Skip to content

Refactor to allow CSRF bypass, improve error logging for API authoring #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mgaffigan wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Refactor to allow CSRF bypass, improve error logging for API authoring #176

mgaffigan wants to merge 2 commits into from

Conversation

@mgaffigan
Copy link
Contributor

@mgaffigan mgaffigan commented Aug 26, 2025

  • Refactor to allow CSRF bypass (optional X-Requested-With header) on endpoints that opt-in with @DontRequireRequestedWith
  • Improve error logging for API authoring on a few sharp edges

In support for future merge of mgaffigan:feature/add-oidc-auth

@mgaffigan mgaffigan force-pushed the maint/add-server-error branch from ab26cad to 3cba2c1 Compare August 26, 2025 22:11
@mgaffigan mgaffigan mentioned this pull request Aug 27, 2025
Open
@mgaffigan mgaffigan force-pushed the maint/add-server-error branch from 3cba2c1 to c5443b7 Compare September 3, 2025 15:02
@mgaffigan
Copy link
Contributor Author

mgaffigan commented Sep 3, 2025

@tonygermano, rewrote history here as well by topic.

@kpalang kpalang requested review from a team, jonbartels, kayyagari, kpalang and tonygermano and removed request for a team September 8, 2025 15:32
kpalang
kpalang requested changes Oct 11, 2025
View reviewed changes
Copy link
Contributor

@kpalang kpalang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you explain why you've chosen to go with static configuration in the class instead of the previous instantiation approach?

@mgaffigan mgaffigan force-pushed the maint/add-server-error branch from c5443b7 to 8620766 Compare October 11, 2025 13:26
@mgaffigan mgaffigan requested a review from kpalang October 11, 2025 14:32
@kpalang kpalang requested a review from a team October 11, 2025 15:27
kpalang
kpalang previously approved these changes Oct 11, 2025
View reviewed changes
jonbartels
jonbartels previously approved these changes Oct 14, 2025
View reviewed changes
tonygermano
tonygermano requested changes Nov 26, 2025
View reviewed changes
Copy link
Member

@tonygermano tonygermano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made a few comments and questions. The headers should be addressed. The questions may just need to be answered with no changes if you don't think any are necessary.

I'm assuming that since there are not any methods yet which use the DontRequireRequestedWith annotation that it is not possible for someone to manually test whether it is working as intended or not?

@mgaffigan mgaffigan dismissed stale reviews from jonbartels and kpalang via 9b6b9f1 November 26, 2025 21:00
@mgaffigan mgaffigan force-pushed the maint/add-server-error branch from 8620766 to 9b6b9f1 Compare November 26, 2025 21:00
@mgaffigan
Copy link
Contributor Author

mgaffigan commented Nov 26, 2025

@tonygermano, as far as how to test the behavior dynamically:

  1. Test an existing API endpoint without X-Requested-With: foo, observe 400 response
  2. Test an existing API endpoint with X-Requested-With: foo, observe normal response
  3. Add annotation to an endpoint (example use), test without X-Requested-With, observe normal response

@mgaffigan mgaffigan force-pushed the maint/add-server-error branch 3 times, most recently from dbdadd3 to b5a5f4d Compare November 27, 2025 00:35
jonbartels
jonbartels previously approved these changes Dec 3, 2025
View reviewed changes
@pacmano1 pacmano1 requested review from Copilot and removed request for kpalang December 9, 2025 05:27
Copilot AI reviewed Dec 9, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the CSRF protection mechanism to support selective bypass via a @DontRequireRequestedWith annotation, and improves error logging for API provider registration issues. The changes migrate RequestedWithFilter from a servlet Filter to a JAX-RS ContainerRequestFilter to enable annotation-based access to resource metadata.

