CORS Configuration for HELP1097 API Services

[vishwab1]

📋 Description

JIRA ID: AMM-1246

Please provide a summary of the change and the motivation behind it. Include relevant context and details.

---

✅ Type of Change

• 🐞 Bug fix (non-breaking change which resolves an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 🔥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 🛠 Refactor (change that is neither a fix nor a new feature)
• ⚙️ Config change (configuration file or build script updates)
• 📚 Documentation (updates to docs or readme)
• 🧪 Tests (adding new or updating existing tests)
• 🎨 UI/UX (changes that affect the user interface)
• 🚀 Performance (improves performance)
• 🧹 Chore (miscellaneous changes that don't modify src or test files)

---

ℹ️ Additional Information

Please describe how the changes were tested, and include any relevant screenshots, logs, or other information that provides additional context.

Summary by CodeRabbit

• New Features

  • Centralized CORS (Cross-Origin Resource Sharing) configuration added, allowing dynamic control of permitted origins via environment properties.
  • CORS support now includes customizable allowed origins, methods, and headers for all endpoints.

• Refactor

  • CORS handling moved from individual controller annotations to a global configuration, simplifying endpoint management.
  • Improved handling of preflight (OPTIONS) requests for better browser compatibility.

• Chores

  • Updated configuration files to include new CORS-related properties.

[coderabbitai]

Walkthrough

This update centralizes CORS (Cross-Origin Resource Sharing) configuration by introducing a global CORS setup via a new CorsConfig class and property files. All @CrossOrigin annotations are removed from controller methods, and CORS logic is added to the JWT validation filter. Configuration files are updated to support dynamic CORS origins.

Changes

Files/Groups	Change Summary
src/main/environment/common_ci.properties, common_example.properties	Added cors.allowed-origins property for CORS configuration.
src/main/java/com/iemr/helpline1097/config/CorsConfig.java	Added new global CORS configuration class implementing WebMvcConfigurer.
Controller files (controller/beneficiarycall/Service1097HistoryController.java, etc.)	Removed all @CrossOrigin() annotations from controller methods; minor formatting changes in some files.
src/main/java/com/iemr/helpline1097/utils/FilterConfig.java	Injected allowedOrigins property and updated filter registration to use it; set filter order to highest.
src/main/java/com/iemr/helpline1097/utils/JwtUserIdValidationFilter.java	Added CORS handling based on allowed origins and updated constructor; removed @Component annotation.

Sequence Diagram(s)

sequenceDiagram
    participant Browser
    participant Filter (JwtUserIdValidationFilter)
    participant Spring (CorsConfig)
    participant Controller

    Browser->>Filter: Sends HTTP request with Origin header
    alt OPTIONS preflight
        Filter->>Filter: Check if Origin is allowed
        alt Origin allowed
            Filter->>Browser: Respond 200 OK with CORS headers
        else Origin not allowed
            Filter->>Browser: Respond 200 OK without CORS headers
        end
    else Non-OPTIONS request
        Filter->>Filter: Check if Origin is allowed
        alt Origin allowed
            Filter->>Spring: Pass request with CORS headers
        else Origin not allowed
            Filter->>Spring: Pass request without CORS headers
        end
        Spring->>Controller: Dispatch to endpoint
        Controller->>Browser: Return response
    end

Loading

Suggested reviewers

• ravishanigarapu

Poem

In the warren of code, a rabbit did hop,
Tidying up CORS from bottom to top.
No more annotations, just one global rule,
With origins set smartly—now isn’t that cool?
So hop on, dear devs, with requests from afar,
The CORS gates are open—no matter where you are!
🐇🌐

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (2)

src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackSeverity.java (1)

46-52: Missing injection for FeedbackTypeService.
The feedbackTypeService field is never wired, which will cause an NPE in getFeedbackType(). Add an @Autowired setter or field injection:

+ @Autowired
+ public void setFeedbackTypeService(FeedbackTypeService feedbackTypeService) {
+     this.feedbackTypeService = feedbackTypeService;
+ }

src/main/java/com/iemr/helpline1097/controller/beneficiarycall/Service1097HistoryController.java (1)

148-151: Potential negative pageNo when client sends 0
pageNo = requestObject.has("pageNo") ? (requestObject.getInt("pageNo") - 1) : 0;
If the caller legitimately passes 0, this yields -1, which could break downstream paging logic. Clamp to 0 after the subtraction:

-int pageNo = requestObject.has("pageNo") ? (requestObject.getInt("pageNo") - 1) : 0;
+int pageNo = requestObject.has("pageNo") ? Math.max(requestObject.getInt("pageNo") - 1, 0) : 0;

Also applies to: 149-151

🧹 Nitpick comments (8)

src/main/java/com/iemr/helpline1097/controller/co/services/CategoryController.java (1)

47-49: Fix typo in summary and method name.
The operation summary and method name currently read "categries". Correct to "categories" for clarity and consistency:

- @Operation(summary = "Get all categries")
- public String getAllCategries() {
+ @Operation(summary = "Get all categories")
+ public String getAllCategories() {

src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackSeverity.java (2)

