USACE · vairav · Nov 13, 2025 · Nov 13, 2025 · Dec 8, 2025 · Dec 8, 2025
diff --git a/cwms-data-api/src/main/java/cwms/cda/api/TimeSeriesController.java b/cwms-data-api/src/main/java/cwms/cda/api/TimeSeriesController.java
@@ -18,6 +18,8 @@
 import cwms.cda.data.dto.TimeSeries;
 import cwms.cda.formatters.ContentType;
 import cwms.cda.formatters.Formats;
+import cwms.cda.helpers.AuthorizationContextHelper;
+import cwms.cda.helpers.AuthorizationFilterHelper;
 import cwms.cda.helpers.DateUtils;
 import io.javalin.apibuilder.CrudHandler;
 import io.javalin.core.util.Header;
@@ -389,6 +391,14 @@ public void getAll(@NotNull Context ctx) {
         try (final Timer.Context ignored = markAndTime(GET_ALL)) {
             DSLContext dsl = getDslContext(ctx);
 
+            AuthorizationContextHelper authHelper = new AuthorizationContextHelper(ctx);
+            AuthorizationFilterHelper authFilter = new AuthorizationFilterHelper(ctx);
+
+            if (authHelper.isAuthorizationHeaderPresent()) {
+                logger.log(Level.INFO, "Authorization context - User: {0}, Offices: {1}, Roles: {2}",
+                    new Object[]{authHelper.getUsername(), authHelper.getOffices(), authHelper.getRoles()});
+            }
+
             TimeSeriesDao dao = getTimeSeriesDao(dsl);
             String format = ctx.queryParamAsClass(FORMAT, String.class).getOrDefault("");
             String names = requiredParam(ctx, NAME);
@@ -440,6 +450,14 @@ public void getAll(@NotNull Context ctx) {
                 }
 
                 String office = requiredParam(ctx, OFFICE);
+
+                if (authHelper.isAuthorizationHeaderPresent() && !authHelper.hasOfficeAccess(office)) {
+                    String errorMsg = String.format("User %s does not have access to office %s. Allowed offices: %s",
+                        authHelper.getUsername(), office, authHelper.getOffices());
+                    logger.log(Level.WARNING, errorMsg);
+                    throw new IllegalArgumentException(errorMsg);
+                }
+
                 TimeSeriesRequestParameters requestParameters = new TimeSeriesRequestParameters.Builder()
                         .withNames(names)
                         .withOffice(office)
@@ -450,7 +468,14 @@ public void getAll(@NotNull Context ctx) {
                         .withShouldTrim(trim.getOrDefault(true))
                         .withIncludeEntryDate(includeEntryDate)
                         .build();
-                TimeSeries ts = dao.getTimeseries(cursor, pageSize, requestParameters);
+
+                TimeSeries ts;
+                if (dao instanceof TimeSeriesDaoImpl && authFilter.hasAuthorizationContext()) {
+                    ts = ((TimeSeriesDaoImpl) dao).getRequestedTimeSeries(cursor, pageSize, requestParameters, null, authFilter);
+                    logger.log(Level.FINE, "Applied authorization filtering at DAO level");
+                } else {
+                    ts = dao.getTimeseries(cursor, pageSize, requestParameters);
+                }
 
                 results = Formats.format(contentType, ts);
 
@@ -475,6 +500,19 @@ public void getAll(@NotNull Context ctx) {
                 }
 
