...


Technique Used: Log/Trace Review

The preHandle method in tm-api intercepts each request and reads the Authorization header. If the header is missing or empty, the request proceeds without any validation (a fail-open path; the corrective action below closes it by returning 5002 for missing keys as well). Otherwise it tries to validate the session key with validator.checkKeyExists().

Currently the checkKeyExists method does not exist in tm-api, so the call falls back to common-api (which is wired to another service). That path throws a generic 5000 (GENERIC_FAILURE) error, so the key is never actually validated.

The correct checkKeyExists method should be implemented in tm-api itself to validate the login key and, optionally, to check that the key is being used from the IP address it was issued to.

Because preHandle does not handle this correctly, the failure surfaces through the generic error handler as 5000 (GENERIC_FAILURE) rather than as 5002 (USERID_FAILURE), which is what a rejected key should return. The OutputResponse class maps exceptions to status codes:

  • SUCCESS = 200

  • GENERIC_FAILURE = 5000

  • OBJECT_FAILURE = 5001

  • USERID_FAILURE = 5002

  • PASSWORD_FAILURE = 5003

  • ...

For IEMRException, the response sets:

  • statusCode = USERID_FAILURE (5002)

  • status = "User login failed"

  • errorMessage = <exception message>

Summary: The 5000 error occurs because the session key validation is missing in tm-api. Implementing checkKeyExists in tm-api ensures validation happens at an earlier stage, preventing fallback to common-api and returning proper error codes (like 5002) with meaningful messages.
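The interceptor shape the analysis above calls for, as an added example rather than tm-api's own code: preHandle() validates the session key in-service, treats a missing header the same as an invalid key, and maps every rejection to USERID_FAILURE (5002) so nothing reaches the generic 5000 path. It assumes Spring MVC with javax.servlet on the classpath (jakarta.servlet on Spring 6 / Boot 3); SessionKeyValidator with its in-memory map is a hypothetical stand-in for the Redis-backed session store, and the userId request attribute and JSON body layout are assumptions.

```java
// Added example, not tm-api's own code. Assumed: Spring MVC + javax.servlet
// (jakarta.servlet on Spring 6); SessionKeyValidator is a hypothetical stand-in
// for the Redis session store.
import java.io.IOException;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;

/** Status codes from the OutputResponse mapping above (only the ones used here). */
final class ResponseStatus {
    static final int SUCCESS = 200;
    static final int GENERIC_FAILURE = 5000;
    static final int USERID_FAILURE = 5002;
    private ResponseStatus() {}
}

/** Any session-key problem; OutputResponse maps this to 5002 / "User login failed". */
class IEMRException extends Exception {
    final String userId;   // null when the key never resolved to a user

    IEMRException(String message, String userId) { super(message); this.userId = userId; }
}

/** Hypothetical stand-in for the missing checkKeyExists(): key -> session (Redis in tm-api). */
class SessionKeyValidator {
    static final class Session {
        final String userId; final String ip; final Instant expiresAt;
        Session(String userId, String ip, Instant expiresAt) { this.userId = userId; this.ip = ip; this.expiresAt = expiresAt; }
    }
    private final Map<String, Session> store = new ConcurrentHashMap<>();

    void put(String key, Session session) { store.put(key, session); }

    /** Returns the userId bound to a live key; every rejection is an IEMRException, so none can surface as 5000. */
    String checkKeyExists(String key, String clientIp, boolean enforceIp) throws IEMRException {
        if (key == null || key.trim().isEmpty()) throw new IEMRException("Authorization header missing", null);
        Session s = store.get(key);
        if (s == null) throw new IEMRException("Invalid session key", null);
        if (!Instant.now().isBefore(s.expiresAt)) {
            store.remove(key);
            throw new IEMRException("Session key expired", s.userId);
        }
        if (enforceIp && !s.ip.equals(clientIp)) throw new IEMRException("Session key used from a different IP", s.userId);
        return s.userId;
    }
}

public class SessionKeyInterceptor implements HandlerInterceptor {
    private static final Logger LOG = Logger.getLogger(SessionKeyInterceptor.class.getName());
    private final SessionKeyValidator validator;
    private final boolean enforceIp;   // the "optionally the IP address" check

    public SessionKeyInterceptor(SessionKeyValidator validator, boolean enforceIp) {
        this.validator = validator;
        this.enforceIp = enforceIp;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
        String key = request.getHeader("Authorization");
        String ip = request.getRemoteAddr();   // assumption: no reverse proxy; otherwise resolve the client IP first
        try {
            request.setAttribute("userId", validator.checkKeyExists(key, ip, enforceIp));
            return true;
        } catch (IEMRException e) {
            // The fields the corrective action asks for: userId, IP and timestamp, plus the reason.
            LOG.warning(String.format("session key rejected: userId=%s ip=%s at=%s reason=%s",
                    e.userId == null ? "unknown" : e.userId, ip, Instant.now(), e.getMessage()));
            writeFailure(response, ResponseStatus.USERID_FAILURE, "User login failed", e.getMessage());
            return false;   // short-circuit here; nothing reaches the common-api fallback
        }
    }

    /** The same three fields OutputResponse sets for IEMRException, written as the JSON body. */
    private static void writeFailure(HttpServletResponse response, int statusCode, String status, String errorMessage)
            throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.getWriter().write(String.format("{\"statusCode\":%d,\"status\":\"%s\",\"errorMessage\":\"%s\"}",
                statusCode, status, errorMessage.replace("\"", "\\\"")));
    }
}
```

Register it from a WebMvcConfigurer with registry.addInterceptor(new SessionKeyInterceptor(validator, true)) ahead of any interceptor that talks to common-api. Two design points: the missing-header case is rejected rather than waved through, which is the fail-open path the analysis describes, and the HTTP status is set to 401 here as an assumption; the page's OutputResponse carries the 5002 in the body, which the JSON above preserves either way.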



...


...

4. Corrective Actions (Fixes for this instance)

  • Added AuthorizationHeaderRequestWrapper to remove Authorization header after Redis session expiry.

  • Updated JwtUserIdValidationFilter to wrap request post JWT validation.

  • Prevented interceptors from checking Redis if session expired.

  • Ensured valid JWT token continues to work without forcing re-login.
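The wrapper and filter ordering the four bullets above describe, as an added example that is not the project's own code. It assumes javax.servlet (jakarta.servlet on Spring 6); JwtVerifier and SessionStore are hypothetical interfaces standing in for the real JWT check and the Redis lookup, and the jwtUserId request attribute is an assumption.

```java
// Added example, not the project's own code. Assumed: javax.servlet
// (jakarta.servlet on Spring 6); JwtVerifier and SessionStore are hypothetical
// stand-ins for the real JWT verifier and the Redis session lookup.
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Removes Authorization from every header accessor so no downstream interceptor can see it. */
class AuthorizationHeaderRequestWrapper extends HttpServletRequestWrapper {
    private static final String AUTH = "Authorization";

    AuthorizationHeaderRequestWrapper(HttpServletRequest request) { super(request); }

    @Override
    public String getHeader(String name) {
        return AUTH.equalsIgnoreCase(name) ? null : super.getHeader(name);
    }

    @Override
    public Enumeration<String> getHeaders(String name) {
        return AUTH.equalsIgnoreCase(name) ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
    }

    @Override
    public Enumeration<String> getHeaderNames() {
        List<String> names = new ArrayList<>();
        for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
            String n = e.nextElement();
            if (!AUTH.equalsIgnoreCase(n)) names.add(n);
        }
        return Collections.enumeration(names);
    }
}

/** Hypothetical collaborators: verify the JWT (signature, expiry) and check the session in Redis. */
interface JwtVerifier { String userIdIfValid(String token); }   // null when the token is invalid
interface SessionStore { boolean isAlive(String token); }

/** Runs before the interceptors; wraps the request only after the JWT has been verified. */
class JwtUserIdValidationFilter implements Filter {
    static final String USER_ID_ATTR = "jwtUserId";
    private final JwtVerifier jwt;
    private final SessionStore sessions;

    JwtUserIdValidationFilter(JwtVerifier jwt, SessionStore sessions) { this.jwt = jwt; this.sessions = sessions; }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String token = request.getHeader("Authorization");
        String userId = token == null ? null : jwt.userIdIfValid(token);
        if (userId != null) {
            request.setAttribute(USER_ID_ATTR, userId);   // identity travels on the request, not on the header
            if (!sessions.isAlive(token)) {
                // Valid JWT but the Redis session is gone: hide the header so the interceptors skip
                // the Redis lookup instead of failing on it, and the user is not forced to log in again.
                request = new AuthorizationHeaderRequestWrapper(request);
            }
        }
        chain.doFilter(request, res);
    }
}
```

The caveat a reviewer would raise: hiding the header only stays safe because the JWT check in the same filter has already authenticated the caller and recorded the identity on the request. With an interceptor that lets requests without an Authorization header through unvalidated, as the analysis above describes, the wrapper turns "session expired" into "no credentials present", so downstream code must take identity from the attribute and never from header presence.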

Action: Implement checkKeyExists in tm-api to validate the session/login key and optionally the IP. Update preHandle to call this method for requests with Authorization headers and return USERID_FAILURE (5002) for invalid or missing keys, avoiding fallback to common-api. Add logging for failed validations including userId, IP, and timestamp. Test the flow to ensure invalid or missing keys are blocked and proper status codes are returned.

Owner: Developer

Target Date: 06 Aug

Status: Completed


...

5. Preventive Actions (To prevent recurrence)

Action: Include session expiry test cases in the regression suite.

Action: Validate the fallback logic when the Redis session is missing but the JWT is present.

Owner: QA


...

6. Verification of Effectiveness

  • Tested session expiry scenarios with valid JWT token.

  • Confirmed wrapped requests bypass Redis session fetch errors.

  • Verified uninterrupted access to protected endpoints post-timeout.

  • Session key validation in tm-api was tested using valid and expired JWT tokens. Requests correctly return USERID_FAILURE (5002) for invalid/missing keys. Protected endpoints remain accessible for valid sessions, fallback to common-api no longer occurs, and no forced re-login is observed after Redis expiry.

...

7. Lessons Learned

  • Always implement critical validation logic (checkKeyExists) within the service itself to prevent fallback to external services and avoid generic errors.

  • Proper error mapping and meaningful status codes improve troubleshooting and user experience.

  • Session handling should account for expiry, Redis failures, and IP validation to maintain secure and uninterrupted access.

  • Early testing of authentication and session scenarios prevents recurrence of similar issues.

  • Logging and monitoring of failed validations are essential for quick detection and resolution of issues.

  • Redis expiry must not break the user flow when the JWT is valid.

  • Always ensure the standard Authorization header is available to interceptors.

  • Session-dependent logic should fall back gracefully when the cache is missing.

  • Avoid a hard dependency on Redis presence for the authentication flow.

...

8. CAPA Review & Closure

Reviewed By | Date | Remarks



...