From b23f4c7b640062ed28907c4517ac4407fa976e08 Mon Sep 17 00:00:00 2001 From: Vanitha Date: Mon, 17 Nov 2025 15:01:08 +0530 Subject: [PATCH 1/3] fix: wasa-IDOR Vulnerability --- pom.xml | 16 +++++-- .../common/main/WorklistController.java | 46 +++++++++++++++---- .../login/IemrMmuLoginController.java | 34 ++++++++++++-- .../TeleConsultationController.java | 18 +++++++- .../VideoConsultationController.java | 20 ++++++-- src/main/java/com/iemr/tm/utils/JwtUtil.java | 4 ++ 6 files changed, 115 insertions(+), 23 deletions(-) diff --git a/pom.xml b/pom.xml index cd3a8f6d..c515352a 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.iemr.tm tm-api - 3.4.0 + 3.6.1 war TM-API @@ -59,12 +59,12 @@ org.springframework.boot spring-boot-starter - + co.elastic.logging @@ -128,6 +128,16 @@ lombok true + + org.slf4j + slf4j-api + ${slf4j.version} + + + org.slf4j + slf4j-simple + ${slf4j.version} + org.springframework.boot diff --git a/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java b/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java index 36217a88..27558964 100644 --- a/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java +++ b/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java @@ -41,11 +41,14 @@ import com.iemr.tm.service.common.transaction.CommonDoctorServiceImpl; import com.iemr.tm.service.common.transaction.CommonNurseServiceImpl; import com.iemr.tm.service.common.transaction.CommonServiceImpl; +import com.iemr.tm.utils.CookieUtil; +import com.iemr.tm.utils.JwtUtil; import com.iemr.tm.utils.mapper.InputMapper; import com.iemr.tm.utils.response.OutputResponse; import io.lettuce.core.dynamic.annotation.Param; import io.swagger.v3.oas.annotations.Operation; +import jakarta.servlet.http.HttpServletRequest; @RestController @RequestMapping(value = "/common", headers = "Authorization", consumes = "application/json", produces = "application/json") 
@@ -57,6 +60,9 @@ public class WorklistController { private CommonServiceImpl commonServiceImpl; private InputMapper inputMapper = new InputMapper(); + @Autowired + private JwtUtil jwtUtil; + @Autowired public void setCommonServiceImpl(CommonServiceImpl commonServiceImpl) { this.commonServiceImpl = commonServiceImpl; @@ -678,14 +684,20 @@ public String getBeneficiaryCaseSheetHistory( @Operation(summary = "Get teleconsultation specialist worklist") @GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}/{userID}" }) public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID, - @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID) { + @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); try { - if (providerServiceMapID != null && userID != null) { + if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID, serviceID); if (s != null) response.setResponse(s); + } + else if(userId == null || !userID.toString().equals(userId)) + { + response.setError(5000, "Unauthorized access!"); } else { logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " + providerServiceMapID + " SID = " + userID); 
@@ -705,15 +717,24 @@ public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") I "/getTCSpecialistWorklistPatientApp/{providerServiceMapID}/{serviceID}/{userID}/{vanID}" }) public String getTCSpecialistWorkListNewPatientApp( @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, - @PathVariable("serviceID") Integer serviceID, @PathVariable("vanID") Integer vanID) { + @PathVariable("serviceID") Integer serviceID, @PathVariable("vanID") Integer vanID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + try { - if (providerServiceMapID != null && userID != null) { + if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTMPatientApp(providerServiceMapID, userID, serviceID, vanID); if (s != null) response.setResponse(s); - } else { + } + else if(userId == null || !userID.toString().equals(userId)) + { + response.setError(5000, "Unauthorized access!"); + } + else { logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " + providerServiceMapID + " SID = " + userID); response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid"); 
@@ -732,15 +753,24 @@ public String getTCSpecialistWorkListNewPatientApp( "/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}/{userID}" }) public String getTCSpecialistWorklistFutureScheduled( @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, - @PathVariable("serviceID") Integer serviceID) { + @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + try { - if (providerServiceMapID != null && userID != null) { + if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID, userID, serviceID); if (s != null) response.setResponse(s); - } else { + } + else if(userId == null || !userID.toString().equals(userId)) + { + response.setError(5000, "Unauthorized access!"); + } + else { logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " + providerServiceMapID + " UserID = " + userID); response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid"); diff --git a/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java b/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java index 6d2c06f7..c771f61a 100644 --- a/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java +++ b/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java 
@@ -35,10 +35,13 @@ import com.iemr.tm.controller.registrar.main.RegistrarController; import com.iemr.tm.service.login.IemrMmuLoginServiceImpl; +import com.iemr.tm.utils.CookieUtil; +import com.iemr.tm.utils.JwtUtil; import com.iemr.tm.utils.mapper.InputMapper; import com.iemr.tm.utils.response.OutputResponse; import io.swagger.v3.oas.annotations.Operation; +import jakarta.servlet.http.HttpServletRequest; @RestController @RequestMapping(value = "/user", headers = "Authorization", consumes = "application/json", produces = "application/json") @@ -49,6 +52,10 @@ public class IemrMmuLoginController { private IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl; + + @Autowired + private JwtUtil jwtUtil; + @Autowired public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServiceImpl) { this.iemrMmuLoginServiceImpl = iemrMmuLoginServiceImpl; @@ -57,12 +64,20 @@ public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServi @Operation(summary = "Get user service point van details") @PostMapping(value = "/getUserServicePointVanDetails", produces = { "application/json" }) - public String getUserServicePointVanDetails(@RequestBody String comingRequest) { + public String getUserServicePointVanDetails(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + try { JSONObject obj = new JSONObject(comingRequest); logger.info("getUserServicePointVanDetails request " + comingRequest); + if (!obj.has("userID") || !obj.get("userID").toString().equals(userId)) { + response.setError(5001, "Unauthorized access - userID does not match token"); + return response.toString(); + } String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(obj.getInt("userID")); response.setResponse(responseData); } catch (Exception e) { 
@@ -97,16 +112,25 @@ public String getServicepointVillages(@RequestBody String comingRequest) { @Operation(summary = "Get user service point van details") @PostMapping(value = "/getUserVanSpDetails", produces = { "application/json" }) - public String getUserVanSpDetails(@RequestBody String comingRequest) { + public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); try { JSONObject obj = new JSONObject(comingRequest); logger.info("getServicepointVillages request " + comingRequest); + if (obj.has("userID") && obj.has("providerServiceMapID")) { - String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"), - obj.getInt("providerServiceMapID")); - response.setResponse(responseData); + // read userID from payload and compare with userId from token + String payloadUserId = String.valueOf(obj.getInt("userID")); + if (payloadUserId.equals(userId)) { + String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"), + obj.getInt("providerServiceMapID")); + response.setResponse(responseData); + } else { + response.setError(5001, "Unauthorized access - userID does not match token"); + } } else { response.setError(5000, "Invalid request"); } diff --git a/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java b/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java index 92e95b44..6b7ac44c 100644 --- a/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java +++ b/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java 
@@ -30,6 +30,9 @@ import org.springframework.web.bind.annotation.RequestHeader; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; +import jakarta.servlet.http.HttpServletRequest; +import com.iemr.tm.utils.CookieUtil; +import com.iemr.tm.utils.JwtUtil; import com.google.gson.JsonElement; import com.google.gson.JsonObject; @@ -47,6 +50,9 @@ public class TeleConsultationController { @Autowired private TeleConsultationServiceImpl teleConsultationServiceImpl; + @Autowired + private JwtUtil jwtUtil; + @Operation(summary = "Update beneficiary arrival status based on request") @PostMapping(value = { "/update/benArrivalStatus" }) public String benArrivalStatusUpdater(@RequestBody String requestOBJ) { 
@@ -137,20 +143,28 @@ public String createTCRequestForBeneficiary(@RequestBody String requestOBJ, @Req // TC request List @Operation(summary = "Get teleconsultation request list for a specialist") @PostMapping(value = { "/getTCRequestList" }) - public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ) { + public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + try { if (requestOBJ != null) { JsonObject jsnOBJ = new JsonObject(); JsonParser jsnParser = new JsonParser(); JsonElement jsnElmnt = jsnParser.parse(requestOBJ); jsnOBJ = jsnElmnt.getAsJsonObject(); - + if (jsnOBJ.get("userID").getAsInt() == Integer.parseInt(userId)) { String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate( jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(), jsnOBJ.get("date").getAsString()); if (s != null) response.setResponse(s); + } + else + { + response.setError(5000, "Unauthorized access!"); + } } else { logger.error("Invalid request, either ProviderServiceMapID or userID or reqDate is invalid"); response.setError(5000, diff --git a/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java b/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java index aca8405a..4e83e6ed 100644 --- a/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java +++ b/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java 
@@ -32,6 +32,9 @@ import com.iemr.tm.service.videoconsultation.VideoConsultationService; import com.iemr.tm.utils.response.OutputResponse; +import jakarta.servlet.http.HttpServletRequest; +import com.iemr.tm.utils.CookieUtil; +import com.iemr.tm.utils.JwtUtil; import io.swagger.v3.oas.annotations.Operation; @@ -44,19 +47,26 @@ public class VideoConsultationController { @Autowired private VideoConsultationService videoConsultationService; + @Autowired + private JwtUtil jwtUtil; + @Operation(summary = "Login to video consultation service") @GetMapping(value = "/login/{userID}", headers = "Authorization", produces = { "application/json" }) - public String login(@PathVariable("userID") Long userID) { + public String login(@PathVariable("userID") Long userID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); try { + if(userID.toString().equals(userId)) { + String createdData = videoConsultationService.login(userID); - String createdData = videoConsultationService.login(userID); - - response.setResponse(createdData.toString()); - + response.setResponse(createdData.toString()); + }else { + response.setError(5000, "Unauthorized access!"); + } } catch (Exception e) { logger.error(e.getMessage()); response.setError(e); diff --git a/src/main/java/com/iemr/tm/utils/JwtUtil.java b/src/main/java/com/iemr/tm/utils/JwtUtil.java index 2639896e..6081f15d 100644 --- a/src/main/java/com/iemr/tm/utils/JwtUtil.java +++ b/src/main/java/com/iemr/tm/utils/JwtUtil.java @@ -66,4 +66,8 @@ private Claims extractAllClaims(String token) { .parseSignedClaims(token) .getPayload(); } + + public String getUserIdFromToken(String token) { + return extractAllClaims(token).get("userId", String.class); + } } From 9cd210c5737fdf978d0559e6d9d5c10df733aba6 Mon Sep 17 00:00:00 2001 
From: Vanitha Date: Mon, 17 Nov 2025 15:54:45 +0530 Subject: [PATCH 2/3] fix: coderabbit comments --- pom.xml | 14 ++------- .../common/main/WorklistController.java | 31 +++++++------------ .../login/IemrMmuLoginController.java | 4 +-- .../TeleConsultationController.java | 11 +++---- .../VideoConsultationController.java | 6 ++-- src/main/java/com/iemr/tm/utils/JwtUtil.java | 11 +++++-- 6 files changed, 30 insertions(+), 47 deletions(-) diff --git a/pom.xml b/pom.xml index c515352a..530d60e7 100644 --- a/pom.xml +++ b/pom.xml @@ -59,12 +59,12 @@ org.springframework.boot spring-boot-starter - + co.elastic.logging @@ -128,16 +128,6 @@ lombok true - - org.slf4j - slf4j-api - ${slf4j.version} - - - org.slf4j - slf4j-simple - ${slf4j.version} - org.springframework.boot diff --git a/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java b/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java index 27558964..acf7c4b0 100644 --- a/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java +++ b/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java 
@@ -686,18 +686,16 @@ public String getBeneficiaryCaseSheetHistory( public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID, serviceID); if (s != null) response.setResponse(s); - } - else if(userId == null || !userID.toString().equals(userId)) - { - response.setError(5000, "Unauthorized access!"); + } else if(userId == null || !userID.toString().equals(userId)) { + response.setError(403, "Unauthorized access!"); } else { logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " + providerServiceMapID + " SID = " + userID); 
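Review bot: `response.setError(403, "Unauthorized access!")` only sets the error code inside the JSON body; because the method returns a `String`, the HTTP status stays whatever Spring assigns (normally 200) unless OutputResponse or a controller advice maps it, which is not visible here — if callers are expected to react to HTTP 403, that mapping needs confirming. The cookie-extract, token-parse and compare sequence is now repeated verbatim in this hunk and the two that follow (getTCSpecialistWorkListNewPatientApp, getTCSpecialistWorklistFutureScheduled); a private helper such as `private boolean isRequestingUser(HttpServletRequest request, Integer userID)` returning `userID != null && userID.toString().equals(jwtUtil.getUserIdFromToken(CookieUtil.getJwtTokenFromCookie(request)))` would keep the three checks identical and give one place to document the ownership rule. The enclosing methods' catch blocks and return statements are outside the hunks.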
@@ -719,22 +717,18 @@ public String getTCSpecialistWorkListNewPatientApp( @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID, @PathVariable("vanID") Integer vanID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); - + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTMPatientApp(providerServiceMapID, userID, serviceID, vanID); if (s != null) response.setResponse(s); - } - else if(userId == null || !userID.toString().equals(userId)) - { - response.setError(5000, "Unauthorized access!"); - } - else { + } else if(userId == null || !userID.toString().equals(userId)) { + response.setError(403, "Unauthorized access!"); + } else { logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " + providerServiceMapID + " SID = " + userID); response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid"); 
@@ -755,22 +749,19 @@ public String getTCSpecialistWorklistFutureScheduled( @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID, userID, serviceID); if (s != null) response.setResponse(s); - } - else if(userId == null || !userID.toString().equals(userId)) - { - response.setError(5000, "Unauthorized access!"); - } - else { + } else if(userId == null || !userID.toString().equals(userId)) { + response.setError(403, "Unauthorized access!"); + } else { logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " + providerServiceMapID + " UserID = " + userID); response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid"); diff --git a/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java b/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java index c771f61a..04c8b5c7 100644 --- a/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java +++ b/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java 
@@ -114,9 +114,9 @@ public String getServicepointVillages(@RequestBody String comingRequest) { @PostMapping(value = "/getUserVanSpDetails", produces = { "application/json" }) public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { JSONObject obj = new JSONObject(comingRequest); logger.info("getServicepointVillages request " + comingRequest); @@ -129,7 +129,7 @@ public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServlet obj.getInt("providerServiceMapID")); response.setResponse(responseData); } else { - response.setError(5001, "Unauthorized access - userID does not match token"); + response.setError(403, "Unauthorized access - userID does not match token"); } } else { response.setError(5000, "Invalid request"); diff --git a/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java b/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java index 6b7ac44c..2fd3ef46 100644 --- a/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java +++ b/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java 
@@ -145,27 +145,24 @@ public String createTCRequestForBeneficiary(@RequestBody String requestOBJ, @Req @PostMapping(value = { "/getTCRequestList" }) public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { if (requestOBJ != null) { JsonObject jsnOBJ = new JsonObject(); JsonParser jsnParser = new JsonParser(); JsonElement jsnElmnt = jsnParser.parse(requestOBJ); jsnOBJ = jsnElmnt.getAsJsonObject(); - if (jsnOBJ.get("userID").getAsInt() == Integer.parseInt(userId)) { + if (userId != null && jsnOBJ.has("userID") && jsnOBJ.get("userID").getAsString().equals(userId)) { String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate( jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(), jsnOBJ.get("date").getAsString()); if (s != null) response.setResponse(s); - } - else - { - response.setError(5000, "Unauthorized access!"); - } } else { + response.setError(403, "Unauthorized access!"); + } } else { logger.error("Invalid request, either ProviderServiceMapID or userID or reqDate is invalid"); response.setError(5000, "Invalid request, either ProviderServiceMapID or UserID or RequestDate is invalid"); diff --git a/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java b/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java index 4e83e6ed..90243696 100644 --- a/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java +++ b/src/main/java/com/iemr/tm/controller/videoconsultationcontroller/VideoConsultationController.java 
@@ -56,16 +56,16 @@ public class VideoConsultationController { public String login(@PathVariable("userID") Long userID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); + try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { if(userID.toString().equals(userId)) { String createdData = videoConsultationService.login(userID); response.setResponse(createdData.toString()); - }else { - response.setError(5000, "Unauthorized access!"); + } else { + response.setError(403, "Unauthorized access!"); } } catch (Exception e) { logger.error(e.getMessage()); diff --git a/src/main/java/com/iemr/tm/utils/JwtUtil.java b/src/main/java/com/iemr/tm/utils/JwtUtil.java index 6081f15d..e0576c71 100644 --- a/src/main/java/com/iemr/tm/utils/JwtUtil.java +++ b/src/main/java/com/iemr/tm/utils/JwtUtil.java @@ -67,7 +67,12 @@ private Claims extractAllClaims(String token) { .getPayload(); } - public String getUserIdFromToken(String token) { - return extractAllClaims(token).get("userId", String.class); - } + public String getUserIdFromToken(String token) { + Claims claims = validateToken(token); + if (claims == null) { + return null; + } + return claims.get("userId", String.class); + } } + From c455c663d28bc7e07d81a7e685aa7777c0cb86a2 Mon Sep 17 00:00:00 2001 From: Vanitha Date: Tue, 18 Nov 2025 17:03:00 +0530 Subject: [PATCH 3/3] fix: remove userid from request --- .../common/main/WorklistController.java | 44 +++++++++---------- .../login/IemrMmuLoginController.java | 27 +++++------- .../TeleConsultationController.java | 9 ++-- 3 files changed, 38 insertions(+), 42 deletions(-) diff --git a/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java b/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java index acf7c4b0..308ecf81 100644 --- a/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java 
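Review bot: `getUserIdFromToken` now has a null return that every controller relies on for its 403 path, but nothing documents it; a Javadoc along the lines of `Returns the {@code userId} claim of a token accepted by {@link #validateToken}, or {@code null} if the token is missing or fails validation.` would make that contract explicit. Whether `validateToken` itself returns null for a null or blank argument is not visible in the hunk, and the controllers pass the raw cookie value straight through, so that case is worth confirming. `claims.get("userId", String.class)` will also throw rather than return null if the issuer stores the claim as a number, so the expected claim type belongs in the same Javadoc.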
+++ b/src/main/java/com/iemr/tm/controller/common/main/WorklistController.java @@ -682,24 +682,24 @@ public String getBeneficiaryCaseSheetHistory( // TC specialist worklist new @Operation(summary = "Get teleconsultation specialist worklist") - @GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}/{userID}" }) + @GetMapping(value = { "/getTCSpecialistWorklist/{providerServiceMapID}/{serviceID}" }) public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") Integer providerServiceMapID, - @PathVariable("userID") Integer userID, @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { + @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { + Integer userID=Integer.parseInt(userId); + if (providerServiceMapID != null && userId != null ) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTM(providerServiceMapID, userID, serviceID); if (s != null) response.setResponse(s); - } else if(userId == null || !userID.toString().equals(userId)) { + } else if(userId == null || jwtToken == null) { response.setError(403, "Unauthorized access!"); } else { - logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " - + providerServiceMapID + " SID = " + userID); - response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid"); + logger.error("Invalid request"); + response.setError(5000, "Invalid request"); } } catch (Exception e) { 
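Review bot: `Integer userID=Integer.parseInt(userId);` runs before the `userId == null` test, so a missing or invalid cookie token throws NumberFormatException from parseInt and lands in the `catch (Exception e)` below instead of reaching the 403 branch, which is now unreachable. Guarding the parse keeps the existing branches working as written: `Integer userID = userId == null ? null : Integer.parseInt(userId);`. The same ordering appears in this patch's getTCSpecialistWorkListNewPatientApp and getTCSpecialistWorklistFutureScheduled hunks, in both IemrMmuLoginController hunks, and in the TeleConsultationController hunk, where `if (userId != null)` is likewise always true once parseInt has succeeded. The method's catch body and return statement are outside the hunk.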
@@ -712,26 +712,25 @@ public String getTCSpecialistWorkListNew(@PathVariable("providerServiceMapID") I // TC specialist worklist new, patient App, 14-08-2020 @Operation(summary = "Get teleconsultation specialist worklist for patient app") @GetMapping(value = { - "/getTCSpecialistWorklistPatientApp/{providerServiceMapID}/{serviceID}/{userID}/{vanID}" }) + "/getTCSpecialistWorklistPatientApp/{providerServiceMapID}/{serviceID}/{vanID}" }) public String getTCSpecialistWorkListNewPatientApp( - @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, + @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("serviceID") Integer serviceID, @PathVariable("vanID") Integer vanID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - - if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { + Integer userID=Integer.parseInt(userId); + if (providerServiceMapID != null && userID != null) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewForTMPatientApp(providerServiceMapID, userID, serviceID, vanID); if (s != null) response.setResponse(s); - } else if(userId == null || !userID.toString().equals(userId)) { + } else if(userId == null || jwtToken == null) { response.setError(403, "Unauthorized access!"); } else { - logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " - + providerServiceMapID + " SID = " + userID); - response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid"); + logger.error("Invalid request"); + response.setError(5000, "Invalid request"); } } catch (Exception e) { 
@@ -744,27 +743,26 @@ public String getTCSpecialistWorkListNewPatientApp( // TC specialist worklist new future scheduled @Operation(summary = "Get teleconsultation specialist future scheduled") @GetMapping(value = { - "/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}/{userID}" }) + "/getTCSpecialistWorklistFutureScheduled/{providerServiceMapID}/{serviceID}" }) public String getTCSpecialistWorklistFutureScheduled( - @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("userID") Integer userID, + @PathVariable("providerServiceMapID") Integer providerServiceMapID, @PathVariable("serviceID") Integer serviceID, HttpServletRequest request) { OutputResponse response = new OutputResponse(); try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); - - if (providerServiceMapID != null && userID != null && userID.toString().equals(userId)) { + Integer userID=Integer.parseInt(userId); + if (providerServiceMapID != null && userID != null ) { String s = commonDoctorServiceImpl.getTCSpecialistWorkListNewFutureScheduledForTM(providerServiceMapID, userID, serviceID); if (s != null) response.setResponse(s); - } else if(userId == null || !userID.toString().equals(userId)) { + } else if(userId == null || jwtToken == null) { response.setError(403, "Unauthorized access!"); } else { - logger.error("Invalid request, either ProviderServiceMapID or userID is invalid. PSMID = " - + providerServiceMapID + " UserID = " + userID); - response.setError(5000, "Invalid request, either ProviderServiceMapID or userID is invalid"); + logger.error("Invalid request"); + response.setError(5000, "Invalid request"); } } catch (Exception e) { diff --git a/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java b/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java index 04c8b5c7..de8c36f5 100644 
--- a/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java +++ b/src/main/java/com/iemr/tm/controller/login/IemrMmuLoginController.java @@ -66,19 +66,19 @@ public void setIemrMmuLoginServiceImpl(IemrMmuLoginServiceImpl iemrMmuLoginServi "application/json" }) public String getUserServicePointVanDetails(@RequestBody String comingRequest, HttpServletRequest request) { OutputResponse response = new OutputResponse(); - - String jwtToken = CookieUtil.getJwtTokenFromCookie(request); - String userId = jwtUtil.getUserIdFromToken(jwtToken); - try { + String jwtToken = CookieUtil.getJwtTokenFromCookie(request); + String userId = jwtUtil.getUserIdFromToken(jwtToken); + Integer userID=Integer.parseInt(userId); + JSONObject obj = new JSONObject(comingRequest); logger.info("getUserServicePointVanDetails request " + comingRequest); - if (!obj.has("userID") || !obj.get("userID").toString().equals(userId)) { - response.setError(5001, "Unauthorized access - userID does not match token"); + if (userId == null || jwtToken ==null) { + response.setError(403, "Unauthorized access: Missing or invalid token"); return response.toString(); } - String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(obj.getInt("userID")); + String responseData = iemrMmuLoginServiceImpl.getUserServicePointVanDetails(userID); response.setResponse(responseData); } catch (Exception e) { // e.printStackTrace(); 
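Review bot: After this change `JSONObject obj = new JSONObject(comingRequest);` is never read — the only field previously taken from it was `userID`, which now comes from the token — so the body is parsed solely for its side effect, and a malformed body still fails through the generic catch rather than a clear 5000 "Invalid request". Either drop the parse or keep it deliberately with a comment such as `// body is parsed only to reject malformed JSON; userID is taken from the token`. Clients that still send a userID field now have it silently ignored, which is worth stating in the `@Operation` summary above the hunk.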
@@ -117,21 +117,18 @@ public String getUserVanSpDetails(@RequestBody String comingRequest, HttpServlet try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); + Integer userID=Integer.parseInt(userId); JSONObject obj = new JSONObject(comingRequest); logger.info("getServicepointVillages request " + comingRequest); - if (obj.has("userID") && obj.has("providerServiceMapID")) { - // read userID from payload and compare with userId from token - String payloadUserId = String.valueOf(obj.getInt("userID")); - if (payloadUserId.equals(userId)) { - String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(obj.getInt("userID"), + if (userId !=null && obj.has("providerServiceMapID")) { + String responseData = iemrMmuLoginServiceImpl.getUserVanSpDetails(userID, obj.getInt("providerServiceMapID")); response.setResponse(responseData); + } else if(userId == null || jwtToken ==null) { + response.setError(403, "Unauthorized access : Missing or invalid token"); } else { - response.setError(403, "Unauthorized access - userID does not match token"); - } - } else { response.setError(5000, "Invalid request"); } } catch (Exception e) { diff --git a/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java b/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java index 2fd3ef46..390d05c7 100644 --- a/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java +++ b/src/main/java/com/iemr/tm/controller/teleconsultation/TeleConsultationController.java 
@@ -148,24 +148,25 @@ public String getTCSpecialistWorkListNew(@RequestBody String requestOBJ, HttpSer try { String jwtToken = CookieUtil.getJwtTokenFromCookie(request); String userId = jwtUtil.getUserIdFromToken(jwtToken); + Integer userID=Integer.parseInt(userId); if (requestOBJ != null) { JsonObject jsnOBJ = new JsonObject(); JsonParser jsnParser = new JsonParser(); JsonElement jsnElmnt = jsnParser.parse(requestOBJ); jsnOBJ = jsnElmnt.getAsJsonObject(); - if (userId != null && jsnOBJ.has("userID") && jsnOBJ.get("userID").getAsString().equals(userId)) { + if (userId != null) { String s = teleConsultationServiceImpl.getTCRequestListBySpecialistIdAndDate( - jsnOBJ.get("psmID").getAsInt(), jsnOBJ.get("userID").getAsInt(), + jsnOBJ.get("psmID").getAsInt(), userID, jsnOBJ.get("date").getAsString()); if (s != null) response.setResponse(s); } else { response.setError(403, "Unauthorized access!"); } } else { - logger.error("Invalid request, either ProviderServiceMapID or userID or reqDate is invalid"); + logger.error("Invalid request, either ProviderServiceMapID or reqDate is invalid"); response.setError(5000, - "Invalid request, either ProviderServiceMapID or UserID or RequestDate is invalid"); + "Invalid request, either ProviderServiceMapID or RequestDate is invalid"); } } catch (Exception e) {