Return 404 for mis-cased FHIR resource type segments #5530

Merged: mikaelweave merged 4 commits into main from agent/fix-miscased-resource-type, May 15, 2026
@mikaelweave mikaelweave commented Apr 29, 2026

Description

This PR fixes two related case-sensitivity bugs surfaced by requests like
GET /patient/{id} (lowercase resource type):

  1. 405 instead of 404 for mis-cased resource types. - not FHIR spec
  2. Capability cache poisoning. - once you go 405, you can't run a valid query for the resource

Reproduction

Bug 1: mis-cased resource type returns 405

  1. Start the server.
  2. Issue GET https://localhost:44348/patient/123 (lowercase) — or PUT, DELETE, POST.
  3. Current behavior: 405.
  4. Expected behavior: 404.

Bug 2: lowercase request poisons later correctly-cased requests

  1. Start the server.
  2. Issue DELETE https://localhost:44348/patient/123.
  3. Issue DELETE https://localhost:44348/Patient/123.
  4. Current behavior: the second request can return 405 from
    ValidateCapabilityPreProcessor and continues to do so for the lifetime of the process.
  5. Expected behavior: only the lowercase request should fail.

Related Work Items

AB#190027
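
As an added example (not part of the PR or the project's test suite), the two reproductions above can be scripted as a black-box regression check. `check_case_handling`, `http_sender` and `ModelServer` are hypothetical names; `ModelServer` is a constructed stand-in whose cache keyed on the lower-cased type is an assumption, since the description states only the symptom.

```python
import urllib.error
import urllib.request

VERBS = ("GET", "PUT", "DELETE", "POST")  # verbs named in the reproduction


def http_sender(base_url):
    """Build a send(method, path) -> status function for a live server."""
    def send(method, path):
        req = urllib.request.Request(base_url + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
            return err.code
    return send


def check_case_handling(send, rtype="Patient", rid="123"):
    """Return findings; an empty list means both reproductions pass."""
    findings = []
    # Bug 1: a mis-cased type segment must yield 404 on every verb.
    for seg in (rtype.lower(), rtype.upper(), rtype.swapcase()):
        for verb in VERBS:
            status = send(verb, f"/{seg}/{rid}")
            if status != 404:
                findings.append(f"{verb} /{seg}/{rid} -> {status}, expected 404")
    # Bug 2: after that traffic, the correctly cased DELETE must not be a 405.
    status = send("DELETE", f"/{rtype}/{rid}")
    if status == 405:
        findings.append(f"DELETE /{rtype}/{rid} -> 405 after mis-cased requests")
    return findings


class ModelServer:
    """Constructed stand-in, not the project's code. The cache keyed on the
    lower-cased type is an assumed mechanism; the PR states only the symptom."""
    def __init__(self, case_sensitive):
        self.case_sensitive = case_sensitive
        self.poisoned = set()

    def send(self, method, path):
        seg = path.strip("/").split("/")[0]
        if seg == "Patient":
            return 405 if (method, "patient") in self.poisoned else 200
        if not self.case_sensitive and seg.lower() == "patient":
            self.poisoned.add((method, "patient"))
            return 405
        return 404
```

Against a live test instance, pass `http_sender("https://localhost:44348")` as `send`; the PUT, DELETE and POST requests are real, so point it at disposable data.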

mikaelweave and others added 2 commits April 29, 2026 12:16
…ated queries and enhance capability statement tests for patient resource interactions.
FHIR resource type names are case-sensitive. Previously a request like
GET /patient/{id} would match the route via case-insensitive comparison
in ResourceTypesRouteConstraint, then fail action selection and return
405 Method Not Allowed. Per spec it should be 404 Not Found.

Make ResourceTypesRouteConstraint match resource types case-sensitively
so unknown/mis-cased segments produce a uniform framework 404 across
all verbs (GET/PUT/DELETE/POST). CompartmentResourceTypesRouteConstraint
delegates to the same constraint and inherits the fix.

Adds unit tests covering mis-cased paths and per-verb behavior, plus an
E2E test asserting 404 for lowercase/mixed-case resource type segments.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mikaelweave mikaelweave requested a review from a team as a code owner April 29, 2026 20:40
@mikaelweave mikaelweave added this to the FY26\Q4\2Wk\2Wk22 milestone Apr 29, 2026
@mikaelweave mikaelweave added the Bug, No-ADR, Azure Healthcare APIs, and No-PaaS-breaking-change labels Apr 29, 2026
codecov-commenter commented Apr 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@fc47539). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5530   +/-   ##
=======================================
  Coverage        ?   77.11%           
=======================================
  Files           ?      983           
  Lines           ?    35996           
  Branches        ?     5467           
=======================================
  Hits            ?    27758           
  Misses          ?     6896           
  Partials        ?     1342           

mikaelweave and others added 2 commits April 29, 2026 16:35
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mikaelweave mikaelweave changed the title from "Return 404 for mis-cased FHIR resource type segments and fix capability cache poisoning" to "Return 404 for mis-cased FHIR resource type segments" Apr 30, 2026
@mikaelweave mikaelweave merged commit b696902 into main May 15, 2026
51 of 52 checks passed
@mikaelweave mikaelweave deleted the agent/fix-miscased-resource-type branch May 15, 2026 16:34
3 participants