                 String office = ctx.queryParam(OFFICE);
+
+                if (authHelper.isAuthorizationHeaderPresent()) {
+                    if (office == null || office.isEmpty()) {
+                        office = authHelper.buildOfficeFilter();
+                        logger.log(Level.INFO, "No office specified, applying user office filter: {0}", office);
+                    } else if (!authHelper.hasOfficeAccess(office)) {
+                        String errorMsg = String.format("User %s does not have access to office %s. Allowed offices: %s",
+                            authHelper.getUsername(), office, authHelper.getOffices());
+                        logger.log(Level.WARNING, errorMsg);
+                        throw new IllegalArgumentException(errorMsg);
+                    }
+                }
+
                 results = dao.getTimeseries(format, names, office, units, datum, beginZdt, endZdt, tz);
                 ctx.status(HttpServletResponse.SC_OK);
                 ctx.result(results);

diff --git a/cwms-data-api/src/main/java/cwms/cda/data/dao/TimeSeriesDaoImpl.java b/cwms-data-api/src/main/java/cwms/cda/data/dao/TimeSeriesDaoImpl.java
@@ -39,6 +39,7 @@
 import cwms.cda.data.dto.filteredtimeseries.FilteredTimeSeries;
 import cwms.cda.formatters.FormattingException;
 import cwms.cda.formatters.xml.XMLv1;
+import cwms.cda.helpers.AuthorizationFilterHelper;
 import cwms.cda.helpers.DateUtils;
 import java.math.BigDecimal;
 import java.math.BigInteger;
@@ -243,6 +244,11 @@ public FilteredTimeSeries getTimeseries(String page, int pageSize, TimeSeriesReq
 
     protected TimeSeries getRequestedTimeSeries(String page, int pageSize, @NotNull TimeSeriesRequestParameters requestParameters,
                                        @Nullable FilteredTimeSeriesParameters fp) {
+        return getRequestedTimeSeries(page, pageSize, requestParameters, fp, null);
+    }
+
+    protected TimeSeries getRequestedTimeSeries(String page, int pageSize, @NotNull TimeSeriesRequestParameters requestParameters,
+                                       @Nullable FilteredTimeSeriesParameters fp, @Nullable AuthorizationFilterHelper authFilter) {
 
         String names = requestParameters.getNames();
         String office = requestParameters.getOffice();
@@ -374,6 +380,23 @@ protected TimeSeries getRequestedTimeSeries(String page, int pageSize, @NotNull
             filterConditions = getFilterCondition(fp, resolver);
         }
 
+        if (authFilter != null && authFilter.hasAuthorizationContext()) {
+            Field<String> officeField = valid.field("office_id", String.class);
+
+            Condition embargoFilter = authFilter.getEmbargoFilter(dataEntryDate, officeField);
+            if (embargoFilter != null) {
+                filterConditions = filterConditions.and(embargoFilter);
+                logger.log(Level.FINE, "Applied embargo filter to timeseries query");
+            }
+
+            Condition timeWindowFilter = authFilter.getTimeWindowFilter(dataEntryDate,
+                Timestamp.from(beginTime.toInstant()));
+            if (timeWindowFilter != null) {
+                filterConditions = filterConditions.and(timeWindowFilter);
+                logger.log(Level.FINE, "Applied time window filter to timeseries query");
+            }
+        }
+
         Field<Integer> totalField;
         if (total != null) {
             totalField = DSL.val(total).as("TOTAL");

