From ea142123377bd337c0c5b8a19cd492b06053f79f Mon Sep 17 00:00:00 2001
From: "gowthaman.b"
Date: Sat, 11 Nov 2023 11:41:47 +0530
Subject: [PATCH] move path check to app access manager
---
 src/main/kotlin/com/restapi/AppAccessManager.kt | 9 ++++++++-
 src/main/kotlin/com/restapi/Main.kt | 11 -----------
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/src/main/kotlin/com/restapi/AppAccessManager.kt b/src/main/kotlin/com/restapi/AppAccessManager.kt
index 410dc88..b84e445 100644
--- a/src/main/kotlin/com/restapi/AppAccessManager.kt
+++ b/src/main/kotlin/com/restapi/AppAccessManager.kt
@@ -2,6 +2,7 @@ package com.restapi
 import io.javalin.http.Context
 import io.javalin.http.Handler
+import io.javalin.http.HttpStatus
 import io.javalin.security.AccessManager
 import io.javalin.security.RouteRole
 import org.slf4j.LoggerFactory
@@ -10,6 +11,12 @@ class AppAccessManager : AccessManager {
     private val logger = LoggerFactory.getLogger("Access")
     override fun manage(handler: Handler, ctx: Context, routeRoles: Set) {
         logger.warn("access {}, {}", ctx.pathParamMap(), routeRoles)
-        handler.handle(ctx)
+        val regex = Regex("^[a-zA-Z0-9\\-_\\.]+$")
+
+        if(ctx.pathParamMap().values.count { !regex.matches(it) } > 0){
+            ctx.status(HttpStatus.FORBIDDEN).result("invalid request")
+        } else {
+            handler.handle(ctx)
+        }
     }
 }
\ No newline at end of file
diff --git a/src/main/kotlin/com/restapi/Main.kt b/src/main/kotlin/com/restapi/Main.kt
index 1bf9a7e..9b9594e 100644
--- a/src/main/kotlin/com/restapi/Main.kt
+++ b/src/main/kotlin/com/restapi/Main.kt
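Review bot: The allow-list regex in `manage` is rebuilt on every request and the `count { … } > 0` test is a roundabout `any`; hoist it to a field carrying the explanatory comment that the Main.kt hunk drops, `private val pathParamPattern = Regex("^[a-zA-Z0-9\\-_\\.]+$") // allow only alpha, numeric, hyphen, underscore, dot in path params`, and test with `if (ctx.pathParamMap().values.any { !pathParamPattern.matches(it) }) {`. Note that the pattern accepts `.` and `..`, so if any path parameter ever ends up in a filesystem path this check alone does not confine it; reject those two values explicitly or resolve and confine the path where it is used. The check now covers only declared path parameters rather than every segment of `ctx.path()` as the removed Main.kt code did, which is fine for static route segments but worth stating in the comment. A malformed parameter is a client error, so `HttpStatus.BAD_REQUEST` describes the rejection better than `FORBIDDEN`.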
@@ -103,17 +103,6 @@ fun main(args: Array) {
         NaiveRateLimit.requestPerTimeUnit(ctx, appConfig.rateLimit().getOrDefault(30), TimeUnit.MINUTES) // throws if rate limit is exceeded
-        //allow only alpha, numeric, hypen, underscore, dot in paths
-        val regex = Regex("^[a-zA-Z0-9\\-_\\.]+$")
-
-        ctx.path().split("/")
-            .dropWhile { it.isEmpty() }
-            .forEach {
-                if (!it.matches(regex)) {
-                    throw IllegalArgumentException()
-                }
-            }
-
         val authToken = ctx.header("Authorization")?.replace("Bearer ", "")
             ?.replace("Bearer: ", "")
             ?.trim() ?: throw UnauthorizedResponse()