55-58: Fix operation summary for severity endpoint.
The getSeverity() method summary is "Get feedback type". It should be "Get feedback severity":

- @Operation(summary = "Get feedback type")
+ @Operation(summary = "Get feedback severity")

---

49-52: Normalize setter method name.
Rename SetFeedbackSeverityService to setFeedbackSeverityService (lowercase 's') to comply with Java naming conventions:

- public void SetFeedbackSeverityService(FeedbackSeverityService feedbackSeverityService) {
+ public void setFeedbackSeverityService(FeedbackSeverityService feedbackSeverityService) {

src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackController.java (1)

115-116: Guard against null before logging
Adding a null check prevents logging null results. Consider also handling the null case in the response body if that represents an error or absence of data.

src/main/java/com/iemr/helpline1097/controller/co/beneficiary/BeneficiaryController.java (1)

97-102: Duplicate JSON-deserialise block – consider local helper to reduce copy-paste
Both saveBenCalServiceCatSubcatMapping and saveBenCalServiceCOCatSubcatMapping now share the exact three-line ObjectMapper → array → asList pattern. Factoring this into a small private utility will keep future fixes in one place and shorten methods.

src/main/java/com/iemr/helpline1097/controller/beneficiarycall/Service1097HistoryController.java (1)

111-113: Minor nit – objectMapper.readValue can be single-line; current split is purely stylistic
No functional change, just pointing out that the wrapped line could be reverted for readability.

src/main/java/com/iemr/helpline1097/utils/JwtUserIdValidationFilter.java (2)

8-8: Remove unused org.springframework.stereotype.Component import

The class is no longer annotated with @Component.
Keeping this import will raise an “unused import” compile warning (and most build setups treat warnings as errors).

-import org.springframework.stereotype.Component;

---

25-31: Pre-compute allowed origin patterns once

isOriginAllowed() re-splits the comma-separated list on every request, adding avoidable GC pressure to a hot path.
Compute the regex patterns in the constructor and store them in an immutable List<Pattern>.

-private final String allowedOrigins;
+private final List<Pattern> allowedOriginPatterns;
 ...
-public JwtUserIdValidationFilter(JwtAuthenticationUtil jwtAuthenticationUtil, String allowedOrigins) {
-    this.jwtAuthenticationUtil = jwtAuthenticationUtil;
-    this.allowedOrigins = allowedOrigins;
+public JwtUserIdValidationFilter(JwtAuthenticationUtil jwtAuthenticationUtil, String allowedOrigins) {
+    this.jwtAuthenticationUtil = jwtAuthenticationUtil;
+    this.allowedOriginPatterns = Arrays.stream(allowedOrigins.split(","))
+        .map(String::trim)
+        .map(this::toRegex)
+        .map(Pattern::compile)
+        .toList();
 }

This removes string-processing per request and clarifies intent.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f422472 and 98b6e5a.

📒 Files selected for processing (17)

• src/main/environment/common_ci.properties (1 hunks)
• src/main/environment/common_example.properties (1 hunks)
• src/main/java/com/iemr/helpline1097/config/CorsConfig.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/beneficiarycall/Service1097HistoryController.java (3 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/beneficiary/BeneficiaryController.java (3 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/callhandling/CalltypeController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackController.java (4 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackRequestController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackSeverity.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/services/CategoryController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/services/CommonController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/services/DesignationController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/co/services/InstitutionController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/everwell/EverwellGuidelinesController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/controller/version/VersionController.java (1 hunks)
• src/main/java/com/iemr/helpline1097/utils/FilterConfig.java (1 hunks)
• src/main/java/com/iemr/helpline1097/utils/JwtUserIdValidationFilter.java (5 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (2)

src/main/java/com/iemr/helpline1097/config/CorsConfig.java (1)

src/main/java/com/iemr/helpline1097/utils/FilterConfig.java (1)

• Configuration (9-28)

src/main/java/com/iemr/helpline1097/utils/FilterConfig.java (1)

src/main/java/com/iemr/helpline1097/config/CorsConfig.java (1)

• Configuration (9-28)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyze (java)

🔇 Additional comments (20)

src/main/environment/common_ci.properties (1)

40-42: Ensure consistency across environment configuration files.
The new cors.allowed-origins property is added here. Verify that the same property exists in common_example.properties (and any other env-specific files) with a sensible default value and that its expected format (e.g., comma-separated origins) is documented.

src/main/java/com/iemr/helpline1097/controller/co/services/DesignationController.java (1)

26-28: Confirm removal of method-level CORS annotations.
All @CrossOrigin imports and annotations have been removed. Ensure that the global CorsConfig now applies CORS settings (allowed origins, headers including Authorization, credentials, and preflight handling) to this endpoint.

src/main/java/com/iemr/helpline1097/controller/co/services/InstitutionController.java (1)

24-28: Verify global CORS mapping covers this endpoint.
With the per-controller @CrossOrigin removed, confirm that CorsConfig registers the /api/helpline1097/co/get/institutions path (GET) for the correct origins, headers, methods, and credentials, and handles OPTIONS preflight.

