Merge pull request #53 from beehyv/Vulnerability_fix

CHOAppSyncController - Request header vulnerability fix.

src/main/java/com/iemr/hwc/controller/choApp/CHOAppSyncController.java

@@ -8,6 +8,7 @@
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
@@ -31,7 +32,7 @@ public void setCHOAppSyncService(CHOAppSyncService choappSyncService) {
     @ApiOperation(value = "Sync new beneficiaries to AMRIT server", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/beneficiariesToServer" }, method = { RequestMethod.POST })
     public ResponseEntity<String> beneficiaryRegistrationSyncToServer(@RequestBody String comingReq,
-                                                              @RequestHeader(value = "Authorization") String Authorization) {
+                                                              @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.registerCHOAPPBeneficiary(comingReq, Authorization);
     }
@@ -40,7 +41,7 @@ public ResponseEntity<String> beneficiaryRegistrationSyncToServer(@RequestBody S
     @ApiOperation(value = "Sync beneficiaries from AMRIT server to CHO App", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/beneficiariesToApp" }, method = { RequestMethod.POST })
     public ResponseEntity<String> beneficiarySyncToAppLocal(@RequestBody SyncSearchRequest villageIDAndLastSyncDate,
-                                                                      @RequestHeader(value = "Authorization") String Authorization) {
+                                                                      @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.getBeneficiaryByVillageIDAndLastModifiedDate(villageIDAndLastSyncDate, Authorization);
     }
@@ -49,7 +50,7 @@ public ResponseEntity<String> beneficiarySyncToAppLocal(@RequestBody SyncSearchR
     @ApiOperation(value = "Returns count of beneficiaries to be synced from AMRIT server to CHO App", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/beneficiariesToAppCount" }, method = { RequestMethod.POST })
     public ResponseEntity<String> beneficiarySyncToAppLocalCount(@RequestBody SyncSearchRequest villageIDAndLastSyncDate,
-                                                            @RequestHeader(value = "Authorization") String Authorization) {
+                                                            @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.countBeneficiaryByVillageIDAndLastModifiedDate(villageIDAndLastSyncDate, Authorization);
     }
@@ -59,7 +60,7 @@ public ResponseEntity<String> beneficiarySyncToAppLocalCount(@RequestBody SyncSe
     @RequestMapping(value = { "/benFlowStatusRecordsCount" }, method = {
             RequestMethod.POST })
     public ResponseEntity<String> flowStatusesSyncToAppLocalCount(@RequestBody SyncSearchRequest villageIDAndLastSyncDate,
-                                                             @RequestHeader(value = "Authorization") String Authorization) {
+                                                             @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.countFlowRecordsByVillageIDAndLastModifiedDate(villageIDAndLastSyncDate, Authorization);
     }
@@ -69,7 +70,7 @@ public ResponseEntity<String> flowStatusesSyncToAppLocalCount(@RequestBody SyncS
     @RequestMapping(value = { "/benFlowStatusRecordsToApp" }, method = {
             RequestMethod.POST })
     public ResponseEntity<String> flowStatusesSyncToAppLocal(@RequestBody SyncSearchRequest villageIDAndLastSyncDate,
-                                             @RequestHeader(value = "Authorization") String Authorization) {
+                                             @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
             return choappSyncService.getFlowRecordsByVillageIDAndLastModifiedDate(villageIDAndLastSyncDate, Authorization);
     }
@@ -78,7 +79,7 @@ public ResponseEntity<String> flowStatusesSyncToAppLocal(@RequestBody SyncSearch
     @ApiOperation(value = "Sync user activity logs to AMRIT server", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/userActivityLogsToServer" }, method = { RequestMethod.POST })
     public ResponseEntity<String> userActivityLogsSyncToServer(@RequestBody List<UserActivityLogs> logsList,
-                                                                      @RequestHeader(value = "Authorization") String Authorization) {
+                                                                      @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.saveUserActivityLogs(logsList, Authorization);
     }
@@ -88,7 +89,7 @@ public ResponseEntity<String> userActivityLogsSyncToServer(@RequestBody List<Use
     @RequestMapping(value = { "/beneficiaryGeneralOPDNurseFormDataToApp" }, method = { RequestMethod.POST })
     public ResponseEntity<String> beneficiaryNurseFormDataGeneralOPDSyncToAppLocal(
             @ApiParam(value = "{\"benRegID\":\"Long\",\"visitCode\":\"Long\"}") @RequestBody String comingRequest,
-            @RequestHeader(value = "Authorization") String Authorization) {
+            @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.getBeneficiaryNurseFormDataGeneralOPD(comingRequest, Authorization);
     }
@@ -97,7 +98,7 @@ public ResponseEntity<String> beneficiaryNurseFormDataGeneralOPDSyncToAppLocal(
     @ApiOperation(value = "Save beneficiaries nurse-form data CHO App to AMRIT server", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/generalOPDNurseFormDataToServer" }, method = { RequestMethod.POST })
