Swagger json automation #152
Warning: Rate limit exceeded.
📝 Walkthrough
Adds a GitHub Actions workflow to build the API under a dedicated "swagger" profile, fetch and validate /v3/api-docs, and open a PR to update AMRIT-Docs; introduces a swagger Spring profile with dedicated properties, adds an H2 runtime dependency, and adjusts security so OpenAPI endpoints are exposed in the swagger profile; README badge added.
Sequence Diagram(s)
sequenceDiagram
autonumber
participant GH as GitHub Actions
participant Repo as API Repo
participant API as Running API (port 9090)
participant Validator as jq/validator
participant Docs as AMRIT-Docs Repo
GH->>Repo: checkout (full history) & build (Maven, skip tests)
GH->>API: start with profile="swagger"
GH->>API: poll GET /v3/api-docs
API-->>GH: 200 + Swagger JSON
GH->>Validator: validate JSON & ensure non-empty paths
Validator-->>GH: validation result
GH->>API: stop process
GH->>Docs: checkout, copy mmu-api.json -> docs/swagger, create PR
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (1 warning)
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In `@src/main/resources/application-swagger.properties`:
- Around line 12-13: The properties file currently contains hardcoded
credentials (serverUserName and serverPassword) which is insecure; update
application-swagger.properties to read these values from environment variables
instead by replacing the literal values with property placeholders that
reference env vars (e.g., use ${ENV_VAR_NAME:default} style), document the
expected ENV names for serverUserName and serverPassword, and ensure any
defaults are non-sensitive or empty so production credentials must be supplied
via the environment or secret management.
- Around line 40-48: Remove the duplicate spring.jpa.hibernate.ddl-auto property
by deleting the earlier occurrence so only a single declaration of
spring.jpa.hibernate.ddl-auto=create-drop remains; locate the duplicated key
(spring.jpa.hibernate.ddl-auto) that appears before the Redis properties
(spring.redis.host/port) and remove that first instance, keeping the later
declaration together with spring.jpa.show-sql=true.
🧹 Nitpick comments (4)
src/main/java/com/iemr/mmu/utils/mapper/SwaggerSecurityConfig.java (2)
1-1: Consider relocating to a more appropriate package. This security configuration class is placed in the utils.mapper package, which typically contains object mapping utilities. A package like com.iemr.mmu.config or com.iemr.mmu.security would better reflect its purpose.
15-19: Use the newer Spring Security 6.x lambda DSL. The csrf().disable() and authorizeRequests() methods are deprecated in Spring Security 6.x (used by Spring Boot 3.2.2). While the current code remains functional, these APIs may be removed in future versions.
♻️ Proposed fix using the lambda DSL
`@Bean` public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http - .csrf().disable() - .authorizeRequests().anyRequest().permitAll(); + .csrf(csrf -> csrf.disable()) + .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()); return http.build(); }.github/workflows/swagger-json.yml (2)
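Review bot: the lambda-DSL rewrite keeps `.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())`, so this chain still switches authorization off for every request whenever the swagger profile is active; since these lines are being edited anyway, scope the chain with `.securityMatcher("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html")` and finish with `.anyRequest().authenticated()`, which is what the later comment on this PR asks for. `csrf.disable()` can also be written as the method reference `AbstractHttpConfigurer::disable`.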
14-17: Consider using a shallow clone for the API repo. fetch-depth: 0 fetches the entire Git history, which adds overhead but isn't needed here since the workflow only builds the current state. Consider removing it or using the default shallow clone to speed up the checkout.
♻️ Proposed change
- name: Checkout API repo (full history) uses: actions/checkout@v4 - with: - fetch-depth: 0
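Review bot: the step name `Checkout API repo (full history)` is left untouched while the hunk removes `fetch-depth: 0`, so the name becomes misleading; rename the step to `Checkout API repo` in the same change, and confirm that nothing in the Maven build derives a version or build number from git history before relying on the default shallow clone.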
89-100: Workflow appears truncated - verify completeness. The workflow file ends without closing markers for the body field. Ensure the file is complete with proper YAML structure. If additional content is intended in the PR body, it should be included. Additionally, consider adding a delete-branch: true option to automatically clean up the branch after the PR is merged.
♻️ Optional: Add delete-branch option
- name: Create Pull Request uses: peter-evans/create-pull-request@v6 with: token: ${{ secrets.DOCS_REPO_TOKEN }} path: amrit-docs branch: auto/swagger-update-${{ github.run_id }}-${{ github.run_attempt }} base: main commit-message: "chore(docs): auto-update MMU-API swagger" title: "chore(docs): auto-update MMU-API swagger" + delete-branch: true body: | This PR automatically updates MMU-API Swagger JSON from the latest main branch build.
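Review bot: `delete-branch: true` is worth adding because `branch: auto/swagger-update-${{ github.run_id }}-${{ github.run_attempt }}` creates a new branch on every run, so without it the docs repository accumulates one stale branch per workflow execution. Separately, `token: ${{ secrets.DOCS_REPO_TOKEN }}` is a credential that writes to a different repository (the default GITHUB_TOKEN cannot open cross-repo pull requests); scope that token to AMRIT-Docs with only contents and pull-request write permission rather than a broad personal access token.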
| serverUserName=admin | ||
| serverPassword=admin |
Avoid hardcoded credentials in configuration files.
Hardcoded serverUserName=admin and serverPassword=admin values pose a security risk. Even in a documentation/swagger profile, these credentials could be accidentally exposed or misused. Use environment variables with safe defaults instead.
🔒 Proposed fix using environment variables
-serverUserName=admin
-serverPassword=admin
+serverUserName=${SERVER_USERNAME:swagger-user}
+serverPassword=${SERVER_PASSWORD:}
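Review bot: `serverPassword=${SERVER_PASSWORD:}` gives the password an empty-string default, so the application still starts with a blank password whenever the variable is unset; drop the default (`serverPassword=${SERVER_PASSWORD}`) so placeholder resolution fails at startup unless the value is supplied, and keep `serverUserName` as the only one of the two with a non-sensitive default.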
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@src/main/resources/application-swagger.properties`:
- Line 55: The property jwt.secret currently falls back to a hardcoded default
("default-swagger-secret-change-me"), which must be removed; update the
jwt.secret entry (jwt.secret=${JWT_SECRET_KEY}) to eliminate the default
fallback and ensure the application validates at startup (e.g., in your
bootstrap or configuration loader) that JWT_SECRET_KEY is present and non-empty,
failing fast with a clear error if not; reference the jwt.secret property in
application-swagger.properties and add the startup validation in your
configuration/bootstrap code (where you read JWT_SECRET_KEY).
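A worked example of the fail-fast startup check the prompt above calls for. This is added here and is not code from the PR or from the AMRIT MMU-API project; it assumes the properties entry is changed to `jwt.secret=${JWT_SECRET_KEY}` with no default, that tokens are signed with an HMAC algorithm (RFC 7518 requires an HMAC key at least as long as the hash output, 32 bytes for HS256), and the package name and `JwtSecretValidator` class name are my own choices.

```java
package com.iemr.mmu.config; // hypothetical package; the PR keeps its config classes under utils.mapper

import jakarta.annotation.PostConstruct;
import java.nio.charset.StandardCharsets;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;

/**
 * Refuses to start the application when the JWT signing secret is missing,
 * blank, or too short to be safe for HMAC signing.
 *
 * Pairs with a properties entry that carries NO default value:
 *     jwt.secret=${JWT_SECRET_KEY}
 * With no default, Spring already fails on an unresolvable placeholder when the
 * environment variable is absent. This bean additionally rejects an empty or
 * trivially short value, which a shell can still export by accident and which a
 * placeholder default of "" (jwt.secret=${JWT_SECRET_KEY:}) would silently accept.
 */
@Configuration
public class JwtSecretValidator {

    // Assumption for this example: HS256 keys must be at least 256 bits (RFC 7518 §3.2).
    static final int MIN_SECRET_BYTES = 32;

    @Value("${jwt.secret}")
    private String jwtSecret;

    @PostConstruct
    void validateOnStartup() {
        requireStrongSecret(jwtSecret);
    }

    /** Throws IllegalStateException with an operator-readable message instead of booting with a weak key. */
    static void requireStrongSecret(String secret) {
        if (secret == null || secret.isBlank()) {
            throw new IllegalStateException(
                "jwt.secret is empty: export JWT_SECRET_KEY before starting (no default is provided on purpose)");
        }
        int length = secret.getBytes(StandardCharsets.UTF_8).length;
        if (length < MIN_SECRET_BYTES) {
            throw new IllegalStateException(
                "jwt.secret is " + length + " bytes; at least " + MIN_SECRET_BYTES
                + " bytes are required for HMAC signing");
        }
    }
}
```

Because the exception is thrown from `@PostConstruct`, the context fails to refresh and the process exits non-zero, so a CI run under the swagger profile cannot accidentally produce tokens signed with a placeholder key.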
| logging.level.root=INFO | ||
| # Use environment variable for JWT secret | ||
| jwt.secret=${JWT_SECRET_KEY:default-swagger-secret-change-me} |
Do not ship a default JWT secret.
A hardcoded fallback secret enables predictable tokens if the env var isn’t set. Default to empty (or fail fast) so secrets must be supplied via environment/secret manager.
🔐 Proposed fix
-jwt.secret=${JWT_SECRET_KEY:default-swagger-secret-change-me}
+jwt.secret=${JWT_SECRET_KEY:}
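Review bot: `jwt.secret=${JWT_SECRET_KEY:}` swaps one predictable key for another, because the placeholder resolver accepts an empty string and an HMAC computed with an empty key is just as forgeable as one computed with the old default; use `jwt.secret=${JWT_SECRET_KEY}` with no default so Spring refuses to start when the variable is unset, and add the startup check for blank or short values that the agent prompt above describes.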
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@src/main/java/com/iemr/mmu/utils/mapper/SwaggerSecurityConfig.java`:
- Around line 14-19: The SwaggerSecurityConfig currently uses
anyRequest().permitAll() and duplicates `@EnableWebSecurity` with SecurityConfig;
update it to only permit Swagger endpoints (restrict to paths like
/swagger-ui/**, /v3/api-docs/**, /swagger-ui.html) and require authentication
for all other requests by replacing anyRequest().permitAll() with an allowlist
for those Swagger paths and then .anyRequest().authenticated(); also resolve the
duplicate `@EnableWebSecurity` by consolidating config or, minimally, annotate the
two SecurityFilterChain beans with explicit order: add `@Order`(1) to
SwaggerSecurityConfig.securityFilterChain and `@Order`(2) to
SecurityConfig.securityFilterChain so the Swagger allowlist is evaluated first
and the main SecurityConfig applies afterwards.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@src/main/java/com/iemr/mmu/utils/mapper/SecurityConfig.java`:
- Around line 42-45: In SecurityConfig remove "/v3/api-docs/**" from the
requestMatchers(...) permitAll() list so the default (no-@Profile) security
configuration no longer exposes the OpenAPI spec to unauthenticated users; leave
the SwaggerSecurityConfig (swagger profile) as the place that permits API docs
access and ensure SecurityConfig.requestMatchers(...) only contains the intended
public endpoints (e.g., "/user/**").
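The two-chain layout that the SwaggerSecurityConfig comment and the SecurityConfig comment above together describe, as an added example rather than the project's own code. It assumes Spring Security 6.x (the PR targets Spring Boot 3.2.2), a single `@EnableWebSecurity` declaration, and a package and class name of my choosing; `/user/**` is the public endpoint named in the review and the Swagger paths are the ones listed in the earlier comment.

```java
package com.iemr.mmu.config; // hypothetical package; the PR keeps these classes under utils.mapper

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * One configuration class holding both filter chains, so @EnableWebSecurity is
 * declared exactly once and the evaluation order is explicit via @Order.
 */
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    /**
     * Active only under --spring.profiles.active=swagger (the CI profile in this PR).
     * securityMatcher restricts this chain to the OpenAPI endpoints, so permitAll
     * here cannot leak onto business endpoints even though the chain runs first.
     */
    @Bean
    @Order(1)
    @Profile("swagger")
    public SecurityFilterChain swaggerFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html")
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }

    /**
     * Default chain for every profile. Only the intended public endpoints are open;
     * everything else, including /v3/api-docs outside the swagger profile, needs a JWT.
     */
    @Bean
    @Order(2)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless JWT API: no session cookie exists for CSRF to protect.
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/user/**").permitAll()   // public endpoint named in the review
                .anyRequest().authenticated());
        // The project's existing JWT authentication filter would be registered here
        // with http.addFilterBefore(...); it is omitted because its class is not on this page.
        return http.build();
    }
}
```

Running with the swagger profile lets the workflow's `GET /v3/api-docs` poll succeed without credentials, while a deployment that does not enable that profile never registers the first chain, so the OpenAPI spec falls through to `anyRequest().authenticated()` in the second.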
Actionable comments posted: 0
⚠️ Outside diff range comments (1)
src/main/java/com/iemr/mmu/utils/mapper/SecurityConfig.java (1)
11-11: ⚠️ Potential issue | 🟡 Minor. Unused import: CookieCsrfTokenRepository.
CookieCsrfTokenRepository is no longer referenced anywhere in this file since the cookie-based CSRF configuration was removed. This import should be cleaned up.
Proposed fix
-import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
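Review bot: dropping `CookieCsrfTokenRepository` is correct once the cookie-based CSRF repository is gone; since the commit message frames this as CSRF cleanup for a stateless JWT API, also confirm the chain sets `SessionCreationPolicy.STATELESS`, otherwise the server can still issue a session cookie that the now-disabled CSRF protection no longer covers.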
- Move Swagger access to swagger profile for CI automation
- Remove public exposure of /v3/api-docs from default security config
- Clean up CSRF config for stateless JWT API