'getHeader.*"Authorization"' -A 3 --type java

# Show all occurrences of the local variable authHeader for context
rg -n 'authHeader' -A 5 --type java

Length of output: 4717

Ensure JWT validation for mobile clients, not just header presence

The current logic in JwtUserIdValidationFilter.java (around lines 87–93) skips any real token check for mobile UAs:

String userAgent = request.getHeader("User-Agent");
if (userAgent != null && isMobileClient(userAgent) && authHeader != null) {
    filterChain.doFilter(servletRequest, servletResponse);
    return;
}

User-Agent values are trivial to spoofβ€”allowing any non-null Authorization header effectively opens a backdoor. You should validate the token in the header just as you do for the cookie:

β€’ File: src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java
β€’ Lines: ~87–93

Suggested change:

- if (userAgent != null && isMobileClient(userAgent) && authHeader != null) {
-     filterChain.doFilter(servletRequest, servletResponse);
-     return;
- }
+ if (userAgent != null && isMobileClient(userAgent) && authHeader != null) {
+     logger.info("Validating JWT token from Authorization header for mobile client");
+     if (jwtAuthenticationUtil.validateUserIdAndJwtToken(authHeader)) {
+         filterChain.doFilter(servletRequest, servletResponse);
+         return;
+     }
+     logger.warn("Invalid JWT token in Authorization header for mobile client");
+ }

This ensures mobile clients can’t bypass authentication by spoofing User-Agent.

πŸ€– Prompt for AI Agents 
In src/main/java/com/iemr/admin/utils/JwtUserIdValidationFilter.java around
lines 87 to 93, the code currently bypasses JWT validation for mobile clients if
the User-Agent header indicates a mobile client and the Authorization header is
present, which is insecure due to easy User-Agent spoofing. To fix this, remove
the bypass condition and instead validate the JWT token in the Authorization
header for mobile clients just as you do for other clients, ensuring the token
is properly parsed and verified before allowing the request to proceed.

@drtechie drtechie merged commit 357f765 into PSMRI:develop May 21, 2025
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@drtechie drtechie drtechie approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ravishanigarapu @drtechie