Fix the WASA Issue : IDOR Vulnerability

pom.xml

@@ -5,7 +5,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.iemr.mmu</groupId>
 	<artifactId>mmu-api</artifactId>
-	<version>3.4.0</version>
+	<version>3.6.1</version>
 	<packaging>war</packaging>
 
 	<name>MMU-API</name>

src/main/java/com/iemr/mmu/controller/common/main/CommonController.java

@@ -40,6 +40,7 @@
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import com.iemr.mmu.utils.JwtUtil;
 
 import com.iemr.mmu.data.benFlowStatus.BeneficiaryFlowStatus;
 import com.iemr.mmu.service.common.transaction.CommonDoctorServiceImpl;
@@ -50,6 +51,7 @@
 import com.iemr.mmu.utils.exception.IEMRException;
 import com.iemr.mmu.utils.mapper.InputMapper;
 import com.iemr.mmu.utils.response.OutputResponse;
+import com.iemr.mmu.utils.CookieUtil;
 
 import io.swagger.annotations.ApiParam;
 import io.swagger.v3.oas.annotations.Operation;
@@ -68,6 +70,9 @@ public class CommonController {
 	@Autowired
 	private ServletContext servletContext;
 
+	@Autowired
+	private JwtUtil jwtUtil;
+
 	@Autowired
 	private AESEncryptionDecryption aESEncryptionDecryption;
 
@@ -659,12 +664,20 @@ public String getBeneficiaryCaseSheetHistory(
 	}
 
 	@Operation(summary = "TC specialist")
-	@GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}/{userID}" })
+	@GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}" })
 	public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID,
-			@PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID) {
+			@PathVariable("serviceID") Integer serviceID,HttpServletRequest request) {
 		OutputResponse response = new OutputResponse();
 		try {
-			if (providerServiceMapID != null && userID != null) {
+
+		String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
+		String userId = jwtUtil.getUserIdFromToken(jwtToken);
+		int userID = Integer.parseInt(userId);
+			if(jwtToken == null || userId == null) {
+				response.setError(403, "Unauthorized access: Missing or invalid token");
+			}
+
+			if (providerServiceMapID != null && userId != null) {
 				String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID,
 						serviceID);
 				if (s != null)
@@ -684,13 +697,20 @@ public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") I
 
 	@Operation(summary = "TC specialist future scheduled")
 	@GetMapping(value = {
-			"/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}/{userID}" })
+			"/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}" })
 	public String getTCSpecialistWorklistFutureScheduled(
-			@PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID,
-			@PathVariable("serviceID") Integer serviceID) {
+			@PathVariable("providerServiceMapID") Integer providerServiceMapID, 
+			@PathVariable("serviceID") Integer serviceID, HttpServletRequest request) {
 		OutputResponse response = new OutputResponse();
 		try {
-			if (providerServiceMapID != null && userID != null) {
+			String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
+			String userId = jwtUtil.getUserIdFromToken(jwtToken);	
+			int userID = Integer.parseInt(userId);
+
+			if(jwtToken == null || userId == null) {
+				response.setError(403, "Unauthorized access: Missing or invalid token");
+			}
+			if (providerServiceMapID != null && userId != null) {
 				String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID,
 						userID, serviceID);
 				if (s != null)

src/main/java/com/iemr/mmu/controller/location/LocationController.java

@@ -25,6 +25,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import com.iemr.mmu.utils.JwtUtil;
 
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -33,6 +34,8 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
+import jakarta.servlet.http.HttpServletRequest;
+import com.iemr.mmu.utils.CookieUtil;
 
 import com.iemr.mmu.controller.common.master.CommonMasterController;
 import com.iemr.mmu.service.location.LocationServiceImpl;
@@ -48,6 +51,9 @@ public class LocationController {
 
 	private LocationServiceImpl locationServiceImpl;
 
+	@Autowired
+	private JwtUtil jwtUtil;
+
 	@Autowired
 	public void setLocationServiceImpl(LocationServiceImpl locationServiceImpl) {
 		this.locationServiceImpl = locationServiceImpl;
@@ -137,22 +143,26 @@ public String getVillageMaster(@PathVariable("blockID") Integer blockID) {
 
 	@Operation(summary = "Get location details based on SP id and PSM id")
 	@PostMapping(value = "/getLocDetailsBasedOnSpIDAndPsmID", consumes = "application/json", produces = "application/json")
-	public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequest) {
+	public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequest, HttpServletRequest request) {
 		OutputResponse response = new OutputResponse();
 		try {
 			JSONObject obj = new JSONObject(comingRequest);
+			String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
+			String userId = jwtUtil.getUserIdFromToken(jwtToken);
+			if(userId != null) {
+				int userID = Integer.parseInt(userId);
 			if (obj != null && obj.has("spID") && obj.has("spPSMID") && obj.get("spID") != null
 					&& obj.get("spPSMID") != null) {
-				Integer userId = null;
-				if (obj.has("userId") && null != obj.get("userId")) {
-					userId = Integer.valueOf(obj.get("userId").toString());
-				}
-				String s = locationServiceImpl.getLocDetailsNew(obj.getInt("spID"), obj.getInt("spPSMID"), userId);
+
+				String s = locationServiceImpl.getLocDetailsNew(obj.getInt("spID"), obj.getInt("spPSMID"), userID);
 
 				response.setResponse(s);
 			} else {
 				response.setError(5000, "Invalid request");
 			}
+			} else {
+				response.setError(403, "Unauthorized access");
+			}
 		} catch (Exception e) {
 			logger.error(e.getMessage());
 			response.setError(5000, "Error while getting location data");

src/main/java/com/iemr/mmu/controller/login/IemrMmuLoginController.java

@@ -33,9 +33,13 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
+import com.iemr.mmu.utils.CookieUtil;
+
+import jakarta.servlet.http.HttpServletRequest;
 
 import com.iemr.mmu.controller.registrar.main.RegistrarController;
 import com.iemr.mmu.service.login.IemrMmuLoginServiceImpl;
+import com.iemr.mmu.utils.JwtUtil;
 import com.iemr.mmu.utils.mapper.InputMapper;
 import com.iemr.mmu.utils.response.OutputResponse;
 