Key changes:

  • Introduced @DontRequireRequestedWith annotation for opt-in CSRF bypass on specific endpoints
  • Migrated RequestedWithFilter from servlet Filter to JAX-RS ContainerRequestFilter with annotation checking
  • Enhanced error logging to include stack traces when API provider registration fails

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
server/src/com/mirth/connect/server/api/DontRequireRequestedWith.java New annotation to mark methods/classes that don't require X-Requested-With header
server/src/com/mirth/connect/server/api/providers/RequestedWithFilter.java Refactored from servlet Filter to JAX-RS ContainerRequestFilter with annotation-based bypass logic
server/test/com/mirth/connect/server/api/providers/RequestedWithFilterTest.java Updated tests to match new ContainerRequestFilter implementation
server/src/com/mirth/connect/server/MirthWebServer.java Updated filter configuration to use static configure() method and register filter class
server/src/com/mirth/connect/server/api/MirthServlet.java Added null check with helpful error message for operation parameter
server/src/com/mirth/connect/client/core/Client.java Enhanced error logging to include throwable for better debugging
Comments suppressed due to low confidence (1)

server/test/com/mirth/connect/server/api/providers/RequestedWithFilterTest.java:80

  • The test suite is missing coverage for the new annotation-based bypass feature. Consider adding tests that verify:
  1. A request to a method annotated with @DontRequireRequestedWith succeeds without the header
  2. A request to a class annotated with @DontRequireRequestedWith succeeds without the header
  3. The annotation is properly ignored when server.api.require-requested-with is set to false

This is important functionality that should be tested to prevent regressions.

    @Test
    //assert that HttpServletResponse.sendError() is called when X-Requested-With is required but not present 
    public void testDoFilterRequestedWithTrue() {
        
        mirthProperties.setProperty("server.api.require-requested-with", "true");
        RequestedWithFilter.configure(mirthProperties);

        ContainerRequestContext mockCtx = Mockito.mock(ContainerRequestContext.class);
        when(mockCtx.getHeaders()).thenReturn(new javax.ws.rs.core.MultivaluedHashMap<String, String>());

        try {
            RequestedWithFilter filter = new RequestedWithFilter();
            filter.filter(mockCtx);
            ArgumentCaptor<Response> responseCaptor = 
                ArgumentCaptor.forClass(Response.class);
            verify(mockCtx).abortWith(responseCaptor.capture());
            Response response = responseCaptor.getValue();
            assertEquals(400, response.getStatus());
            assertEquals("All requests must have 'X-Requested-With' header", response.getEntity());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    
    @Test
    //assert that HttpServletResponse.sendError() is NOT called when X-Requested-With is not required and not present 
    public void testDoFilterRequestedWithFalse() {
        
        mirthProperties.setProperty("server.api.require-requested-with", "false");
        RequestedWithFilter.configure(mirthProperties);

        ContainerRequestContext mockCtx = Mockito.mock(ContainerRequestContext.class);
        when(mockCtx.getHeaders()).thenReturn(new javax.ws.rs.core.MultivaluedHashMap<String, String>());

        try {
            RequestedWithFilter filter = new RequestedWithFilter();
            filter.filter(mockCtx);
            verify(mockCtx, never()).abortWith(ArgumentMatchers.any(javax.ws.rs.core.Response.class));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

tonygermano
tonygermano requested changes Dec 13, 2025
View reviewed changes
Copy link
Member

@tonygermano tonygermano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replying to the copilot comments. One is to be ignored, one is a nitpick, and one requires changes.

I think I'm good to approve after the required changes are made.

@mgaffigan
Improve error messsages for a few sharp edges
8c5d5a7 
Signed-off-by: Mitch Gaffigan <mitch.gaffigan@comcast.net>
@mgaffigan mgaffigan force-pushed the maint/add-server-error branch from b5a5f4d to 61ee4d7 Compare December 13, 2025 18:33
@mgaffigan mgaffigan force-pushed the maint/add-server-error branch from 61ee4d7 to 90d853d Compare December 13, 2025 18:35
@mgaffigan
Refactor to allow CSRF bypass
d387729 
Signed-off-by: Mitch Gaffigan <mitch.gaffigan@comcast.net>
@mgaffigan mgaffigan force-pushed the maint/add-server-error branch from 90d853d to d387729 Compare December 13, 2025 18:38
NicoPiel
NicoPiel reviewed Dec 16, 2025
View reviewed changes
Copy link
Collaborator

@NicoPiel NicoPiel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Main concerns have already been addressed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonygermano tonygermano tonygermano approved these changes

Copilot code review Copilot Copilot left review comments

@kayyagari kayyagari kayyagari approved these changes

@jonbartels jonbartels jonbartels left review comments

@kpalang kpalang Awaiting requested review from kpalang

+1 more reviewer

@NicoPiel NicoPiel NicoPiel left review comments

Reviewers whose approvals may not affect merge requirements

At least 3 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mgaffigan @kayyagari @kpalang @jonbartels @NicoPiel @tonygermano