CorsPatchFilter NPE

Description

Fixes a bug where the CorsPatchFilter would throw an NPE on a request without an origin header.

Resolves #242 (closed)

Changes

CorsPatchFilter::requiresHeaderPatchCheck now returns false on requests without a header.

Test and Review

To be filled in by the reviewers

• All of the methods are commented to expectation

• The methods are tested to satisfaction

• There are no unnecessary files present in the MR

• The continuous integration has no problems with the MR

• The MR is filled in as requested (including labels, milestones, and reviewers)

• The documentation is up-to-date

• All nullable parameters are marked as such

core/src/main/java/nl/tudelft/ewi/auta/core/authentication/CorsPatchFilter.java

@@ -10,6 +10,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
 import org.springframework.web.filter.GenericFilterBean;
 
+import javax.annotation.Nullable;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
@@ -187,10 +188,12 @@ public class CorsPatchFilter extends GenericFilterBean {
      * @return {@code true} if the headers may need patching, {@code false} otherwise
      */
     private boolean requiresHeaderPatchCheck(
-            final HttpServletRequest req, final String origin
+            final HttpServletRequest req, final @Nullable String origin
     ) {
         final var allowedOrigins = this.settings.get("allowed API origins", List.class);
-        return allowedOrigins.contains(origin) && req.getRequestURI().startsWith("/api");
+        return origin != null
+                && allowedOrigins.contains(origin)
+                && req.getRequestURI().startsWith("/api");
     }
 
     /**