@@ -50,21 +54,33 @@ public class IemrMmuLoginController {
 
 	private IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl;
 
+	@Autowired
+	private JwtUtil jwtUtil;
+
 	@Autowired
 	public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl) {
 		this.iemrMmuLoginServiceImpl = iemrMmuLoginServiceImpl;
 	}
 
 	@Operation(summary = "Get user service point van details")
 	@GetMapping(value = "/getUserServicePointVanDetails", consumes = "application/json", produces = "application/json")
-	public String getUserServicePointVanDetails(@RequestBody String comingRequest) {
+	public String getUserServicePointVanDetails(@RequestBody String comingRequest, HttpServletRequest request) {
 		OutputResponse response = new OutputResponse();
 		try {
+		String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
+		String userId = jwtUtil.getUserIdFromToken(jwtToken);
 
 			JSONObject obj = new JSONObject(comingRequest);
 			logger.info("getUserServicePointVanDetails request " + comingRequest);
-			String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(obj.getInt("userID"));
+			if(userId != null ) {
+				String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(Integer.parseInt(userId));
 			response.setResponse(responseData);
+			}
+			else {
+				response.setError(403, "Unauthorized access: Missing or invalid token");
+				return response.toString();
+			}
+
 		} catch (Exception e) {
 			response.setError(5000, "Error while getting service points and van data");
 			logger.error("get User SP and van details failed with " + e.getMessage(), e);
@@ -95,19 +111,27 @@ public String getServicepointVillages(@RequestBody String comingRequest) {
 
 	@Operation(summary = "Get user van details")
 	@PostMapping(value = "/getUserVanSpDetails", consumes = "application/json", produces = "application/json")
-	public String getUserVanSpDetails(@RequestBody String comingRequest) {
+	public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServletRequest request) {
 		OutputResponse response = new OutputResponse();
+
 		try {
 
 			JSONObject obj = new JSONObject(comingRequest);
+			String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
+			String userId = jwtUtil.getUserIdFromToken(jwtToken);
+			int userID = Integer.parseInt(userId);
 			logger.info("getServicepointVillages request " + comingRequest);
-			if (obj.has("userID") && obj.has("providerServiceMapID")) {
-				String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"),
+			if (userId != null && obj.has("providerServiceMapID")) {
+				String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(userID,
 						obj.getInt("providerServiceMapID"));
 				response.setResponse(responseData);
+			} else if (userId == null || jwtToken == null) {
+				response.setError(403, "Unauthorized access: Missing or invalid token");
 			} else {
 				response.setError(5000, "Invalid request");
 			}
+
+
 		} catch (Exception e) {
 			response.setError(5000, "Error while getting van and service points data");
 			logger.error("getUserVanSpDetails failed with " + e.getMessage(), e);
@@ -129,7 +153,7 @@ public String getVanMaster(@PathVariable("psmID") Integer psmID) {
 		} catch (Exception e) {
 			logger.info("Error occurred while fetching van master is  : " + e);
 			response.setError(5000, "Error occurred while fetching van master is  : " + e);
-			;
+
 		}
 		return response.toString();
 	}

src/main/java/com/iemr/mmu/controller/teleconsultation/TeleConsultationController.java

@@ -24,6 +24,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import com.iemr.mmu.utils.JwtUtil;
 
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -48,6 +49,9 @@ public class TeleConsultationController {
 
 	@Autowired
 	private TeleConsultationServiceImpl teleConsultationServiceImpl;
+
+	@Autowired
+	private JwtUtil jwtUtil;
 
 	@Operation(summary = "Update beneficiary arrival status based on request")
 	@PostMapping(value = { "/update/benArrivalStatus" })
@@ -137,14 +141,19 @@ public String createTCRequestForBeneficiary(@RequestBody String requestOBJ, @Req
 
 	@Operation(summary = "Get TC request list for a specialist")
 	@PostMapping(value = { "/getTCRequestList" })
-	public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ) {
+	public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpServletRequest request) {
 		OutputResponse response = new OutputResponse();
 		try {
+		String jwtToken = CookieUtil.getJwtTokenFromCookie(request);
+		String userId = jwtUtil.getUserIdFromToken(jwtToken);
 			if (requestOBJ != null) {
 				JsonObject jsnOBJ = parseJsonRequest(requestOBJ);
-
+				if(userId == null) {
+					response.setError(403, "Unauthorized access: Missing or invalid token");
+					return response.toString();
+				}
 				String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate(
-						jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(),
+						jsnOBJ.get("psmID").getAsInt(), Integer.parseInt(userId),
 						jsnOBJ.get("date").getAsString());
 				if (s != null)
 					response.setResponse(s);

src/main/java/com/iemr/mmu/utils/JwtUtil.java

@@ -66,4 +66,13 @@ private Claims extractAllClaims(String token) {
 			.parseSignedClaims(token)
 			.getPayload();
 	}
+
+
+	public String getUserIdFromToken(String token) {
+	    Claims claims = validateToken(token);
+	    if (claims == null) {
+	        return null;
+	    }
+	    return claims.get("userId", String.class);
+	}
 }