build: enable http

[jo-elimu]

Temporarily enable http until SSL gets configured for the backend: elimu-ai/webapp#1694

Summary by CodeRabbit

• New Features
  • Introduced enhanced network security settings that define how connections are handled, including managing certificate trust and cleartext traffic.
  • Updated network endpoint configuration to support revised connectivity behavior with improved examples.

[coderabbitai]

Walkthrough

This update modifies three areas of the project. In the Android manifest, an attribute is added linking to a network security configuration file. In the BaseApplication class, the getBaseUrl() method is updated to use the HTTP protocol and revised example URLs in its documentation. Additionally, a new network security configuration file is introduced to permit cleartext traffic and designate system certificates as trust anchors. No changes were made to the exported or public entity declarations.

Changes

File(s)	Change Summary
app/.../AndroidManifest.xml app/.../res/xml/network_security_config.xml	Added network security configuration: the Android manifest now includes the attribute android:networkSecurityConfig, and a new XML file defines cleartext traffic settings and uses system certificates as trust anchors.
app/.../analytics/BaseApplication.java	Updated the getBaseUrl() method: documentation comments now show new example URLs, and the protocol has been switched from HTTPS to HTTP.

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 692470a and 61d3193.

📒 Files selected for processing (3)

• app/src/main/AndroidManifest.xml (1 hunks)
• app/src/main/java/ai/elimu/analytics/BaseApplication.java (1 hunks)
• app/src/main/res/xml/network_security_config.xml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build (windows-latest, 17)

🔇 Additional comments (4)

app/src/main/AndroidManifest.xml (1)

10-10: Network security configuration added correctly.

This addition links to the XML network security configuration file which will allow HTTP traffic as intended by the PR. This is the standard approach for customizing network security settings in Android applications.

app/src/main/res/xml/network_security_config.xml (1)

1-9:

✅ Verification successful

Security warning: Cleartext traffic permitted.

While this configuration correctly enables HTTP traffic as intended by the PR, it poses security risks as data transmitted over HTTP is not encrypted and vulnerable to interception. Since this is mentioned as a temporary measure until SSL is configured (per PR description), ensure to:

1. Add a TODO comment indicating this is temporary
2. Create a follow-up ticket to implement proper SSL
3. Set a timeline for removing this cleartext permission

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
+    <!-- TODO: Temporary solution until SSL is configured (see issue #1694) -->
+    <!-- SECURITY RISK: Remove this configuration once HTTPS is implemented -->
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

---

Security Warning: Cleartext Traffic Enabled

The current network security configuration permits cleartext HTTP traffic, which poses a security risk when transmitting unencrypted data. Since this is only a temporary measure until SSL is configured, please ensure that you complete the following actions:

• Add a TODO comment: Insert a comment in the XML file noting that this configuration is temporary and referencing the appropriate follow-up issue (e.g., issue #1694).
• Create a follow-up ticket: Document and track the transition to an HTTPS-only configuration.
• Set a removal timeline: Define when this temporary configuration should be removed once SSL is fully implemented.

The diff snippet below illustrates the recommended additions:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
+    <!-- TODO: Temporary solution until SSL is configured (see issue #1694) -->
+    <!-- SECURITY RISK: Remove this configuration once HTTPS is implemented -->
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

app/src/main/java/ai/elimu/analytics/BaseApplication.java (2)

45-47: Verify REST API compatibility with HTTP.

Make sure the backend REST API is configured to accept HTTP requests. Some APIs enforce HTTPS and reject plaintext HTTP connections.

---

40-40:

❓ Verification inconclusive

Security consideration: HTTP protocol usage.

Changing from HTTPS to HTTP successfully implements the PR objective of temporarily enabling HTTP. However, this change exposes the application to security risks like man-in-the-middle attacks.

---

🏁 Script executed:

#!/bin/bash
# Check if there are any network calls in the codebase that handle sensitive data
echo "Checking for potential sensitive data transmitted over HTTP:"
rg -A 3 -B 3 "password|token|credential|auth|login|signin" --type java

Length of output: 203

---

Security Risk: Temporary HTTP Usage in BaseApplication.java

The updated code now constructs the URL with "http://" to meet the temporary PR objective. However, this adjustment still exposes the application to potential man-in-the-middle attacks if sensitive data is ever transmitted using this connection. The automated check for keywords related to sensitive data (such as passwords, tokens, or credentials) returned no matches, but this result alone may not be conclusive.

• Action Required: Please manually verify that no sensitive credentials or tokens are being transmitted over this HTTP connection in any network call within the codebase.
• Long-Term Reminder: Ensure that HTTPS is re-enabled as soon as possible to maintain the security integrity of the application.