OHDSI · csafreen · May 26, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
@@ -116,6 +116,8 @@ RUN --mount=type=secret,id=PLUGINS_REGISTRY set -eu; \
     echo "@data2evidence:registry=$REG" > .npmrc; \
     npm install @data2evidence/d2e-atlas --no-save; \
     mv "node_modules/@data2evidence/d2e-atlas" /usr/src/bundled-plugins/d2e-atlas; \
+    npm install @data2evidence/d2e-fhir-server --no-save; \
+    mv "node_modules/@data2evidence/d2e-fhir-server" /usr/src/bundled-plugins/d2e-fhir-server; \
     rm -rf "$WORK"
 
 ENV PLUGINS_DEV_PATH=/usr/src/bundled-plugins:/usr/src/plugins

@@ -44,6 +44,23 @@ export async function authn(c: Context, next: Function) {
     return;
   }
 
+  const isFhirServerRoute = c.req.path.startsWith("/fhir-server/");
+  if (isFhirServerRoute) {
+    const token = extractFhirCookieToken(c);
+    if (!token) {
+      return new Response("Unauthorized", { status: 401 });
+    }
+    try {
+      await jwtVerify(token, JWKS);
+    } catch (err: any) {
+      logger.error(`authn: fhir-server token validation failed: ${err}`);
+      return new Response("Authentication Token not valid", { status: 401 });
+    }
+    c.set("logtoSubject", getTokenSubject(token));
+    await next();
+    return;
+  }
+
   const token = extractToken(c);
 
   if (!token) {
@@ -61,6 +78,18 @@ export async function authn(c: Context, next: Function) {
   await next();
 }
 
+function extractFhirCookieToken(c: Context): string | null {
+  const cookieHeader = c.req.header("cookie") ?? c.req.raw.headers.get("cookie") ?? "";
+  for (const cookie of cookieHeader.split(";")) {
+    const trimmed = cookie.trim();
+    if (trimmed.startsWith("fhirtoken=")) {
+      const val = trimmed.slice("fhirtoken=".length).trim();
+      return val.startsWith("Bearer ") ? val.slice(7) : val || null;
+    }
+  }
+  return null;
+}
+
 function extractToken(c: Context): string | null {
   const regex = /\b(Bearer|bearer|token)\b/;
 
@@ -79,9 +108,6 @@ function extractToken(c: Context): string | null {
     for (const cookie of cookies) {
       if (cookie.startsWith("authtoken=")) {
         return cookie.split("=")[1];
-      } else if (cookie.startsWith("fhirtoken=")) {
-        const val = cookie.split("=")[1];
-        return val.split(" ")[1] || null;
       }
     }
   }