Daily backups and bug hunting #34

Merged: totallynotmanas merged 10 commits into main from daily-backups-and-bug-hunting on Mar 9, 2026
@totallynotmanas

Owner

This PR prepares the secure-health-api for production deployment on AWS by addressing previously missing endpoints, hardening security configurations, and introducing critical data management features required for a healthcare application.

Key Features & Enhancements

1. Security & Configuration Hardening

  • Externalized Configurations: Abstracted hardcoded CORS origins, server.port, ddl-auto, and show-sql to application.properties (configurable via environment variables).
  • Global Exception Handling: Replaced scattered try-catch blocks with a centralized @RestControllerAdvice. It now returns standardized JSON ErrorResponse objects for MethodArgumentNotValidException, AccessDeniedException, JWT validation errors, and custom expected business logic exceptions.
  • Declarative Security: Removed manual string-based Role-Based Access Control (RBAC) checks and replaced them entirely with Spring Security @PreAuthorize("hasAuthority('ROLE')") annotations across all controllers.

2. Completed API Endpoints

  • User Profile (GET /api/auth/me): Added an endpoint to safely extract the authenticated user's profile from the JWT rather than relying on frontend local storage parsing.
  • Resource Lookups by ID: Added GET /{id} endpoints for Appointments, MedicalRecords, Prescriptions, and LabResults.
  • Appointment Insights: Added GET /api/appointments/status/{status} and GET /api/appointments/stats for robust dashboard reporting.

3. Patient Consent Management

  • Introduced a full privacy module allowing PATIENT users to explicitly grant or revoke granular data access (MEDICAL_RECORDS, VITAL_SIGNS, ALL, etc.) to specific healthcare providers.
  • Supports expiry dates, revocation tracking, and duplicate prevention. Added a hasConsent() utility method for cross-service authorization checks.

4. Encrypted File Uploads

  • Added uploadUrl to MedicalRecord and created FileStorageService.
  • Encryption at Rest: Uploaded files (images, PDFs, documents) are encrypted using AES-256-GCM before being stored on disk. Decryption occurs on-the-fly during secure retrieval.
  • Key is configurable via APP_ENCRYPTION_KEY.

5. Automated Data Archival & Backups

  • Daily Backups: Implemented BackupService using @Scheduled to execute compressed pg_dump snapshots. Supports auto-cleanup of old backups based on a configurable retention period.
  • Inactive User Archival: Added ArchivalService which runs weekly. Users with no login activity past the configurable threshold (default: 365 days) are moved to an archived_users snapshot table and marked inactive in the login table. Tracking is powered by a new lastLoginAt timestamp.

6. Automated Admin Seeding & Health Checks

  • Data Initializer: Added a CommandLineRunner that executes on first boot to seed a default, environment-configurable ADMIN account if the table is empty.
  • Actuator Endpoints: Integrated spring-boot-starter-actuator to expose /actuator/health (for AWS ALB Health Checks) and /actuator/prometheus (for performance metrics scraping).

Environment Variables Introduced

Ensure the following variables are injected into your deployment environment:

  • APP_ADMIN_EMAIL / APP_ADMIN_PASSWORD (Initial admin seeding)
  • APP_ENCRYPTION_KEY (MUST BE 32-byte base64 encoded for AES-256)
  • UPLOAD_DIR / BACKUP_DIR
  • BACKUP_RETENTION / ARCHIVAL_INACTIVITY_DAYS
  • CORS_ALLOWED_ORIGINS

Verification

  • Backend compiles cleanly (mvn clean compile).
  • Database schema generation checked successfully against PostgreSQL.
  • Verified Prometheus logging spam fix (Spring Security log level bumped from TRACE to INFO).

@totallynotmanas self-assigned this Mar 9, 2026
@totallynotmanas added the bug and enhancement labels Mar 9, 2026

@diya-bhat diya-bhat left a comment

Collaborator

Looks perf

@totallynotmanas totallynotmanas merged commit 4164376 into main Mar 9, 2026
1 check passed
2 participants