The /proxy handler in expressjs (https://gitlab.croptrust.org/genesys-pgr/genesys-ui/blob/master/server/middleware/httpProxy.ts#L18-25) checks request cookies for access_token and converts it to Authorization: Bearer ... HTTP header before forwarding the request to the API server.

Servlet

We need the API server to respect the access_token cookie, not just the Authorization HTTP request header. Maybe Spring Security libraries allow for this. If not, we need a servlet that is processed before OAuth auth servlets in the API that converts the cookie to the Authorization: Bearer ... header.

When this is implemented, we can remove the /proxy handler from genesys-new-ui project and update all HTTP links that start with /proxy/** to point to API URL directly.