feat: record adapter caller in audit log and forward correlation headers#250
Gcolon021 wants to merge 4 commits into
AuditLoggingFilter records the X-Client-Type header as metadata.caller; ProxyWebClient forwards x-session-id and x-client-type to proxied services.
Walkthrough
Changes: X-Client-Type header forwarding and audit logging
Actionable comments posted: 1
Inline comments:
In `@pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/AuditLoggingFilter.java`:
- Around lines 212-214: trim the X-Client-Type header before using it in AuditLoggingFilter so whitespace-only values are treated as empty. Update the caller handling around the httpServletRequest.getHeader("X-Client-Type") lookup to normalize the value first, then only populate metadata.put("caller", caller) when the trimmed result is non-empty.
Files selected for processing (4):
- pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/security/AuditLoggingFilter.java
- pic-sure-api-war/src/test/java/edu/harvard/dbmi/avillach/security/AuditLoggingFilterTest.java
- pic-sure-resources/pic-sure-resource-api/src/main/java/edu/harvard/dbmi/avillach/service/ProxyWebClient.java
- pic-sure-resources/pic-sure-resource-api/src/test/java/edu/harvard/dbmi/avillach/service/ProxyWebClientTest.java
String caller = httpServletRequest.getHeader("X-Client-Type");
if (caller != null && !caller.isEmpty()) {
    metadata.put("caller", caller);
🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win
Trim X-Client-Type before storing caller.
Whitespace-only header values still pass this check and get recorded as a real caller, which pollutes audit metadata. Normalize first so the field is omitted unless it has an actual value.
Suggested fix
String caller = httpServletRequest.getHeader("X-Client-Type");
-if (caller != null && !caller.isEmpty()) {
- metadata.put("caller", caller);
+if (caller != null) {
+ caller = caller.trim();
+ if (!caller.isEmpty()) {
+ metadata.put("caller", caller);
+ }
}
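Review bot: trimming covers the whitespace-only case, but the value that reaches `metadata.put("caller", caller)` is still copied verbatim from a client-controlled header, so an X-Client-Type value carrying embedded CR/LF or an oversized string is written into the audit record unchanged. Before the `put`, consider also rejecting control characters and capping the length (or matching the value against the set of known adapter client types, since the PR's purpose is to record the adapter caller), and add a case to AuditLoggingFilterTest for the whitespace-only header that this hunk now omits.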
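As an added example (not code from this PR or the pic-sure project), a normaliser for the X-Client-Type value that goes one step past the suggested trim: it also drops values containing control characters and caps the length, so a client cannot push line breaks or arbitrarily long strings into the audit log. The class name, `MAX_CALLER_LENGTH` and the sample inputs are assumptions made here.

```java
import java.util.Optional;
import java.util.regex.Pattern;

// Added example, not part of the PR: normalises a client-supplied header value
// before it is recorded as audit metadata.
public final class CallerHeaderNormalizer {

    // Assumed limit; the PR does not define one.
    private static final int MAX_CALLER_LENGTH = 64;
    // Printable ASCII only: rejects CR, LF, tabs and other control bytes.
    private static final Pattern PRINTABLE_ASCII = Pattern.compile("[\\x20-\\x7E]+");

    private CallerHeaderNormalizer() {}

    /** Returns the value to store as metadata.caller, or empty if it should be omitted. */
    public static Optional<String> normalize(String rawHeader) {
        if (rawHeader == null) {
            return Optional.empty();
        }
        String caller = rawHeader.trim();
        if (caller.isEmpty()) {
            return Optional.empty();      // whitespace-only header: omit, as the review suggests
        }
        if (!PRINTABLE_ASCII.matcher(caller).matches()) {
            return Optional.empty();      // control characters present: drop rather than log
        }
        if (caller.length() > MAX_CALLER_LENGTH) {
            caller = caller.substring(0, MAX_CALLER_LENGTH);
        }
        return Optional.of(caller);
    }

    public static void main(String[] args) {
        // Constructed inputs: absent, whitespace-only, padded, and CRLF-embedded.
        String[] samples = { null, "   ", " adapter-ui ", "cli\r\nadmin=true" };
        for (String s : samples) {
            String shown = s == null ? "null" : s.replace("\r\n", "\\r\\n");
            System.out.printf("%-20s -> %s%n", shown,
                    normalize(s).map(v -> "caller=" + v).orElse("(omitted)"));
        }
    }
}
```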
These files are intended to test endpoints in the application similar to postman