src/main/java/com/iemr/helpline1097/controller/co/services/CategoryController.java (1)

30-34: Confirm removal of CrossOrigin import and annotation.
Ensure the global CORS configuration now handles POST requests to /api/helpline1097/v1/get/category, including preflight OPTIONS, allowed headers (e.g., Authorization), and credentials support.

src/main/environment/common_example.properties (1)

42-42: Verify wildcard origin pattern usage
Spring’s allowedOrigins doesn't support port wildcards (e.g., http://localhost:*). If you need to allow dynamic ports, switch to using allowedOriginPatterns in your CorsConfig or enumerate explicit origins.

src/main/java/com/iemr/helpline1097/controller/co/callhandling/CalltypeController.java (1)

27-27: Removed redundant @CrossOrigin import
Per-controller CORS annotations are now centralized in CorsConfig, so this import can be dropped.
Please verify that the global CORS configuration covers /call/** endpoints as intended.

src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackRequestController.java (1)

27-27: Removed unused @CrossOrigin import
CORS is handled globally; this import is no longer needed.
Confirm that /iEMR/** routes are included in your CorsConfig mappings.

src/main/java/com/iemr/helpline1097/controller/co/services/CommonController.java (1)

29-29: Dropped obsolete @CrossOrigin import
Centralized CORS configuration replaces per-controller annotations, so this import can be removed.
Ensure /api/helpline1097/co/get/** is covered by the global CORS policy.

src/main/java/com/iemr/helpline1097/controller/co/feedback/FeedbackController.java (4)

29-29: Removed stale @CrossOrigin import
Method-level CORS annotations have been removed in favor of the centralized configuration.
Verify that /co/** endpoints are correctly exposed under the new CORS setup.

---

76-76: Eliminated method-level CORS annotation
The @CrossOrigin on the “Get feedback list” endpoint was removed to unify CORS logic.

---

93-93: Removed per-method CORS annotation
The @CrossOrigin on the “Get feedback by post” endpoint is no longer needed.

---

108-108: Dropped CORS annotation on save endpoint
Central CORS configuration now covers the “Save beneficiary feedback” route.

src/main/java/com/iemr/helpline1097/controller/version/VersionController.java (1)

29-33: @CrossOrigin import removal looks correct
The cleanup is in line with the new global CORS strategy – nothing else to flag here.

src/main/java/com/iemr/helpline1097/controller/everwell/EverwellGuidelinesController.java (1)

24-30: Import pruning is fine; verify controller still covered by global CORS
Now that per-method CORS annotations are gone, ensure cors.allowed-origins is populated in every active profile; otherwise pre-flight requests will fail before reaching this controller.

src/main/java/com/iemr/helpline1097/controller/co/beneficiary/BeneficiaryController.java (1)

29-33: CrossOrigin import removal approved
No issues detected.

src/main/java/com/iemr/helpline1097/controller/beneficiarycall/Service1097HistoryController.java (1)

31-35: Import removal fine
No concerns here.

src/main/java/com/iemr/helpline1097/utils/FilterConfig.java (2)

20-24: Double-CORS handling – verify header duplication
The filter now sets CORS headers while CorsConfig registers a WebMvcConfigurer doing the same. Duplicate Access-Control-Allow-Origin headers may get written, depending on servlet container behaviour. Confirm only one component commits the header (filter can skip if Spring already handled it).

---

24-25: Good call elevating filter order
Placing JWT/CORS logic at HIGHEST_PRECEDENCE ensures pre-auth OPTIONS requests succeed before Spring Security kicks in.

src/main/java/com/iemr/helpline1097/config/CorsConfig.java (1)

22-24: ```shell
#!/bin/bash

1. Inspect allowed headers in CorsConfig

echo "=== CorsConfig.allowedHeaders ==="
rg -n ".allowedHeaders" -C2 src/main/java/com/iemr/helpline1097/config/CorsConfig.java

2. Locate the JwtUserIdValidationFilter implementation(s)

echo "=== JwtUserIdValidationFilter file(s) ==="
rg -l "class JwtUserIdValidationFilter" -g "src/main/java/com/iemr/helpline1097/**/*.java"

3. For each filter file, check which headers it advertises

for f in $(rg -l "class JwtUserIdValidationFilter" -g "src/main/java/com/iemr/helpline1097/**/*.java"); do
echo
echo "=== Inspecting $f ==="
rg -n "Access-Control-Allow-Headers" -C2 "$f"
rg -n "Jwttoken" -C2 "$f"
rg -n "Accept" -C2 "$f"
done

</details>
<details>
<summary>src/main/java/com/iemr/helpline1097/utils/JwtUserIdValidationFilter.java (1)</summary>

`44-52`: **Header list diverges from `CorsConfig`**

The response advertises `Accept` and `Jwttoken`, headers not allowed by `CorsConfig`.  
Please keep the two components consistent (single constant or shared config) to avoid failed pre-flights.

</details>

</blockquote></details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->