diff --git a/cwms-data-api/src/main/java/cwms/cda/helpers/AuthorizationContextHelper.java b/cwms-data-api/src/main/java/cwms/cda/helpers/AuthorizationContextHelper.java
@@ -0,0 +1,159 @@
+package cwms.cda.helpers;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.javalin.http.Context;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class AuthorizationContextHelper {
+    private static final Logger LOGGER = Logger.getLogger(AuthorizationContextHelper.class.getName());
+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+    private static final String AUTH_CONTEXT_HEADER = "x-cwms-auth-context";
+
+    private final Map<String, Object> authContext;
+    private final Map<String, Object> userContext;
+    private final Map<String, Object> constraints;
+
+    public AuthorizationContextHelper(Context ctx) {
+        this.authContext = parseAuthContextHeader(ctx);
+        this.userContext = extractUserContext(authContext);
+        this.constraints = extractConstraints(authContext);
+    }
+
+    private Map<String, Object> parseAuthContextHeader(Context ctx) {
+        String headerValue = ctx.header(AUTH_CONTEXT_HEADER);
+        if (headerValue == null || headerValue.isEmpty()) {
+            LOGGER.log(Level.FINE, "No authorization context header found");
+            return Collections.emptyMap();
+        }
+
+        try {
+            return OBJECT_MAPPER.readValue(headerValue, Map.class);
+        } catch (Exception e) {
+            LOGGER.log(Level.WARNING, "Failed to parse authorization context header", e);
+            return Collections.emptyMap();
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    private Map<String, Object> extractUserContext(Map<String, Object> authContext) {
+        if (authContext.containsKey("user")) {
+            return (Map<String, Object>) authContext.get("user");
+        }
+        return Collections.emptyMap();
+    }
+
+    @SuppressWarnings("unchecked")
+    private Map<String, Object> extractConstraints(Map<String, Object> authContext) {
+        if (authContext.containsKey("constraints")) {
+            return (Map<String, Object>) authContext.get("constraints");
+        }
+        return Collections.emptyMap();
+    }
+
+    public String getUserId() {
+        return (String) userContext.getOrDefault("id", null);
+    }
+
+    public String getUsername() {
+        return (String) userContext.getOrDefault("username", null);
+    }
+
+    public String getEmail() {
+        return (String) userContext.getOrDefault("email", null);
+    }
+
+    @SuppressWarnings("unchecked")
+    public List<String> getRoles() {
+        Object roles = userContext.get("roles");
+        if (roles instanceof List) {
+            return (List<String>) roles;
+        }
+        return Collections.emptyList();
+    }
+
+    @SuppressWarnings("unchecked")
+    public List<String> getOffices() {
+        Object offices = userContext.get("offices");
+        if (offices instanceof List) {
+            return (List<String>) offices;
+        }
+        return Collections.emptyList();
+    }
+
+    public String getPrimaryOffice() {
+        return (String) userContext.getOrDefault("primary_office", null);
+    }
+
+    public String getPersona() {
+        return (String) userContext.getOrDefault("persona", null);
+    }
+
+    public String getRegion() {
+        return (String) userContext.getOrDefault("region", null);
+    }
+
+    public String getAllowedOfficesConstraint() {
+        return (String) constraints.getOrDefault("allowed_offices", null);
+    }
+
+    public boolean isEmbargoExempt() {
+        Object exempt = constraints.get("embargo_exempt");
+        return exempt != null && (boolean) exempt;
+    }
+
+    public String getTimezone() {
+        return (String) constraints.getOrDefault("timezone", null);
+    }
+
+    public boolean hasRole(String role) {
+        return getRoles().contains(role);
+    }
+
+    public boolean hasOfficeAccess(String office) {
+        if (office == null) {
+            return false;
+        }
+        List<String> userOffices = getOffices();
+        return userOffices.contains(office);
+    }
+
+    public String buildOfficeFilter() {
+        String allowedOffices = getAllowedOfficesConstraint();
+        if (allowedOffices != null && !allowedOffices.isEmpty()) {
+            if ("*".equals(allowedOffices)) {
+                return null;
+            }
+            return allowedOffices;
+        }
+
+        List<String> offices = getOffices();
+        if (offices.isEmpty()) {
+            return null;
+        }
+
+        return String.join(",", offices);
+    }
+
+    public boolean isAuthorizationHeaderPresent() {
+        return !authContext.isEmpty();
+    }
+
+    public Map<String, Object> getFullContext() {
+        return Collections.unmodifiableMap(authContext);
+    }
+
+    @Override
+    public String toString() {
+        return "AuthorizationContextHelper{" +
+                "userId='" + getUserId() + '\'' +
+                ", username='" + getUsername() + '\'' +
+                ", offices=" + getOffices() +
+                ", roles=" + getRoles() +
+                ", persona='" + getPersona() + '\'' +
+                '}';
+    }
+}