Add online business credit card application flow

[Copilot]

Enables small business owners to apply for a Three Rivers Bank credit card entirely online. Adds a multi-step application form, backend persistence with encrypted sensitive fields, and "Apply Now" entry points on card listing and detail pages.

Backend

• New entity BusinessCreditCardApplication — stores all application fields; SSN and Tax ID columns sized for AES-encrypted Base64 output
• POST /api/applications — validates input (Spring @Valid), enforces rate limit (3/day per IP), validates applicant age (18+), encrypts SSN/Tax ID with AES-128/CBC + random IV before persistence, returns application ID and decision timeline
• Encryption key injected via ${APPLICATION_ENCRYPTION_KEY} (falls back to dev default); key bytes normalized to 16 bytes with UTF-8 charset

// AES/CBC with per-record random IV; IV prepended to ciphertext for storage
cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(iv));
byte[] ivAndCiphertext = new byte[16 + encrypted.length];
System.arraycopy(iv, 0, ivAndCiphertext, 0, 16);
System.arraycopy(encrypted, 0, ivAndCiphertext, 16, encrypted.length);
return Base64.getEncoder().encodeToString(ivAndCiphertext);

Frontend

• /apply/:cardId — ApplicationFormPage: 5-step wizard (Business Info → Personal Info → Card Preferences → Terms & Conditions → Review)
  • React Hook Form + Yup; real-time field validation, required-field indicators
  • Progress bar tracks completed steps
  • Auto-saves to localStorage every 30s; SSN, Tax ID, and DOB are explicitly excluded from persistence
  • Review step masks sensitive fields (***-**-1234); "Edit" links jump back to specific steps
• /apply/:cardId/confirmation — ApplicationConfirmationPage: shows reference number, decision timeline ("5–7 business days"), print summary button
• "Apply Now" buttons wired on CardDetailsPage and CardComparisonPage (both grid and table views)
• applicationService.submitApplication() added to api.js

Security notes

• ECB mode avoided; CBC with random IV used instead
• Sensitive PII not stored in localStorage
• X-Forwarded-For used for IP rate limiting — assumes trusted reverse proxy in deployment

Original prompt

Apply for credit card

Work Item Details

Note: Please focus on the descriptions and information that provide context about the task requirements, functionality, and implementation details. Dates, priorities, and administrative metadata are less relevant for coding tasks.

Description

As a small business owner

I want to complete a secure online application for a Three Rivers Bank business credit card

So that I can access financing and rewards to support my business expenses without visiting a branch

Acceptance Criteria

1. Application Access

 "Apply Now" button is prominently displayed on card detail pages

 "Apply Now" button is available on card comparison page for each card

 Clicking "Apply Now" navigates to a dedicated application form page (/apply/{cardId})

 Selected card information is pre-populated and displayed at top of application form

2. Application Form - Business Information

 Business legal name (required, text field)

 Doing Business As (DBA) name (optional, text field)

 Business structure dropdown (required: Sole Proprietorship, LLC, Corporation, Partnership, Non-Profit)

 Tax ID / EIN (required, 9-digit format validation)

 Industry/Business type dropdown (required)

 Years in business (required, numeric)

 Number of employees (required, numeric)

 Annual business revenue (required, currency field with dropdown ranges)

 Business address fields (street, city, state, ZIP - all required)

 Business phone number (required, phone format validation)

 Business website (optional, URL validation)

3. Application Form - Personal Information (Business Owner)

 First and last name (required)

 Date of birth (required, 18+ validation)

 SSN (required, 9-digit format, encrypted on submission)

 Email address (required, email format validation)

 Home address (required - street, city, state, ZIP)

 Mobile phone (required, phone format validation)

 Percentage ownership (required, numeric 0-100)

 Title/Position (required, text field)

 Annual personal income (required, currency field)

4. Application Form - Card Preferences

 Requested credit limit dropdown (required: $5k, $10k, $25k, $50k, $100k+)

 Number of employee cards needed (optional, numeric 0-50)

 Authorized user information (expandable section, optional)

5. Form Validation & User Experience

 Real-time field validation with error messages

 Required field indicators (asterisks)

 Progress indicator showing completion percentage

 Ability to save progress and resume later

 Form auto-save every 30 seconds to browser storage

 Clear validation error messages in red text

 Success messages in green for completed sections

6. Terms & Conditions

 Display credit terms and conditions in expandable accordion

 Display privacy policy link

 "I agree" checkbox for terms (required to submit)

