From 925bdca9ae536ffb9481d76c7c438d4639322d94 Mon Sep 17 00:00:00 2001
From: Ryan Doherty
Date: Thu, 12 Feb 2026 22:08:19 -0500
Subject: [PATCH 1/3] Specify whitelist of paths where guests are allowed
---
 .../service/filter/ApiCheckLoginFilter.java | 47 +++++++++++++++++--
 1 file changed, 43 insertions(+), 4 deletions(-)
diff --git a/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java b/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
index a4a423050..0d5d9df8a 100644
--- a/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
+++ b/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
@@ -1,5 +1,7 @@
 package org.apidb.apicommon.service.filter;
 
+import java.util.List;
+
 import javax.annotation.Priority;
 
 import org.gusdb.wdk.service.filter.CheckLoginFilter;
@@ -7,11 +9,48 @@
 @Priority(30)
 public class ApiCheckLoginFilter extends CheckLoginFilter {
 
+ private static final List OPEN_FULL_PATHS = List.of(
+ "",
+ "login",
+ "ontologies/Categories",
+ "site-messages",
+ "user-profile-vocabularies",
+ "subscription-groups",
+ "oauth/state-token",
+ "users",
+ "user-password-reset",
+ "users/current",
+ "users/current/preferences",
+ "client-errors",
+ "record-types",
+ "record-types/dataset/searches/AllDatasets/reports/standard",
+ "record-types/organism/searches/GenomeDataTypes/reports/standard",
+ "record-types/genomic-sequence/searches/SequencesByTaxon",
+ "record-types/transcript/searches/GeneByLocusTag",
+ "record-types/transcript/searches/GenesByText"
+ );
+
+ private static final List OPEN_PATH_PREFIXES = List.of(
+ "system/metrics/count-page-view",
+ "temporary-files",
+ "temporary-results"
+ );
+
+ private boolean isOpenPath(String path) {
+ if (OPEN_FULL_PATHS.contains(path)) return true;
+ for(String openPrefix : OPEN_PATH_PREFIXES) {
+ if (path.startsWith(openPrefix)) return true;
+ }
+ return false;
+ }
+
+ @Override
+ protected boolean isValidTokenRequired(String path) {
+ return !isOpenPath(path);
+ }
+
 @Override
 protected boolean isGuestUserAllowed(String path) {
- if ((path.startsWith("jbrowse") && !path.startsWith("jbrowse2")) || path.startsWith("profileSet")) {
- return false;
- }
- return super.isGuestUserAllowed(path);
+ return isOpenPath(path);
 }
 }
From 84f41dde108af1e1d7f9b4b63a8af450656b32a9 Mon Sep 17 00:00:00 2001
From: Ryan Doherty
Date: Tue, 17 Feb 2026 22:31:56 -0500
Subject: [PATCH 2/3] Add record page paths for dataset and organism, open profileSet back up for dataPlotter, and add supplemental message when access denied
---
 .../service/filter/ApiCheckLoginFilter.java | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
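Review bot: The prefix allowlist in `isOpenPath` matches with a bare `startsWith`, so any path that merely begins with the characters of an entry (`temporary-files`, `temporary-results`, `system/metrics/count-page-view`) is treated as open, not only that endpoint and its sub-paths; a sibling endpoint whose name extends one of these strings would inherit guest access silently, and since `isGuestUserAllowed` and `isValidTokenRequired` are now both driven by this method, these two lists are the whole guest-visible surface. Anchoring the match on a segment boundary keeps the intent with a tighter rule: `if (path.equals(openPrefix) || path.startsWith(openPrefix + "/")) return true;`. The same unanchored `startsWith("profileSet")` appears in `isPathToSkip` in the second patch of this series. A short comment above each list stating that `OPEN_FULL_PATHS` is exact-match while `OPEN_PATH_PREFIXES` opens everything beneath an entry, and that the entries assume `path` arrives without a leading slash (presumably so, given the values, but the caller is not visible here), would help whoever extends them next.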
diff --git a/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java b/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
index 0d5d9df8a..ed666eda8 100644
--- a/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
+++ b/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
@@ -1,6 +1,7 @@
 package org.apidb.apicommon.service.filter;
 
 import java.util.List;
+import java.util.Map;
 
 import javax.annotation.Priority;
@@ -21,8 +22,11 @@ public class ApiCheckLoginFilter extends CheckLoginFilter {
 "user-password-reset",
 "users/current",
 "users/current/preferences",
+ "users/current/favorites/query",
 "client-errors",
+ "system/metrics/organism",
 "record-types",
+ "record-types/dataset/records",
 "record-types/dataset/searches/AllDatasets/reports/standard",
 "record-types/organism/searches/GenomeDataTypes/reports/standard",
 "record-types/genomic-sequence/searches/SequencesByTaxon",
@@ -36,6 +40,17 @@ public class ApiCheckLoginFilter extends CheckLoginFilter { "temporary-results" ); + private static final String ADDITIONAL_MESSAGE_TEMPLATE = + "\n\nRegistered users can obtain their API key here: %s/user/profile#serviceAccess" + "\n\nFor instructions on how to include the API key in your request, see: %s/static-content/content/PlasmoDB/webServices.html"; + + @Override + protected String getAdditionalUnauthorizedMessage() { + Map props = _wdkModel.getProperties(); + String clientBaseUrl = props.get("LOCALHOST") + props.get("WEBAPP_BASE_URL"); + return ADDITIONAL_MESSAGE_TEMPLATE.formatted(clientBaseUrl, clientBaseUrl); + } + private boolean isOpenPath(String path) { if (OPEN_FULL_PATHS.contains(path)) return true; for(String openPrefix : OPEN_PATH_PREFIXES) {
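Review bot: The subject says record page paths are opened for both dataset and organism, but the `@@ -21,8 +22,11 @@` hunk adds only `record-types/dataset/records`; there is no `record-types/organism/records` entry, so either the organism page is served through something else (perhaps the `system/metrics/organism` entry added alongside it) or it was left out. Because `OPEN_FULL_PATHS` is consulted with `contains`, `record-types/dataset/records` opens that exact path only and nothing beneath it — if individual records are fetched from a longer path, those requests will still require a token. The `List.of(` initializer this hunk edits starts and ends outside the hunk.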
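Review bot: `getAdditionalUnauthorizedMessage` concatenates `props.get("LOCALHOST")` and `props.get("WEBAPP_BASE_URL")` without checking for absence, so a missing property produces a link such as `null/user/profile#serviceAccess` in the text returned to the caller. Reading both through `props.getOrDefault(..., "")`, or failing loudly with `Objects.requireNonNull(props.get("LOCALHOST"), "LOCALHOST")` (which needs `java.util.Objects`), makes that outcome deliberate. The template also hard-codes `PlasmoDB` in the documentation URL inside a class in the shared `apicommon` package, which reads like a site-specific value that belongs in configuration next to `WEBAPP_BASE_URL`, and `%1$s` in both positions would let the base URL be passed once instead of twice. Building the absolute URL from the model's configured properties rather than from anything in the request is the right choice for a message that is shown to unauthenticated callers.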
@@ -53,4 +68,10 @@ protected boolean isValidTokenRequired(String path) {
 protected boolean isGuestUserAllowed(String path) {
 return isOpenPath(path);
 }
+
+ @Override
+ protected boolean isPathToSkip(String path) {
+ return path.startsWith("profileSet") || super.isPathToSkip(path);
+ }
+
 }
From 354681bdf5927ebc9615b515268db03fb1b96a57 Mon Sep 17 00:00:00 2001
From: Ryan Doherty
Date: Wed, 18 Feb 2026 11:30:32 -0500
Subject: [PATCH 3/3] Allow same access for endpoints with trailing slashes as without
---
 .../apicommon/service/filter/ApiCheckLoginFilter.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java b/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
index ed666eda8..e83e98a86 100644
--- a/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
+++ b/Service/src/main/java/org/apidb/apicommon/service/filter/ApiCheckLoginFilter.java
@@ -52,10 +52,18 @@ protected String getAdditionalUnauthorizedMessage() {
 }
 
 private boolean isOpenPath(String path) {
+ // get rid of trailing slashes
+ if (path.endsWith("/")) path = path.substring(0, path.length() - 1);
+
+ // check if path matches any open full paths
 if (OPEN_FULL_PATHS.contains(path)) return true;
+
+ // check if path prefix matches any open prefixes
 for(String openPrefix : OPEN_PATH_PREFIXES) {
 if (path.startsWith(openPrefix)) return true;
 }
+
+ // deny access to any other path
 return false;
 }
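Review bot: `isPathToSkip` now exempts every path beginning with `profileSet` from the filter, and nothing in the code records why dataPlotter needs a skip rather than an entry in `OPEN_FULL_PATHS`/`OPEN_PATH_PREFIXES`; a comment such as `// profileSet is requested by dataPlotter without a session; skip login processing rather than treating it as an open path` would preserve the rationale that currently lives only in the commit message. What a skipped path forgoes compared with an open one is decided in `CheckLoginFilter`, which is not visible here, so the difference deserves a sentence where the override sits. Putting `super.isPathToSkip(path)` first would read as the conventional extension of the parent rule, with the same result.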
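Review bot: The closing comment `// deny access to any other path` in the `@@ -52,10 +52,18 @@` hunk overstates what `isOpenPath` decides: returning false only says the path is not on the open lists, and whether the request is refused is up to `isValidTokenRequired` and `isGuestUserAllowed`, so `// not an open path: callers require a valid token and refuse guests` describes it accurately. The normalisation strips exactly one trailing slash, so `users//` becomes `users/` and stays closed — this fails safe, but it is inconsistent with the stated intent if the container does not collapse repeated slashes before the path reaches the filter, which is not visible here. Reassigning the `path` parameter works, but a local such as `String normalized = path.endsWith("/") ? path.substring(0, path.length() - 1) : path;` keeps the parameter untouched and makes the later checks visibly operate on the normalised value.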