
fix(middleware): move UseCors() before MapControllers(), add inline docs (#451) #462

Merged
nanotaboada merged 2 commits into master from fix/cors-middleware-order
Apr 9, 2026

@nanotaboada nanotaboada commented Apr 9, 2026

Summary

  • Move UseCors() before MapControllers() in Program.cs to follow the standard ASP.NET Core middleware pipeline order
  • Add a new Infrastructure service registration subsection separating cross-cutting concerns (health checks, CORS, rate limiting, Swagger) from the Controllers subsection
  • Add descriptive phrases to all three top-level section banners (Web Application, Database Migration, Middlewares)
  • Add inline comments explaining the purpose and ordering rationale of each middleware
  • Document the dev-only CORS policy intent in both Program.cs and ServiceCollectionExtensions.AddCorsDefaultPolicy via a <remarks> XML doc block

Test plan

  • dotnet build --configuration Release passes with 0 warnings
  • dotnet test --settings .runsettings passes — 41/41 tests
  • dotnet csharpier --check . passes

Closes #451

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Health endpoint now bypasses global rate limiting so availability probes are not blocked.
  • Documentation

    • Improved developer guidance on middleware ordering and CORS behavior, clarifying intent for development vs production.
  • Chores

    • Reorganized startup and infrastructure registration sections for clearer service/middleware separation.

…ocs (#451)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai Bot commented Apr 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 05bd261f-7f98-4c7b-a862-59c62c1c4977

📥 Commits

Reviewing files that changed from the base of the PR and between 2774c66 and 4e2283b.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • src/Dotnet.Samples.AspNetCore.WebApi/Program.cs
✅ Files skipped from review due to trivial changes (1)
  • CHANGELOG.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/Dotnet.Samples.AspNetCore.WebApi/Program.cs

Walkthrough

Reorders middleware and service-registration sections in Program.cs: moves CORS to run before controllers, maps health checks with rate-limiting disabled, and separates an Infrastructure registration block; updates AddCorsDefaultPolicy docs to state permissive CORS applies only in Development and documents middleware ordering in comments.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Program / Middleware: src/Dotnet.Samples.AspNetCore.WebApi/Program.cs | Moved UseCors() to run before MapControllers() (inside dev block), added app.MapHealthChecks("/health").DisableRateLimiting(), reordered service/section comments and added inline middleware-ordering commentary. |
| Service collection docs: src/Dotnet.Samples.AspNetCore.WebApi/Extensions/ServiceCollectionExtensions.cs | Expanded XML docs for AddCorsDefaultPolicy() to explicitly state permissive wildcard CORS is only registered in Development and not in Production; no code behavior changed. |
| Changelog: CHANGELOG.md | Added entries documenting health checks bypassing rate limiter and middleware/CORS documentation changes. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Client as Client
  participant App as ASP.NET Core App
  participant CORS as CORS Middleware
  participant RL as Rate Limiter
  participant HC as HealthChecks Endpoint
  participant Ctrl as Controllers

  Client->>App: HTTP request to /health
  App->>HC: Route to /health endpoint
  HC-->>App: Health checks response (bypasses Rate Limiter)
  App-->>Client: 200 OK

  Client->>App: HTTP request to /api/...
  App->>CORS: Apply CORS policy (Dev-only permissive)
  CORS-->>App: CORS decisions
  App->>RL: Rate limiting
  RL-->>App: Allow / Throttle
  App->>Ctrl: Invoke controller endpoint
  Ctrl-->>App: Response
  App-->>Client: Response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

| Objective | Addressed | Explanation |
|---|---|---|
| Move UseCors() before MapControllers() [#451] | | |
| Document MapHealthChecks("/health") exemption from rate limiting [#451] | | |
| No regressions [#451] | | Runtime verification (integration/manual) required to confirm no behavioral regressions introduced. |

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title exceeds the 80-character limit (83 characters) despite meeting Conventional Commits format and being descriptive of the main changes. | Reduce the title to 80 characters or fewer. Consider shortening to: 'fix(middleware): reorder CORS before MapControllers (#451)' (57 characters). |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


@nanotaboada nanotaboada changed the title fix(middleware): move UseCors() before MapControllers(), add inline docs (#451) fix(middleware): move UseCors() before MapControllers(), add inline docs (#451) Apr 9, 2026
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Dotnet.Samples.AspNetCore.WebApi/Program.cs`:
- Around line 92-100: The health-check endpoint is mapped but not exempted from
the global rate limiter; update the MapHealthChecks call to disable rate
limiting for that endpoint (e.g., call
app.MapHealthChecks("/health").DisableRateLimiting() or apply
DisableRateLimiting metadata) so the health probe truly "always succeed
regardless of rate-limiting thresholds"; ensure the
Microsoft.AspNetCore.RateLimiting namespace is imported if needed and keep
app.UseRateLimiter() as-is.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6c10da27-eac6-4730-b7ce-0fbe68ee199f

📥 Commits

Reviewing files that changed from the base of the PR and between 7de7b87 and 2774c66.

📒 Files selected for processing (3)
  • CHANGELOG.md
  • src/Dotnet.Samples.AspNetCore.WebApi/Extensions/ServiceCollectionExtensions.cs
  • src/Dotnet.Samples.AspNetCore.WebApi/Program.cs

Comment thread src/Dotnet.Samples.AspNetCore.WebApi/Program.cs Outdated
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@nanotaboada nanotaboada force-pushed the fix/cors-middleware-order branch from 0f3a810 to 4e2283b Compare April 9, 2026 20:25
sonarqubecloud Bot commented Apr 9, 2026

@nanotaboada nanotaboada merged commit 9631511 into master Apr 9, 2026
9 checks passed
@nanotaboada nanotaboada deleted the fix/cors-middleware-order branch April 9, 2026 20:30
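
The pipeline shape this thread converges on, as an added sketch that is not the repository's Program.cs: permissive CORS registered and applied in Development only, UseCors() ahead of the rate limiter and the endpoint mappings, and the /health endpoint opted out of the global limiter. The limiter values, the per-IP partition key and the position of UseRateLimiter() relative to UseCors() are assumptions made for the example.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services.AddHealthChecks();

// Wildcard CORS is registered in Development only. Production registers no
// policy, so no Access-Control-Allow-Origin header is emitted there and
// browsers refuse cross-origin reads of the API.
if (builder.Environment.IsDevelopment())
{
    builder.Services.AddCors(options =>
        options.AddDefaultPolicy(policy =>
            policy.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()));
}

// Global limiter: every endpoint is throttled unless it opts out.
// PermitLimit, Window and the partition key are constructed sample values.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 60,
                Window = TimeSpan.FromMinutes(1),
            }));
});

var app = builder.Build();

// WebApplication adds routing at the start of the pipeline implicitly, so
// endpoint metadata is already resolved when the middleware below runs.
if (app.Environment.IsDevelopment())
{
    // Guarded the same way as AddCors(): UseCors() needs the CORS services.
    // Runs before the limiter so 429 responses still carry CORS headers.
    app.UseCors();
}

app.UseRateLimiter();

// DisableRateLimiting() attaches metadata that makes the limiter skip this
// endpoint, so availability probes succeed even when clients are throttled.
app.MapHealthChecks("/health").DisableRateLimiting();
app.MapControllers();

app.Run();
```
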
Development

Successfully merging this pull request may close these issues.

Move UseCors() before MapControllers() to follow standard pipeline order
