Reverted includeUserID changes to ProxyController & hub cookie change…

…, added domain whitelist check to all webServices calls with auth header, fixed doPost implementation
AtlasOfLivingAustralia · Jul 31, 2024 · 14fc0d1 · 14fc0d1
1 parent 1339a2b
commit 14fc0d1
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 20 deletions.
diff --git a/grails-app/controllers/au/org/ala/biocollect/merit/ProxyController.groovy b/grails-app/controllers/au/org/ala/biocollect/merit/ProxyController.groovy
@@ -35,11 +35,11 @@ class ProxyController {
     }
 
     def features(){
-        render webService.get("${grailsApplication.config.spatial.layersUrl}/objects/${params.layerId}")
+        render webService.get("${grailsApplication.config.spatial.layersUrl}/objects/${params.layerId}", false)
     }
 
     def feature(){
-        render webService.get("${grailsApplication.config.spatial.layersUrl}/object/${params.featureId}")
+        render webService.get("${grailsApplication.config.spatial.layersUrl}/object/${params.featureId}", false)
     }
 
     def speciesProfile(String id) {

diff --git a/grails-app/services/au/org/ala/biocollect/merit/AdminService.groovy b/grails-app/services/au/org/ala/biocollect/merit/AdminService.groovy
@@ -195,6 +195,6 @@ class AdminService {
 
     def syncCollectoryOrgs() {
         def url = "${grailsApplication.config.ecodata.service.url}admin/syncCollectoryOrgs"
-        webService.doPost(url)
+        webService.doPost(url, [:])
     }
 }
diff --git a/grails-app/services/au/org/ala/biocollect/merit/SettingService.groovy b/grails-app/services/au/org/ala/biocollect/merit/SettingService.groovy
@@ -134,7 +134,7 @@ class SettingService {
 
         // Do not set cookie value to default hub since it overwrites genuine hub selection when calls are made with default hub.
         // This usually happens when calls are made without hub parameter like downloading images.
-        if (settings?.urlPath != defaultHub || cookieService.getCookie(LAST_ACCESSED_HUB) == null)
+        if (settings?.urlPath != defaultHub)
             cookieService.setCookie(LAST_ACCESSED_HUB, settings?.urlPath, -1 /* -1 means the cookie expires when the browser is closed */, '/')
         GrailsWebRequest.lookup().params.hub = settings?.urlPath
         SettingService.setHubConfig(settings)

diff --git a/grails-app/services/au/org/ala/biocollect/merit/WebService.groovy b/grails-app/services/au/org/ala/biocollect/merit/WebService.groovy
@@ -78,14 +78,25 @@ class WebService {
         grailsApplication.config.webservice.readTimeout as int
     }
 
+    private void addAuthForAllowedDomains(URLConnection conn) {
+        def host = conn.getURL().getHost()
+        for (int domIndex = 0; domIndex < WHITE_LISTED_DOMAINS.size(); domIndex++) {
+            if (host.endsWith(WHITE_LISTED_DOMAINS[domIndex])) {
+                conn.setRequestProperty("Authorization", getAuthHeader())
+                break
+            }
+        }
+    }
+
     private URLConnection configureConnection(String url, boolean includeUserId, Integer timeout = null) {
-        def connUrl = new URL(url)
-        URLConnection conn = connUrl.openConnection()
+        URLConnection conn = (new URL(url)).openConnection()
 
         def readTimeout = timeout?:defaultTimeout()
         conn.setConnectTimeout(grailsApplication.config.getProperty("webservice.connectTimeout", Integer))
         conn.setReadTimeout(readTimeout)
+
         addHubUrlPath(conn)
+        addAuthForAllowedDomains(conn)
 
         if (includeUserId) {
             def user = getUserService().getUser()
@@ -94,15 +105,6 @@ class WebService {
             }
         }
 
-        def host = connUrl.getHost()
-
-        for (int domIndex = 0; domIndex < WHITE_LISTED_DOMAINS.size(); domIndex++) {
-            if (host.endsWith(WHITE_LISTED_DOMAINS[domIndex])) {
-                conn.setRequestProperty("Authorization", getAuthHeader())
-                break
-            }
-        }
-
         conn
     }
 
@@ -265,7 +267,8 @@ class WebService {
             conn.setRequestMethod("POST")
             conn.setDoOutput(true)
             conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
-            conn.setRequestProperty("Authorization", getAuthHeader())
+
+            addAuthForAllowedDomains(conn)
             addHubUrlPath(conn)
 
             def user = getUserService().getUser()
@@ -301,8 +304,8 @@ class WebService {
             conn = new URL(url).openConnection()
             conn.setDoOutput(true)
             conn.setRequestProperty("Content-Type", "application/json;charset=${charEncoding}")
-            conn.setRequestProperty("Authorization", getAuthHeader())
 
+            addAuthForAllowedDomains(conn)
             addHubUrlPath(conn)
 
             def user = getUserService().getUser()
@@ -337,7 +340,8 @@ class WebService {
             conn.setRequestMethod("PUT")
             conn.setDoOutput(true)
             conn.setRequestProperty("Content-Type", "application/json;charset=${charEncoding}")
-            conn.setRequestProperty("Authorization", getAuthHeader())
+
+            addAuthForAllowedDomains(conn)
             addHubUrlPath(conn)
 
             def user = getUserService().getUser()
@@ -383,7 +387,8 @@ class WebService {
             conn.setDoOutput(true)
             conn.setRequestMethod("GET")
             conn.setRequestProperty("Content-Type", "${APPLICATION_JSON};charset=${StandardCharsets.UTF_8.toString()}");
-            conn.setRequestProperty("Authorization", getAuthHeader())
+
+            addAuthForAllowedDomains(conn)
             addHubUrlPath(conn)
 
             def user = getUserService().getUser()
@@ -411,7 +416,8 @@ class WebService {
         try {
             conn = new URL(url).openConnection()
             conn.setRequestMethod("DELETE")
-            conn.setRequestProperty("Authorization", getAuthHeader())
+
+            addAuthForAllowedDomains(conn)
             addHubUrlPath(conn)
 
             def user = getUserService().getUser()