Fix: Disable JWT auth on platform /health endpoint (#1885)

philipliu · web-flow · commit 458e8ca7e5c6 · 2026-02-05T10:32:51.000-05:00
### Description

This disables the JWT auth requirement on the platform health endpoint.

### Context

If auth is enabled, using `/health` as a liveness probe will fail as it
expects JWT auth.

### Testing

- `./gradlew test`
- Tested locally that this disables auth on the `/health` endpoint.

### Documentation

N/A

### Known limitations

N/A
diff --git a/.github/workflows/sub_extended_tests.yml b/.github/workflows/sub_extended_tests.yml
@@ -157,7 +157,7 @@ jobs:
         uses: mydea/action-wait-for-api@v1
         with:
           url: "http://localhost:8085/health"
-          expected-status: "403"
+          expected-status: "200"
           interval: "1"
           timeout: "600"
 
@@ -183,7 +183,7 @@ jobs:
         uses: mydea/action-wait-for-api@v1
         with:
           url: "http://localhost:8085/health"
-          expected-status: "403"
+          expected-status: "200"
           interval: "1"
           timeout: "600"
 
diff --git a/core/src/main/java/org/stellar/anchor/filter/AbstractJwtFilter.java b/core/src/main/java/org/stellar/anchor/filter/AbstractJwtFilter.java
@@ -49,6 +49,11 @@ public void doFilter(
         request.getRequestURL().toString(),
         request.getQueryString());
 
+    if (shouldSkip(request)) {
+      filterChain.doFilter(servletRequest, servletResponse);
+      return;
+    }
+
     if (request.getMethod().equals("OPTIONS")) {
       filterChain.doFilter(servletRequest, servletResponse);
       return;
@@ -88,6 +93,10 @@ public abstract void check(
       String jwtCipher, HttpServletRequest request, ServletResponse servletResponse)
       throws Exception;
 
+  protected boolean shouldSkip(HttpServletRequest request) {
+    return false;
+  }
+
   private static void sendForbiddenError(HttpServletResponse response) throws IOException {
     error("Forbidden: JwtTokenFilter failed to authenticate the request.");
     response.setStatus(HttpStatus.SC_FORBIDDEN);
diff --git a/core/src/main/java/org/stellar/anchor/filter/ApiKeyFilter.java b/core/src/main/java/org/stellar/anchor/filter/ApiKeyFilter.java
@@ -47,6 +47,11 @@ public void doFilter(
         request.getRequestURL().toString(),
         request.getQueryString());
 
+    if (shouldSkip(request)) {
+      filterChain.doFilter(servletRequest, servletResponse);
+      return;
+    }
+
     if (request.getMethod().equals(OPTIONS)) {
       filterChain.doFilter(servletRequest, servletResponse);
       return;
@@ -63,6 +68,10 @@ public void doFilter(
     filterChain.doFilter(servletRequest, servletResponse);
   }
 
+  protected boolean shouldSkip(HttpServletRequest request) {
+    return "/health".equals(FilterUtils.getRequestPath(request));
+  }
+
   private static void sendForbiddenError(HttpServletResponse response) throws IOException {
     error("Forbidden: ApiKeyFilter failed to authenticate the request.");
     response.setStatus(HttpStatus.SC_FORBIDDEN);
diff --git a/core/src/main/java/org/stellar/anchor/filter/FilterUtils.java b/core/src/main/java/org/stellar/anchor/filter/FilterUtils.java
@@ -0,0 +1,31 @@
+package org.stellar.anchor.filter;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+final class FilterUtils {
+  static String getRequestPath(HttpServletRequest request) {
+    String servletPath = request.getServletPath();
+    if (servletPath != null && !servletPath.isEmpty()) {
+      return servletPath;
+    }
+
+    String pathInfo = request.getPathInfo();
+    if (pathInfo != null && !pathInfo.isEmpty()) {
+      return pathInfo;
+    }
+
+    String requestUri = request.getRequestURI();
+    if (requestUri == null) {
+      return "";
+    }
+
+    String contextPath = request.getContextPath();
+    if (contextPath != null && !contextPath.isEmpty() && requestUri.startsWith(contextPath)) {
+      return requestUri.substring(contextPath.length());
+    }
+
+    return requestUri;
+  }
+
+  private FilterUtils() {}
+}
diff --git a/core/src/main/java/org/stellar/anchor/filter/PlatformAuthJwtFilter.java b/core/src/main/java/org/stellar/anchor/filter/PlatformAuthJwtFilter.java
@@ -12,6 +12,11 @@ public PlatformAuthJwtFilter(JwtService jwtService, String authorizationHeader)
     super(jwtService, authorizationHeader);
   }
 
