Merge branch 'main' into feature/github-api-rate-limit-ui

Author: mehul-m-prajapati

SECURITY.md

@@ -0,0 +1,120 @@
+# 🔒 Security Policy
+
+Thank you for helping keep **GitHub Tracker** and its community safe.
+
+We take security vulnerabilities seriously and appreciate responsible disclosure from contributors, users, and security researchers.
+
+Please report security issues responsibly and avoid public disclosure until the issue has been resolved.
+
+---
+
+# 📌 Supported Versions
+
+The following table outlines the versions of the project currently receiving security updates and maintenance support.
+
+| Version | Supported |
+| ------- | --------- |
+| Current development version | ✅ |
+| Older versions | ❌ |
+
+We recommend always using the latest version of the project to benefit from recent security fixes and improvements.
+
+---
+
+# 🚨 Reporting a Vulnerability
+
+If you discover a security vulnerability within this project, please report it responsibly.
+
+## Please Do NOT
+
+- Open a public GitHub issue for security vulnerabilities
+- Publicly disclose the vulnerability before it has been reviewed
+- Share exploit details publicly without prior coordination
+
+---
+
+# 📬 How to Report
+
+Please report vulnerabilities by contacting the maintainers through one of the following methods:
+
+- Open a private GitHub Security Advisory (if enabled)
+- Contact repository maintainers through GitHub Discussions or direct GitHub communication
+- Provide detailed reproduction steps and supporting information
+
+When submitting a report, please include:
+
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact
+- Screenshots or proof-of-concept (if applicable)
+- Suggested fixes or mitigation ideas (optional)
+
+---
+
+# 🔍 What to Expect
+
+After a vulnerability report is submitted:
+
+1. The maintainers will review the report
+2. The issue will be validated and assessed
+3. A fix or mitigation strategy will be prepared
+4. Security patches may be released if necessary
+5. Responsible disclosure coordination will be followed before public release
+
+We aim to acknowledge valid security reports within a reasonable timeframe.
+
+---
+
+# 🛡 Responsible Disclosure Guidelines
+
+To help protect users and contributors, we request that you:
+
+- Act in good faith
+- Avoid accessing or modifying data that does not belong to you
+- Avoid disrupting repository services or workflows
+- Provide sufficient details for reproduction
+- Allow maintainers reasonable time to investigate and resolve issues
+
+---
+
+# 🔐 Security Best Practices for Contributors
+
+Contributors are encouraged to follow secure development practices:
+
+- Keep dependencies updated
+- Avoid committing secrets or API keys
+- Validate and sanitize user input
+- Follow secure authentication practices
+- Review dependencies for known vulnerabilities
+
+---
+
+# 📦 Dependency Security
+
+This project uses modern JavaScript and Node.js tooling including:
+
+- React + Vite
+- Node.js + Express
+- TailwindCSS
+- Axios
+- MongoDB / Mongoose
+
+Contributors should regularly audit dependencies using:
+
+```bash
+npm audit
+```
+
+To automatically fix non-breaking vulnerabilities:
+
+```bash
+npm audit fix
+```
+
+---
+
+# 🤝 Security Acknowledgements
+
+We appreciate responsible security disclosures and value the efforts of contributors helping improve the security and reliability of this project.
+
+Thank you for helping make **GitHub Tracker** safer for everyone. 🚀

backend/.env.example

@@ -0,0 +1,14 @@
+# Server
+PORT=5000
+NODE_ENV=development
+
+# MongoDB
+MONGO_URI=mongodb://127.0.0.1:27017/github_tracker
+
+# Session
+SESSION_SECRET=your_session_secret_here
+
+# CORS — comma-separated list of allowed frontend origins
+# In production, set this to your actual frontend URL(s).
+# If not set, defaults to http://localhost:5173
+ALLOWED_ORIGINS=http://localhost:5173

