From fa5bd8f2727f199ef16e0acc31a370605859ff65 Mon Sep 17 00:00:00 2001 From: Vanitha Date: Mon, 17 Nov 2025 14:50:07 +0530 Subject: [PATCH 1/3] fix: wasa-IDOR Vulnerability --- pom.xml | 2 +- .../common/main/CommonController.java | 20 +++++++++-- .../location/LocationController.java | 21 +++++++++--- .../login/IemrMmuLoginController.java | 33 ++++++++++++++++--- .../TeleConsultationController.java | 12 +++++-- src/main/java/com/iemr/mmu/utils/JwtUtil.java | 4 +++ 6 files changed, 79 insertions(+), 13 deletions(-) diff --git a/pom.xml b/pom.xml index b0e8639c..5fac3076 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ 4.0.0 com.iemr.mmu mmu-api - 3.4.0 + 3.6.1 war MMU-API diff --git a/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java b/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java index 137e4455..a0eabe62 100644 --- a/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java +++ b/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java @@ -40,6 +40,7 @@ import org.springframework.web.bind.annotation.RequestHeader; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; +import com.iemr.mmu.utils.JwtUtil; import com.iemr.mmu.data.benFlowStatus.BeneficiaryFlowStatus; import com.iemr.mmu.service.common.transaction.CommonDoctorServiceImpl; @@ -50,6 +51,7 @@ import com.iemr.mmu.utils.exception.IEMRException; import com.iemr.mmu.utils.mapper.InputMapper; import com.iemr.mmu.utils.response.OutputResponse; +import com.iemr.mmu.utils.CookieUtil; import io.swagger.annotations.ApiParam; import io.swagger.v3.oas.annotations.Operation; @@ -68,6 +70,9 @@ public class CommonController { @Autowired private ServletContext servletContext; + @Autowired + private JwtUtil jwtUtil; + @Autowired private AESEncryptionDecryption aESEncryptionDecryption; 
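Review bot: `import com.iemr.mmu.utils.JwtUtil;` is inserted between the org.springframework imports and `com.iemr.mmu.data.benFlowStatus`, and `import com.iemr.mmu.utils.CookieUtil;` lands after `com.iemr.mmu.utils.response.OutputResponse`, which breaks the file's grouped, alphabetical import ordering; place both next to the other `com.iemr.mmu.utils.*` imports (with `AESEncryptionDecryption`, `exception`, `mapper`, `response`). The same placement, a `com.iemr.mmu` import dropped in the middle of the spring/jakarta group, recurs in the LocationController, IemrMmuLoginController and TeleConsultationController hunks of this patch. The pom version bump in the first hunk needs no review.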
@@ -661,9 +666,15 @@ public String getBeneficiaryCaseSheetHistory( @Operation(summary = "TC specialist") @GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}/{userID}" }) public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID, - @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID) { + @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID,HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + try { + if(!userId.equals(String.valueOf(userID))) { + throw new IEMRException("Unauthorized access"); + } if (providerServiceMapID != null && userID != null) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID, serviceID); @@ -687,9 +698,14 @@ public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") I "/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}/{userID}" }) public String getTCSpecialistWorklistFutureScheduled( @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, - @PathVariable("serviceID") Integer serviceID) { + @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); try { + if(!userId.equals(String.valueOf(userID))) { + throw new IEMRException("Unauthorized access"); + } if (providerServiceMapID != null && userID != null) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID, userID, serviceID); 
diff --git a/src/main/java/com/iemr/mmu/controller/location/LocationController.java b/src/main/java/com/iemr/mmu/controller/location/LocationController.java index 71e90724..d75e38d3 100644 --- a/src/main/java/com/iemr/mmu/controller/location/LocationController.java +++ b/src/main/java/com/iemr/mmu/controller/location/LocationController.java @@ -25,6 +25,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import com.iemr.mmu.utils.JwtUtil; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PathVariable; @@ -33,6 +34,8 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RestController; +import jakarta.servlet.http.HttpServletRequest; +import com.iemr.mmu.utils.CookieUtil; import com.iemr.mmu.controller.common.master.CommonMasterController; import com.iemr.mmu.service.location.LocationServiceImpl; @@ -48,6 +51,9 @@ public class LocationController { private LocationServiceImpl locationServiceImpl; + @Autowired + private JwtUtil jwtUtil; + @Autowired public void setLocationServiceImpl(LocationServiceImpl locationServiceImpl) { this.locationServiceImpl = locationServiceImpl; 
@@ -137,22 +143,29 @@ public String getVillageMaster(@PathVariable("blockID") Integer blockID) { @Operation(summary = "Get location details based on SP id and PSM id") @PostMapping(value = "/getLocDetailsBasedOnSpIDAndPsmID", consumes = "application/json", produces = "application/json") - public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequest) { + public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); try { JSONObject obj = new JSONObject(comingRequest); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + if(userId != null && obj.has("userId") && userId.equals(String.valueOf( obj.getInt("userId")))) { if (obj != null && obj.has("spID") && obj.has("spPSMID") && obj.get("spID") != null && obj.get("spPSMID") != null) { - Integer userId = null; + Integer userID = null; if (obj.has("userId") && null != obj.get("userId")) { - userId = Integer.valueOf(obj.get("userId").toString()); + userID = Integer.valueOf(obj.get("userId").toString()); } - String s = locationServiceImpl.getLocDetailsNew(obj.getInt("spID"), obj.getInt("spPSMID"), userId); + String s = locationServiceImpl.getLocDetailsNew(obj.getInt("spID"), obj.getInt("spPSMID"), userID); response.setResponse(s); } else { response.setError(5000, "Invalid request"); } + } + else { + response.setError(5000, "Unauthorized access"); + } } catch (Exception e) { logger.error(e.getMessage()); response.setError(5000, "Error while getting location data"); diff --git a/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java b/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java index 08942297..c260e70e 100644 --- a/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java +++ b/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java 
@@ -33,9 +33,13 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RestController; +import com.iemr.mmu.utils.CookieUtil; + +import jakarta.servlet.http.HttpServletRequest; import com.iemr.mmu.controller.registrar.main.RegistrarController; import com.iemr.mmu.service.login.IemrMmuLoginServiceImpl; +import com.iemr.mmu.utils.JwtUtil; import com.iemr.mmu.utils.mapper.InputMapper; import com.iemr.mmu.utils.response.OutputResponse; @@ -50,6 +54,9 @@ public class IemrMmuLoginController { private IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl; + @Autowired + private JwtUtil jwtUtil; + @Autowired public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl) { this.iemrMmuLoginServiceImpl = iemrMmuLoginServiceImpl; 
@@ -57,14 +64,23 @@ public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServi @Operation(summary = "Get user service point van details") @GetMapping(value = "/getUserServicePointVanDetails", consumes = "application/json", produces = "application/json") - public String getUserServicePointVanDetails(@RequestBody String comingRequest) { + public String getUserServicePointVanDetails(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); try { JSONObject obj = new JSONObject(comingRequest); logger.info("getUserServicePointVanDetails request " + comingRequest); - String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(obj.getInt("userID")); + if(userId != null && obj.has("userID") && userId.equals(String.valueOf( obj.getInt("userID")))) { + String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(obj.getInt("userID")); response.setResponse(responseData); + } + else { + response.setError(5000, "Unauthorized access"); + return response.toString(); + } + } catch (Exception e) { response.setError(5000, "Error while getting service points and van data"); logger.error("get User SP and van details failed with " + e.getMessage(), e); 
@@ -95,12 +111,17 @@ public String getServicepointVillages(@RequestBody String comingRequest) { @Operation(summary = "Get user van details") @PostMapping(value = "/getUserVanSpDetails", consumes = "application/json", produces = "application/json") - public String getUserVanSpDetails(@RequestBody String comingRequest) { + public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { JSONObject obj = new JSONObject(comingRequest); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + logger.info("getServicepointVillages request " + comingRequest); + if(userId != null && userId.equals(String.valueOf( obj.getInt("userID")))) { if (obj.has("userID") && obj.has("providerServiceMapID")) { String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"), obj.getInt("providerServiceMapID")); @@ -108,6 +129,10 @@ public String getUserVanSpDetails(@RequestBody String comingRequest) { } else { response.setError(5000, "Invalid request"); } + } + else { + response.setError(5000, "Unauthorized access"); + } } catch (Exception e) { response.setError(5000, "Error while getting van and service points data"); logger.error("getUserVanSpDetails failed with " + e.getMessage(), e); @@ -129,7 +154,7 @@ public String getVanMaster(@PathVariable("psmID") Integer psmID) { } catch (Exception e) { logger.info("Error occurred while fetching van master is : " + e); response.setError(5000, "Error occurred while fetching van master is : " + e); - ; + } return response.toString(); } diff --git a/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java b/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java index d85158b5..8f497db4 100644 --- a/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java 
+++ b/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java @@ -24,6 +24,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import com.iemr.mmu.utils.JwtUtil; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; @@ -48,6 +49,9 @@ public class TeleConsultationController { @Autowired private TeleConsultationServiceImpl teleConsultationServiceImpl; + + @Autowired + private JwtUtil jwtUtil; @Operation(summary = "Update beneficiary arrival status based on request") @PostMapping(value = { "/update/benArrivalStatus" }) @@ -137,12 +141,16 @@ public String createTCRequestForBeneficiary(@RequestBody String requestOBJ, @Req @Operation(summary = "Get TC request list for a specialist") @PostMapping(value = { "/getTCRequestList" }) - public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ) { + public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); try { if (requestOBJ != null) { JsonObject jsnOBJ = parseJsonRequest(requestOBJ); - + if(!userId.equals(String.valueOf(jsnOBJ.get("userID").getAsInt()))) { + throw new Exception("Unauthorized access"); + } String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate( jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(), jsnOBJ.get("date").getAsString()); diff --git a/src/main/java/com/iemr/mmu/utils/JwtUtil.java b/src/main/java/com/iemr/mmu/utils/JwtUtil.java index aaa2b07e..79d029f6 100644 --- a/src/main/java/com/iemr/mmu/utils/JwtUtil.java +++ b/src/main/java/com/iemr/mmu/utils/JwtUtil.java 
@@ -66,4 +66,8 @@ private Claims extractAllClaims(String token) { .parseSignedClaims(token) .getPayload(); } + + public String getUserIdFromToken(String token) { + return extractAllClaims(token).get("userId", String.class); + } } From 51beb430e0347f3ff1384226db1a3a9673b9295d Mon Sep 17 00:00:00 2001 From: Vanitha Date: Mon, 17 Nov 2025 16:10:08 +0530 Subject: [PATCH 2/3] fix: coderabbit comments --- .../common/main/CommonController.java | 18 ++++++++++++------ .../location/LocationController.java | 5 ++--- .../login/IemrMmuLoginController.java | 8 ++++---- .../TeleConsultationController.java | 7 ++++--- src/main/java/com/iemr/mmu/utils/JwtUtil.java | 11 ++++++++--- 5 files changed, 30 insertions(+), 19 deletions(-) diff --git a/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java b/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java index a0eabe62..4b42965f 100644 --- a/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java +++ b/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java @@ -668,12 +668,15 @@ public String getBeneficiaryCaseSheetHistory( public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID,HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - - try { + if(jwtToken == null || userId == null) { + response.setError(403, "Unauthorized access: Missing or invalid token"); + } if(!userId.equals(String.valueOf(userID))) { - throw new IEMRException("Unauthorized access"); + response.setError(403, "Unauthorized access: User ID does not match token"); } if (providerServiceMapID != null && userID != null) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID, 
@@ -700,11 +703,14 @@ public String getTCSpecialistWorklistFutureScheduled( @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); - String jwtToken = CookieUtil.getJwtTokenFromCookie(request); - String userId = jwtUtil.getUserIdFromToken(jwtToken); try { + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); if(!userId.equals(String.valueOf(userID))) { - throw new IEMRException("Unauthorized access"); + response.setError(403, "Unauthorized access: User ID does not match token"); + } + if(jwtToken == null || userId == null) { + response.setError(403, "Unauthorized access: Missing or invalid token"); } if (providerServiceMapID != null && userID != null) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID, diff --git a/src/main/java/com/iemr/mmu/controller/location/LocationController.java b/src/main/java/com/iemr/mmu/controller/location/LocationController.java index d75e38d3..5c644f16 100644 --- a/src/main/java/com/iemr/mmu/controller/location/LocationController.java +++ b/src/main/java/com/iemr/mmu/controller/location/LocationController.java @@ -162,9 +162,8 @@ public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequ } else { response.setError(5000, "Invalid request"); } - } - else { - response.setError(5000, "Unauthorized access"); + } else { + response.setError(403, "Unauthorized access: User ID does not match token"); } } catch (Exception e) { logger.error(e.getMessage()); diff --git a/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java b/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java index c260e70e..99c4120c 100644 --- a/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java 
+++ b/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java @@ -66,9 +66,9 @@ public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServi @GetMapping(value = "/getUserServicePointVanDetails", consumes = "application/json", produces = "application/json") public String getUserServicePointVanDetails(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { JSONObject obj = new JSONObject(comingRequest); logger.info("getUserServicePointVanDetails request " + comingRequest); @@ -77,7 +77,7 @@ public String getUserServicePointVanDetails(@RequestBody String comingRequest, H response.setResponse(responseData); } else { - response.setError(5000, "Unauthorized access"); + response.setError(403, "Unauthorized access: User ID does not match token"); return response.toString(); } @@ -121,7 +121,7 @@ public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServlet String userId = jwtUtil.getUserIdFromToken(jwtToken); logger.info("getServicepointVillages request " + comingRequest); - if(userId != null && userId.equals(String.valueOf( obj.getInt("userID")))) { + if (userId != null && userId.equals(String.valueOf( obj.getInt("userID")))) { if (obj.has("userID") && obj.has("providerServiceMapID")) { String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"), obj.getInt("providerServiceMapID")); @@ -131,7 +131,7 @@ public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServlet } } else { - response.setError(5000, "Unauthorized access"); + response.setError(403, "Unauthorized access: User ID does not match token"); } } catch (Exception e) { response.setError(5000, "Error while getting van and service points data"); 
diff --git a/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java b/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java index 8f497db4..946ced97 100644 --- a/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java +++ b/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java @@ -143,13 +143,14 @@ public String createTCRequestForBeneficiary(@RequestBody String requestOBJ, @Req @PostMapping(value = { "/getTCRequestList" }) public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { if (requestOBJ != null) { JsonObject jsnOBJ = parseJsonRequest(requestOBJ); - if(!userId.equals(String.valueOf(jsnOBJ.get("userID").getAsInt()))) { - throw new Exception("Unauthorized access"); + if(userId == null || !jsnOBJ.has("userID") || !userId.equals(String.valueOf(jsnOBJ.get("userID").getAsInt()))) { + response.setError(403, "Unauthorized access: User ID does not match token"); + return response.toString(); } String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate( jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(), diff --git a/src/main/java/com/iemr/mmu/utils/JwtUtil.java b/src/main/java/com/iemr/mmu/utils/JwtUtil.java index 79d029f6..ee6ee025 100644 --- a/src/main/java/com/iemr/mmu/utils/JwtUtil.java +++ b/src/main/java/com/iemr/mmu/utils/JwtUtil.java 
@@ -67,7 +67,12 @@ private Claims extractAllClaims(String token) { .getPayload(); } - public String getUserIdFromToken(String token) { - return extractAllClaims(token).get("userId", String.class); - } + + public String getUserIdFromToken(String token) { + Claims claims = validateToken(token); + if (claims == null) { + return null; + } + return claims.get("userId", String.class); + } } From 6a15a1157b2609ad3cf8ad017d96ad1b8821b43f Mon Sep 17 00:00:00 2001 From: Vanitha Date: Tue, 18 Nov 2025 15:42:29 +0530 Subject: [PATCH 3/3] fix: remove userid from payload --- .../common/main/CommonController.java | 22 +++++++++---------- .../location/LocationController.java | 10 ++++----- .../login/IemrMmuLoginController.java | 21 +++++++++--------- .../TeleConsultationController.java | 6 ++--- 4 files changed, 27 insertions(+), 32 deletions(-) diff --git a/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java b/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java index 4b42965f..d05c4655 100644 --- a/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java +++ b/src/main/java/com/iemr/mmu/controller/common/main/CommonController.java 
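Review bot: getUserIdFromToken has no Javadoc although every controller in this series now relies on its null return to mean "reject"; add `/** Returns the "userId" claim of a valid token, or null when validateToken rejects it. */` above the method. `claims.get("userId", String.class)` also requires the claim to be a JSON string; if tokens are issued with a numeric userId, jjwt's typed getter throws instead of converting (verify against the token issuer), and the controllers would then report their generic 5000 error rather than 403, so `Object raw = claims.get("userId"); return raw == null ? null : String.valueOf(raw);` is the more tolerant form. validateToken is outside the hunk, so whether it tolerates a null token (the controllers pass `jwtToken` unchecked) is not visible here.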
@@ -664,21 +664,20 @@ public String getBeneficiaryCaseSheetHistory( } @Operation(summary = "TC specialist") - @GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}/{userID}" }) + @GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}" }) public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID, - @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID,HttpServletRequest request) { + @PathVariable("serviceID") Integer serviceID,HttpServletRequest request) { OutputResponse response = new OutputResponse(); try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); + int userID = Integer.parseInt(userId); if(jwtToken == null || userId == null) { response.setError(403, "Unauthorized access: Missing or invalid token"); } - if(!userId.equals(String.valueOf(userID))) { - response.setError(403, "Unauthorized access: User ID does not match token"); - } - if (providerServiceMapID != null && userID != null) { + + if (providerServiceMapID != null && userId != null) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID, serviceID); if (s != null) 
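Review bot: `int userID = Integer.parseInt(userId);` runs before the `jwtToken == null || userId == null` check, and `Integer.parseInt(null)` throws NumberFormatException, so a request with no or an invalid cookie never reaches the 403 branch and instead falls into the catch block (outside the hunk) with its generic error; move the parse below the check and make the check terminate the handler with `return response.toString();`, since as written the code falls through after setError. The same ordering appears in getTCSpecialistWorklistFutureScheduled in the next hunk and in IemrMmuLoginController.getUserVanSpDetails in this patch. Once the guard returns, the `userId != null` in `if (providerServiceMapID != null && userId != null)` is redundant. The 403 is only recorded as a body code through `response.setError`; if OutputResponse does not also map it to the HTTP status (not visible here), clients still receive 200, which is worth confirming.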
@@ -698,21 +697,20 @@ public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") I @Operation(summary = "TC specialist future scheduled") @GetMapping(value = { - "/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}/{userID}" }) + "/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}" }) public String getTCSpecialistWorklistFutureScheduled( - @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, + @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - if(!userId.equals(String.valueOf(userID))) { - response.setError(403, "Unauthorized access: User ID does not match token"); - } + int userID = Integer.parseInt(userId); + if(jwtToken == null || userId == null) { response.setError(403, "Unauthorized access: Missing or invalid token"); } - if (providerServiceMapID != null && userID != null) { + if (providerServiceMapID != null && userId != null) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID, userID, serviceID); if (s != null) diff --git a/src/main/java/com/iemr/mmu/controller/location/LocationController.java b/src/main/java/com/iemr/mmu/controller/location/LocationController.java index 5c644f16..6559182b 100644 --- a/src/main/java/com/iemr/mmu/controller/location/LocationController.java +++ b/src/main/java/com/iemr/mmu/controller/location/LocationController.java 
@@ -149,13 +149,11 @@ public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequ JSONObject obj = new JSONObject(comingRequest); String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - if(userId != null && obj.has("userId") && userId.equals(String.valueOf( obj.getInt("userId")))) { + if(userId != null) { + int userID = Integer.parseInt(userId); if (obj != null && obj.has("spID") && obj.has("spPSMID") && obj.get("spID") != null && obj.get("spPSMID") != null) { - Integer userID = null; - if (obj.has("userId") && null != obj.get("userId")) { - userID = Integer.valueOf(obj.get("userId").toString()); - } + String s = locationServiceImpl.getLocDetailsNew(obj.getInt("spID"), obj.getInt("spPSMID"), userID); response.setResponse(s); @@ -163,7 +161,7 @@ public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequ response.setError(5000, "Invalid request"); } } else { - response.setError(403, "Unauthorized access: User ID does not match token"); + response.setError(403, "Unauthorized access"); } } catch (Exception e) { logger.error(e.getMessage()); diff --git a/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java b/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java index 99c4120c..a3fe4869 100644 --- a/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java +++ b/src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java 
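Review bot: The token is read and checked only after `JSONObject obj = new JSONObject(comingRequest);` has parsed the body, so an unauthenticated caller sending malformed JSON gets the catch block's generic "Error while getting location data" rather than 403; move the two token lines and the `userId != null` guard above the parse. With userId now taken from the token, `obj != null` in the following condition is always true (the constructor returns an object or throws) and can be dropped, as can the empty line left where the old userId block was. The catch block of getLocDetailsBasedOnSpIDAndPsmIDNew is outside the hunk.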
@@ -72,12 +72,12 @@ public String getUserServicePointVanDetails(@RequestBody String comingRequest, H JSONObject obj = new JSONObject(comingRequest); logger.info("getUserServicePointVanDetails request " + comingRequest); - if(userId != null && obj.has("userID") && userId.equals(String.valueOf( obj.getInt("userID")))) { - String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(obj.getInt("userID")); + if(userId != null ) { + String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(Integer.parseInt(userId)); response.setResponse(responseData); } else { - response.setError(403, "Unauthorized access: User ID does not match token"); + response.setError(403, "Unauthorized access: Missing or invalid token"); return response.toString(); } 
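Review bot: `obj` is no longer read after this change — userId now comes from the token and `obj.getInt("userID")` is gone — so `JSONObject obj = new JSONObject(comingRequest);` and the `logger.info` of the raw body can be removed, and the handler still fails with the generic error on a malformed body it never uses. Since nothing in the body is needed any more, the `@RequestBody String comingRequest` parameter (declared outside this hunk, on a `@GetMapping`) could be dropped as well; if it is kept, the verbatim body should not be logged at info level. Minor: `if(userId != null )` has a stray space before the parenthesis.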
@@ -119,20 +119,19 @@ public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServlet JSONObject obj = new JSONObject(comingRequest); String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - + int userID = Integer.parseInt(userId); logger.info("getServicepointVillages request " + comingRequest); - if (userId != null && userId.equals(String.valueOf( obj.getInt("userID")))) { - if (obj.has("userID") && obj.has("providerServiceMapID")) { - String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"), + if (userId != null && obj.has("providerServiceMapID")) { + String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(userID, obj.getInt("providerServiceMapID")); response.setResponse(responseData); + } else if (userId == null || jwtToken == null) { + response.setError(403, "Unauthorized access: Missing or invalid token"); } else { response.setError(5000, "Invalid request"); } - } - else { - response.setError(403, "Unauthorized access: User ID does not match token"); - } + + } catch (Exception e) { response.setError(5000, "Error while getting van and service points data"); logger.error("getUserVanSpDetails failed with " + e.getMessage(), e); diff --git a/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java b/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java index 946ced97..5a5eea00 100644 --- a/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java +++ b/src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java 
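Review bot: `logger.info("getServicepointVillages request " + comingRequest);` sits in getUserVanSpDetails, so the log line names the wrong handler; change it to `logger.info("getUserVanSpDetails request " + comingRequest);`. The parse-before-null-check ordering of `int userID = Integer.parseInt(userId);`, which makes the `else if (userId == null || jwtToken == null)` branch unreachable, is the same issue noted on CommonController.getTCSpecialistWorkListNew. The two added blank lines where the old `else` block was removed are leftover whitespace. The catch block continues outside the hunk.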
@@ -148,12 +148,12 @@ public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpSer String userId = jwtUtil.getUserIdFromToken(jwtToken); if (requestOBJ != null) { JsonObject jsnOBJ = parseJsonRequest(requestOBJ); - if(userId == null || !jsnOBJ.has("userID") || !userId.equals(String.valueOf(jsnOBJ.get("userID").getAsInt()))) { - response.setError(403, "Unauthorized access: User ID does not match token"); + if(userId == null) { + response.setError(403, "Unauthorized access: Missing or invalid token"); return response.toString(); } String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate( - jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(), + jsnOBJ.get("psmID").getAsInt(), Integer.parseInt(userId), jsnOBJ.get("date").getAsString()); if (s != null) response.setResponse(s);
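Review bot: The `userId == null` check sits inside `if (requestOBJ != null)` and after `parseJsonRequest(requestOBJ)`, so a request without a valid token that also has a missing or malformed body does not get the 403; hoist `if (userId == null) { response.setError(403, ...); return response.toString(); }` above `if (requestOBJ != null)`. `jsnOBJ.get("psmID").getAsInt()` on the next line still dereferences without a `has("psmID")` check and will surface as whatever the catch block (outside the hunk) reports. Minor: `if(userId == null)` lacks the space after `if` used elsewhere in the file.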