fix(online): thread-safe fileMap with TTL cleanup, SLF4J logging, and Content-Length header

[vikas0686]

What changed?

1. Thread-safe fileMap with 24h TTL cleanup (GenApiService): Replaced static HashMap with ConcurrentHashMap to
   prevent data races under concurrent requests. Added a @Scheduled cleanup task (runs every hour) that evicts
   entries older than 24 hours and deletes their associated temp files. Without this, the map and temp files on disk
   grew unbounded for the lifetime of the server — a memory and disk leak on any long-running instance. Added
   null-check guard in downloadFile so expired/missing entries return a clean 404 NOT_FOUND with message "File not
   found or has expired" instead of an NPE.
2. Replace System.out.println with SLF4J logger: All System.out.println calls in GenApiService replaced with
   LOGGER.debug/warn, consistent with the rest of the codebase.
3. Add Content-Length header to download response: The header was commented out in downloadFile(). Since
   ByteArrayResource holds the full content in memory, the size is always known — wired in via
   .contentLength(resource.contentLength()).

Why?

• HashMap under concurrent requests can corrupt state or silently lose entries.
• Unbounded fileMap growth was a memory and disk leak with no cleanup path.
• System.out.println bypasses the logging framework, making log levels and destinations uncontrollable.
• Missing Content-Length breaks clients that rely on it for progress bars or payload validation.

Breaking changes?

None. Generated links are valid for 24 hours. If a user requests a download after expiry, they receive a 404 with
a descriptive message.

Tests added:

• fileMapIsConcurrentHashMap — asserts map type via reflection.
• cleanExpiredFilesRemovesOldEntries — verifies TTL eviction (entry set 25h in the past).
• downloadExpiredFileReturns404 — asserts clean 404 for missing/expired file IDs.
• concurrentGenerationDoesNotLoseEntries — 5 concurrent threads, all get unique codes.
• downloadHasContentLengthHeader — asserts Content-Length is present and > 0.

Suggestion for follow-up:

Currently the API response (ResponseCode) does not communicate the expiry window to callers. Consider adding an
expiresIn field to the response:

   {
     "code": "d40029be-...",
     "link": "http://.../api/gen/download/d40029be-...",
     "expiresIn": "24 hours"
   }

This would make the time-limited nature of the link explicit to API consumers without requiring them to read the
documentation.

Thanks for the the review and feedback

---

Summary by cubic

Enforces a 24h TTL for generated downloads with hourly cleanup, switches to SLF4J logging, and adds the Content-Length header. Uses a thread-safe file map and retains entries if temp dir deletion fails so cleanup can retry; missing/expired links now return 404.

• Bug Fixes

  • Replaced static HashMap with ConcurrentHashMap in GenApiService and added hourly @Scheduled cleanup that evicts >24h entries and deletes temp dirs; retain entry when deletion fails to retry later.
  • Enforced TTL in downloadFile; missing/expired file IDs return 404 "File not found or has expired".
  • Added contentLength(resource.contentLength()) so downloads include the Content-Length header.
  • Tests: service tests for eviction, retain-on-delete-failure, keeping recent entries, 404s, and concurrent generation; controller test for Content-Length.

• Refactors

  • Switched System.out.println calls to SLF4J logger.
  • Added createdAt on Generated (defaults to now) to support TTL checks.

^{Written for commit 709a677. Summary will update on new commits.}

[cubic-dev-ai]

2 issues found across 3 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

2 issues found across 4 files (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic</sub>

[cubic-dev-ai]

1 issue found across 4 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

2 issues found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="modules/openapi-generator-online/src/test/java/org/openapitools/codegen/online/service/GenApiServiceTest.java">

<violation number="1" location="modules/openapi-generator-online/src/test/java/org/openapitools/codegen/online/service/GenApiServiceTest.java:72">
P3: Cleanup is not guaranteed if the assertion fails, so this test can leak state into the shared GenApiService and leave temporary files behind.</violation>

<violation number="2" location="modules/openapi-generator-online/src/test/java/org/openapitools/codegen/online/service/GenApiServiceTest.java:108">
P2: Uses a live GitHub URL in a concurrent test, making the suite network-dependent and potentially hang if the remote fetch stalls.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P2: Uses a live GitHub URL in a concurrent test, making the suite network-dependent and potentially hang if the remote fetch stalls.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At modules/openapi-generator-online/src/test/java/org/openapitools/codegen/online/service/GenApiServiceTest.java, line 108:

<comment>Uses a live GitHub URL in a concurrent test, making the suite network-dependent and potentially hang if the remote fetch stalls.</comment>

<file context>
@@ -0,0 +1,151 @@
+    public void downloadExpiredEntryReturns404() throws Exception {
+        String result = mockMvc.perform(post("/api/gen/clients/java")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"openAPIUrl\": \"" + OPENAPI_URL + "\"}"))
+                .andExpect(status().isOk())
+                .andReturn().getResponse().getContentAsString();
</file context>

[cubic-dev-ai]

P3: Cleanup is not guaranteed if the assertion fails, so this test can leak state into the shared GenApiService and leave temporary files behind.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At modules/openapi-generator-online/src/test/java/org/openapitools/codegen/online/service/GenApiServiceTest.java, line 72:

<comment>Cleanup is not guaranteed if the assertion fails, so this test can leak state into the shared GenApiService and leave temporary files behind.</comment>

<file context>
@@ -0,0 +1,151 @@
+
+        genApiService.cleanExpiredFiles();
+
+        assertNotNull(genApiService.getFileEntry("test-deletion-fail-key"), "Entry should be retained when deletion fails");
+
+        // cleanup
</file context>