
feat(cors): Global CORS Configuration for AMRIT API Services#60

Merged
vishwab1 merged 4 commits into PSMRI:develop from kevalkanp1011:develop
May 22, 2025

Conversation


@kevalkanp1011 kevalkanp1011 commented Apr 14, 2025

📋 Description

JIRA ID:

This PR introduces a global CORS configuration for the AMRIT platform API services, in alignment with requirements. The goal is to enhance cross-origin request handling by removing controller-level CORS annotations and setting up centralized, environment-based CORS policies.


✅ Type of Change

  • 🐞 Bug fix (non-breaking change which resolves an issue)
  • New feature (non-breaking change which adds functionality)
  • 🔥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 🛠 Refactor (change that is neither a fix nor a new feature)
  • ⚙️ Config change (configuration file or build script updates)
  • 📚 Documentation (updates to docs or readme)
  • 🧪 Tests (adding new or updating existing tests)
  • 🎨 UI/UX (changes that affect the user interface)
  • 🚀 Performance (improves performance)
  • 🧹 Chore (miscellaneous changes that don't modify src or test files)

ℹ️ Additional Information

Please describe how the changes were tested, and include any relevant screenshots, logs, or other information that provides additional context.

Summary by CodeRabbit

  • New Features

    • Introduced a configurable setting for allowed origins, enabling dynamic control over cross-origin requests.
  • Chores

    • Removed default cross-origin allowances from multiple API endpoints, which may impact access from external applications unless properly configured.


coderabbitai Bot commented Apr 14, 2025

Walkthrough

This pull request introduces a new CORS configuration approach. It adds the property cors.allowed-origins to two property files (one with an environment variable placeholder and one with localhost defaults) and a new CorsConfig class implementing WebMvcConfigurer to centralize CORS settings. Simultaneously, it removes the @CrossOrigin annotations from multiple controller classes, shifting CORS control from per-controller annotations to the centralized configuration. Additionally, a new DynamicCorsFilter class is added to dynamically handle CORS headers and preflight requests based on allowed origins.

Changes

File(s) | Change Summary
src/main/environment/ecd_ci.properties, src/main/environment/ecd_example.properties | Added new property cors.allowed-origins (@CORS_ALLOWED_ORIGINS@ placeholder in ci, http://localhost:8084 default in example) to manage allowed CORS origins.
src/main/java/com/iemr/ecd/config/CorsConfig.java | Added CorsConfig class implementing WebMvcConfigurer to apply global CORS configuration using the cors.allowed-origins property.
src/main/java/com/iemr/ecd/utils/DynamicCorsFilter.java | Added DynamicCorsFilter class extending OncePerRequestFilter to dynamically set CORS headers and handle preflight OPTIONS requests based on allowed origins.
Multiple controller files under src/main/java/com/iemr/ecd/controller/... | Removed @CrossOrigin annotations from many controller classes and methods to disable per-controller CORS configuration in favor of centralized management.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant DynamicCorsFilter
    participant CorsConfig
    participant Controller

    Client->>DynamicCorsFilter: Send HTTP request with Origin header
    DynamicCorsFilter->>DynamicCorsFilter: Check if Origin is allowed
    alt Origin allowed
        DynamicCorsFilter->>Client: Set Access-Control-Allow-Origin header
        alt OPTIONS preflight request
            DynamicCorsFilter->>Client: Respond with 200 OK (no further processing)
        else Other HTTP methods
            DynamicCorsFilter->>CorsConfig: Forward request
            CorsConfig->>Controller: Apply CORS settings and forward request
            Controller-->>Client: Return response
        end
    else Origin not allowed
        DynamicCorsFilter->>CorsConfig: Forward request without CORS headers
        CorsConfig->>Controller: Forward request
        Controller-->>Client: Return response
    end

Poem

I'm a little rabbit, hopping through the code,
Cleaning up annotations with a swift, nimble mode.
New CORS settings in properties and config so fine,
Centralizing access, one neat design.
With every removal and addition, I smile with delight –
Carrots and clean code, my future is bright!
🐇🥕



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
src/main/java/com/iemr/ecd/config/CorsConfig.java (1)

20-20: Consider documenting the exposed headers

The explicit exposure of "Authorization" and "Jwttoken" headers is important for authentication and security purposes. Consider adding a brief comment explaining why these specific headers need to be exposed.

-                .exposedHeaders("Authorization", "Jwttoken") // Explicitly expose headers if needed
+                .exposedHeaders("Authorization", "Jwttoken") // Exposing auth headers needed for client authentication
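Review bot: the replacement comment on the `.exposedHeaders("Authorization", "Jwttoken")` line still does not say which client reads these two headers. Exposing them lets script running on any allowed origin read their values from responses, so name the consumer in the comment and drop whichever header no front end actually reads.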
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14a571c and 5cbb1d5.

📒 Files selected for processing (23)
  • src/main/environment/ecd_ci.properties (1 hunks)
  • src/main/environment/ecd_example.properties (1 hunks)
  • src/main/java/com/iemr/ecd/config/CorsConfig.java (1 hunks)
  • src/main/java/com/iemr/ecd/controller/associate/AutoPreviewDialingController.java (1 hunks)
  • src/main/java/com/iemr/ecd/controller/associate/BeneficiaryCallHistoryController.java (1 hunks)
  • src/main/java/com/iemr/ecd/controller/associate/BeneficiaryRegistrationController.java (2 hunks)
  • src/main/java/com/iemr/ecd/controller/associate/CallClosureController.java (1 hunks)
  • src/main/java/com/iemr/ecd/controller/callallocation/CallAllocationController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/callallocation/CallConfigurationController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/dataupload/DataTemplateController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/dataupload/DataUploadController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/masters/MastersController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/outboundworklist/CallStatisticsController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/outboundworklist/OutBoundWorklistController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/quality/AgentQualityAuditorMappingController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/quality/ChartsController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/quality/GradeConfigurationController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/quality/QualityAuditController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/quality/QualityAuditQuestionConfigurationController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/quality/QualityAuditSectionConfigurationController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/quality/SampleSelectionConfigurationController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/questionare/EcdQuestionareController.java (0 hunks)
  • src/main/java/com/iemr/ecd/controller/reports/ReportController.java (21 hunks)
💤 Files with no reviewable changes (15)
  • src/main/java/com/iemr/ecd/controller/masters/MastersController.java
  • src/main/java/com/iemr/ecd/controller/callallocation/CallConfigurationController.java
  • src/main/java/com/iemr/ecd/controller/questionare/EcdQuestionareController.java
  • src/main/java/com/iemr/ecd/controller/quality/ChartsController.java
  • src/main/java/com/iemr/ecd/controller/outboundworklist/OutBoundWorklistController.java
  • src/main/java/com/iemr/ecd/controller/quality/QualityAuditQuestionConfigurationController.java
  • src/main/java/com/iemr/ecd/controller/outboundworklist/CallStatisticsController.java
  • src/main/java/com/iemr/ecd/controller/callallocation/CallAllocationController.java
  • src/main/java/com/iemr/ecd/controller/quality/GradeConfigurationController.java
  • src/main/java/com/iemr/ecd/controller/quality/SampleSelectionConfigurationController.java
  • src/main/java/com/iemr/ecd/controller/dataupload/DataUploadController.java
  • src/main/java/com/iemr/ecd/controller/dataupload/DataTemplateController.java
  • src/main/java/com/iemr/ecd/controller/quality/AgentQualityAuditorMappingController.java
  • src/main/java/com/iemr/ecd/controller/quality/QualityAuditController.java
  • src/main/java/com/iemr/ecd/controller/quality/QualityAuditSectionConfigurationController.java
🔇 Additional comments (10)
src/main/environment/ecd_ci.properties (1)

31-31: Verify CORS configuration for CI environment

The cors.allowed-origins property is set to an empty value, which may prevent cross-origin requests in the CI environment. This could block frontend applications from accessing the API.

Consider defining appropriate origins or using wildcard patterns based on your CI environment requirements. If the API is not intended to receive cross-origin requests in CI, this is acceptable.

src/main/environment/ecd_example.properties (1)

20-20: LGTM! Appropriate CORS configuration for local development.

The configuration allows requests from any port on localhost and 127.0.0.1, which is suitable for local development environments.

src/main/java/com/iemr/ecd/controller/associate/BeneficiaryCallHistoryController.java (1)

46-46: LGTM! Removed CrossOrigin annotation for global configuration.

Removing the @CrossOrigin() annotation from this controller is appropriate when moving to a centralized CORS configuration approach.

src/main/java/com/iemr/ecd/controller/reports/ReportController.java (1)

88-88: LGTM! Removed CrossOrigin annotations for global configuration.

Removing all @CrossOrigin annotations from these report endpoints is appropriate when moving to a centralized CORS configuration approach.

Also applies to: 112-112, 137-137, 161-161, 186-186, 211-211, 236-236, 261-261, 286-286, 311-311, 337-337, 362-362, 387-387, 412-412, 437-437, 462-462, 487-487, 512-512, 537-537, 562-562, 587-587

src/main/java/com/iemr/ecd/controller/associate/CallClosureController.java (1)

46-46: Removal of @CrossOrigin aligns with centralized CORS strategy

The @CrossOrigin annotation has been removed as part of migrating to a centralized CORS configuration approach.

src/main/java/com/iemr/ecd/controller/associate/AutoPreviewDialingController.java (1)

49-49: Removal of @CrossOrigin aligns with centralized CORS strategy

The @CrossOrigin annotation has been removed as part of migrating to a centralized CORS configuration approach.

src/main/java/com/iemr/ecd/config/CorsConfig.java (1)

1-25: Good implementation of centralized CORS configuration

The new CorsConfig class provides a centralized approach to CORS management with configurable origins through application properties. The configuration is comprehensive, covering all necessary CORS aspects.

src/main/java/com/iemr/ecd/controller/associate/BeneficiaryRegistrationController.java (3)

48-48: Removal of @CrossOrigin aligns with centralized CORS strategy

The @CrossOrigin annotation has been removed as part of migrating to a centralized CORS configuration approach.


59-59: Minor formatting improvement

The alignment of the @RequestHeader parameter has been improved for better readability.


65-65: Removal of @CrossOrigin aligns with centralized CORS strategy

The @CrossOrigin annotation has been removed as part of migrating to a centralized CORS configuration approach.

@kevalkanp1011 kevalkanp1011 changed the title Global CORS Configuration for AMRIT API Services feat(cors): Global CORS Configuration for AMRIT API Services Apr 14, 2025
Comment thread src/main/environment/ecd_ci.properties Outdated
springdoc.api-docs.enabled=false
springdoc.swagger-ui.enabled=false

cors.allowed-origins=
Member


Can you put the value as @CORS_ALLOWED_ORIGINS@

Contributor Author


Okay


sonarqubecloud Bot commented May 8, 2025

Quality Gate failed

Failed conditions
22.7% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
src/main/java/com/iemr/ecd/utils/DynamicCorsFilter.java (1)

26-29: Add error handling and optimize origin checking for better performance.

The current implementation doesn't handle invalid origins explicitly and performs a list conversion on each request which may impact performance for high traffic applications.

Consider these improvements:

  1. Initialize a HashSet in a @PostConstruct method for faster lookups
  2. Add logging for rejected origins to aid debugging
@Component
public class DynamicCorsFilter extends OncePerRequestFilter {

    @Value("${cors.allowed-origins}")
    private String[] allowedOrigins;
+   
+   private Set<String> allowedOriginsSet;
+   
+   @PostConstruct
+   public void init() {
+       allowedOriginsSet = new HashSet<>(Arrays.asList(allowedOrigins));
+   }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {

        String origin = request.getHeader("Origin");
-       if (origin != null && Arrays.asList(allowedOrigins).contains(origin)) {
+       if (origin != null && allowedOriginsSet.contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
+       } else if (origin != null) {
+           logger.debug("Rejected CORS request from origin: " + origin);
        }
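Review bot: in the added `else if` branch, `logger.debug("Rejected CORS request from origin: " + origin)` writes a client-supplied header value to the log as-is; cap its length and strip control characters before logging it. The message also says "Rejected" although this branch only skips the `Access-Control-Allow-Origin` header, so wording such as "Origin not in allow-list" would describe what actually happens.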
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ccd86fb and 5ac4273.

📒 Files selected for processing (3)
  • src/main/environment/ecd_example.properties (1 hunks)
  • src/main/java/com/iemr/ecd/config/CorsConfig.java (1 hunks)
  • src/main/java/com/iemr/ecd/utils/DynamicCorsFilter.java (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/main/environment/ecd_example.properties
  • src/main/java/com/iemr/ecd/config/CorsConfig.java
🔇 Additional comments (2)
src/main/java/com/iemr/ecd/utils/DynamicCorsFilter.java (2)

1-13: Appropriate import statements and package declaration for CORS filter functionality.

The import statements correctly include necessary classes for HTTP servlet handling, Spring annotations, and Java utilities needed by the filter.


14-19: Good approach using Spring Component and Value injection for CORS configuration.

The class is correctly annotated as a Spring @Component and extends OncePerRequestFilter which ensures the filter is applied only once per request. Using @Value to inject allowed origins from configuration is a good practice for externalized configuration.

Comment on lines +1 to +37
package com.iemr.ecd.utils;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.util.Arrays;

@Component
public class DynamicCorsFilter extends OncePerRequestFilter {

@Value("${cors.allowed-origins}")
private String[] allowedOrigins;

@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain)
throws ServletException, IOException {

String origin = request.getHeader("Origin");
if (origin != null && Arrays.asList(allowedOrigins).contains(origin)) {
response.setHeader("Access-Control-Allow-Origin", origin);
}

if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(request, response);
}
}
} No newline at end of file
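Review bot: at `response.setHeader("Access-Control-Allow-Origin", origin)` the filter echoes the request's Origin, but nothing in this file adds `Vary: Origin`, and the `OPTIONS` branch returns without calling `filterChain.doFilter`, so nothing downstream can add it to that response either. A shared cache could then replay a response carrying one origin's allow header to a different origin; add `response.addHeader("Vary", "Origin")` for every request, whether or not the origin matched.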

🛠️ Refactor suggestion

Add a unit test to verify CORS behavior.

This filter contains critical security-related logic for handling cross-origin requests. Adding comprehensive unit tests would ensure it functions correctly across different scenarios.

Consider adding tests that verify:

  1. Allowed origins are properly accepted
  2. Disallowed origins are properly rejected
  3. Preflight requests are handled correctly
  4. Non-preflight requests proceed through the filter chain

Would you like me to propose a unit test implementation for this class?

Comment on lines +31 to +36
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(request, response);
}
}
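Review bot: the `"OPTIONS".equalsIgnoreCase(request.getMethod())` branch answers 200 and skips `filterChain.doFilter` for every OPTIONS request, including ones with no `Origin`, with an origin that failed the allow-list check, or with no `Access-Control-Request-Method` header. Short-circuit only when the request is a preflight from an allowed origin, and let any other OPTIONS request continue down the chain so later filters still see it.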

⚠️ Potential issue

Incomplete preflight request handling.

For OPTIONS requests (preflight), the filter returns a 200 OK status but doesn't set the required CORS response headers that browsers expect in preflight responses (Access-Control-Allow-Methods, Access-Control-Allow-Headers, etc.). This could cause preflight requests to fail.

Consider updating the implementation to include all necessary CORS headers for preflight requests:

if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
    response.setStatus(HttpServletResponse.SC_OK);
+   response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+   response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Accept");
+   response.setHeader("Access-Control-Max-Age", "3600");
+   response.setHeader("Access-Control-Allow-Credentials", "true");
} else {
    filterChain.doFilter(request, response);
}
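Review bot: the four added `setHeader` calls sit in the `OPTIONS` branch with no origin condition around them, so `Access-Control-Allow-Credentials: true` and the method and header lists go out even when the `Origin` was not in the allow-list. Move them inside the block that sets `Access-Control-Allow-Origin`, so a disallowed origin receives no CORS headers at all.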
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(request, response);
}
}
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Accept");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Credentials", "true");
} else {
filterChain.doFilter(request, response);
}
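
The preflight failure described in the comment above, worked through as an added example (not code from the PR or from CodeRabbit): a simplified JavaScript model of the browser's CORS-preflight check, run against the OPTIONS response of the filter as shown in the PR and against the response with the suggested headers. The function names, the `https://other.example` origin and the use of `Jwttoken` as a request header are assumptions.

```javascript
// Added example: simplified model of the Fetch CORS-preflight check.
// Function names are hypothetical; the sample requests are constructed.
const ALLOWED = ['http://localhost:8084']; // cors.allowed-origins default from ecd_example.properties

// OPTIONS response of the filter as shown in the PR: 200, plus
// Access-Control-Allow-Origin only when the Origin is in the allow-list.
function prFilterPreflight(origin) {
  const headers = {};
  if (origin && ALLOWED.includes(origin)) headers['access-control-allow-origin'] = origin;
  return { status: 200, headers };
}

// Same response with the four headers from the review suggestion added.
function suggestedPreflight(origin) {
  const res = prFilterPreflight(origin);
  Object.assign(res.headers, {
    'access-control-allow-methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'access-control-allow-headers': 'Authorization, Content-Type, Accept',
    'access-control-max-age': '3600',
    'access-control-allow-credentials': 'true',
  });
  return res;
}

const split = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

// req: { origin, method, unsafeHeaders: [names], credentials: boolean }
// Returns 'ok' or the reason the browser would block the actual request.
function preflightCheck(req, res) {
  const h = res.headers;
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return 'no Access-Control-Allow-Origin';
  const originOk = acao === req.origin || (!req.credentials && acao === '*');
  if (!originOk) return 'origin mismatch';
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    return 'credentials not allowed';
  }
  if (res.status < 200 || res.status > 299) return 'preflight status not ok';

  const methods = split(h['access-control-allow-methods']);
  const headers = split(h['access-control-allow-headers']).map((s) => s.toLowerCase());
  const wildcardOk = !req.credentials; // '*' is taken literally on credentialed requests

  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes('*'))) {
    return `method ${req.method} not allowed`;
  }
  for (const name of req.unsafeHeaders) {
    const n = name.toLowerCase();
    if (headers.includes(n)) continue;
    // Authorization is never covered by '*', with or without credentials.
    if (n !== 'authorization' && wildcardOk && headers.includes('*')) continue;
    return `header ${name} not allowed`;
  }
  return 'ok';
}

// Constructed sample: a credentialed PUT from the allowed front end.
const api = {
  origin: 'http://localhost:8084',
  method: 'PUT',
  unsafeHeaders: ['Authorization', 'Content-Type'],
  credentials: true,
};

function runSamples() {
  const custom = { ...api, unsafeHeaders: [...api.unsafeHeaders, 'Jwttoken'] }; // assumed request header
  const other = { ...api, origin: 'https://other.example' }; // not in the allow-list
  return {
    prFilterWithCredentials: preflightCheck(api, prFilterPreflight(api.origin)),
    prFilterNoCredentials: preflightCheck({ ...api, credentials: false }, prFilterPreflight(api.origin)),
    suggested: preflightCheck(api, suggestedPreflight(api.origin)),
    suggestedCustomHeader: preflightCheck(custom, suggestedPreflight(custom.origin)),
    suggestedOtherOrigin: preflightCheck(other, suggestedPreflight(other.origin)),
  };
}

console.log(runSamples());
```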

Comment on lines +20 to +30
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain)
throws ServletException, IOException {

String origin = request.getHeader("Origin");
if (origin != null && Arrays.asList(allowedOrigins).contains(origin)) {
response.setHeader("Access-Control-Allow-Origin", origin);
}
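Review bot: `Arrays.asList(allowedOrigins).contains(origin)` is an exact, case-sensitive string comparison, so an entry in `cors.allowed-origins` written with a trailing slash or a wildcard will never match a browser's `Origin` value. Document that the property takes full scheme, host and port entries only, or normalise and validate the entries once at startup.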


💡 Verification agent

🧩 Analysis chain

Missing additional CORS headers in the response.

While the filter correctly sets the Access-Control-Allow-Origin header based on allowed origins, it doesn't set other important CORS headers like Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Allow-Credentials. This might be intentional if these are set in the CorsConfig class mentioned in the PR summary, but worth verifying.


🏁 Script executed:

#!/bin/bash
# Check if there are other places in the codebase where CORS headers are set
rg -A 5 "Access-Control-Allow" --type java

Length of output: 1183


🏁 Script executed:

#!/bin/bash
# Locate and display the CorsConfig class to verify if it sets other CORS headers
rg -n "class CorsConfig" --type java
rg -A10 "class CorsConfig" --type java

Length of output: 1130


Consolidate CORS settings and include credentials
We verified that CorsConfig (src/main/java/com/iemr/ecd/config/CorsConfig.java) already registers allowed origins, methods, and headers via

registry.addMapping("/**")
        .allowedOrigins(allowedOrigins)
        .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
        .allowedHeaders("*");

but it omits allowCredentials(true). At the same time, DynamicCorsFilter (src/main/java/com/iemr/ecd/utils/DynamicCorsFilter.java) only sets Access-Control-Allow-Origin (and status for OPTIONS) and will override any other headers set by Spring’s CORS support. To avoid inconsistent or missing CORS response headers, please:

  • Add .allowCredentials(true) to the CorsConfig mapping.
  • Either remove the custom filter and rely solely on CorsConfig, or update DynamicCorsFilter#doFilterInternal to also set:
    • Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
    • Access-Control-Allow-Headers: <value> (e.g. * or echo Access-Control-Request-Headers)
    • Access-Control-Allow-Credentials: true

Example diffs:

--- a/src/main/java/com/iemr/ecd/config/CorsConfig.java
@@ public void addCorsMappings(CorsRegistry registry) {
-       .allowedHeaders("*");
+       .allowedHeaders("*")
+      .allowCredentials(true);
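Review bot: adding `.allowCredentials(true)` after `.allowedHeaders("*")` leaves a credentialed mapping that accepts any request header, and it makes the mapping depend on the configured origins never being `*`, because Spring rejects `allowCredentials(true)` combined with the `*` origin. List the request headers the clients actually send instead of `"*"`, and state the no-wildcard constraint beside the `cors.allowed-origins` property.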
--- a/src/main/java/com/iemr/ecd/utils/DynamicCorsFilter.java
@@ doFilterInternal(...){
     if (origin != null && Arrays.asList(allowedOrigins).contains(origin)) {
         response.setHeader("Access-Control-Allow-Origin", origin);
+        response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
+        response.setHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));
+        response.setHeader("Access-Control-Allow-Credentials", "true");
     }
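Review bot: the added `Access-Control-Allow-Headers` line passes `request.getHeader("Access-Control-Request-Headers")` straight to `setHeader`; that value is null on any request that is not a preflight, and on a preflight it approves whatever header names the caller lists. Set this header only in the preflight path and build it from a fixed list of the headers the API accepts.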

@vishwab1 vishwab1 merged commit d80d9be into PSMRI:develop May 22, 2025
1 of 2 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request Jun 17, 2025
10 tasks
3 participants