Kailona / ehr

Private Electronic Health Records in Nextcloud
GNU Affero General Public License v3.0

ContentSecurityPolicy blocked #78

Closed makuser closed 3 years ago

makuser commented 3 years ago

Steps to reproduce

  1. Install App on nextcloud.domain.tld and ibm-fhir-server on fhir.domain.tld
  2. Add New Physical Data
  3. Select Date and input some additional data
  4. Confirm

Expected behaviour

CSP is set properly (https://nextcloud-server.netlify.app/classes/ocp-appframework-http-contentsecuritypolicy) or FHIR Proxy service is used

Actual behaviour

Server configuration

Operating system: Debian GNU/Linux 10 (buster)

Web server: apache2:amd64/stable 2.4.38-3+deb10u4

Database: mariadb-server:all/stable 1:10.3.27-0+deb10u1

PHP version: php7.4-fpm:amd64/buster 7.4.16-1+0~20210305.42+debian10~1.gbpbbe65e

Nextcloud version: 21.0.1

Where did you install Nextcloud from: Nextcloud 11 and upgraded regularly

List of activated apps:

Enabled:
  - accessibility: 1.7.0
  - activity: 2.14.3
  - admin_audit: 1.11.0
  - bruteforcesettings: 2.1.0
  - calendar: 2.2.0
  - cloud_federation_api: 1.4.0
  - comments: 1.11.0
  - contacts: 3.5.1
  - contactsinteraction: 1.2.0
  - cookbook: 0.8.4
  - dashboard: 7.1.0
  - dav: 1.17.1
  - deck: 1.4.1
  - dicomviewer: 1.2.2
  - ehr: 0.1.5
  - external: 3.8.1
  - federatedfilesharing: 1.11.0
  - federation: 1.11.0
  - files: 1.16.0
  - files_external: 1.12.0
  - files_pdfviewer: 2.1.0
  - files_rightclick: 1.0.0
  - files_sharing: 1.13.1
  - files_trackdownloads: 1.10.0
  - files_trashbin: 1.11.0
  - files_versions: 1.14.0
  - files_videoplayer: 1.10.0
  - firstrunwizard: 2.10.0
  - groupfolders: 9.0.0
  - logreader: 2.6.0
  - lookup_server_connector: 1.9.0
  - mail: 1.9.5
  - maps: 0.1.8
  - metadata: 0.13.0
  - nextcloud_announcements: 1.10.0
  - notes: 4.0.4
  - notifications: 2.9.0
  - oauth2: 1.9.0
  - password_policy: 1.11.0
  - phonetrack: 0.6.7
  - photos: 1.3.0
  - previewgenerator: 3.1.1
  - privacy: 1.5.0
  - provisioning_api: 1.11.0
  - ransomware_protection: 1.10.0
  - recommendations: 1.0.0
  - richdocuments: 4.0.4
  - scanner: 0.2.1
  - serverinfo: 1.11.0
  - settings: 1.3.0
  - sharebymail: 1.11.0
  - socialsharing_diaspora: 2.2.0
  - socialsharing_email: 2.2.0
  - socialsharing_facebook: 2.2.0
  - socialsharing_twitter: 2.2.0
  - spreed: 11.1.2
  - support: 1.4.0
  - survey_client: 1.9.0
  - systemtags: 1.11.0
  - talk_matterbridge: 1.22.1
  - tasks: 0.13.6
  - text: 3.2.0
  - theming: 1.12.0
  - twofactor_backupcodes: 1.10.0
  - twofactor_totp: 6.0.0
  - twofactor_u2f: 6.1.0
  - updatenotification: 1.11.0
  - user_status: 1.1.1
  - viewer: 1.5.0
  - weather_status: 1.1.0
  - workflowengine: 2.3.0
Disabled:
  - encryption
  - facerecognition
  - ocsms
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "DE",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.domain.de",
            "cloud.domain.eu"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/cloud.domain.eu",
        "dbtype": "mysql",
        "version": "21.0.1.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "dbindex": 0
        },
        "updater.release.channel": "stable",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "587",
        "mail_smtpauthtype": "PLAIN",
        "app_install_overwrite": [
            "music",
            "audioplayer",
            "dicomviewer"
        ]
    }
}

or

<?php
$CONFIG = array (
  'instanceid' => 'occinstnace',
  'default_phone_region' => 'DE',
  'passwordsalt' => 'mysalt',
  'secret' => 'mysecret',
  'trusted_domains' => 
  array (
    0 => 'cloud.domain.de',
    1 => 'cloud.domain.eu',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'overwrite.cli.url' => 'https://cloud.domain.eu',
  'dbtype' => 'mysql',
  'version' => '21.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'mydb',
  'installed' => true,
  'filelocking.enabled' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'dbindex' => 0,
  ),
  'updater.release.channel' => 'stable',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_from_address' => 'cloud',
  'mail_domain' => 'domain.de',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'mail.hosting.com',
  'mail_smtpname' => 'cloud@domain.de',
  'mail_smtppassword' => 'mypassword',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpport' => '587',
  'mail_smtpauthtype' => 'PLAIN',
  'app_install_overwrite' => 
  array (
    0 => 'music',
    1 => 'audioplayer',
    2 => 'dicomviewer',
  ),
);

Client configuration

Browser: Firefox 87.0+build3-0ubuntu0.20.10.1

Operating system: Ubuntu 20.10

Logs

Nextcloud log (data/nextcloud.log)

Nothing about ehr unfortunately, even on loglevel 2/debug.

Browser log

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf https://fhir.domain.tld/fhir-server/api/v4/Observation/observation_uuid_hidden/_history/1 blockiert ("connect-src").
PhysicalData.PhysicalDataModule Error: Network Error
    exports createError.js:16
    onerror xhr.js:84
    exports xhr.js:81
    exports xhr.js:13
    exports dispatchRequest.js:52
    promise callback*i.prototype.request Axios.js:61
    e Axios.js:87
    exports bind.js:9
    e FHIRService.js:80
    u runtime.js:63
    _invoke runtime.js:293
    M runtime.js:118
    Babel 4
    value FHIRService.js:94
    e BaseResourceService.js:197
    u runtime.js:63
    _invoke runtime.js:293
    M runtime.js:118
    Babel 4
    value BaseResourceService.js:213
    e PhysicalDataService.js:115
    u runtime.js:63
    _invoke runtime.js:293
    M runtime.js:118
    Babel 4
    value PhysicalDataService.js:157
Logger.js:29:33
    value Logger.js:29
    e PhysicalDataModule.js:189
    u runtime.js:63
    _invoke runtime.js:293
    M runtime.js:118
    Babel 6
    PhysicalDataModule PhysicalDataModule.js:205
    PhysicalDataEditModal PhysicalDataEditModal.js:120
    React 12
    unstable_runWithPriority scheduler.production.min.js:19
    React 13
    unstable_runWithPriority scheduler.production.min.js:19
    React 6
    e App.js:69
    u runtime.js:63
    _invoke runtime.js:293
    M runtime.js:118
    Babel 6
    React 2
    unstable_runWithPriority scheduler.production.min.js:19
    React 9
    m index.js:26
    <anonym> index.js:33
    jQuery 9
    <anonym> index.js:29
    <anonym> main.js:292
    Webpack 5
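
The browser log above shows the request to fhir.domain.tld being blocked under the page's connect-src, and the expected behaviour asks for either a proper CSP or the proxy to be used. As an added illustration (not part of the original issue and not the ehr project's code), the following Python evaluates a page's CSP against a fetch target the way a browser does for connect-src, falling back to default-src when the directive is absent. The page origin and policy string are constructed assumptions modelled on the same-origin-only situation in the report; the matcher is a simplified version of the spec's source-expression rules.

```python
from urllib.parse import urlparse

# Constructed sample values (assumptions, not the reporter's real deployment):
# the Nextcloud page origin and a same-origin-only CSP of the kind the browser log complains about.
PAGE_ORIGIN = "https://cloud.domain.eu"
PAGE_CSP = "default-src 'none';connect-src 'self';script-src 'self';style-src 'self'"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    Per the spec, only the first occurrence of a directive counts."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict, directive: str) -> list:
    """Fetch directives such as connect-src fall back to default-src when absent."""
    return directives.get(directive, directives.get("default-src", []))


def _effective_port(parts):
    return parts.port or {"https": 443, "http": 80}.get(parts.scheme)


def source_matches(source: str, page_origin: str, url: str) -> bool:
    """Simplified CSP source-expression matching: 'self', 'none', '*', scheme-source
    (e.g. https:) and host-source with optional scheme, wildcard subdomain and port."""
    page, target = urlparse(page_origin), urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        # Simplification: exact origin match on scheme, host and effective port.
        return (page.scheme, page.hostname, _effective_port(page)) == \
               (target.scheme, target.hostname, _effective_port(target))
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return target.scheme == source[:-1]
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        if not (target.hostname or "").endswith(host[1:]):
            return False
    elif host != target.hostname:
        return False
    if src.port is not None and src.port != _effective_port(target):
        return False
    return True


def connect_allowed(csp: str, page_origin: str, url: str) -> bool:
    """Would a page served with `csp` from `page_origin` be allowed to fetch/XHR `url`?"""
    sources = effective_sources(parse_csp(csp), "connect-src")
    return any(source_matches(s, page_origin, url) for s in sources)


if __name__ == "__main__":
    blocked = "https://fhir.domain.tld/fhir-server/api/v4/Observation/observation_uuid_hidden/_history/1"
    via_gateway = "https://cloud.domain.eu/index.php/apps/ehr/fhir/Observation"
    print("direct FHIR call allowed:", connect_allowed(PAGE_CSP, PAGE_ORIGIN, blocked))      # False
    print("gateway call allowed:   ", connect_allowed(PAGE_CSP, PAGE_ORIGIN, via_gateway))  # True
```

The point the check makes concrete: under a same-origin connect-src, the app can only reach the FHIR server through a URL on the Nextcloud origin, so a Location header that still carries the upstream host (or a plain http:// scheme on an https page) will always be refused by the browser, whatever the gateway returns.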

ayselafsar commented 3 years ago

Thanks for the report!

It looks like the FHIR gateway was not able to replace the Location header returned from the FHIR server in the previous call. Could you please attach your Nextcloud server logs as well? Anything seen there?

makuser commented 3 years ago

Could you please attach your Nextcloud server logs as well? Anything seen there?

I set the loglevel to debug and performed the action again, but I do not get any log entries for the ehr app or any other module either.

makuser commented 3 years ago

I do have to note that an observation object gets created; I asked my FHIR server and got a list of several observations I created via ehr.

Unfortunately, even on page reload no data will be displayed in the physical data or vitals section. This is because ehr queries for code 34565-2 and does not get any objects, but if I ask for 8302-2, for example, I do get height objects. Is the FHIR server supposed to return objects based on their LOINC code hierarchy? Following the guide on kailona.org, neither ibmcom/ibm-fhir-server:4.4.2 nor updating to ibmcom/ibm-fhir-server:4.7.0 returns them. Do I have to import profiles or codes first, or is some parameter missing from the query? https://cloud.domain.eu/fhir-server/api/v4/Observation?patient=Patient/178ff57cb00-7227c644-e66d-45ad-8559-e71fe34960f5&category=http://hl7.org/fhir/ValueSet/observation-category|vital-signs&date=ge2019-09-24T22:00:00.582Z&date=le2021-04-25T21:59:59.582Z&code=http://loinc.org|34565-2&_include=Observation:has-member&_count=25

ayselafsar commented 3 years ago

Kailona creates individual observation resources for each data item, e.g. one for height, one for weight, etc. Then it gets the created individual observations and groups them in an observation category to display them in a single row in the table, so that is why it queries observation categories by panel LOINC codes such as 34565-2.

It gets the individually created observation using the Location header in the response of its POST call when it is created. However, I think the Location header is retrieved with your FHIR server URL instead of the FHIR gateway (Nextcloud URL) in your environment, so it can't get the individually created observations and can't create the observation category to display them in the table, although the individual observations are created.

Here is the code where it replaces the FHIR server URL in the Location header: https://github.com/Kailona/ehr/blob/master/lib/Service/FhirService.php#L173

Could you please check and let me know the Location header in the response of an individual observation POST call to confirm this issue?

makuser commented 3 years ago

Oh man... FHIR is really really really lacking transactions :/ So if I understand this correctly, the resource objects (containing values and actual value types, e.g. height, weight, etc.) have been created, but not the virtual linking object, the vital data panel? Sad that this still has not been addressed in the FHIR spec...

Unfortunately I have not been able to see a request where the Location header was set to the FHIR server.

I now tried to create a height entry, but the API proxy seems to return a 404 on the newly created Observation history, even though it even returns the actual history item...

ehr HTTP calls

```json
{ "log": { "version": "1.2", "creator": { "name": "Firefox", "version": "87.0" }, "browser": { "name": "Firefox", "version": "87.0" }, "pages": [ { "startedDateTime": "2021-04-26T15:52:47.662+02:00", "id": "page_2", "title": "eGA - Klaud", "pageTimings": { "onContentLoad": -1, "onLoad": -1 } } ], "entries": [ { "pageref": "page_2", "startedDateTime": "2021-04-26T15:52:47.662+02:00", "request": { "bodySize": 0, "method": "GET", "url": "https://cloud.domain.eu/index.php/apps/ehr/fhir/Observation?patient=Patient/178ff57cb00-7227c644-e66d-45ad-8559-e71fe34960f5&category=http://hl7.org/fhir/ValueSet/observation-category%7Cvital-signs&date=ge2019-09-25T22:00:00.568Z&date=le2021-04-26T21:59:59.568Z&code=http://loinc.org%7C34565-2&_include=Observation:has-member&_count=25", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Host", "value": "cloud.domain.eu" }, { "name": "User-Agent", "value": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0" }, { "name": "Accept", "value": "application/json, text/plain, */*" }, { "name": "Accept-Language", "value": "de-DE,de;q=0.8,en-US;q=0.5,en;q=0.3" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Cookie", "value": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=marc; nc_token=hidden; nc_session_id=hidden; oc_sessionPassphrase=hidden; occinstance=hidden" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache" } ], "cookies": [ { "name": "__Host-nc_sameSiteCookielax", "value": "true" }, { "name": "__Host-nc_sameSiteCookiestrict", "value": "true" }, { "name": "nc_username", "value": "marc" }, { "name": "nc_token", "value": "hidden" }, { "name": "nc_session_id", "value": "hidden" }, { "name": "oc_sessionPassphrase", "value": "hidden" }, { "name": "occinstance", "value": "hidden" } ], "queryString": [ { "name": "patient", "value": 
"Patient/178ff57cb00-7227c644-e66d-45ad-8559-e71fe34960f5" }, { "name": "category", "value": "http://hl7.org/fhir/ValueSet/observation-category|vital-signs" }, { "name": "date", "value": "ge2019-09-25T22:00:00.568Z" }, { "name": "date", "value": "le2021-04-26T21:59:59.568Z" }, { "name": "code", "value": "http://loinc.org|34565-2" }, { "name": "_include", "value": "Observation:has-member" }, { "name": "_count", "value": "25" } ], "headersSize": 1031 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Date", "value": "Mon, 26 Apr 2021 13:52:47 GMT" }, { "name": "Server", "value": "Apache/2.4.38 (Debian)" }, { "name": "Expires", "value": "Thu, 19 Nov 1981 08:52:00 GMT" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache, no-store, must-revalidate" }, { "name": "Strict-Transport-Security", "value": "max-age=15552000" }, { "name": "Content-Language", "value": "en-US" }, { "name": "Content-Encoding", "value": "gzip" }, { "name": "Content-Security-Policy", "value": "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'" }, { "name": "Feature-Policy", "value": "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'" }, { "name": "X-Robots-Tag", "value": "none" }, { "name": "Referrer-Policy", "value": "no-referrer" }, { "name": "X-Content-Type-Options", "value": "nosniff" }, { "name": "X-Download-Options", "value": "noopen" }, { "name": "X-Frame-Options", "value": "SAMEORIGIN" }, { "name": "X-Permitted-Cross-Domain-Policies", "value": "none" }, { "name": "X-XSS-Protection", "value": "1; mode=block" }, { "name": "Content-Length", "value": "388" }, { "name": "Keep-Alive", "value": "timeout=5, max=100" }, { "name": "Connection", "value": "Keep-Alive" }, { "name": "Content-Type", "value": "application/fhir+json" } ], "cookies": [], "content": { "mimeType": "application/fhir+json", "size": 598, "text": 
"{\"resourceType\":\"Bundle\",\"id\":\"8239c210-d598-41d3-8927-74f87f28f901\",\"type\":\"searchset\",\"total\":0,\"link\":[{\"relation\":\"self\",\"url\":\"https:\\/\\/cloud.domain.eu\\/apps\\/ehr\\/fhir\\/Observation?_count=25&patient=Patient\\/178ff57cb00-7227c644-e66d-45ad-8559-e71fe34960f5&category=http:\\/\\/hl7.org\\/fhir\\/ValueSet\\/observation-category%7Cvital-signs&date=ge2019-09-25T22:00:00.568Z&date=le2021-04-26T21:59:59.568Z&code=http:\\/\\/loinc.org%7C34565-2&_include=Observation:has-member:Observation&_include=Observation:has-member:MolecularSequence&_include=Observation:has-member:QuestionnaireResponse&_page=1\"}]}" }, "redirectURL": "", "headersSize": 841, "bodySize": 1229 }, "cache": {}, "timings": { "blocked": 1, "dns": 7, "connect": 27, "ssl": 28, "send": 0, "wait": 114, "receive": 0 }, "time": 177, "_securityState": "secure", "serverIPAddress": "1.2.3.4", "connection": "443" }, { "pageref": "page_2", "startedDateTime": "2021-04-26T15:53:14.730+02:00", "request": { "bodySize": 513, "method": "POST", "url": "https://cloud.domain.eu/index.php/apps/ehr/fhir/Observation", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Host", "value": "cloud.domain.eu" }, { "name": "User-Agent", "value": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0" }, { "name": "Accept", "value": "application/json, text/plain, */*" }, { "name": "Accept-Language", "value": "de-DE,de;q=0.8,en-US;q=0.5,en;q=0.3" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br" }, { "name": "Content-Type", "value": "application/json;charset=utf-8" }, { "name": "Content-Length", "value": "513" }, { "name": "Origin", "value": "https://cloud.domain.eu" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Cookie", "value": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=marc; nc_token=hidden; nc_session_id=hidden; oc_sessionPassphrase=hidden; occinstance=hidden" }, { "name": "Pragma", "value": "no-cache" }, { 
"name": "Cache-Control", "value": "no-cache" } ], "cookies": [ { "name": "__Host-nc_sameSiteCookielax", "value": "true" }, { "name": "__Host-nc_sameSiteCookiestrict", "value": "true" }, { "name": "nc_username", "value": "marc" }, { "name": "nc_token", "value": "hidden" }, { "name": "nc_session_id", "value": "hidden" }, { "name": "oc_sessionPassphrase", "value": "hidden" }, { "name": "occinstance", "value": "hidden" } ], "queryString": [], "headersSize": 855, "postData": { "mimeType": "application/json;charset=utf-8", "params": [], "text": "{\"resourceType\":\"Observation\",\"status\":\"final\",\"category\":[{\"coding\":[{\"system\":\"http://hl7.org/fhir/ValueSet/observation-category\",\"code\":\"vital-signs\",\"display\":\"Vital Signs\"}]}],\"code\":{\"coding\":[{\"system\":\"http://loinc.org\",\"code\":\"8302-2\",\"display\":\"Body height\"}],\"text\":\"Body height\"},\"subject\":{\"reference\":\"Patient/178ff57cb00-7227c644-e66d-45ad-8559-e71fe34960f5\"},\"effectiveDateTime\":\"2021-04-26T13:53:00.000Z\",\"valueQuantity\":{\"value\":175,\"unit\":\"cm\",\"system\":\"http://unitsofmeasure.org\",\"code\":\"cm\"}}" } }, "response": { "status": 302, "statusText": "Found", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Date", "value": "Mon, 26 Apr 2021 13:53:15 GMT" }, { "name": "Server", "value": "Apache/2.4.38 (Debian)" }, { "name": "Expires", "value": "Thu, 19 Nov 1981 08:52:00 GMT" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache, no-store, must-revalidate" }, { "name": "Strict-Transport-Security", "value": "max-age=15552000" }, { "name": "Content-Language", "value": "en-US" }, { "name": "Content-Encoding", "value": "gzip" }, { "name": "Content-Security-Policy", "value": "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'" }, { "name": "Feature-Policy", "value": "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'" }, { "name": "X-Robots-Tag", 
"value": "none" }, { "name": "Referrer-Policy", "value": "no-referrer" }, { "name": "X-Content-Type-Options", "value": "nosniff" }, { "name": "X-Download-Options", "value": "noopen" }, { "name": "X-Frame-Options", "value": "SAMEORIGIN" }, { "name": "X-Permitted-Cross-Domain-Policies", "value": "none" }, { "name": "X-XSS-Protection", "value": "1; mode=block" }, { "name": "Location", "value": "https://cloud.domain.eu/apps/ehr/fhir/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1" }, { "name": "ETag", "value": "W/\"1\"" }, { "name": "Last-Modified", "value": "Mon, 26 Apr 2021 13:53:15 GMT" }, { "name": "Content-Length", "value": "22" }, { "name": "Keep-Alive", "value": "timeout=5, max=100" }, { "name": "Connection", "value": "Keep-Alive" }, { "name": "Content-Type", "value": "application/json; charset=utf-8" } ], "cookies": [], "content": { "mimeType": "application/fhir+json", "size": 644, "comment": "Keine Response-Bodies enthalten" }, "redirectURL": "https://cloud.domain.eu/apps/ehr/fhir/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1", "headersSize": 1032, "bodySize": 1438 }, "cache": {}, "timings": { "blocked": 1, "dns": 344, "connect": 33, "ssl": 37, "send": 0, "wait": 126, "receive": 0 }, "time": 541, "_securityState": "secure", "serverIPAddress": "1.2.3.4", "connection": "443" }, { "pageref": "page_2", "startedDateTime": "2021-04-26T15:53:15.280+02:00", "request": { "bodySize": 0, "method": "GET", "url": "https://cloud.domain.eu/apps/ehr/fhir/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Host", "value": "cloud.domain.eu" }, { "name": "User-Agent", "value": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0" }, { "name": "Accept", "value": "application/json, text/plain, */*" }, { "name": "Accept-Language", "value": "de-DE,de;q=0.8,en-US;q=0.5,en;q=0.3" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br" 
}, { "name": "Connection", "value": "keep-alive" }, { "name": "Cookie", "value": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=marc; nc_token=hidden; nc_session_id=hidden; oc_sessionPassphrase=hidden; occinstance=hidden" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache" } ], "cookies": [ { "name": "__Host-nc_sameSiteCookielax", "value": "true" }, { "name": "__Host-nc_sameSiteCookiestrict", "value": "true" }, { "name": "nc_username", "value": "marc" }, { "name": "nc_token", "value": "hidden" }, { "name": "nc_session_id", "value": "hidden" }, { "name": "oc_sessionPassphrase", "value": "hidden" }, { "name": "occinstance", "value": "hidden" } ], "queryString": [], "headersSize": 805 }, "response": { "status": 404, "statusText": "Not Found", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Date", "value": "Mon, 26 Apr 2021 13:53:15 GMT" }, { "name": "Server", "value": "Apache/2.4.38 (Debian)" }, { "name": "Expires", "value": "Thu, 19 Nov 1981 08:52:00 GMT" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache, no-store, must-revalidate" }, { "name": "Strict-Transport-Security", "value": "max-age=15552000" }, { "name": "Content-Language", "value": "en-US" }, { "name": "Content-Encoding", "value": "gzip" }, { "name": "Content-Security-Policy", "value": "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'" }, { "name": "Feature-Policy", "value": "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'" }, { "name": "X-Robots-Tag", "value": "none" }, { "name": "Referrer-Policy", "value": "no-referrer" }, { "name": "X-Content-Type-Options", "value": "nosniff" }, { "name": "X-Download-Options", "value": "noopen" }, { "name": "X-Frame-Options", "value": "SAMEORIGIN" }, { "name": "X-Permitted-Cross-Domain-Policies", "value": "none" }, { "name": "X-XSS-Protection", "value": "1; mode=block" 
}, { "name": "ETag", "value": "W/\"1\"" }, { "name": "Last-Modified", "value": "Mon, 26 Apr 2021 13:53:15 GMT" }, { "name": "Content-Length", "value": "406" }, { "name": "Keep-Alive", "value": "timeout=5, max=99" }, { "name": "Connection", "value": "Keep-Alive" }, { "name": "Content-Type", "value": "application/fhir+json" } ], "cookies": [], "content": { "mimeType": "application/fhir+json", "size": 644, "text": "{\"resourceType\":\"Observation\",\"id\":\"1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8\",\"meta\":{\"versionId\":\"1\",\"lastUpdated\":\"2021-04-26T13:53:15.235364Z\"},\"status\":\"final\",\"category\":[{\"coding\":[{\"system\":\"http:\\/\\/hl7.org\\/fhir\\/ValueSet\\/observation-category\",\"code\":\"vital-signs\",\"display\":\"Vital Signs\"}]}],\"code\":{\"coding\":[{\"system\":\"http:\\/\\/loinc.org\",\"code\":\"8302-2\",\"display\":\"Body height\"}],\"text\":\"Body height\"},\"subject\":{\"reference\":\"Patient\\/178ff57cb00-7227c644-e66d-45ad-8559-e71fe34960f5\"},\"effectiveDateTime\":\"2021-04-26T13:53:00Z\",\"valueQuantity\":{\"value\":175,\"unit\":\"cm\",\"system\":\"http:\\/\\/unitsofmeasure.org\",\"code\":\"cm\"}}" }, "redirectURL": "", "headersSize": 906, "bodySize": 1312 }, "cache": {}, "timings": { "blocked": 0, "dns": 0, "connect": 0, "ssl": 0, "send": 0, "wait": 103, "receive": 0 }, "time": 103, "_securityState": "secure", "serverIPAddress": "1.2.3.4", "connection": "443" } ] } }
```

I asked my FHIR server at https://fhir.domain.eu/fhir-server/api/v4/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1, so basically the same query, and it returns 200 for the XML data.

manual calls

```json
{ "log": { "version": "1.2", "creator": { "name": "Firefox", "version": "87.0" }, "browser": { "name": "Firefox", "version": "87.0" }, "pages": [ { "startedDateTime": "2021-04-26T16:10:52.218+02:00", "id": "page_1", "title": "https://fhir.domain.eu/fhir-server/api/v4/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1", "pageTimings": { "onContentLoad": 134, "onLoad": 142 } } ], "entries": [ { "pageref": "page_1", "startedDateTime": "2021-04-26T16:10:52.218+02:00", "request": { "bodySize": 0, "method": "GET", "url": "https://fhir.domain.eu/fhir-server/api/v4/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Host", "value": "fhir.domain.eu" }, { "name": "User-Agent", "value": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0" }, { "name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" }, { "name": "Accept-Language", "value": "de-DE,de;q=0.8,en-US;q=0.5,en;q=0.3" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br" }, { "name": "Authorization", "value": "Basic hidden" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Upgrade-Insecure-Requests", "value": "1" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache" } ], "cookies": [], "queryString": [], "headersSize": 569 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Date", "value": "Mon, 26 Apr 2021 14:10:52 GMT" }, { "name": "Server", "value": "Apache/2.4.38 (Debian)" }, { "name": "ETag", "value": "W/\"1-gzip\"" }, { "name": "Last-Modified", "value": "Mon, 26 Apr 2021 13:53:15 GMT" }, { "name": "Content-Type", "value": "application/xml" }, { "name": "Content-Language", "value": "en-US" }, { "name": "Vary", "value": "Accept-Encoding" }, { "name": "Content-Encoding", "value": "gzip" }, { "name": "Content-Length", 
"value": "408" }, { "name": "Keep-Alive", "value": "timeout=5, max=100" }, { "name": "Connection", "value": "Keep-Alive" } ], "cookies": [], "content": { "mimeType": "application/xml", "size": 805, "text": "" }, "redirectURL": "", "headersSize": 332, "bodySize": 740 }, "cache": {}, "timings": { "blocked": 1, "dns": 7, "connect": 27, "ssl": 34, "send": 0, "wait": 43, "receive": 0 }, "time": 112, "_securityState": "secure", "serverIPAddress": "1.2.3.4", "connection": "443" } ] } }
```

ayselafsar commented 3 years ago

After a bit of investigation in your network, the Location header was set to https://cloud.domain.eu/apps/ehr/fhir/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1, but your environment runs on https://cloud.domain.eu/index.php/apps/ehr, so it misses index.php in the URL. Looks like $this->urlGenerator->getAbsoluteURL here sets it without index.php.

That is why you got 404. It should be fixed, but that does not explain your original issue with the FHIR URL.

makuser commented 3 years ago

After a bit of investigation in your network, the Location header was set to https://cloud.domain.eu/apps/ehr/fhir/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1, but your environment runs on https://cloud.domain.eu/index.php/apps/ehr, so it misses index.php in the URL. Looks like $this->urlGenerator->getAbsoluteURL here sets it without index.php.

Wow, that really does not make any sense, except if the nextcloud router somehow injects the 404, because it expects the URL to contain index.php..... So strange?

the API proxy seems to return a 404 on the newly created Observation history, even though it even returns the actual history item...

https://cloud.domain.eu/apps/ehr/fhir/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1 is reachable, returns the Observation object, but with a 404 code.

https://cloud.domain.eu/index.php/apps/ehr/fhir/Observation/1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8/_history/1 is also reachable, returns the same Observation object, just with a 200 code instead of 404.

What the hell 🤣

{"resourceType":"Observation","id":"1790e74a1e3-b8128d96-6e7d-43ec-b604-2bd9fc9921f8","meta":{"versionId":"1","lastUpdated":"2021-04-26T13:53:15.235364Z"},"status":"final","category":[{"coding":[{"system":"http:\/\/hl7.org\/fhir\/ValueSet\/observation-category","code":"vital-signs","display":"Vital Signs"}]}],"code":{"coding":[{"system":"http:\/\/loinc.org","code":"8302-2","display":"Body height"}],"text":"Body height"},"subject":{"reference":"Patient\/178ff57cb00-7227c644-e66d-45ad-8559-e71fe34960f5"},"effectiveDateTime":"2021-04-26T13:53:00Z","valueQuantity":{"value":175,"unit":"cm","system":"http:\/\/unitsofmeasure.org","code":"cm"}}

On a side note: I wanted to remove the index.php from my NC URLs forever, but never found the time to figure out how. I am already rewriting all index.php/* URLs properly, so that in theory I could access everything without index.php (such as the ehr observation resource above), I would just have to tell NC that it can actually omit that file from the path.... Looks like I'll be figuring this out after all and finally set it up today :)

makuser commented 3 years ago

Well would you look at that 😆 😆 I set htaccess.RewriteBase to '/' and regenerated my htaccess with occ maintenance:update:htaccess and now the ehr app works properly, as the URL in the Location now fits the resource that returns a 200. Great!

I would still consider this a bug, since apps should work either way, but at least you now found the origin of the bug.

ayselafsar commented 3 years ago

Great to hear that it worked for you. I also reproduced it with index.php in nextcloud url. We will fix it asap.

Thanks for your help identifying this issue.

MaxGitHubAccount commented 3 years ago

I also had a problem with the ContentSecurityPolicy. Using Apache, it was resolved by telling FHIR via the reverse proxy to still use https / 443:

RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"

as in https://github.com/Kailona/ehr/issues/51

makuser commented 3 years ago

I also had a problem with the ContentSecurityPolicy. Using Apache, it was resolved by telling FHIR via the reverse proxy to still use https / 443:

RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"

as in #51

Very interesting that you were able to solve it with those options, as the config I posted in #51, which contains those two options, is indeed the actual config that led me to experience the bug in the first place.

MaxGitHubAccount commented 3 years ago

Before applying those two settings I saw in the browser that links were called with http only, which was blocked.
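
The thread ends with three separate findings that all come down to the same gateway responsibility: the Location header coming back from the upstream FHIR server must be mapped onto the gateway's own base URL (ayselafsar's explanation of the POST/Location flow), that base must be the one the app is really served from (the missing index.php that produced the 404), and an upstream behind a TLS-terminating proxy without X-Forwarded-Proto will advertise http:// URLs (MaxGitHubAccount's fix). The following Python is an added example of that rewrite with the failure modes handled; it is not the ehr project's PHP code, and the upstream and gateway base URLs, header names and resource IDs are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed assumptions for this example: the upstream FHIR server base and the base
# the gateway is actually served from (note the index.php segment, which the thread
# found missing from the rewritten Location).
UPSTREAM_BASE = "https://fhir.domain.tld/fhir-server/api/v4"
GATEWAY_BASE = "https://cloud.domain.eu/index.php/apps/ehr/fhir"


def rewrite_location(location: str, upstream_base: str = UPSTREAM_BASE,
                     gateway_base: str = GATEWAY_BASE) -> str:
    """Map a Location/Content-Location value from the upstream onto the gateway base.

    The upstream host is matched case-insensitively and its scheme is ignored on
    purpose: behind a TLS-terminating reverse proxy that does not pass
    X-Forwarded-Proto, the upstream believes it is plain http and advertises
    http:// URLs. Relative (path-only) values are treated as upstream paths.
    Anything not under the upstream base raises, so the caller never forwards a
    redirect to a host the gateway does not front."""
    up = urlsplit(upstream_base)
    up_path = up.path.rstrip("/")
    loc = urlsplit(location)
    host = loc.netloc.lower() or up.netloc.lower()
    # Path-segment boundary check: /api/v4x/... must not count as under /api/v4.
    under_base = loc.path == up_path or loc.path.startswith(up_path + "/")
    if host != up.netloc.lower() or not under_base:
        raise ValueError(f"{location!r} is not under upstream base {upstream_base!r}")
    gw = urlsplit(gateway_base)
    return urlunsplit((gw.scheme, gw.netloc,
                       gw.path.rstrip("/") + loc.path[len(up_path):],
                       loc.query, ""))


REWRITTEN_HEADERS = ("location", "content-location")


def rewrite_headers(upstream_headers: dict) -> dict:
    """Copy upstream response headers for the client, rewriting the URL-bearing ones
    and dropping any that point outside the upstream base."""
    out = {}
    for name, value in upstream_headers.items():
        if name.lower() in REWRITTEN_HEADERS:
            try:
                value = rewrite_location(value)
            except ValueError:
                continue  # drop rather than leak a foreign or unrewritable URL
        out[name] = value
    return out


if __name__ == "__main__":
    # Constructed sample of what the upstream returns after a POST (the ID is made up);
    # the http:// scheme models an upstream that never saw X-Forwarded-Proto.
    upstream = {
        "Location": "http://fhir.domain.tld/fhir-server/api/v4/Observation/example-id/_history/1",
        "ETag": 'W/"1"',
    }
    print(rewrite_headers(upstream)["Location"])
    # -> https://cloud.domain.eu/index.php/apps/ehr/fhir/Observation/example-id/_history/1
```

Two design choices worth noting: the gateway base is configuration, not something derived from the upstream, so the index.php question from this thread is answered by whoever deploys the app (it must match the URL form the router actually serves, which makuser's RewriteBase change aligned); and a Location that cannot be mapped is dropped instead of passed through, because a same-origin connect-src would block it anyway and forwarding it would only move the failure into the browser.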