feature/Check Auth headers ambiguity

2026-02-06 17:56:46 +00:00 · 2025-01-06 10:05:00 +01:00 · 2025-01-06 10:05:00 +01:00 · 18d6767e34
commit 18d6767e34
parent 0e36e2f761
3 changed files with 26 additions and 1 deletions
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@ -2969,8 +2969,13 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
    val title = s"Request Headers for verb: $verb, URL: $url"
    surroundDebugMessage(reqHeaders.map(h => h.name + ": " + h.values.mkString(",")).mkString, title)
    val remoteIpAddress = getRemoteIpAddress()
+
+    val authHeaders = AuthorisationUtil.getAuthorisationHeaders(reqHeaders)
+
    val res =
-      if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
+      if (authHeaders.size > 1) { // Check Authorization Headers ambiguity
+        Future { (Failure(ErrorMessages.AuthorizationHeaderAmbiguity + s"${authHeaders}"), None) }
+      } else if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
        Consent.applyBerlinGroupRules(APIUtil.`getConsent-ID`(reqHeaders), cc)
      } else if (APIUtil.hasConsentJWT(reqHeaders)) { // Open Bank Project's Consent
        val consentValue = APIUtil.getConsentJWT(reqHeaders)
--- a/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala
@ -0,0 +1,18 @@
+package code.api.util
+
+import code.api.RequestHeader._
+import net.liftweb.http.provider.HTTPParam
+
+object AuthorisationUtil {
+  def getAuthorisationHeaders(requestHeaders: List[HTTPParam]): List[String] = {
+    requestHeaders.map(_.name).filter {
+      case `Consent-Id`| `Consent-ID` | `Consent-JWT` => true
+      case "Authorization" => true
+      case "DirectLogin" => true
+      case "GatewayLogin" => true
+      case _ => false
+    }
+  }
+  
+
+}
--- a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
+++ b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@ -265,6 +265,8 @@ object ErrorMessages {
  val Oauth2IsNotRecognized = "OBP-20214: OAuth2 Access Token is not recognised at this instance."
  val Oauth2ValidateAccessTokenError = "OBP-20215: OAuth2 validate access token issue. "

+  val AuthorizationHeaderAmbiguity = "OBP-20250: Request headers cannot contain more than one authorization value. "
+
  // X.509
  val X509GeneralError = "OBP-20300: PEM Encoded Certificate issue."
  val X509ParsingFailed = "OBP-20301: Parsing failed for PEM Encoded Certificate."