@lakshayman (Contributor) commented Jan 2, 2026

Date: 02 Jan 2026

Developer Name: @lakshayman


Description

This PR includes several improvements and fixes to the feature flag backend:

  1. JWT Authentication Improvements: Enhanced JWT token validation with better error logging and handling of public key whitespace issues. Added detailed logging to help debug SSM parameter retrieval and public key parsing failures.

  2. Infrastructure Setup: Added DynamoDB table setup script (setup-dynamodb-tables.sh) and comprehensive post-deployment setup documentation (POST_DEPLOYMENT_SETUP.md) to streamline deployment and testing processes.

  3. IAM Policy Fixes: Moved IAM policies from manual configuration to template.yaml for better infrastructure-as-code practices and easier management.

  4. Pipeline Fixes: Resolved CI/CD pipeline issues to ensure smooth deployments.

  5. Code Refactoring: Migrated shared code to AWS Lambda Layer architecture (from previous PR #165, "refactor: migrate shared code to AWS Lambda Layer"), improving code reusability and maintainability.

Key Changes:

  • Enhanced JWT middleware with comprehensive error logging
  • Added public key whitespace trimming to handle SSM parameter formatting issues
  • Created setup scripts for local DynamoDB table creation
  • Improved error messages for better debugging experience
  • Updated test scripts with ngrok URL support for local development

Documentation Updated?

  • Yes
  • No

Added POST_DEPLOYMENT_SETUP.md with comprehensive deployment and testing instructions. Updated test scripts and documentation.

Under Feature Flag

  • Yes
  • No

These are infrastructure and authentication improvements, not feature changes.

Database Changes

  • Yes
  • No

Added setup script for DynamoDB tables (setup-dynamodb-tables.sh). No schema changes to existing tables.

Breaking Changes

  • Yes
  • No

No breaking changes. All changes are backward compatible.

Development Tested?

  • Yes
  • No

Tested locally and in production:

  • JWT authentication with new public key
  • Feature flag creation and retrieval
  • User feature flag mapping
  • All API endpoints verified working

Screenshots

JWT Authentication Success
✅ Testing GET all feature flags:
[
    {
        "id": "97b35949-edb0-4c79-afb9-7d6e56fe44b5",
        "name": "test-feature-flag",
        "description": "A test feature flag created via API",
        "status": "ENABLED",
        ...
    }
]

Test Coverage

API Testing Results

All endpoints tested and verified:

  • ✅ Health check endpoint
  • ✅ JWT authentication working
  • ✅ Create feature flag
  • ✅ Get all feature flags
  • ✅ Create user feature flag mapping
  • ✅ Get user feature flags

Additional Notes

  • JWT Authentication: Fixed issues with public key retrieval from SSM Parameter Store by adding whitespace trimming and comprehensive error logging. This helps identify issues during initialization.

  • Error Logging: Added detailed logging at each step of JWT initialization to help debug authentication failures:

    • SSM parameter name being accessed
    • Success/failure of parameter retrieval
    • PEM decoding status
    • Public key parsing errors
  • Setup Scripts: The setup-dynamodb-tables.sh script automates DynamoDB table creation for local development and testing.

  • Documentation: POST_DEPLOYMENT_SETUP.md provides step-by-step instructions for:

    • Setting up DynamoDB tables
    • Configuring SSM parameters
    • Testing API endpoints
    • Troubleshooting common issues
  • Testing: All changes have been tested in production environment with successful JWT authentication and feature flag operations.

@lakshayman lakshayman self-assigned this Jan 2, 2026
coderabbitai bot commented Jan 2, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The pull request introduces comprehensive post-deployment setup documentation and infrastructure enhancements. Key changes include GitHub Actions workflow version upgrades, DynamoDB table initialization setup, IAM policy additions to Lambda functions, enhanced JWT logging with defensive null checks, and a post-deployment guide for configuration and verification.

Changes

  • CI/CD Workflow (.github/workflows/pipeline.yaml): Upgrades GitHub Actions to newer versions (checkout v4→v5, slug v3→v5, setup-go v5→v6, aws-actions/configure-aws-credentials v1→v4, actions/upload-artifact & actions/download-artifact to v6). Replaces deprecated set-output with the $GITHUB_OUTPUT environment file for the branch name. Updates Python to v3.11 and SAM CLI setup to v2 with installer.
  • Documentation & Setup (POST_DEPLOYMENT_SETUP.md, setup-dynamodb-tables.sh): Introduces a new post-deployment guide with DynamoDB table creation (featureFlag, featureFlagUserMapping, requestLimit), SSM parameter verification, API health checks, and troubleshooting. Adds a Bash script for automated table setup with PAY_PER_REQUEST billing and initial seed data.
  • JWT Security Enhancements (layer/jwt/jwt.go): Adds extensive runtime logging for SSM key fetch, PEM decoding, PKIX parsing, and RSA assertion. Introduces defensive nil checks for parameter retrieval. Adds key value trimming and a min helper function for safe substring logging.
  • Infrastructure Permissions (template.yaml): Adds IAM policies across multiple Lambda functions (CorsLambda, HealthCheckFunction, RateLimiterFunction, ResetLimitFunction, GetFeatureFlagFunction, CreateFeatureFlagFunction, UpdateFeatureFlagFunction, GetAllFeatureFlagFunction, GetUserFeatureFlagFunction, GetUserFeatureFlagsFunction, CreateUserFeatureFlagFunction, UpdateUserFeatureFlagFunction). Policies grant DynamoDB CRUD access to three tables and SSM parameter read access to public keys. RateLimiterFunction receives an additional lambda:PutFunctionConcurrency permission.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant Lambda as Lambda Functions
    participant DynamoDB as DynamoDB<br/>(featureFlag,<br/>featureFlagUserMapping,<br/>requestLimit)
    participant SSM as Parameter Store<br/>(Public Keys)
    
    User->>Lambda: 1. Deploy application
    Lambda->>DynamoDB: 2. Create tables<br/>(setup-dynamodb-tables.sh)
    DynamoDB-->>Lambda: Tables created & initialized
    
    User->>SSM: 3. Verify/Create SSM<br/>parameters (PROD/STAGING<br/>public keys)
    SSM-->>User: Parameters ready
    
    Lambda->>SSM: 4. Fetch JWT public key<br/>(with logging & defensive checks)
    SSM-->>Lambda: Return key (trimmed)
    Lambda->>Lambda: 5. Parse & verify key<br/>(PEM → PKIX → RSA)
    Lambda-->>Lambda: JWT utils initialized
    
    User->>Lambda: 6. Test API endpoints<br/>(health check,<br/>feature-flag operations)
    Lambda->>DynamoDB: 7. Execute operations<br/>(read/write requests<br/>with IAM permissions)
    DynamoDB-->>Lambda: Return results
    Lambda-->>User: Success response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hoppity-hop, the infrastructure grows,
New tables spring up where the database flows,
With logging so bright and permissions so tight,
The feature flags dance in serverless delight!
🎉✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
  • Title check: ❓ Inconclusive. The PR title 'chore: before pushing to prod' is vague and does not clearly convey the specific changes in the PR, using generic language without describing the actual work. Resolution: Provide a more descriptive title that highlights the main changes, such as 'chore: add JWT logging, DynamoDB setup, and IAM policies' or 'chore: improve infrastructure setup and authentication logging.'

✅ Passed checks (1 passed)

  • Description check: ✅ Passed. The PR description is comprehensive, well-structured, and clearly relates to the changeset including JWT improvements, DynamoDB setup, IAM policies, pipeline fixes, and documentation.


@lakshayman lakshayman marked this pull request as ready for review January 2, 2026 05:11
coderabbitai bot left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
template.yaml (1)

190-410: Remove unused DynamoDB table permissions from functions.

Functions are over-provisioned with permissions to tables they don't access:

  • getFeatureFlagById and getAllFeatureFlags: Remove DynamoDBCrudPolicy for featureFlagUserMapping
  • getUserFeatureFlag and getUserFeatureFlags: Remove DynamoDBCrudPolicy for featureFlag
  • createFeatureFlag and updateFeatureFlag: Remove DynamoDBCrudPolicy for featureFlagUserMapping
  • createUserFeatureFlag and updateUserFeatureFlag: Remove DynamoDBCrudPolicy for featureFlag

All functions require write access to requestLimit (not read-only) because CheckRequestAllowed actively decrements the rate limit counter with PutItem operations.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9061a24 and a978723.

📒 Files selected for processing (5)
  • .github/workflows/pipeline.yaml
  • POST_DEPLOYMENT_SETUP.md
  • layer/jwt/jwt.go
  • setup-dynamodb-tables.sh
  • template.yaml
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/pipeline.yaml

22-22: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 LanguageTool
POST_DEPLOYMENT_SETUP.md

[style] ~63-~63: You have already used this phrasing in nearby sentences. Consider replacing it to add variety to your writing.
Context: ...t` Table After creating the table, you need to add an initial value: ```bash aws dyna...

(REP_NEED_TO_VB)

🪛 markdownlint-cli2 (0.18.1)
POST_DEPLOYMENT_SETUP.md

184-184: Trailing spaces
Expected: 0 or 2; Actual: 1

(MD009, no-trailing-spaces)

🪛 Shellcheck (0.11.0)
setup-dynamodb-tables.sh

[info] 22-22: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 39-39: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 54-54: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 64-64: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 68-68: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 72-72: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 85-85: Double quote to prevent globbing and word splitting.

(SC2086)

🔇 Additional comments (8)
.github/workflows/pipeline.yaml (3)

17-25: LGTM! Modern GitHub Actions syntax.

The upgrade to use $GITHUB_OUTPUT instead of the deprecated set-output command is correct and aligns with current GitHub Actions best practices. The action version upgrades are also appropriate.


55-129: LGTM! Comprehensive GitHub Actions upgrades.

The workflow upgrades are well-coordinated:

  • AWS credentials action upgraded to v4 for improved security
  • Artifact upload/download actions upgraded to v6 (consistent versions)
  • Python setup upgraded to v6 with Python 3.11
  • SAM CLI setup upgraded to v2 with installer approach

These changes modernize the CI/CD pipeline appropriately.


34-36: No issues found. Go version 1.25.1 is a valid, released version as of January 2026 (the latest patch in the 1.25 series is 1.25.5). The specified version in the workflow is acceptable.

Likely an incorrect or invalid review comment.

layer/jwt/jwt.go (3)

88-117: Excellent defensive coding and observability improvements!

The enhancements significantly improve debuggability:

  • Comprehensive logging at each initialization step aids troubleshooting
  • TrimSpace on line 94 addresses SSM parameter formatting issues (trailing whitespace)
  • Safe substring using min() on line 98 prevents panics when logging truncated keys
  • Defensive nil checks ensure robust error handling
  • Security is maintained by only logging sanitized/truncated information

These changes directly address the production JWT authentication issues mentioned in the PR objectives.


119-148: Strong defensive programming with SSM parameter handling.

The nil checks on lines 141-144 are essential defensive measures:

  • Handles edge case where Parameter or Value might be nil
  • Provides clear error message for debugging
  • TrimSpace on line 146 ensures consistency with public key trimming

The enhanced logging throughout this function will significantly aid in diagnosing SSM-related issues in production.


150-155: LGTM! Simple and effective helper.

The min() helper prevents potential panics when taking substrings for logging. The implementation is straightforward and appropriate for integer comparison.

POST_DEPLOYMENT_SETUP.md (1)

1-91: Comprehensive and well-structured documentation!

The post-deployment guide provides excellent coverage:

  • Dual approach (script-based and manual) accommodates different user preferences
  • Clear explanations of required DynamoDB tables and their schemas
  • Verification commands help users confirm successful setup
  • Aligns perfectly with the setup-dynamodb-tables.sh script
template.yaml (1)

1-416: Strong infrastructure-as-code migration!

Moving IAM policies from manual configuration into template.yaml significantly improves:

  • Infrastructure reproducibility and version control
  • Consistency across environments (PROD/DEV)
  • Alignment with AWS best practices

The policy structure is well-organized and parameter names correctly match those referenced in layer/jwt/jwt.go and POST_DEPLOYMENT_SETUP.md.
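The public-key initialization path that the PR description (item 1) and the review of layer/jwt/jwt.go above describe, as an added Go example that is not the project's own code: the ssmParameter type, the function names and the sample key are assumptions standing in for the real SDK types and the SSM parameter, and the sample input is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"log"
	"strings"
)

// ssmParameter stands in for the SSM GetParameter result (hypothetical type);
// Value may be nil, which is the case the PR's nil checks guard against.
type ssmParameter struct {
	Value *string
}

// loadRSAPublicKey runs the initialization steps the PR describes, in order:
// nil check, TrimSpace, PEM decode, PKIX parse, RSA type assertion, logging
// only a bounded prefix of the key text (the idea behind the PR's min helper).
func loadRSAPublicKey(param *ssmParameter) (*rsa.PublicKey, error) {
	if param == nil || param.Value == nil {
		return nil, fmt.Errorf("ssm parameter or its value is nil")
	}
	// Without trimming, leading spaces hide the BEGIN line from pem.Decode.
	raw := strings.TrimSpace(*param.Value)
	n := len(raw)
	if n > 26 { n = 26 }
	log.Printf("public key prefix=%q len=%d", raw[:n], len(raw))
	block, _ := pem.Decode([]byte(raw))
	if block == nil {
		return nil, fmt.Errorf("pem decode failed: no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("pkix parse failed: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("expected *rsa.PublicKey, got %T", pub)
	}
	return rsaPub, nil
}

// sampleParameter is constructed input: a fresh RSA public key in PEM form
// wrapped in the kind of stray whitespace the PR had to trim.
func sampleParameter() (*ssmParameter, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	text := "  " + string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})) + "\n\n"
	return &ssmParameter{Value: &text}, &priv.PublicKey
}
```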
