fix(download-service): Update usage of accesstoken in jwt strategy and download service controllers #16216

Merged (9 commits) Oct 2, 2024

Conversation

@snaerseljan snaerseljan commented Sep 30, 2024

Fix download service token usage

What

Instead of including the accessToken in the POST request body for the download-service controllers, we now extract it via the JWT strategy. The strategy pulls the token from the request headers and provides it through the authorization field in the user context.

Why

Preparation for BFF since no tokens will be exposed in the client.

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • Formatting passes locally with my changes
  • I have rebased against main before asking for a review

Summary by CodeRabbit

  • New Features

    • Simplified authorization process across multiple document retrieval methods by removing the need for access token parameters.
  • Bug Fixes

    • Improved response header formatting for clarity and consistency in document retrieval responses.
  • Chores

    • Removed several DTO classes related to access token validation for various document types, streamlining the overall structure.

These changes enhance user experience by simplifying access to documents while maintaining functionality.

…available in body. Also updated all controllers in download service to get the access token from the user context instead
@snaerseljan snaerseljan requested review from a team as code owners September 30, 2024 15:06

coderabbitai bot commented Sep 30, 2024

Walkthrough

The changes involve the removal of multiple data transfer objects (DTOs) that contained an __accessToken property used for authorization. Correspondingly, several controller methods have been updated to eliminate the need for these DTOs, simplifying their signatures by directly utilizing the user parameter for authorization. Additionally, minor adjustments have been made to response headers across various controllers, ensuring consistency in their formatting.

Changes

File Path Change Summary
apps/download-service/src/app/modules/documents/... Removed GetDocumentDto class; updated getPdf method to simplify authorization by removing the resource parameter.
apps/download-service/src/app/modules/education-documents/... Removed GetEducationGraduationDocumentDto class; updated getEducationGraduationPDF method to simplify authorization by removing the resource parameter.
apps/download-service/src/app/modules/finance-documents/... Removed GetFinanceDocumentDto class; updated getFinancePdf method to simplify authorization by removing the resource parameter.
apps/download-service/src/app/modules/health/payment-overview-documents... Removed GetGetHealthPaymentDocumentDto class; updated getHealthPaymentOverviewPdf method to simplify authorization by removing the resource parameter.
apps/download-service/src/app/modules/regulation-documents/... Removed GetRegulationDraftDocumentDto class; updated getDraftRegulationPdf method to simplify authorization by removing the resource parameter.
apps/download-service/src/app/modules/vehicles-documents/... Removed GetVehicleHistoryDocumentDto class; updated getVehicleHistoryPdf and getVehicleOwnership methods to simplify authorization by removing the resource parameter.
apps/download-service/src/app/modules/work-machines-documents/... Removed GetWorkMachineCollectionDocumentDto class; updated getWorkMachinesCollection method to simplify authorization by removing the resource parameter.

Possibly related PRs

  • fix(AOSH): Fixing a few minor bugs on AOSH applications #14898: The EducationController and DocumentController both modified their method signatures to remove unnecessary parameters, similar to the changes made in the DocumentController in the main PR.
  • feat(j-s): Subpoena PDF #16098: The addition of the getSubpoenaPdf method in the LimitedAccessFileController reflects a similar pattern of modifying controller methods to enhance functionality based on user context, akin to the changes in the DocumentController.
  • fix(bulk-vehicle-mileage): Fixes #16210: The changes in the MileageDetails model to make fields optional reflect a similar trend of simplifying data structures, akin to the removal of the GetDocumentDto in the main PR.

Suggested reviewers

  • unakb
  • oddsson
  • jonnigs

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (7)
apps/download-service/src/app/modules/finance-documents/document.controller.ts (1)

69-71: LGTM with a minor suggestion: Response header updates

The changes to the response headers maintain the same functional intent while using a more modern and consistent formatting. This is a good improvement.

Consider combining the Cache-Control headers for even cleaner code:

-      res.header('Cache-Control', 'no-cache')
-      res.header('Cache-Control', 'nmax-age=0')
+      res.header('Cache-Control', 'no-cache, max-age=0')
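Review bot: the removed line `res.header('Cache-Control', 'nmax-age=0')` carries a typo (`nmax-age`), and because Express's `res.header()` replaces an existing header of the same name rather than appending to it, the response was previously sent with that single invalid directive and no `no-cache` at all; the combined `'no-cache, max-age=0'` is therefore a functional fix, not a style tweak, and the same pair in the payment-overview and education controllers should be corrected the same way.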
apps/download-service/src/app/modules/health/payment-overview-documents.controller.ts (1)

38-38: Response handling improvements with a minor suggestion

The changes in response handling are good:

  1. The updated AuthMiddleware usage aligns with the new authorization approach.
  2. The addition of 'Content-Type', 'Pragma', and 'Cache-Control' headers improves the response handling.

However, there's a minor redundancy in the 'Cache-Control' header setting.

Consider combining the 'Cache-Control' headers into a single line for clarity:

-      res.header('Cache-Control', 'no-cache')
-      res.header('Cache-Control', 'nmax-age=0')
+      res.header('Cache-Control', 'no-cache, max-age=0')

Also applies to: 65-68

libs/auth-nest-tools/src/lib/jwt.strategy.ts (1)

49-54: Approve changes with a minor suggestion for clarity

The changes effectively implement the new token handling mechanism, aligning with the PR objectives and preparing for the BFF architecture. The prioritization of the token from headers enhances security.

Consider adding a brief comment explaining the prioritization logic for better clarity:

// Prioritize token from headers, fallback to body for backward compatibility
const authorization =
  request.headers.authorization ||
  (bodyAuthorization && `Bearer ${bodyAuthorization}`) ||
  ''
apps/download-service/src/app/modules/education-documents/education-document.controller.ts (1)

75-78: LGTM: Response headers updated for consistency

The changes to the response headers improve consistency and readability. The Content-Type header is now set using the same method as other headers, which is good.

Consider combining the two Cache-Control headers for efficiency:

-      res.header('Cache-Control', 'no-cache')
-      res.header('Cache-Control', 'nmax-age=0')
+      res.header('Cache-Control', 'no-cache, max-age=0')

This change would reduce the number of header operations while maintaining the same caching behavior.

apps/download-service/src/app/modules/regulation-documents/regulation-documents.controller.ts (1)

81-81: Cache-Control header syntax corrected

The update to the 'Cache-Control' header syntax is correct and important for ensuring proper caching behavior.

For improved clarity and to future-proof the header, consider using a more specific directive:

-      res.header('Cache-Control', 'no-cache')
+      res.header('Cache-Control', 'no-store, must-revalidate')
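Review bot: `must-revalidate` only governs how a cache may reuse a stale stored copy, so paired with `no-store`, which forbids storing any copy, it has no effect, and the statement that the response "must be revalidated with the server on each request" does not describe `no-store`. For PDFs containing personal records `no-store` on its own is the meaningful choice; if the intent is instead to permit a cached copy that must always be rechecked with the server, the existing `no-cache` already does that.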

This ensures that the response is not stored in any cache and must be revalidated with the server on each request.

apps/download-service/src/app/modules/vehicles-documents/vehicle-document.controller.ts (2)

Line range hint 38-55: LGTM: Authentication flow updated and response headers improved

The changes in the getVehicleHistoryPdf method successfully implement the new authentication flow, aligning with the PR objectives. The removal of the resource parameter and direct use of the user object with AuthMiddleware enhance security by not exposing tokens to the client side.

The response header updates improve consistency and security. However, there's a minor formatting issue in one header.

Consider updating the Content-Type header to use the same format as other headers:

-      res.header('Content-Type: application/pdf')
+      res.header('Content-Type', 'application/pdf')
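Review bot: the removed single-argument call `res.header('Content-Type: application/pdf')` never set a Content-Type header: Express treats a lone argument to `res.header()`/`res.set()` as an object of header fields and iterates its keys, so a string is walked character by character and no `Content-Type` is emitted. The two-argument form is a functional fix rather than a formatting one and merits a test asserting the header on the PDF response.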

Line range hint 1-102: Excellent implementation of new authentication flow and security improvements

The changes in this file successfully implement the new authentication flow, aligning perfectly with the PR objectives. Key improvements include:

  1. Removal of the resource parameter, enhancing security by not exposing tokens to the client side.
  2. Direct use of the user object with AuthMiddleware, simplifying the authentication process.
  3. Consistent formatting of response headers across both methods.
  4. Effective use of TypeScript for improved type safety.

The overall structure adheres to NextJS best practices for API routes, and the code remains well-organized and maintainable. These changes contribute significantly to preparing for the Backend for Frontend (BFF) architecture and enhancing overall security.

Consider documenting these changes in the project's architecture documentation to ensure that other developers understand the new authentication flow and its implications for the BFF architecture.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 50e0899 and 5d79592.

📒 Files selected for processing (13)
  • apps/download-service/src/app/modules/education-documents/dto/getEducationGraduationDocument.ts (0 hunks)
  • apps/download-service/src/app/modules/education-documents/education-document.controller.ts (2 hunks)
  • apps/download-service/src/app/modules/finance-documents/document.controller.ts (3 hunks)
  • apps/download-service/src/app/modules/finance-documents/dto/getFinanceDocument.dto.ts (1 hunks)
  • apps/download-service/src/app/modules/health/dto/getHealthPaymentDocument.dto.ts (0 hunks)
  • apps/download-service/src/app/modules/health/payment-overview-documents.controller.ts (3 hunks)
  • apps/download-service/src/app/modules/regulation-documents/dto/getRegulationDraftDocument.dto.ts (0 hunks)
  • apps/download-service/src/app/modules/regulation-documents/regulation-documents.controller.ts (3 hunks)
  • apps/download-service/src/app/modules/vehicles-documents/dto/getVehicleHistoryDocument.dto.ts (0 hunks)
  • apps/download-service/src/app/modules/vehicles-documents/vehicle-document.controller.ts (4 hunks)
  • apps/download-service/src/app/modules/work-machines-documents/dto/getWorkMachineCollectionDocument.dto.ts (0 hunks)
  • apps/download-service/src/app/modules/work-machines-documents/work-machines-documents.controller.ts (3 hunks)
  • libs/auth-nest-tools/src/lib/jwt.strategy.ts (1 hunks)
💤 Files with no reviewable changes (5)
  • apps/download-service/src/app/modules/education-documents/dto/getEducationGraduationDocument.ts
  • apps/download-service/src/app/modules/health/dto/getHealthPaymentDocument.dto.ts
  • apps/download-service/src/app/modules/regulation-documents/dto/getRegulationDraftDocument.dto.ts
  • apps/download-service/src/app/modules/vehicles-documents/dto/getVehicleHistoryDocument.dto.ts
  • apps/download-service/src/app/modules/work-machines-documents/dto/getWorkMachineCollectionDocument.dto.ts
🧰 Additional context used
📓 Path-based instructions (8)
apps/download-service/src/app/modules/education-documents/education-document.controller.ts (1)
apps/download-service/src/app/modules/finance-documents/document.controller.ts (1)
apps/download-service/src/app/modules/finance-documents/dto/getFinanceDocument.dto.ts (1)
apps/download-service/src/app/modules/health/payment-overview-documents.controller.ts (1)
apps/download-service/src/app/modules/regulation-documents/regulation-documents.controller.ts (1)
apps/download-service/src/app/modules/vehicles-documents/vehicle-document.controller.ts (1)
apps/download-service/src/app/modules/work-machines-documents/work-machines-documents.controller.ts (1)

Pattern apps/**/* (applies to each of the seven files above): "Confirm that the code adheres to the following:

  • NextJS best practices, including file structure, API routes, and static generation methods.
  • Efficient state management and server-side rendering techniques.
  • Optimal use of TypeScript for component and utility type safety."
libs/auth-nest-tools/src/lib/jwt.strategy.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
🔇 Additional comments (22)
apps/download-service/src/app/modules/finance-documents/dto/getFinanceDocument.dto.ts (2)

1-2: LGTM: Import statements are correct and concise.

The import statements are appropriate for the decorators used in the class. They follow a good practice of importing only what's necessary.


Line range hint 4-9: LGTM: DTO simplification aligns with PR objectives.

The removal of the __accessToken property from GetFinanceDocumentDto aligns well with the PR objectives to prepare for the BFF architecture and enhance security. The remaining annualDoc property is correctly decorated and typed.

To ensure consistency across the codebase, please verify that all controllers using this DTO have been updated accordingly. Run the following script to check for any remaining references to __accessToken:

apps/download-service/src/app/modules/work-machines-documents/work-machines-documents.controller.ts (4)

1-1: LGTM: Improved type import for User

The change to import User as a type is a good TypeScript practice. It ensures that the import is used only for type checking and not at runtime, which can lead to better performance and clearer code intentions.


31-35: LGTM: Improved method signature and security

The removal of the resource parameter from the method signature is a positive change. It aligns with the PR objectives of not exposing tokens in the request body and simplifies the method interface. The direct use of the user parameter for authentication enhances security by relying on the authenticated user information provided by the @CurrentUser() decorator.


58-60: Minor improvement: Response header formatting

The changes to the response headers improve the formatting consistency. The removal of colons in the header names is correct, as the header method expects separate name and value parameters.


Line range hint 1-64: LGTM: Good TypeScript usage and compatibility with NextJS

The code demonstrates good use of TypeScript, with proper type annotations and imports. While this is a NestJS controller, its structure and practices are compatible with NextJS API routes. The use of decorators for route and parameter handling, along with proper typing of request and response objects, aligns well with both NestJS and NextJS best practices for API development.

apps/download-service/src/app/modules/finance-documents/document.controller.ts (4)

1-9: LGTM: Enhanced type safety and security

The changes to the import statements and the addition of the IdsUserGuard and ScopesGuard align well with the PR objectives. The specific API scopes in the @Scopes decorator improve the security model by clearly defining the required permissions for accessing finance-related endpoints.

Also applies to: 25-26


48-55: LGTM: Simplified authorization logic

The changes in the financeService method calls align perfectly with the PR objectives. By directly passing the user object instead of creating a separate authUser object, the code becomes cleaner and more straightforward. This change effectively updates the usage of access tokens as intended.


Line range hint 1-77: Overall assessment: Well-implemented changes

The modifications in this file successfully address the PR objectives by updating the usage of access tokens and preparing for the Backend for Frontend (BFF) architecture. The changes enhance security, improve code clarity, and maintain backwards compatibility. The use of TypeScript for type safety and adherence to NextJS best practices is commendable.

A few minor suggestions have been made, but overall, the implementation is solid and ready for the next steps in the development process.


Line range hint 41-47: Verify internal logic changes

While the method signature remains unchanged, which is good for maintaining backwards compatibility, the AI summary indicates that there have been internal logic changes. Let's verify these changes to ensure they align with the PR objectives.

apps/download-service/src/app/modules/health/payment-overview-documents.controller.ts (3)

9-14: Import changes look good

The changes in imports align well with the PR objectives. The addition of ApiScope and AuditService supports enhanced security and auditing. The removal of Body import is consistent with the updated method signature.


33-37: Method signature update aligns with PR objectives

The removal of the @Body() resource: GetGetHealthPaymentDocumentDto parameter from the getHealthPaymentOverviewPdf method signature is a positive change. It aligns with the PR objectives of extracting the access token using JWT strategy instead of including it in the request body, enhancing security by not exposing tokens to the client side.


Line range hint 1-72: Good TypeScript usage, but clarification on framework context

The use of TypeScript for type safety throughout the file is commendable and aligns with the coding guidelines. However, it's important to note that this file is part of a NestJS backend application, not a NextJS frontend application. The NextJS-specific best practices mentioned in the coding guidelines don't apply in this context.

libs/auth-nest-tools/src/lib/jwt.strategy.ts (2)

61-61: Approve the update to the Auth object

The change correctly uses the newly constructed authorization variable, ensuring consistency with the earlier modifications and proper token handling.


Line range hint 1-76: Overall approval: Changes align with PR objectives and enhance security

The modifications to the JwtStrategy class effectively implement the new token handling mechanism, aligning perfectly with the PR objectives. Key points:

  1. The changes prepare the system for the Backend for Frontend (BFF) architecture.
  2. Security is enhanced by prioritizing tokens from request headers over those in the body.
  3. Backward compatibility is maintained through the fallback mechanism.
  4. The code adheres to TypeScript best practices and maintains reusability, as required for files in the libs directory.

These changes successfully address the goal of updating how the access token is handled within the download service controllers, moving away from including tokens in POST request bodies.

apps/download-service/src/app/modules/education-documents/education-document.controller.ts (2)

Line range hint 46-53: LGTM: Method signature updated correctly

The removal of the resource parameter and its @Body() decorator aligns with the PR objectives. The method now relies on the @CurrentUser() decorator to obtain the user information, which is the correct approach for handling authorization in the new implementation.


54-54: LGTM: User object correctly utilized for authorization

The direct use of the user object in the getStudentTrackPdf() method call is consistent with the PR objectives. This change effectively utilizes the JWT strategy to handle authorization, eliminating the need for a separate access token in the request body.

apps/download-service/src/app/modules/regulation-documents/regulation-documents.controller.ts (3)

8-10: Import changes look good

The updated imports align well with the PR objectives. The addition of AdminPortalScope, RegulationsService, and RegulationsAdminClientService supports the new implementation. The removal of Body from NestJS imports and the inferred removal of GetRegulationDraftDocumentDto are consistent with the changes in the method signature.

Also applies to: 15-17


47-48: Method signature update improves security

The removal of the resource parameter and direct use of the user object for authorization aligns perfectly with the PR objectives. This change enhances security by eliminating the need to pass the access token in the request body, which is a step towards the Backend for Frontend (BFF) architecture mentioned in the PR summary.


Line range hint 1-89: Overall changes align with NestJS best practices

While the coding guidelines mention NextJS best practices, it's important to note that this file is a NestJS controller, not a NextJS component. The changes made are appropriate for a NestJS application and follow NestJS best practices, including:

  1. Proper use of decorators for route handling and parameter extraction.
  2. Correct implementation of dependency injection in the constructor.
  3. Appropriate error handling and response management.

The updates to the controller improve its security and align well with the PR objectives.

apps/download-service/src/app/modules/vehicles-documents/vehicle-document.controller.ts (2)

1-3: LGTM: Imports updated to support new authentication flow

The new imports for User, AuthMiddleware, and ApiScope are appropriate for the updated authentication mechanism. This change aligns well with the PR objectives and maintains good TypeScript practices.


Line range hint 77-98: LGTM: Consistent implementation of new authentication flow

The changes in the getVehicleOwnership method mirror those in getVehicleHistoryPdf, maintaining consistency across the controller. The updated authentication flow and response header formatting are well-implemented and align with the PR objectives.

The removal of the resource parameter and the use of AuthMiddleware with the user object enhance security by not exposing tokens to the client side. The response headers are now consistently formatted, improving code quality.
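The header-first, body-fallback token resolution that the PR description and the jwt.strategy.ts suggestion above describe, as an added example that is not the project's code: the IncomingRequest and AuthContext shapes, the function name resolveAuthorization and the Bearer syntax check are assumptions, and the per-source tally is an addition for tracking when the legacy body path can be retired.

```typescript
// Added example, not the project's code. Models the token resolution the
// PR describes for jwt.strategy.ts: the Authorization header wins, the
// legacy __accessToken body field is a fallback, and the result is exposed
// to controllers as `authorization` on the user context.

interface IncomingRequest {
  headers: Record<string, string | undefined>
  // Legacy clients still post the token in the body under __accessToken.
  body?: { __accessToken?: string }
}

interface AuthContext {
  // What the download-service controllers read from the user context.
  authorization: string
  // Where the credential came from; lets operators see how often the
  // legacy body path is still exercised before removing it.
  source: 'header' | 'body' | 'none'
}

// Bearer credential per RFC 6750 (token68 alphabet). This scheme check is
// an addition; the snippet on the page passes the header through as-is.
const BEARER = /^Bearer [A-Za-z0-9\-._~+\/]+=*$/

function resolveAuthorization(req: IncomingRequest): AuthContext {
  const fromHeader = req.headers.authorization?.trim()
  if (fromHeader) {
    // A present but malformed header is rejected outright rather than
    // silently falling back to the body, so precedence stays predictable.
    if (!BEARER.test(fromHeader)) {
      return { authorization: '', source: 'none' }
    }
    return { authorization: fromHeader, source: 'header' }
  }
  const fromBody = req.body?.__accessToken?.trim()
  if (fromBody && BEARER.test(`Bearer ${fromBody}`)) {
    // Backward-compatible path: normalise the raw token to a Bearer value.
    return { authorization: `Bearer ${fromBody}`, source: 'body' }
  }
  return { authorization: '', source: 'none' }
}

// Tally a batch of requests by credential source; once `body` stays at
// zero in production the fallback branch can be deleted.
function countBySource(
  reqs: IncomingRequest[],
): Record<AuthContext['source'], number> {
  const tally = { header: 0, body: 0, none: 0 }
  for (const r of reqs) tally[resolveAuthorization(r).source] += 1
  return tally
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS: IncomingRequest[] = [
  { headers: { authorization: 'Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig' } },
  { headers: {}, body: { __accessToken: 'legacy-token-123' } },
  // Both present: the header must win over the body.
  {
    headers: { authorization: 'Bearer hdr-token' },
    body: { __accessToken: 'body-token' },
  },
  // Wrong scheme: rejected, no fallback.
  { headers: { authorization: 'Basic dXNlcjpwYXNz' } },
  { headers: {} },
]
```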


codecov bot commented Sep 30, 2024

Codecov Report

Attention: Patch coverage is 56.45161% with 27 lines in your changes missing coverage. Please review.

Project coverage is 36.75%. Comparing base (4d38b65) to head (2328c9e).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...p/modules/finance-documents/document.controller.ts 44.44% 5 Missing ⚠️
...ucation-documents/education-document.controller.ts 55.55% 4 Missing ⚠️
...es/health/payment-overview-documents.controller.ts 55.55% 4 Missing ⚠️
...tional-licenses/occupational-license.controller.ts 0.00% 4 Missing ⚠️
.../vehicles-documents/vehicle-document.controller.ts 50.00% 4 Missing ⚠️
...es-documents/work-machines-documents.controller.ts 42.85% 4 Missing ⚠️
...ation-documents/regulation-documents.controller.ts 85.71% 1 Missing ⚠️
libs/auth-nest-tools/src/lib/jwt.strategy.ts 75.00% 1 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #16216      +/-   ##
==========================================
- Coverage   36.76%   36.75%   -0.01%     
==========================================
  Files        6785     6778       -7     
  Lines      139907   139805     -102     
  Branches    39776    39769       -7     
==========================================
- Hits        51442    51392      -50     
+ Misses      88465    88413      -52     
Flag Coverage Δ
air-discount-scheme-backend 54.22% <0.00%> (-0.05%) ⬇️
air-discount-scheme-web 0.00% <ø> (ø)
api 3.37% <ø> (ø)
api-domains-air-discount-scheme 36.95% <0.00%> (-0.06%) ⬇️
api-domains-assets 26.71% <ø> (ø)
api-domains-auth-admin 48.77% <ø> (ø)
api-domains-communications 39.92% <0.00%> (-0.02%) ⬇️
api-domains-criminal-record 47.93% <ø> (ø)
api-domains-driving-license 44.48% <0.00%> (-0.04%) ⬇️
api-domains-education 31.74% <ø> (ø)
api-domains-health-insurance 34.78% <ø> (ø)
api-domains-mortgage-certificate 35.71% <0.00%> (-0.05%) ⬇️
api-domains-payment-schedule 41.22% <0.00%> (-0.07%) ⬇️
application-api-files 57.91% <ø> (ø)
application-core 71.29% <ø> (-0.33%) ⬇️
application-system-api 41.62% <0.00%> (-0.01%) ⬇️
application-template-api-modules 23.76% <0.00%> (+0.01%) ⬆️
application-templates-accident-notification 22.14% <ø> (ø)
application-templates-car-recycling 3.12% <ø> (ø)
application-templates-criminal-record 26.63% <ø> (ø)
application-templates-driving-license 18.70% <ø> (ø)
application-templates-estate 12.33% <ø> (ø)
application-templates-example-payment 25.41% <ø> (ø)
application-templates-financial-aid 14.34% <ø> (ø)
application-templates-general-petition 23.68% <ø> (ø)
application-templates-health-insurance 26.62% <ø> (ø)
application-templates-inheritance-report 6.45% <ø> (ø)
application-templates-marriage-conditions 15.23% <ø> (ø)
application-templates-mortgage-certificate 43.96% <ø> (ø)
application-templates-parental-leave 30.15% <ø> (+0.12%) ⬆️
application-types 6.71% <ø> (ø)
application-ui-components 1.28% <ø> (ø)
application-ui-shell 21.29% <ø> (ø)
auth-nest-tools 31.31% <75.00%> (+0.29%) ⬆️
auth-react 22.80% <ø> (ø)
clients-charge-fjs-v2 24.11% <ø> (ø)
clients-driving-license 40.73% <ø> (ø)
clients-driving-license-book 43.90% <0.00%> (-0.07%) ⬇️
clients-financial-statements-inao 49.25% <ø> (ø)
clients-license-client 1.83% <ø> (ø)
clients-middlewares 72.77% <ø> (ø)
clients-regulations 42.71% <ø> (ø)
clients-rsk-company-registry 29.76% <ø> (ø)
clients-rsk-personal-tax-return 38.00% <ø> (ø)
clients-smartsolutions 12.77% <ø> (ø)
clients-syslumenn 49.64% <0.00%> (-0.07%) ⬇️
cms 0.43% <ø> (ø)
cms-translations 39.05% <0.00%> (-0.02%) ⬇️
dokobit-signing 63.20% <ø> (ø)
download-service 44.09% <51.61%> (-0.71%) ⬇️
email-service 60.97% <ø> (ø)
feature-flags 90.97% <ø> (ø)
file-storage 53.48% <ø> (ø)
financial-aid-backend 56.53% <0.00%> (-0.06%) ⬇️
financial-aid-shared 19.03% <ø> (ø)
icelandic-names-registry-backend 54.55% <0.00%> (-0.14%) ⬇️
judicial-system-api 18.30% <ø> (ø)
judicial-system-audit-trail 69.10% <ø> (ø)
judicial-system-backend 55.29% <0.00%> (-0.01%) ⬇️
judicial-system-message 67.12% <ø> (ø)
judicial-system-message-handler 48.17% <ø> (ø)
judicial-system-scheduler 69.17% <ø> (ø)
license-api 42.62% <0.00%> (-0.03%) ⬇️
nest-audit 68.20% <ø> (ø)
nest-config 78.32% <ø> (ø)
nest-feature-flags 51.95% <0.00%> (-0.21%) ⬇️
nest-problem 46.34% <0.00%> (-0.15%) ⬇️
nest-swagger 51.71% <ø> (ø)
nova-sms 62.56% <ø> (ø)
portals-admin-regulations-admin 1.88% <ø> (ø)
portals-core 16.17% <ø> (ø)
reference-backend 50.41% <0.00%> (-0.16%) ⬇️
services-auth-admin-api 51.98% <0.00%> (-0.02%) ⬇️
services-auth-delegation-api 57.93% <0.00%> (+0.05%) ⬆️
services-auth-ids-api 51.88% <0.00%> (-0.02%) ⬇️
services-auth-personal-representative 45.52% <0.00%> (-0.05%) ⬇️
services-auth-personal-representative-public 41.60% <0.00%> (-0.06%) ⬇️
services-auth-public-api 49.37% <0.00%> (-0.02%) ⬇️
services-documents 61.17% <0.00%> (-0.12%) ⬇️
services-endorsements-api 55.22% <0.00%> (-0.05%) ⬇️
services-sessions 65.74% <0.00%> (-0.14%) ⬇️
services-university-gateway 48.52% <0.00%> (-0.05%) ⬇️
services-user-notification 47.04% <0.00%> (-0.05%) ⬇️
services-user-profile 62.26% <0.00%> (-0.15%) ⬇️
shared-components 27.68% <ø> (ø)
shared-form-fields 31.63% <ø> (ø)
skilavottord-ws 24.24% <ø> (ø)
web 1.83% <ø> (ø)

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
...e/src/app/modules/documents/document.controller.ts 52.17% <100.00%> (-3.83%) ⬇️
...ation-documents/regulation-documents.controller.ts 38.70% <85.71%> (-2.47%) ⬇️
libs/auth-nest-tools/src/lib/jwt.strategy.ts 92.00% <75.00%> (-3.46%) ⬇️
...ucation-documents/education-document.controller.ts 50.00% <55.55%> (-3.34%) ⬇️
...es/health/payment-overview-documents.controller.ts 46.15% <55.55%> (-2.13%) ⬇️
...tional-licenses/occupational-license.controller.ts 48.00% <0.00%> (-3.86%) ⬇️
.../vehicles-documents/vehicle-document.controller.ts 36.58% <50.00%> (-2.55%) ⬇️
...es-documents/work-machines-documents.controller.ts 46.15% <42.85%> (-2.13%) ⬇️
...p/modules/finance-documents/document.controller.ts 44.44% <44.44%> (-3.84%) ⬇️

... and 6 files with indirect coverage changes


Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4d38b65...2328c9e.

@datadog-island-is

datadog-island-is bot commented Sep 30, 2024

Datadog Report

All test runs 42bfcb7 🔗

74 Total Test Services: 0 Failed, 72 Passed
❄️ 1 with New Flaky
🔻 Test Sessions change in coverage: 24 decreased, 2 increased, 167 no change

Test Services
This report shows up to 10 services
Service Name Failed Known Flaky New Flaky Passed Skipped Total Time Code Coverage Change Test Service View
services-auth-delegation-api 0 0 1 256 0 3m 18.87s 1 increased (+0.17%) Link
air-discount-scheme-backend 0 0 0 81 0 29.73s N/A Link
air-discount-scheme-web 0 0 0 2 0 8.44s N/A Link
api 0 0 0 4 0 2.74s N/A Link
api-domains-air-discount-scheme 0 0 0 6 0 17.81s N/A Link
api-domains-assets 0 0 0 3 0 11.28s N/A Link
api-domains-auth-admin 0 0 0 18 0 14.34s N/A Link
api-domains-communications 0 0 0 5 0 34.27s 1 decreased (-0.02%) Link
api-domains-criminal-record 0 0 0 5 0 10.86s 1 no change Link
api-domains-driving-license 0 0 0 23 0 30.56s N/A Link

🔻 Code Coverage Decreases vs Default Branch (24)

This report shows up to 5 code coverage decreases.

  • nest-feature-flags - jest 57.72% (-0.32%)
  • download-service - jest 35.16% (-0.22%)
  • application-core - jest 79.36% (-0.21%)
  • icelandic-names-registry-backend - jest 60% (-0.14%)
  • reference-backend - jest 55.21% (-0.13%)

Member

@saevarma saevarma left a comment

Nice! 🚀
But a bit scary change so we need to make sure that the front end code downloading the files keeps working. We need to test this well on dev.

@snaerseljan
Contributor Author

Nice! 🚀 But a bit scary change so we need to make sure that the front end code downloading the files keeps working. We need to test this well on dev.

Yes I have done the test now and this should be solid :)

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
apps/download-service/src/app/modules/occupational-licenses/occupational-license.controller.ts (1)

56-59: LGTM: Improved HTTP header settings

The changes to the HTTP header settings are correct and improve the code quality:

  1. The 'Content-Type' and 'Pragma' headers are now set correctly without the erroneous colon.
  2. The 'Cache-Control' headers have been reformatted for consistency.

These changes align with best practices for setting HTTP headers.

Consider combining the two 'Cache-Control' headers into a single line for better readability:

res.header('Cache-Control', 'no-cache, max-age=0')

This change would maintain the same behavior while slightly reducing code duplication.

libs/auth-nest-tools/src/lib/jwt.strategy.spec.ts (1)

117-139: LGTM! Consider adding a negative test case.

The new test case effectively verifies the handling of the __accessToken field in the request body. It follows the established Arrange-Act-Assert pattern and adheres to the coding guidelines for TypeScript usage.

To further improve test coverage, consider adding a negative test case where the __accessToken is not present in the request body. This would ensure that the authorization property is not set when the token is missing.

Here's an example of how you could add a negative test case:

it('does not set authorization when __accessToken is missing', async () => {
  // Arrange
  const payload: JwtPayload = {
    nationalId: '1234567890',
    scope: ['test-scope-1'],
    client_id: 'test-client',
  }
  const request = {
    headers: {
      'user-agent': 'test user agent',
      'x-forwarded-for': '2.2.2.2, 3.3.3.3',
    },
    body: {},
  } as unknown as Request

  // Act
  const user = await jwtStrategy.validate(request, payload)

  // Assert
  expect(user.authorization).toBeUndefined()
})
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 51efd57 and 02b4c7e.

📒 Files selected for processing (9)
  • apps/download-service/src/app/modules/documents/document.controller.ts (0 hunks)
  • apps/download-service/src/app/modules/documents/dto/getDocument.dto.ts (0 hunks)
  • apps/download-service/src/app/modules/education-documents/education-document.controller.ts (3 hunks)
  • apps/download-service/src/app/modules/finance-documents/document.controller.ts (3 hunks)
  • apps/download-service/src/app/modules/finance-documents/dto/getFinanceDocument.dto.ts (0 hunks)
  • apps/download-service/src/app/modules/occupational-licenses/occupational-license.controller.ts (1 hunks)
  • libs/api/domains/finance/src/lib/api-domains-finance.resolver.ts (1 hunks)
  • libs/auth-nest-tools/src/lib/jwt.strategy.spec.ts (1 hunks)
  • libs/auth-nest-tools/src/lib/jwt.strategy.ts (1 hunks)
💤 Files with no reviewable changes (3)
  • apps/download-service/src/app/modules/documents/document.controller.ts
  • apps/download-service/src/app/modules/documents/dto/getDocument.dto.ts
  • apps/download-service/src/app/modules/finance-documents/dto/getFinanceDocument.dto.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • apps/download-service/src/app/modules/education-documents/education-document.controller.ts
  • apps/download-service/src/app/modules/finance-documents/document.controller.ts
  • libs/auth-nest-tools/src/lib/jwt.strategy.ts
🧰 Additional context used
📓 Path-based instructions (3)
apps/download-service/src/app/modules/occupational-licenses/occupational-license.controller.ts (1)

Pattern apps/**/*: "Confirm that the code adheres to the following:

  • NextJS best practices, including file structure, API routes, and static generation methods.
  • Efficient state management and server-side rendering techniques.
  • Optimal use of TypeScript for component and utility type safety."
libs/api/domains/finance/src/lib/api-domains-finance.resolver.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
libs/auth-nest-tools/src/lib/jwt.strategy.spec.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
🔇 Additional comments (2)
apps/download-service/src/app/modules/occupational-licenses/occupational-license.controller.ts (1)

Line range hint 23-26: Verify the removal of DistrictCommissionersLicensesService

The DistrictCommissionersLicensesService has been removed from the constructor. This aligns with the PR objectives to update the usage of access tokens. However, please ensure that:

  1. All functionalities previously using this service have been properly migrated or are no longer needed.
  2. There are no remaining references to this service in the class methods.

To confirm there are no lingering references, run the following script:

If the script returns any results, please review and remove any remaining references.

✅ Verification successful

DistrictCommissionersLicensesService Removal Verified

All references to DistrictCommissionersLicensesService have been successfully removed from occupational-license.controller.ts.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any remaining references to DistrictCommissionersLicensesService in the file

# Test: Search for any usage of DistrictCommissionersLicensesService
rg --type typescript "DistrictCommissionersLicensesService" apps/download-service/src/app/modules/occupational-licenses/occupational-license.controller.ts

Length of output: 189


Script:

#!/bin/bash
# Description: Check for any remaining references to DistrictCommissionersLicensesService in the file

# Test: Search for any usage of DistrictCommissionersLicensesService with correct file type
rg --type ts "DistrictCommissionersLicensesService" apps/download-service/src/app/modules/occupational-licenses/occupational-license.controller.ts

Length of output: 146


Script:

#!/bin/bash
# Description: Check for any remaining references to DistrictCommissionersLicensesService in the file without specifying file type

# Test: Search for any usage of DistrictCommissionersLicensesService in the specified file
rg "DistrictCommissionersLicensesService" apps/download-service/src/app/modules/occupational-licenses/occupational-license.controller.ts

Length of output: 136

libs/api/domains/finance/src/lib/api-domains-finance.resolver.ts (1)

67-70: LGTM: Addition of downloadServiceURL to the response in getFinanceStatus.

The inclusion of the downloadServiceURL property enhances the response by providing a direct link for finance-related downloads. The construction of the URL using this.downloadServiceConfig.baseUrl appears correct.

Member

@thordurhhh thordurhhh left a comment

Lovely! Just tested, download on service-portal still good after this change.
🚀🚀

@snaerseljan snaerseljan added the deprecated:automerge (Disabled) Merge this PR as soon as all checks pass label Oct 1, 2024
@snaerseljan snaerseljan force-pushed the fix/download-service-token-usage branch from 9aec04e to c984ae6 Compare October 2, 2024 09:10
@kodiakhq kodiakhq bot merged commit a04a8cd into main Oct 2, 2024
213 checks passed
@kodiakhq kodiakhq bot deleted the fix/download-service-token-usage branch October 2, 2024 11:45
thoreyjona pushed a commit that referenced this pull request Oct 2, 2024
…d download service controllers (#16216)

* Update jwt strategy to return access token in authorisation field if available in body. Also updated all controllers in download service to get the access token from the user context instead

* fix optional

* Update test

* Remove unused import

* Update test because of unwanted new line

* Remove/update body from finance controller and update headers

* Remove unused import

---------

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
Labels
deprecated:automerge (Disabled) Merge this PR as soon as all checks pass
3 participants