move path check to app access manager

src/main/kotlin/com/restapi/AppAccessManager.kt

@@ -2,6 +2,7 @@ package com.restapi
 
 import io.javalin.http.Context
 import io.javalin.http.Handler
+import io.javalin.http.HttpStatus
 import io.javalin.security.AccessManager
 import io.javalin.security.RouteRole
 import org.slf4j.LoggerFactory
@@ -10,6 +11,12 @@ class AppAccessManager : AccessManager {
     private val logger = LoggerFactory.getLogger("Access")
     override fun manage(handler: Handler, ctx: Context, routeRoles: Set<RouteRole>) {
         logger.warn("access {}, {}", ctx.pathParamMap(), routeRoles)
+        val regex = Regex("^[a-zA-Z0-9\\-_\\.]+$")
+
+        if(ctx.pathParamMap().values.count { !regex.matches(it) } > 0){
+         ctx.status(HttpStatus.FORBIDDEN).result("invalid request")
+        } else {
             handler.handle(ctx)
         }
+    }
 }

src/main/kotlin/com/restapi/Main.kt

@@ -103,17 +103,6 @@ fun main(args: Array<String>) {
 
                 NaiveRateLimit.requestPerTimeUnit(ctx, appConfig.rateLimit().getOrDefault(30), TimeUnit.MINUTES) // throws if rate limit is exceeded
 
-                //allow only alpha, numeric, hypen, underscore, dot in paths
-                val regex = Regex("^[a-zA-Z0-9\\-_\\.]+$")
-
-                ctx.path().split("/")
-                    .dropWhile { it.isEmpty() }
-                    .forEach {
-                        if (!it.matches(regex)) {
-                            throw IllegalArgumentException()
-                        }
-                    }
-
                 val authToken = ctx.header("Authorization")?.replace("Bearer ", "")
                     ?.replace("Bearer: ", "")
                     ?.trim() ?: throw UnauthorizedResponse()