     public ResponseEntity<String> beneficiaryNurseFormDataGeneralOPDSyncToServer(@RequestBody String comingRequest,
-                                                                                 @RequestHeader(value = "Authorization") String Authorization) {
+                                                                                 @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.saveBeneficiaryNurseFormDataGeneralOPD(comingRequest, Authorization);
     }
@@ -106,7 +107,7 @@ public ResponseEntity<String> beneficiaryNurseFormDataGeneralOPDSyncToServer(@Re
     @ApiOperation(value = "Save prescription templates to AMRIT server", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/prescriptionTemplatesToServer" }, method = { RequestMethod.POST })
     public ResponseEntity<String> prescriptionTemplatesToServer(@RequestBody List<PrescriptionTemplates> templateList,
-                                                               @RequestHeader(value = "Authorization") String Authorization) {
+                                                               @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.savePrescriptionTemplatesToServer(templateList, Authorization);
     }
@@ -115,7 +116,7 @@ public ResponseEntity<String> prescriptionTemplatesToServer(@RequestBody List<Pr
     @ApiOperation(value = "Fetch prescription templates for doctor to AMRIT server", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/{userID}/prescriptionTemplatesDataToApp" }, method = { RequestMethod.GET })
     public ResponseEntity<String> prescriptionTemplatesToApp(@PathVariable Integer userID,
-                                                                @RequestHeader(value = "Authorization") String Authorization) {
+                                                                @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.savePrescriptionTemplatesToApp(userID, Authorization);
     }
@@ -125,7 +126,7 @@ public ResponseEntity<String> prescriptionTemplatesToApp(@PathVariable Integer u
     @RequestMapping(value = { "/{userID}/prescriptionTemplates/{tempID}/delete" }, method = { RequestMethod.DELETE })
     public ResponseEntity<String> deleteTemplate(@PathVariable Integer userID,
                                                              @PathVariable Integer tempID,
-                                                             @RequestHeader(value = "Authorization") String Authorization) {
+                                                             @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.deletePrescriptionTemplates(userID, tempID);
     }
@@ -134,7 +135,7 @@ public ResponseEntity<String> deleteTemplate(@PathVariable Integer userID,
     @ApiOperation(value = "Create new event for outreach activity", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/activity/create" }, method = { RequestMethod.POST })
     public ResponseEntity<String> createNewOutreachActivity(@RequestBody OutreachActivity activity,
-                                                               @RequestHeader(value = "Authorization") String Authorization) {
+                                                               @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.createNewOutreachActivity(activity, Authorization);
     }
@@ -143,7 +144,7 @@ public ResponseEntity<String> createNewOutreachActivity(@RequestBody OutreachAct
     @ApiOperation(value = "Get list of all outreach activities by user", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/activity/{userId}/getAllByUser" }, method = { RequestMethod.GET })
     public ResponseEntity<String> getActivitiesByUser(@PathVariable Integer userId,
-                                                               @RequestHeader(value = "Authorization") String Authorization) {
+                                                               @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.getActivitiesByUser(userId, Authorization);
     }
@@ -152,7 +153,7 @@ public ResponseEntity<String> getActivitiesByUser(@PathVariable Integer userId,
     @ApiOperation(value = "Get an outreach activities by activityId", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/activity/{activityId}/getById" }, method = { RequestMethod.GET })
     public ResponseEntity<String> getActivityByIdr(@PathVariable Integer activityId,
-                                                      @RequestHeader(value = "Authorization") String Authorization) {
+                                                      @RequestHeader(HttpHeaders.AUTHORIZATION) String Authorization) {
 
         return choappSyncService.getActivityById(activityId, Authorization);
     }

src/main/java/com/iemr/hwc/controller/wo/LocationControllerWo.java

@@ -165,7 +165,7 @@ public String getLocDetailsBasedOnSpIDAndPsmIDNew(@RequestBody String comingRequ
     @CrossOrigin
     @ApiOperation(value = "Update health and wellness center coordinates", consumes = "application/json", produces = "application/json")
     @RequestMapping(value = { "/update/villageCoordinates" }, method = { RequestMethod.POST })
-    public String updateGeolocationVillage(@RequestBody String requestObj, @RequestHeader(value = "Authorization") String Authorization) {
+    public String updateGeolocationVillage(@RequestBody String requestObj) {
         OutputResponse response = new OutputResponse();
         try {
             logger.info("Request object for Geolocation update :" + requestObj);