 "I consent to credit check" checkbox (required to submit)

 Electronic signature field (typed name confirmation)

7. Application Submission

 "Review Application" button navigates to review page showing all entered data

 "Edit" links on review page to return to specific sections

 "Submit Application" button on review page (only active after all validations pass)

 Loading spinner during submission

 Submission sends data to backend API endpoint (POST /api/applications)

 Application data stored in database with timestamp and unique application ID

8. Confirmation & Follow-up

 Success page displays after submission with application reference number

 Confirmation email sent to applicant's email address

 Expected timeline for decision displayed (e.g., "Decision in 5-7 business days")

 Option to download/print application summary PDF

 "Apply for Another Card" button returns to card comparison page

9. Security & Compliance

 All sensitive data (SSN, Tax ID) encrypted in transit (HTTPS)

 Sensitive fields masked (show last 4 digits only)

 CSRF token protection on form submission

 Rate limiting on application submissions (max 3 per day per IP)

 Session timeout after 30 minutes of inactivity with warning at 25 minutes

 Compliance with CCPA/GDPR data handling requirements

10. Mobile Responsiveness

 Application form fully functional on mobile devices (375px width)

 Touch-friendly input fields and buttons

 Mobile-optimized dropdowns and date pickers

 Form sections collapse/expand appropriately on small screens

11. Accessibility (WCAG 2.1 AA)

 All form fields have proper labels and ARIA attributes

 Keyboard navigation supported throughout form

 Screen reader announcements for validation errors

 Color contrast ratios meet WCAG standards

 Focus indicators visible on all interactive elements

12. Backend Integration

 New database table BusinessCreditCardApplication with all form fields

 REST endpoint POST /api/applications accepts application JSON

 Input valid...

Work item: AB#859
Created via Azure DevOps

[Copilot]

Pull request overview

Adds an end-to-end online business credit card application flow to the Three Rivers Bank demo: new “Apply Now” entry points in the UI, a multi-step application wizard + confirmation screen, and a backend POST /api/applications endpoint that persists applications while encrypting sensitive fields.

Changes:

• Frontend: Adds /apply/:cardId wizard and /apply/:cardId/confirmation, plus “Apply Now” buttons from card detail/comparison pages and a submit API helper.
• Backend: Introduces BusinessCreditCardApplication persistence model, repository, service logic (validation + rate limiting + encryption), and controller endpoint.
• Config/deps: Adds encryption key config and frontend form/validation dependencies (react-hook-form/yup).

Show a summary per file

File	Description
frontend/src/services/api.js	Adds applicationService.submitApplication() for posting application payloads.
frontend/src/pages/CardDetailsPage.jsx	Wires “Apply Now” CTA to navigate to the application route.
frontend/src/pages/CardComparisonPage.jsx	Adds “Apply Now” buttons in both grid and table views.
frontend/src/pages/ApplicationFormPage.jsx	New 5-step application wizard with validation and draft auto-save.
frontend/src/pages/ApplicationConfirmationPage.jsx	New confirmation page displaying reference/status/timeline and print action.
frontend/src/App.jsx	Registers new /apply/:cardId and confirmation routes.
frontend/package.json	Adds react-hook-form, yup, and @hookform/resolvers dependencies.
frontend/package-lock.json	Locks new dependency tree for the application form stack.
backend/src/main/resources/application.yml	Adds app.encryption.key configuration (env var with default).
backend/src/main/java/com/threeriversbank/service/ApplicationService.java	Implements submit + validation + encryption + persistence.
backend/src/main/java/com/threeriversbank/repository/ApplicationRepository.java	Adds JPA repository + rate-limit count query.
backend/src/main/java/com/threeriversbank/model/entity/BusinessCreditCardApplication.java	New JPA entity to store applications (with encrypted Tax ID/SSN).
backend/src/main/java/com/threeriversbank/model/dto/ApplicationRequestDto.java	New request DTO with Bean Validation constraints.
backend/src/main/java/com/threeriversbank/model/dto/ApplicationResponseDto.java	New response DTO returned to the frontend confirmation page.
backend/src/main/java/com/threeriversbank/controller/ApplicationController.java	New POST /api/applications endpoint + client IP extraction.

Copilot's findings

Files not reviewed (1)

• frontend/package-lock.json: Language not supported

• Files reviewed: 14/15 changed files
• Comments generated: 12