restrict api call to (admin) users with the correct api-key value

MeasureAuthoringTool · Dec 5, 2024 · 7c0de7c · 7c0de7c
1 parent fdc18cc
commit 7c0de7c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/main/java/cms/gov/madie/measure/resources/MeasureController.java b/src/main/java/cms/gov/madie/measure/resources/MeasureController.java
@@ -327,8 +327,12 @@ public ResponseEntity<MeasureSet> createCmsId(
   }
 
   @DeleteMapping("/measures/{measureId}/delete-cms-id")
+  @PreAuthorize("#request.getHeader('api-key') == #apiKey")
   public ResponseEntity<String> deleteCmsId(
-      @PathVariable String measureId, @RequestParam(name = "cmsId") Integer cmsId) {
+      HttpServletRequest request,
+      @PathVariable String measureId,
+      @RequestParam(name = "cmsId") Integer cmsId,
+      @Value("${admin-api-key}") String apiKey) {
     return ResponseEntity.status(HttpStatus.OK)
         .body(measureSetService.deleteCmsId(measureId, cmsId));
   }