backend/config/passportConfig.js

@@ -7,7 +7,7 @@ passport.use(
         { usernameField: "email" },
         async (email, password, done) => {
             try {
-                const user = await User.findOne( {email} );
+                const user = await User.findOne( {email} ).select("+password");;
                 if (!user) {
                     return done(null, false, { message: 'Email is invalid '});
                 }
@@ -20,7 +20,8 @@ passport.use(
                 return done(null, {
                     id : user._id.toString(),
                     username: user.username,
-                    email: user.email
+                    email: user.email,
+                    token: user.token
                 });
             } catch (err) {
                 return done(err);
@@ -38,7 +39,10 @@ passport.serializeUser((user, done) => {
 passport.deserializeUser(async (id, done) => {
     try {
         const user = await User.findById(id);
-        done(null, user);
+        if (!user) {
+            return done(null, false);
+        }
+        done(null,user);
     } catch (err) {
         done(err, null);
     }

backend/models/User.js

@@ -16,11 +16,16 @@ const UserSchema = new mongoose.Schema({
     type: String,
     required: true,
   },
+  token: {
+    type: String,
+    unique: true,
+    sparse: true,
+  },
 });
 
 // ✅ FIXED: no next()
-UserSchema.pre('save', async function () {
-  if (!this.isModified('password')) return;
+UserSchema.pre("save", async function () {
+  if (!this.isModified("password")) return;
 
   const salt = await bcrypt.genSalt(10);
   this.password = await bcrypt.hash(this.password, salt);
@@ -31,4 +36,5 @@ UserSchema.methods.comparePassword = async function (enteredPassword) {
   return bcrypt.compare(enteredPassword, this.password);
 };
 
-module.exports = mongoose.model("User", UserSchema);
+module.exports = mongoose.model("User", UserSchema);
+

backend/routes/auth.js

@@ -35,6 +35,24 @@ router.post("/login", validateRequest(loginSchema), passport.authenticate('local
     res.status(200).json( { message: 'Login successful', user: req.user } );
 });
 
+// Save GitHub token route
+router.post("/token", async (req, res) => {
+    if (!req.isAuthenticated()) {
+        return res.status(401).json({ message: 'Not authenticated' });
+    }
+    const { token } = req.body;
+    if (!token) {
+        return res.status(400).json({ message: 'Token is required' });
+    }
+    try {
+        await User.findByIdAndUpdate(req.user._id, { token });
+        req.user.token = token;
+        res.status(200).json({ success: true, message: 'Token saved successfully' });
+    } catch (err) {
+        res.status(500).json({ message: 'Error saving token', error: err.message });
+    }
+});
+
 // Logout route
 router.get("/logout", (req, res) => {
 

backend/server.js

@@ -13,13 +13,19 @@ const logger = require('./logger');
 
 const app = express();
 
-// CORS configuration
-const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
+// CORS configuration — allowed origins are read from the ALLOWED_ORIGINS env var
+// (comma-separated). Falls back to localhost for local development.
+const parsedOrigins = process.env.ALLOWED_ORIGINS
+    ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim()).filter(Boolean)
+    : [];
+const allowedOrigins = parsedOrigins.length > 0 ? parsedOrigins : ['http://localhost:5173'];
+
 app.use(cors({
     origin: function (origin, callback) {
+        // Allow requests with no origin (e.g. server-to-server, curl, mobile apps)
         if (!origin || allowedOrigins.indexOf(origin) !== -1) {
             callback(null, true);
-        } else{
+        } else {
             callback(new Error('Blocked by CORS policy'));
         }
     },

backend/validators/authValidator.js

@@ -6,8 +6,8 @@ const signupSchema = z.object({
         .min(3, "Username must be at least 3 characters long")
         .max(30, "Username must be at most 30 characters long")
         .regex(/^[a-zA-Z0-9_]+$/, "Username can only contain letters, numbers, and underscores")
-        ,
-    
+    ,
+
     email: z.string()
         .trim()
         .toLowerCase()
@@ -18,7 +18,7 @@ const signupSchema = z.object({
         .min(8, "Password must be at least 8 characters long")
         .max(100, "Password must be at most 100 characters long")
         .regex(
-            /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]+$/,
+            /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}+$/,
             'Password must contain uppercase, lowercase, number, and special character'
         ),
 });