+  @Override
+  protected boolean shouldSkip(HttpServletRequest request) {
+    return "/health".equals(FilterUtils.getRequestPath(request));
+  }
+
   @Override
   public void check(String jwtCipher, HttpServletRequest request, ServletResponse servletResponse)
       throws Exception {
diff --git a/core/src/test/kotlin/org/stellar/anchor/filter/ApiKeyFilterTest.kt b/core/src/test/kotlin/org/stellar/anchor/filter/ApiKeyFilterTest.kt
@@ -111,6 +111,18 @@ internal class ApiKeyFilterTest {
     verify { mockFilterChain.doFilter(request, response) }
   }
 
+  @Test
+  fun `health endpoint bypasses api key auth`() {
+    every { request.method } returns "GET"
+    every { request.servletPath } returns "/health"
+    every { request.getHeader("X-Api-Key") } returns null
+
+    apiKeyFilter.doFilter(request, response, mockFilterChain)
+
+    verify { mockFilterChain.doFilter(request, response) }
+    verify(exactly = 0) { response.setStatus(HttpStatus.SC_FORBIDDEN) }
+  }
+
   @ParameterizedTest
   @ValueSource(strings = ["GET", "PUT", "POST", "DELETE"])
   fun `make sure FORBIDDEN is returned when the filter requires header names other than X-Api-Key`(
diff --git a/core/src/test/kotlin/org/stellar/anchor/filter/PlatformAuthJwtFilterTest.kt b/core/src/test/kotlin/org/stellar/anchor/filter/PlatformAuthJwtFilterTest.kt
@@ -0,0 +1,42 @@
+package org.stellar.anchor.filter
+
+import io.mockk.every
+import io.mockk.mockk
+import io.mockk.spyk
+import io.mockk.verify
+import jakarta.servlet.FilterChain
+import jakarta.servlet.http.HttpServletRequest
+import jakarta.servlet.http.HttpServletResponse
+import org.apache.hc.core5.http.HttpStatus
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.stellar.anchor.auth.JwtService
+
+internal class PlatformAuthJwtFilterTest {
+  private lateinit var jwtService: JwtService
+  private lateinit var request: HttpServletRequest
+  private lateinit var response: HttpServletResponse
+  private lateinit var mockFilterChain: FilterChain
+
+  @BeforeEach
+  fun setup() {
+    this.jwtService = mockk(relaxed = true)
+    this.request = mockk(relaxed = true)
+    this.response = mockk(relaxed = true)
+    this.mockFilterChain = mockk(relaxed = true)
+  }
+
+  @Test
+  fun `health endpoint bypasses jwt auth`() {
+    every { request.method } returns "GET"
+    every { request.servletPath } returns "/health"
+    every { request.getHeader("Authorization") } returns null
+    val filter = spyk(PlatformAuthJwtFilter(jwtService, "Authorization"))
+
+    filter.doFilter(request, response, mockFilterChain)
+
+    verify { mockFilterChain.doFilter(request, response) }
+    verify(exactly = 0) { response.setStatus(HttpStatus.SC_FORBIDDEN) }
+    verify(exactly = 0) { filter.check(any(), any(), any()) }
+  }
+}
