FHIR Api issue facing

Vignesh_Raghavan · October 10, 2023, 5:39am

Hi, How can I add a new routing URL and manage the query in FHIR API without token authorization? Also, I am facing another issue below the screenshot. I don’t know what that issue. Anyone pls help me solve below the issue.

adunsulag · October 10, 2023, 3:45pm

Read the error message. Somehow your encryption keys for oauth have the wrong permission setting. They need to be 600 or 660. Did you by chance change the values on these keys? They are supposed to auto-generate with the correct permission settings.

As for adding a new routing URL that bypasses token authorization, if you are doing this in a module you will want to look at the RestApiSecurityCheckEvent. You can use this event to skip security checks or add in your own security checks for the API.

Here is where the event is fired inside the HttpRestRouteHandler class:

github.com

openemr/openemr/blob/master/src/Common/Http/HttpRestRouteHandler.php#L273-L286

      
        
            $restApiSecurityCheckEvent = new RestApiSecurityCheckEvent($restRequest);
            $restApiSecurityCheckEvent->setRestRequest($restRequest);
            $restApiSecurityCheckEvent->setScopeType($scopeType);
            $restApiSecurityCheckEvent->setResource($resource);
            $restApiSecurityCheckEvent->setPermission($permission);
            $checkedRestApiSecurityCheckEvent = $GLOBALS['kernel']->getEventDispatcher()->dispatch($restApiSecurityCheckEvent, RestApiSecurityCheckEvent::EVENT_HANDLE);
            if (!$checkedRestApiSecurityCheckEvent instanceof RestApiSecurityCheckEvent) {
                throw new \RuntimeException("Invalid event object returned as part of dispatch");
            }
            if ($checkedRestApiSecurityCheckEvent->hasSecurityCheckFailedResponse()) {
                return $checkedRestApiSecurityCheckEvent->getSecurityCheckFailedResponse();
            } else if ($checkedRestApiSecurityCheckEvent->shouldSkipSecurityCheck()) {
                return true;
            }

If you are looking to modify the core files (NOT recommended) then check out

github.com

openemr/openemr/blob/master/src/Common/Http/HttpRestRouteHandler.php#L336-L348

      
        
            public static function fhirRestRequestSkipSecurityCheck(HttpRestRequest $restRequest): bool
            {
                // if someone is hitting the local api and have a valid CSRF token we skip the security check.
                // TODO: @adunsulag need to verify this assumption is correct
                if ($restRequest->isLocalApi()) {
                    return true;
                }
            
            
    $resource = $restRequest->getResource();
                // capability statement, smart well knowns, and operation definitions are skipped.
                $skippedChecks = ['metadata', '.well-known', 'OperationDefinition'];
                return array_search($resource, $skippedChecks) !== false;
            }