1 change: 1 addition & 0 deletions src/main/environment/common_ci.properties
Expand Up @@ -115,3 +115,4 @@ [email protected]_SECRET_KEY@

[email protected]_DOC_ENABLED@
[email protected]_DOC_ENABLED@
cors.allowed-origins=@CORS_ALLOWED_ORIGINS@
3 changes: 2 additions & 1 deletion src/main/environment/common_example.properties
Expand Up @@ -111,4 +111,5 @@ logging.level.com.iemr=DEBUG
logging.level.org.springframework=INFO
jwt.secret=my-32-character-ultra-secure-and-ultra-long-secret
logging.path=logs/
logging.file.name=logs/fhir-api.log
logging.file.name=logs/fhir-api.log
cors.allowed-origins=http://localhost:*
25 changes: 25 additions & 0 deletions src/main/java/com/wipro/fhir/config/CorsConfig.java
@@ -0,0 +1,25 @@
package com.wipro.fhir.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {

@Value("${cors.allowed-origins}")
private String allowedOrigins;

@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOriginPatterns(allowedOrigins.split(","))
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("*")
.exposedHeaders("Authorization", "Jwttoken") // Explicitly expose headers if needed
.allowCredentials(true)
.maxAge(3600)
;
⚠️ Potential issue

Address security concerns in CORS configuration.

The current CORS configuration has several security concerns:

  1. String splitting without trimming: allowedOrigins.split(",") doesn't handle whitespace, which could lead to unexpected behavior.
  2. Overly permissive headers: Using allowedHeaders("*") allows all headers, which might be too broad.
  3. Credentials with patterns: Using allowCredentials(true) with allowedOriginPatterns can be risky if the patterns are too broad.

Apply this diff to improve security:

-        registry.addMapping("/**")
-				.allowedOriginPatterns(allowedOrigins.split(","))
-                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
-                .allowedHeaders("*")
-                .exposedHeaders("Authorization", "Jwttoken") // Explicitly expose headers if needed
-                .allowCredentials(true)
-                .maxAge(3600)
-                ;
+        String[] origins = allowedOrigins.split(",");
+        for (int i = 0; i < origins.length; i++) {
+            origins[i] = origins[i].trim();
+        }
+        
+        registry.addMapping("/**")
+                .allowedOriginPatterns(origins)
+                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
+                .allowedHeaders("Content-Type", "Authorization", "X-Requested-With", "Accept", "Origin")
+                .exposedHeaders("Authorization", "Jwttoken")
+                .allowCredentials(true)
+                .maxAge(3600);
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

registry.addMapping("/**")
.allowedOriginPatterns(allowedOrigins.split(","))
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("*")
.exposedHeaders("Authorization", "Jwttoken") // Explicitly expose headers if needed
.allowCredentials(true)
.maxAge(3600)
;
String[] origins = allowedOrigins.split(",");
for (int i = 0; i < origins.length; i++) {
origins[i] = origins[i].trim();
}
registry.addMapping("/**")
.allowedOriginPatterns(origins)
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("Content-Type", "Authorization", "X-Requested-With", "Accept", "Origin")
.exposedHeaders("Authorization", "Jwttoken")
.allowCredentials(true)
.maxAge(3600);
πŸ€– Prompt for AI Agents
In src/main/java/com/wipro/fhir/config/CorsConfig.java around lines 16 to 23,
improve CORS security by trimming whitespace from each origin after splitting
allowedOrigins by commas, replacing allowedHeaders("*") with a specific list of
allowed headers instead of all headers, and ensure that allowCredentials(true)
is only used if allowedOriginPatterns are strictly defined and not overly broad
to prevent security risks.

}
}
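Review bot: `addCorsMappings` applies CORS at the Spring MVC handler-mapping level, so it only takes effect once a request reaches the DispatcherServlet; the example properties carry a `jwt.secret` and every controller in this PR requires an `Authorization` header, which suggests a JWT servlet filter runs earlier in the chain, and if that filter rejects requests lacking the header, browser preflight `OPTIONS` requests (which never carry `Authorization`) would be blocked before this mapping is ever consulted. Confirm the filter passes preflights through, or register the same configuration as a `CorsFilter` ordered ahead of it. The class also has no Javadoc; add one such as `/** Global CORS policy; supersedes the per-controller @CrossOrigin annotations. cors.allowed-origins is a comma-separated list of origin patterns. */` so the property format is documented next to the code that parses it. The trailing comment on `.exposedHeaders(...)` reads as a leftover note to self; either replace it with `// response headers that JavaScript clients are permitted to read` or drop it.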
Expand Up @@ -38,15 +38,15 @@
import io.lettuce.core.dynamic.annotation.Param;
import io.swagger.v3.oas.annotations.Operation;

@CrossOrigin

@RestController
@RequestMapping(value = "/careContext", headers = "Authorization", consumes = "application/json", produces = "application/json")
public class CareContextController {
private final Logger logger = LoggerFactory.getLogger(this.getClass().getName());
@Autowired
private CareContextService careContextService;

@CrossOrigin

@Operation(summary = "Generate OTP for care context linking")
@PostMapping(value = { "/generateOTPForCareContext" })
public String generateOTP(
Expand All @@ -69,7 +69,7 @@ public String generateOTP(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Validate OTP and create care context")
@PostMapping(value = { "/validateOTPAndCreateCareContext" })
public String validateOTPAndCreateCareContext(
Expand All @@ -94,7 +94,7 @@ public String validateOTPAndCreateCareContext(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Add care context to Mongo")
@PostMapping(value = { "/addCarecontextToMongo" })
public String saveCareContextToMongo(@Param(value = "{}") @RequestBody String request,
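Review bot: Each removed `@CrossOrigin` line is replaced by an empty line instead of being deleted, leaving two consecutive blank lines before `@RestController` and before each `@Operation` in this hunk; the same pattern appears in EAushadhiController, FacilityController, ResourceRequestGateway, GenerateHealthIDCardController, CreateHealthIDWithBio, CreateHealthIDWithMobileOTP, CreateHealthIDWithUID, CreateHealthIdRecord and HealthIDValidateController. Delete the lines outright rather than blanking them. With no remaining usage visible, the `org.springframework.web.bind.annotation.CrossOrigin` import is presumably now unused in each of these files (the import block sits above the hunk) and should be removed as well, otherwise the compiler warning will hide the fact that the per-controller policy is gone.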
Expand Up @@ -47,7 +47,7 @@
* @author DE40034072 Date 01-12-2021
*/

@CrossOrigin

@RestController
@RequestMapping(value = "/eAushadhi", headers = "Authorization", consumes = "application/json", produces = "application/json")
public class EAushadhiController {
Expand All @@ -56,7 +56,7 @@ public class EAushadhiController {
private EAushadhiService eAushadhiService;
private final Logger logger = LoggerFactory.getLogger(this.getClass().getName());

@CrossOrigin

@Operation(summary = "Getting store stock details from e-aushadhi")
@PostMapping(value = { "/getStoreStockDetails" })
public String getStoreStockDetails(@Param(value = "{\"facilityID\":\"Integer\"}") @RequestBody String request,
Expand Down Expand Up @@ -90,7 +90,7 @@ public String getStoreStockDetails(@Param(value = "{\"facilityID\":\"Integer\"}"
* @param Authorization
* @return sync dispense data and patient information to E-Aushadhi.
*/
@CrossOrigin

@Operation(summary = "Sync drug dispense data and patient details with e-aushadhi")
@PostMapping(value = { "/syncDrugDispenseDetails" })
public String syncDrugDispenseAndPatientDetails(
Expand All @@ -113,7 +113,7 @@ public String syncDrugDispenseAndPatientDetails(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Get log for stock processing")
@PostMapping(value = { "/getFacilityStockProcessLog" })
public String getFacilityStockProcessLog(@RequestBody String request) {
Expand All @@ -134,7 +134,7 @@ public String getFacilityStockProcessLog(@RequestBody String request) {
return response.toString();
}

@CrossOrigin

@Operation(summary = "Sync e-aushadhi for patient issue details")
@PostMapping(value = { "/updatePatientIssueSyncStatus" })
public String addFacility(@RequestBody String request) {
Expand Up @@ -20,7 +20,7 @@
import io.swagger.v3.oas.annotations.Operation;


@CrossOrigin

@RestController
@RequestMapping(value = "/facility", headers = "Authorization")
public class FacilityController {
Expand All @@ -31,7 +31,7 @@ public class FacilityController {

Logger logger = LoggerFactory.getLogger(this.getClass().getName());

@CrossOrigin

@Operation(summary = "Get ABDM Registered Facilities")
@GetMapping(value = { "/getAbdmRegisteredFacilities" })
public String getAbdmRegisteredFacilities(@RequestHeader(value = "Authorization") String Authorization) {
Expand All @@ -54,7 +54,7 @@ public String getAbdmRegisteredFacilities(@RequestHeader(value = "Authorization"
}


@CrossOrigin

@Operation(summary = "Get ABDM Registered Facilities")
@PostMapping(value = { "/saveAbdmFacilityId" })
public String saveAbdmFacilityForVisit(@RequestHeader(value = "Authorization") String Authorization, @RequestBody() String reqObj) {
Expand Up @@ -49,7 +49,7 @@
*
*/

@CrossOrigin

@RestController
@RequestMapping(value = "/get/resource", headers = "Authorization", consumes = "application/json", produces = "application/json")
public class ResourceRequestGateway {
Expand All @@ -73,7 +73,7 @@ public class ResourceRequestGateway {
* DocumentReference}
*
*/
@CrossOrigin

@Operation(summary = "Get OP consult record bundle")
@PostMapping(value = { "/OPConsultRecord" })
public String getPatientResource(@RequestBody ResourceRequestHandler patientResourceRequest,
Expand All @@ -100,7 +100,7 @@ public String getPatientResource(@RequestBody ResourceRequestHandler patientReso
* DocumentReference}
*
*/
@CrossOrigin

@Operation(summary = "Get diagnostic report record bundle")
@PostMapping(value = { "/DiagnosticReportRecord" })
public String getDiagnosticReportRecord(@RequestBody ResourceRequestHandler patientResourceRequest,
Expand All @@ -126,7 +126,7 @@ public String getDiagnosticReportRecord(@RequestBody ResourceRequestHandler pati
* || Organization || MedicationRequest || Binary}
*
*/
@CrossOrigin

@Operation(summary = "Get prescription record")
@PostMapping(value = { "/PrescriptionRecord" })
public String getPrescriptionRecord(@RequestBody ResourceRequestHandler patientResourceRequest,
Expand Up @@ -38,15 +38,15 @@
import io.lettuce.core.dynamic.annotation.Param;
import io.swagger.v3.oas.annotations.Operation;

@CrossOrigin

@RestController
@RequestMapping(value = "/healthIDCard", headers = "Authorization")
public class GenerateHealthIDCardController {
private final Logger logger = LoggerFactory.getLogger(this.getClass().getName());
@Autowired
private HealthID_CardService healthID_CardService;

@CrossOrigin

@Operation(summary = "Generate OTP for ABHA card")
@PostMapping(value = { "/generateOTP" })
public String mapHealthIDToBeneficiary(
Expand All @@ -68,7 +68,7 @@ public String mapHealthIDToBeneficiary(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Generate OTP for ABHA card")
@PostMapping(value = { "/verifyOTPAndGenerateHealthCard" })
public String verifyOTPAndGenerateHealthCard(
Expand Up @@ -17,7 +17,7 @@
import io.lettuce.core.dynamic.annotation.Param;
import io.swagger.v3.oas.annotations.Operation;

@CrossOrigin

@RestController
@RequestMapping(value = "/healthIDWithBio", headers = "Authorization")
public class CreateHealthIDWithBio {
Expand All @@ -26,7 +26,7 @@ public class CreateHealthIDWithBio {
@Autowired
private HealthIDWithBioService healthIDWithBioService;

@CrossOrigin

@Operation(summary = "Verify Bio")
@PostMapping(value = { "/verifyBio" })
public String verifyBio(@Param(value = "{\"Aadhaar\":\"String\", \"pid\":\"String\",\"bioType\":\"String\"}") @RequestBody String request,
Expand All @@ -50,7 +50,7 @@ public String verifyBio(@Param(value = "{\"Aadhaar\":\"String\", \"pid\":\"Strin
}


@CrossOrigin

@Operation(summary = "generate Mobile OTP")
@PostMapping(value = { "/generateMobileOTP" })
public String checkAndGenerateMobileOTP(
Expand All @@ -72,7 +72,7 @@ public String checkAndGenerateMobileOTP(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Confirm with Aadhaar Bio")
@PostMapping(value = { "/confirmWithAadhaarBio" })
public String confirmWithAadhaarBio(@Param(value = "{\"txnId\":\"String\", \"pid\":\"String\",\"bioType\":\"String\",\"authType\":\"String\"}") @RequestBody String request,
Expand Up @@ -40,7 +40,7 @@
import io.lettuce.core.dynamic.annotation.Param;
import io.swagger.v3.oas.annotations.Operation;

@CrossOrigin

@RestController
@RequestMapping(value = "/healthID", headers = "Authorization", consumes = "application/json", produces = "application/json")
public class CreateHealthIDWithMobileOTP {
Expand All @@ -56,7 +56,7 @@ public class CreateHealthIDWithMobileOTP {
* @param Authorization
* @return NDHM transactionID
*/
@CrossOrigin

@Operation(summary = "generate OTP")
@PostMapping(value = { "/generateOTP" })
public String generateOTP(@Param(value = "{\"mobile\":\"String\"}") @RequestBody String request,
Expand Down Expand Up @@ -84,7 +84,7 @@ public String generateOTP(@Param(value = "{\"mobile\":\"String\"}") @RequestBody
* @param Authorization
* @return Generated ABHA for Beneficiary
*/
@CrossOrigin

@Operation(summary = "verify OTP and generate ABHA")
@PostMapping(value = { "/verifyOTPAndGenerateHealthID" })
public String verifyOTPAndGenerateHealthID(
Expand Down Expand Up @@ -114,7 +114,7 @@ public String verifyOTPAndGenerateHealthID(
* @param comingRequest
* @return ABHA of Beneficiary
*/
@CrossOrigin()

@Operation(summary = "Get Beneficiary ABHA details")
@PostMapping(value = { "/getBenhealthID" })
public String getBenhealthID(
Expand All @@ -140,7 +140,7 @@ public String getBenhealthID(
return response.toString();
}

@CrossOrigin()

@Operation(summary = "Get Beneficiary Id for ABHA Id")
@PostMapping(value = { "/getBenIdForhealthID" })
public String getBenIdForhealthID(
Expand Up @@ -38,7 +38,7 @@
import io.lettuce.core.dynamic.annotation.Param;
import io.swagger.v3.oas.annotations.Operation;

@CrossOrigin

@RestController
@RequestMapping(value = "/healthIDWithUID", headers = "Authorization", consumes = "application/json", produces = "application/json")
public class CreateHealthIDWithUID {
Expand All @@ -47,7 +47,7 @@ public class CreateHealthIDWithUID {
@Autowired
private HealthIDWithUIDService HealthIDWithUIDService;

@CrossOrigin

@Operation(summary = "Generate OTP")
@PostMapping(value = { "/generateOTP" })
public String generateOTP(@Param(value = "{\"mobile\":\"String\"}") @RequestBody String request,
Expand All @@ -70,7 +70,7 @@ public String generateOTP(@Param(value = "{\"mobile\":\"String\"}") @RequestBody
return response.toString();
}

@CrossOrigin

@Operation(summary = "Verify OTP")
@PostMapping(value = { "/verifyOTP" })
public String verifyOTP(@Param(value = "{\"OTP\":\"String\", \"txnId\":\"String\"}") @RequestBody String request,
Expand All @@ -93,7 +93,7 @@ public String verifyOTP(@Param(value = "{\"OTP\":\"String\", \"txnId\":\"String\
return response.toString();
}

@CrossOrigin

@Operation(summary = "Check and generate OTP")
@PostMapping(value = { "/checkAndGenerateMobileOTP" })
public String checkAndGenerateMobileOTP(
Expand All @@ -117,7 +117,7 @@ public String checkAndGenerateMobileOTP(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Verify mobile OTP")
@PostMapping(value = { "/verifyMobileOTP" })
public String verifyMobileOTP(
Expand All @@ -141,7 +141,7 @@ public String verifyMobileOTP(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Create ABHA with UID")
@PostMapping(value = { "/createHealthIDWithUID" })
public String createHealthIDWithUID(
Expand Up @@ -16,7 +16,7 @@

import io.swagger.v3.oas.annotations.Operation;

@CrossOrigin

@RestController
@RequestMapping(value = "/healthIDRecord", headers = "Authorization", consumes = "application/json", produces = "application/json")
public class CreateHealthIdRecord {
Expand All @@ -32,7 +32,7 @@ public class CreateHealthIdRecord {
* @param Authorization
* @return BenRegID of beneficiary after mapping
*/
@CrossOrigin

@Operation(summary = "Map ABHA to beneficiary")
@PostMapping(value = { "/mapHealthIDToBeneficiary" })
public String mapHealthIDToBeneficiary(
Expand All @@ -54,7 +54,7 @@ public String mapHealthIDToBeneficiary(
}


@CrossOrigin

@Operation(summary = "Add New health ID record to healthId table")
@PostMapping(value = { "/addHealthIdRecord" })
public String addRecordToHealthIdTable(
Expand Up @@ -38,7 +38,7 @@
import io.lettuce.core.dynamic.annotation.Param;
import io.swagger.v3.oas.annotations.Operation;

@CrossOrigin

@RestController
@RequestMapping(value = "/validate", headers = "Authorization")
public class HealthIDValidateController {
Expand All @@ -47,7 +47,7 @@ public class HealthIDValidateController {
private HealthIDValidationService healthIDValidationService;
private final Logger logger = LoggerFactory.getLogger(this.getClass().getName());

@CrossOrigin

@Operation(summary = "Generate OTP for ABHA validation")
@PostMapping(value = { "/generateOTPForHealthIDValidation" })
public String generateOTPForHealthIDValidation(
Expand All @@ -70,7 +70,7 @@ public String generateOTPForHealthIDValidation(
return response.toString();
}

@CrossOrigin

@Operation(summary = "Verify OTP for ABHA validation")
@PostMapping(value = { "/verifyOTPForHealthIDValidation" })
public String verifyOTPForHealthIDValidation(