From eb358c2bd19dc5cb9577470c8d1bd66ecb6c94f3 Mon Sep 17 00:00:00 2001
From: Gcolon021 <34667267+Gcolon021@users.noreply.github.com>
Date: Wed, 23 Oct 2024 15:08:39 -0400
Subject: [PATCH] [ALS-7554] User should not be able to search without a valid token (#208)

* Improve JWT open access validation

Enhanced JWTFilter to handle referer headers for open access requests, disallowing explorer-origin requests. Fixed several code formatting issues and improved logging for better error visibility.

* Update unauthorized message on session expiry

Changed the unauthorized error message to inform users their session has expired and prompt them to log in again. This enhances clarity and user experience by providing a specific reason for the authorization failure.
---
 .../edu/harvard/dbmi/avillach/security/JWTFilter.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/JWTFilter.java b/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/JWTFilter.java
index dc201c38..ba6b19a0 100755
--- a/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/JWTFilter.java
+++ b/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/JWTFilter.java
@@ -86,10 +86,19 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 // Everything else goes through PSAMA token introspection
 String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
 boolean isOpenAccessEnabled = picSureWarInit.isOpenAccessEnabled();
+ // get referer header
 if ( (StringUtils.isBlank(authorizationHeader) && isOpenAccessEnabled) || (StringUtils.isNotBlank(authorizationHeader) && authorizationHeader.length() <= 7 && isOpenAccessEnabled) ) {
+ String referer = requestContext.getHeaderString("Referer");
+ boolean isExplorer = referer != null && referer.contains("/explorer");
+ if (isExplorer) {
+ // If the request is coming from the explorer, we should not allow open access
+ logger.error("User is not authorized.");
+ requestContext.abortWith(PICSUREResponse.unauthorizedError("Your session has expired. Please log in again."));
+ }
+
 boolean isAuthorized = callOpenAccessValidationEndpoint(requestContext);
 if (!isAuthorized) {
 logger.error("User is not authorized.");
@@ -139,7 +148,6 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 }
 /**
- *
 * @param token
 * @param userIdClaim
 * @return
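Review bot: The new `if (isExplorer)` branch calls `requestContext.abortWith(...)` but does not return, so the method falls straight through to `callOpenAccessValidationEndpoint(requestContext)` — an outbound validation call (and, presumably, whatever follows the open-access block later in `filter`) still runs for a request that has already been rejected, and a later `abortWith` on that path may replace the 401 that was just set. Add `return;` immediately after the `abortWith` line so a rejected request leaves the filter at once. Separately, `Referer` is a client-supplied header that any non-browser caller can omit or rewrite, and `referer.contains("/explorer")` is a substring match, so this check only nudges the explorer UI back to login and cannot by itself enforce the "no search without a valid token" rule in the PR title; I would say so in the comment, e.g. `// Referer is client-controlled: this only sends the explorer UI back to login; the token check below is the real gate`. The enclosing `filter` method begins before and ends after this hunk.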