@ravishanigarapu
Contributor

@ravishanigarapu ravishanigarapu commented Sep 9, 2025

📋 Description

JIRA ID: AMM-1807

Please provide a summary of the change and the motivation behind it. Include relevant context and details.


✅ Type of Change

  • 🐞 Bug fix (non-breaking change which resolves an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 🔥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 🛠 Refactor (change that is neither a fix nor a new feature)
  • ⚙️ Config change (configuration file or build script updates)
  • 📚 Documentation (updates to docs or readme)
  • 🧪 Tests (adding new or updating existing tests)
  • 🎨 UI/UX (changes that affect the user interface)
  • 🚀 Performance (improves performance)
  • 🧹 Chore (miscellaneous changes that don't modify src or test files)

ℹ️ Additional Information

Please describe how the changes were tested, and include any relevant screenshots, logs, or other information that provides additional context.

Summary by CodeRabbit

  • New Features

    • Added endpoint to activate/deactivate user signatures.
    • Employee listings now include signature status and failed attempt count.
  • Bug Fixes

    • Employee-by-designation responses now return proper JSON with only intended fields.
    • File downloads are more reliable with correct filename encoding, accurate content length, and clearer error messages.
    • Supervisor and deleted flags handle nulls more consistently in API responses.

@coderabbitai

coderabbitai bot commented Sep 9, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Replaces stringified responses with Gson JSON in EmployeeMasterController. Adds signature status enrichment in EmployeeMasterServiceImpl. Introduces a POST endpoint to activate/deactivate user signatures and adjusts file download headers in EmployeeSignatureController. Adds transient signatureStatus and persisted failedAttempt to M_User1. Updates M_User getters for null-safety and type alignment.

Changes

Cohort: Employee Signature API & download handling
File(s): src/main/java/com/iemr/admin/controller/employeemaster/EmployeeSignatureController.java, src/main/java/com/iemr/admin/service/employeemaster/EmployeeSignatureService.java, src/main/java/com/iemr/admin/service/employeemaster/EmployeeSignatureServiceImpl.java
Summary: Adds POST /signature1/activateOrdeActivateSignature to toggle signature active/deleted state; implements updateUserSignatureStatus(String) parsing JSON and persisting flag; refactors file download to URL-encode filename, build Content-Disposition manually, and use local byte[] for body/length; improved error logging.

Cohort: Employee Master enrichment & JSON response
File(s): src/main/java/com/iemr/admin/controller/employeemaster/EmployeeMasterController.java, src/main/java/com/iemr/admin/service/employeemaster/EmployeeMasterServiceImpl.java, src/main/java/com/iemr/admin/data/employeemaster/M_User1.java
Summary: Controller now serializes employee lists via Gson including only @Expose fields. Service enriches each user with signatureStatus based on EmployeeSignature isDeleted. Data model adds @Transient @Expose String signatureStatus and @Column(name="failed_attempt", insertable=false) Integer failedAttempt.

Cohort: User model null-safety
File(s): src/main/java/com/iemr/admin/data/user/M_User.java
Summary: Changes isIsSupervisor() return type to Boolean; updates isDeleted() to use Boolean.TRUE.equals(Deleted) for null-safety.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant Controller as EmployeeSignatureController
  participant Service as EmployeeSignatureServiceImpl
  participant Repo as EmployeeSignatureRepo
  Client->>Controller: POST /signature1/activateOrdeActivateSignature (JSON: userID, active)
  Controller->>Service: updateUserSignatureStatus(json)
  Service->>Service: Parse JSON (userID, active)
  Service->>Repo: findOneByUserID(userID)
  Repo-->>Service: EmployeeSignature or null
  Service->>Service: Set isDeleted = !active (if entity exists)
  Service->>Repo: save(entity)
  Repo-->>Service: Updated entity
  Service-->>Controller: EmployeeSignature
  Controller-->>Client: OutputResponse (JSON)
  note over Controller,Service: New/modified flow
sequenceDiagram
  autonumber
  actor Client
  participant Ctl as EmployeeMasterController
  participant Svc as EmployeeMasterServiceImpl
  participant ERepo as EmployeeSignatureRepo
  Client->>Ctl: GET /employee/byDesignation
  Ctl->>Svc: getEmployeeByDesiganationID(...)
  Svc->>Svc: Fetch List<M_User1>
  loop for each user
    Svc->>ERepo: findOneByUserID(user.userID)
    ERepo-->>Svc: EmployeeSignature or null
    Svc->>Svc: Set user.signatureStatus (Active/InActive/null)
  end
  Svc-->>Ctl: List<M_User1>
  Ctl-->>Client: JSON via Gson (@Expose only)
  note over Ctl,Svc: Serialization/enrichment updated

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • helenKaryamsetty
  • drtechie

Pre-merge checks (1 warning, 2 inconclusive)

❌ Failed checks (1 warning, 2 inconclusive)
Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 6.25% which is insufficient. The required threshold is 80.00%.
Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.

Check name: Title Check
Status: ❓ Inconclusive
Explanation: The current title “Feature/signaturerelease” follows a branch naming convention rather than summarizing the primary functionality or change introduced by this pull request, making it generic and not easily understood when scanning PR history. It does not clearly convey the main feature or area of impact.
Resolution: Rename the pull request title to a concise sentence that captures the main change, for example “Add user signature activation endpoint and status enrichment for EmployeeMaster”, to clearly communicate the purpose of the PR.

Check name: Description Check
Status: ❓ Inconclusive
Explanation: The pull request description remains the template placeholder and has not been updated to summarize the actual changes, motivations, or testing performed, so it is too generic to provide meaningful context about this feature.
Resolution: Update the description section with a clear summary of what was changed, why these changes were made (referencing JIRA AMM-1807), the type of change, and how the changes were tested, including any relevant details or examples.

Poem

A nibble of bytes, a hop through the stack,
Signatures flip—Active, InActive—no slack.
Gson hums softly, exposing what's due,
Headers now tidy, encoded and true.
I thump in approval, ears held high—
Reviewed in a blink, then off I fly! 🐇✨


@ravishanigarapu
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Sep 9, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
src/main/java/com/iemr/admin/data/user/M_User.java (1)

86-118: Constructor bug: field never set (shadowed assignment)

userID = userID; assigns the parameter to itself; the field remains default. Set the instance field explicitly.

Apply this diff:

-        userID = userID;
+        this.userID = userID;
src/main/java/com/iemr/admin/data/employeemaster/M_User1.java (1)

89-89: Sensitive data leakage via @Expose

@Expose on Aadhaar, PAN, Password, and AgentPassword will serialize these in API responses (see controller change to Gson with excludeFieldsWithoutExposeAnnotation). Remove or set serialize=false.

Apply this diff:

-   @Expose
+   @Expose(deserialize = true, serialize = false)
    @Column(name="AadhaarNo")
    private String aadhaarNo;

-   @Expose
+   @Expose(deserialize = true, serialize = false)
    @Column(name="PAN")
    private String pAN;

-   @Expose
+   @Expose(deserialize = true, serialize = false)
    @Column(name="Password")
    private String password;

-   @Expose
+   @Expose(deserialize = true, serialize = false)
    @Column(name="AgentPassword")
    private String agentPassword;
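Review bot: On password and agentPassword, deserialize = true (the default, so it can be dropped) keeps both fields settable from any request body that is parsed into M_User1 with an @Expose-aware Gson. If no endpoint needs to bind these two from JSON, remove @Expose from them entirely instead of only switching off serialize; otherwise confirm that inbound binding of credentials is intended.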

If other PII fields must be hidden (e.g., EmailID, ContactNo), extend accordingly.

Also applies to: 92-92, 111-111, 120-120

🧹 Nitpick comments (4)
src/main/java/com/iemr/admin/data/user/M_User.java (1)

266-268: Null-safe wrapper return is fine; consider getter naming

Returning Boolean avoids NPEs. However, isIsSupervisor() is awkward for a wrapper; consider getIsSupervisor() or isSupervisor() for bean-compatibility.

src/main/java/com/iemr/admin/data/employeemaster/M_User1.java (1)

205-208: signatureStatus as String invites drift; prefer enum or boolean

Avoid magic strings ("Active"/"InActive"). Use an enum like SignatureStatus { ACTIVE, INACTIVE } or a Boolean signatureActive to make states type-safe and consistent.

src/main/java/com/iemr/admin/service/employeemaster/EmployeeSignatureService.java (1)

32-33: Document input contract or accept a typed DTO

Method takes raw JSON String. Add Javadoc describing expected schema ({"userID": long, "active": boolean}) or switch to a small DTO for validation.

Would you like a small ActivateSignatureRequest DTO and interface update?

src/main/java/com/iemr/admin/service/employeemaster/EmployeeMasterServiceImpl.java (1)

1094-1109: Avoid N+1 queries and harden null checks

  • Current loop does one query per user. Batch-fetch signatures by user IDs and map by userID.
  • Use null-safe deleted check to avoid NPEs on legacy rows.

Apply this minimal safety tweak:

-            if (null != signature) {
-                if (signature.getDeleted()) {
+            if (signature != null) {
+                if (Boolean.TRUE.equals(signature.getDeleted())) {
                     user.setSignatureStatus("InActive");
                 } else {
                     user.setSignatureStatus("Active");
                 }
             } else {
                 user.setSignatureStatus(null);
             }
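Review bot: With Boolean.TRUE.equals(signature.getDeleted()), a row whose deleted flag is null falls into the else branch and is reported as "Active". If a null flag on legacy rows should not count as an active signature, handle that case explicitly, for example by setting the status to null as the outer else already does.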

Optional batching sketch (repo needs findByUserIDIn):

List<Integer> ids = getEmpByDesiganation.stream().map(M_User1::getUserID).toList();
Map<Integer, EmployeeSignature> byUser = employeeSignatureRepo.findByUserIDIn(ids)
    .stream().collect(Collectors.toMap(es -> es.getUserID().intValue(), es -> es));
for (M_User1 user : getEmpByDesiganation) { /* read from byUser */ }
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4e3a304 and 838d3db.

📒 Files selected for processing (7)
  • src/main/java/com/iemr/admin/controller/employeemaster/EmployeeMasterController.java (2 hunks)
  • src/main/java/com/iemr/admin/controller/employeemaster/EmployeeSignatureController.java (4 hunks)
  • src/main/java/com/iemr/admin/data/employeemaster/M_User1.java (1 hunks)
  • src/main/java/com/iemr/admin/data/user/M_User.java (2 hunks)
  • src/main/java/com/iemr/admin/service/employeemaster/EmployeeMasterServiceImpl.java (4 hunks)
  • src/main/java/com/iemr/admin/service/employeemaster/EmployeeSignatureService.java (1 hunks)
  • src/main/java/com/iemr/admin/service/employeemaster/EmployeeSignatureServiceImpl.java (2 hunks)
🔇 Additional comments (5)
src/main/java/com/iemr/admin/data/user/M_User.java (1)

274-276: Good null-safe deleted flag

Boolean.TRUE.equals(Deleted) avoids NPE; this is correct.

src/main/java/com/iemr/admin/data/employeemaster/M_User1.java (1)

212-218: Accessors look fine

Getters/setters align with the new transient field.

src/main/java/com/iemr/admin/service/employeemaster/EmployeeMasterServiceImpl.java (1)

195-197: Repo wiring LGTM

Autowiring EmployeeSignatureRepo is consistent with usage below.

src/main/java/com/iemr/admin/controller/employeemaster/EmployeeSignatureController.java (2)

104-107: Sensible media type fallback

Fallback to APPLICATION_OCTET_STREAM on parse errors is appropriate.


109-116: Byte-streaming change LGTM

Using the raw byte[] with accurate contentLength is correct.

Comment on lines 1053 to 1057
Gson gson = new GsonBuilder()
.excludeFieldsWithoutExposeAnnotation() // Only serialize fields with @Expose
.create();
String json = gson.toJson(employeeBydesiganation);
response.setResponse(json);

⚠️ Potential issue

PII/credential exposure risk in JSON serialization

Using GsonBuilder().excludeFieldsWithoutExposeAnnotation() will serialize all @Expose fields in M_User1, including password, agentPassword, aadhaarNo, pAN (currently annotated). This will leak sensitive data in API responses.

Two safe options:

  • Remove/mark @Expose(serialize = false) on sensitive fields (preferred; see proposed diffs in M_User1).
  • Or locally exclude known-sensitive fields here:
-            Gson gson = new GsonBuilder()
-                    .excludeFieldsWithoutExposeAnnotation()
-                    .create();
+            Gson gson = new GsonBuilder()
+                    .excludeFieldsWithoutExposeAnnotation()
+                    .addSerializationExclusionStrategy(new com.google.gson.ExclusionStrategy() {
+                        public boolean shouldSkipField(com.google.gson.FieldAttributes f) {
+                            String n = f.getName();
+                            return "password".equals(n)
+                                   || "agentPassword".equals(n)
+                                   || "aadhaarNo".equals(n)
+                                   || "pAN".equals(n);
+                        }
+                        public boolean shouldSkipClass(Class<?> c) { return false; }
+                    })
+                    .create();
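Review bot: The name list in shouldSkipField is a deny list that matches exactly four field names, so a sensitive field added later with @Expose is serialized again, and a rename of pAN or aadhaarNo silently disables the match. Fix the annotations on the model as the primary change and keep this strategy, if at all, as a second layer; both methods should also carry @Override.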
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Gson gson = new GsonBuilder()
.excludeFieldsWithoutExposeAnnotation() // Only serialize fields with @Expose
.create();
String json = gson.toJson(employeeBydesiganation);
response.setResponse(json);
Gson gson = new GsonBuilder()
.excludeFieldsWithoutExposeAnnotation() // Only serialize fields with @Expose
.addSerializationExclusionStrategy(new com.google.gson.ExclusionStrategy() {
@Override
public boolean shouldSkipField(com.google.gson.FieldAttributes f) {
String n = f.getName();
return "password".equals(n)
|| "agentPassword".equals(n)
|| "aadhaarNo".equals(n)
|| "pAN".equals(n);
}
@Override
public boolean shouldSkipClass(Class<?> c) {
return false;
}
})
.create();
String json = gson.toJson(employeeBydesiganation);
response.setResponse(json);
🤖 Prompt for AI Agents
In
src/main/java/com/iemr/admin/controller/employeemaster/EmployeeMasterController.java
around lines 1053-1057, the code uses
GsonBuilder().excludeFieldsWithoutExposeAnnotation() which will still serialize
any @Expose fields (including sensitive ones like password, agentPassword,
aadhaarNo, pAN) and leak PII; fix by either 1) updating the M_User1 model to
mark sensitive fields with @Expose(serialize = false) (preferred) so they are
never serialized, or 2) alter this controller to create a Gson instance with an
ExclusionStrategy (or use GsonBuilder().addSerializationExclusionStrategy(...))
that explicitly excludes those sensitive field names/types before calling
toJson; apply the change consistently and run related API tests to confirm
sensitive fields are omitted from responses.
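
The leak described in this comment, reproduced outside the project as an added example (not code from the PR or from CodeRabbit). UserBefore and UserAfter are constructed stand-ins for M_User1 with made-up values, and Gson must be on the classpath; the last step also shows that serialize = false alone still lets inbound JSON set the field.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.gson.annotations.Expose;

import java.util.Set;
import java.util.TreeSet;

public class ExposeLeakCheck {

    // Constructed stand-in for the annotation pattern flagged in M_User1.
    static class UserBefore {
        @Expose Integer userID = 42;
        @Expose String userName = "demo.user";
        @Expose String password = "constructed-secret";
        @Expose String aadhaarNo = "0000-0000-0000";
        String internalNote = "no @Expose, never serialized";
    }

    // Same fields with the annotation change the review proposes.
    static class UserAfter {
        @Expose Integer userID = 42;
        @Expose String userName = "demo.user";
        @Expose(serialize = false) String password = "constructed-secret";
        @Expose(serialize = false) String aadhaarNo = "0000-0000-0000";
        String internalNote = "no @Expose, never serialized";
    }

    // Field names the review lists as sensitive.
    static final Set<String> SENSITIVE =
            Set.of("password", "agentPassword", "aadhaarNo", "pAN");

    // Same Gson configuration as the controller change in the PR.
    static final Gson GSON =
            new GsonBuilder().excludeFieldsWithoutExposeAnnotation().create();

    /** Returns the sensitive keys that actually appear in the serialized form of obj. */
    static Set<String> leakedKeys(Object obj) {
        JsonObject json = JsonParser.parseString(GSON.toJson(obj)).getAsJsonObject();
        Set<String> leaked = new TreeSet<>(json.keySet());
        leaked.retainAll(SENSITIVE);
        return leaked;
    }

    public static void main(String[] args) {
        System.out.println("before: " + GSON.toJson(new UserBefore()));
        System.out.println("leaked: " + leakedKeys(new UserBefore()));
        System.out.println("after:  " + GSON.toJson(new UserAfter()));
        System.out.println("leaked: " + leakedKeys(new UserAfter()));

        // Regression guard: fail if a sensitive key reaches the response body.
        if (!leakedKeys(new UserAfter()).isEmpty()) {
            throw new AssertionError("sensitive field serialized");
        }

        // serialize = false leaves deserialize at its default (true):
        // a request body can still populate the field on this class.
        UserAfter parsed = GSON.fromJson(
                "{\"userID\":7,\"password\":\"from-request\"}", UserAfter.class);
        System.out.println("password bound from inbound JSON: " + parsed.password);
    }
}
```

A check like leakedKeys can run as a unit test against the real entity so that a newly added @Expose on a sensitive field fails the build.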

Comment on lines 97 to 101
String fileName = URLEncoder.encode(userSignID.getFileName(), StandardCharsets.UTF_8);

responseHeaders.set(HttpHeaders.CONTENT_DISPOSITION,
"attachment; filename=\"" + fileName + "\"; filename*=UTF-8''" + fileName);


🛠️ Refactor suggestion

Use RFC-5987-safe filename; avoid URLEncoder in headers

URLEncoder produces + for spaces (form encoding), which is invalid for filename*. Use ContentDisposition builder with charset to set both safely.

Apply this diff:

-            String fileName = URLEncoder.encode(userSignID.getFileName(), StandardCharsets.UTF_8);
-
-            responseHeaders.set(HttpHeaders.CONTENT_DISPOSITION,
-                "attachment; filename=\"" + fileName + "\"; filename*=UTF-8''" + fileName);
+            ContentDisposition cd = ContentDisposition.attachment()
+                    .filename(userSignID.getFileName(), StandardCharsets.UTF_8)
+                    .build();
+            responseHeaders.setContentDisposition(cd);

Also handle userSignID == null by returning 404.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In
src/main/java/com/iemr/admin/controller/employeemaster/EmployeeSignatureController.java
around lines 97 to 101, replace the URLEncoder-based header construction and add
a null check: first, if userSignID == null return
ResponseEntity.status(HttpStatus.NOT_FOUND).build(); otherwise build a
ContentDisposition via
ContentDisposition.attachment().filename(userSignID.getFileName(),
StandardCharsets.UTF_8).build() and set it on
responseHeaders.setContentDisposition(contentDisposition) (or
responseHeaders.set(HttpHeaders.CONTENT_DISPOSITION,
contentDisposition.toString())); remove URLEncoder usage so filename* is
RFC-5987-safe and both plain and encoded filename forms are handled by the
ContentDisposition builder.
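
The encoding difference behind this comment, as an added example that uses only the JDK (not code from the PR or from CodeRabbit). The sample file names are constructed, and the hand-written RFC 5987 encoder is here only to make the difference visible without Spring; in the project, the ContentDisposition builder suggested above is the place to get this encoding.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class FilenameHeaderDemo {

    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    // RFC 5987 attr-char: ALPHA / DIGIT / "!" "#" "$" "&" "+" "-" "." "^" "_" "`" "|" "~"
    static boolean isAttrChar(int c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                || "!#$&+-.^_`|~".indexOf(c) >= 0;
    }

    /** Percent-encodes every UTF-8 byte that is not an attr-char (space becomes %20). */
    static String rfc5987Encode(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            if (isAttrChar(c)) {
                out.append((char) c);
            } else {
                out.append('%').append(HEX[c >> 4]).append(HEX[c & 0xF]);
            }
        }
        return out.toString();
    }

    /** ASCII fallback for the quoted filename parameter: no quotes, backslashes,
     *  control characters or non-ASCII characters reach the header. */
    static String asciiFallback(String value) {
        StringBuilder out = new StringBuilder();
        for (char ch : value.toCharArray()) {
            boolean safe = ch >= 0x20 && ch < 0x7F && ch != '"' && ch != '\\';
            out.append(safe ? ch : '_');
        }
        return out.toString();
    }

    /** Header value with a plain fallback plus the RFC 5987 extended parameter. */
    static String contentDisposition(String fileName) {
        return "attachment; filename=\"" + asciiFallback(fileName)
                + "\"; filename*=UTF-8''" + rfc5987Encode(fileName);
    }

    /** The construction used in the PR, kept for comparison. */
    static String prHeader(String fileName) {
        String enc = URLEncoder.encode(fileName, StandardCharsets.UTF_8);
        return "attachment; filename=\"" + enc + "\"; filename*=UTF-8''" + enc;
    }

    public static void main(String[] args) {
        // Constructed sample names: a space, a literal plus sign, non-ASCII text.
        String[] samples = { "ravi signature.png", "a+b report.png", "हस्ताक्षर.png" };
        for (String name : samples) {
            System.out.println("name    : " + name);
            // URLEncoder is form encoding: space becomes '+', which RFC 5987 treats
            // as a literal plus, so the client saves a different name.
            System.out.println("PR      : " + prHeader(name));
            System.out.println("RFC 5987: " + contentDisposition(name));
            System.out.println();
        }
    }
}
```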

Comment on lines 146 to 159
@Operation(summary = "Active or DeActive user Signature")
@RequestMapping(value = "/activateOrdeActivateSignature", method = { RequestMethod.POST }, produces = {
"application/json" })
public String ActivateUser(@RequestBody String activateUser, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
EmployeeSignature empSignature = employeeSignatureServiceImpl.updateUserSignatureStatus(activateUser);
response.setResponse(empSignature.toString());
} catch (Exception e) {
logger.error("Active or Deactivate User Signature failed with exception " + e.getMessage(), e);
response.setError(e);
}
return response.toString();
}

⚠️ Potential issue

Auth missing and overexposing response

  • Endpoint lacks headers = "Authorization" while other endpoints require it. This allows unauthenticated status toggles.
  • Returning full EmployeeSignature (potentially including BLOB) is heavy and may leak data. Return a minimal DTO.

Apply this diff:

-    @RequestMapping(value = "/activateOrdeActivateSignature", method = { RequestMethod.POST }, produces = {
-            "application/json" })
+    @RequestMapping(value = "/activateOrdeActivateSignature", headers = "Authorization",
+            method = { RequestMethod.POST }, produces = { "application/json" })
     public String ActivateUser(@RequestBody String activateUser, HttpServletRequest request) {
         OutputResponse response = new OutputResponse();
         try {
-            EmployeeSignature empSignature = employeeSignatureServiceImpl.updateUserSignatureStatus(activateUser);
-            response.setResponse(empSignature.toString());
+            EmployeeSignature empSignature = employeeSignatureServiceImpl.updateUserSignatureStatus(activateUser);
+            boolean active = empSignature.getDeleted() == null ? false : !empSignature.getDeleted();
+            response.setResponse("{\"userID\":" + empSignature.getUserID() + ",\"active\":" + active + "}");
         } catch (Exception e) {
             logger.error("Active or Deactivate User Signature failed with exception " + e.getMessage(), e);
             response.setError(e);
         }
         return response.toString();
     }
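Review bot: headers = "Authorization" in the added mapping line only requires the header to be present; nothing in these lines checks its value, so token validation, and the decision about which caller may toggle the signature of the userID sent in the request body, has to be enforced by a filter or interceptor that covers this path. In the same hunk, empSignature.getDeleted() and empSignature.getUserID() are called without a null check on empSignature, so a null return from the service ends up in the generic catch block.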
📝 Committable suggestion


Suggested change
@Operation(summary = "Active or DeActive user Signature")
@RequestMapping(value = "/activateOrdeActivateSignature", method = { RequestMethod.POST }, produces = {
"application/json" })
public String ActivateUser(@RequestBody String activateUser, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
EmployeeSignature empSignature = employeeSignatureServiceImpl.updateUserSignatureStatus(activateUser);
response.setResponse(empSignature.toString());
} catch (Exception e) {
logger.error("Active or Deactivate User Signature failed with exception " + e.getMessage(), e);
response.setError(e);
}
return response.toString();
}
@Operation(summary = "Active or DeActive user Signature")
@RequestMapping(
value = "/activateOrdeActivateSignature",
headers = "Authorization",
method = { RequestMethod.POST },
produces = { "application/json" }
)
public String ActivateUser(@RequestBody String activateUser, HttpServletRequest request) {
OutputResponse response = new OutputResponse();
try {
EmployeeSignature empSignature =
employeeSignatureServiceImpl.updateUserSignatureStatus(activateUser);
boolean active =
empSignature.getDeleted() == null
? false
: !empSignature.getDeleted();
response.setResponse(
"{\"userID\":"
empSignature.getUserID()
",\"active\":"
active
"}"
);
} catch (Exception e) {
logger.error(
"Active or Deactivate User Signature failed with exception " + e.getMessage(),
e
);
response.setError(e);
}
return response.toString();
}

Comment on lines 71 to 84
@Override
public EmployeeSignature updateUserSignatureStatus(String activateUser) {
JSONObject obj = new JSONObject(activateUser);
Long userID = obj.getLong("userID");
//String role = obj.getString("role");
boolean active = obj.getBoolean("active");
EmployeeSignature signature = employeeSignatureRepo.findOneByUserID(userID);
if (active) {
signature.setDeleted(false);
} else {
signature.setDeleted(true);
}
return employeeSignatureRepo.save(signature);
}

⚠️ Potential issue

NPE when signature record is absent; add not-found handling

findOneByUserID may return null; subsequent setDeleted will NPE. Validate existence and fail fast (or upsert), and simplify flag toggle.

Apply this diff:

-    EmployeeSignature signature = employeeSignatureRepo.findOneByUserID(userID);
-    if (active) {
-        signature.setDeleted(false);
-    } else {
-        signature.setDeleted(true);
-    }
-    return employeeSignatureRepo.save(signature);
+    EmployeeSignature signature = employeeSignatureRepo.findOneByUserID(userID);
+    if (signature == null) {
+        throw new IllegalArgumentException("No signature found for userID: " + userID);
+    }
+    signature.setDeleted(!active);
+    return employeeSignatureRepo.save(signature);
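Review bot: The IllegalArgumentException added for a missing record is caught by the controller's catch (Exception e) together with JSON parsing failures from new JSONObject(activateUser), so a caller cannot tell "no signature for this user" from "malformed request". Throw a dedicated not-found exception here and map it to its own response in the controller.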

Optional: accept a DTO and validate schema; consider auditing modifiedBy.

📝 Committable suggestion


Suggested change
@Override
public EmployeeSignature updateUserSignatureStatus(String activateUser) {
JSONObject obj = new JSONObject(activateUser);
Long userID = obj.getLong("userID");
//String role = obj.getString("role");
boolean active = obj.getBoolean("active");
EmployeeSignature signature = employeeSignatureRepo.findOneByUserID(userID);
if (active) {
signature.setDeleted(false);
} else {
signature.setDeleted(true);
}
return employeeSignatureRepo.save(signature);
}
@Override
public EmployeeSignature updateUserSignatureStatus(String activateUser) {
JSONObject obj = new JSONObject(activateUser);
Long userID = obj.getLong("userID");
//String role = obj.getString("role");
boolean active = obj.getBoolean("active");
EmployeeSignature signature = employeeSignatureRepo.findOneByUserID(userID);
if (signature == null) {
throw new IllegalArgumentException("No signature found for userID: " + userID);
}
signature.setDeleted(!active);
return employeeSignatureRepo.save(signature);
}
🤖 Prompt for AI Agents
In
src/main/java/com/iemr/admin/service/employeemaster/EmployeeSignatureServiceImpl.java
around lines 71 to 84, the code assumes
employeeSignatureRepo.findOneByUserID(userID) always returns a non-null
EmployeeSignature which causes an NPE when no record exists; modify the method
to check the repository result before using it and handle the not-found case
(either throw a clear exception like EntityNotFoundException with a helpful
message or create a new EmployeeSignature for an upsert), replace the redundant
if/else with a single setDeleted(!active) call, and then save and return the
entity; also validate the incoming JSON fields (userID and active) before use
and consider setting modifiedBy/modifiedAt if audit fields exist.

@sonarqubecloud

sonarqubecloud bot commented Sep 9, 2025

@ravishanigarapu ravishanigarapu merged commit 875e40a into release-3.6.0 Sep 10, 2025
2 checks passed
snehar-nd pushed a commit that referenced this pull request Sep 25, 2025
snehar-nd pushed a commit that referenced this pull request Sep 25, 2025
snehar-nd added a commit that referenced this pull request Sep 25, 2025
snehar-nd added a commit that referenced this pull request Sep 26, 2025
* Compile error resolved

* fix: cherry pic the #101 pr

* fix: cherry pic the #101 pr

* Main branch changes missed

* fix: cherry pic the #103 pr

* fix: cherry pic the #104 pr

* fix: cherry pic the #104 pr

* fix: cherry pick the #104 pr

* fix code rabbit comments

---------

Co-authored-by: Ravi Shanigarapu <ravi.shanigarapu@wipro.com>
@coderabbitai coderabbitai bot mentioned this pull request Oct 30, 2025
10 tasks