From ed8308bb7b48baea45a87584f528e152f34916e3 Mon Sep 17 00:00:00 2001 From: Aditya Kadam Date: Thu, 21 May 2026 21:02:26 +0530 Subject: [PATCH 1/3] fix(auth): sanitize login response to exclude password hash --- backend/models/User.js | 8 ++++++++ backend/routes/auth.js | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/backend/models/User.js b/backend/models/User.js
index eb506ed5..be084301 100644
--- a/backend/models/User.js
+++ b/backend/models/User.js
@@ -31,4 +31,12 @@ UserSchema.methods.comparePassword = async function (enteredPassword) {
 return bcrypt.compare(enteredPassword, this.password);
 };
+UserSchema.methods.toSafeObject = function () {
+ return {
+ id: this._id,
+ username: this.username,
+ email: this.email,
+ };
+};
+
 module.exports = mongoose.model("User", UserSchema);
\ No newline at end of file
diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 7c2cda78..af16162e 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -32,7 +32,7 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 // Login route
 router.post("/login", validateRequest(loginSchema), passport.authenticate('local'), (req, res) => {
- res.status(200).json( { message: 'Login successful', user: req.user } );
+ + res.status(200).json({ message: 'Login successful', user: req.user.toSafeObject() });
 });
 // Logout route
From 3f601cf41bac3c7add3ed00229c0d9c20776b1e8 Mon Sep 17 00:00:00 2001 From: Aditya Kadam Date: Thu, 21 May 2026 21:12:10 +0530 Subject: [PATCH 2/3] fix(auth): error fix --- backend/routes/auth.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index af16162e..d6162b73 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
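Review bot: `toSafeObject` is opt-in, so only callers that remember to invoke it keep the bcrypt hash out of a response; any other `res.json(user)` on a User document (the `/signup` handler named in the second hunk's header, whose body lies outside this patch, for instance) still serializes `password`. A default-safe complement is a `toJSON` transform on the schema, `UserSchema.set('toJSON', { transform: (_doc, ret) => { delete ret.password; return ret; } });`, so the hash is stripped wherever a document is JSON-serialized, with `toSafeObject` kept as the explicit minimal projection. A one-line JSDoc on the new method, `/** Public projection of the user for API responses: never includes the password hash. */`, would also tell future callers which form to return.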
@@ -32,7 +32,7 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 // Login route
 router.post("/login", validateRequest(loginSchema), passport.authenticate('local'), (req, res) => {
- + res.status(200).json({ message: 'Login successful', user: req.user.toSafeObject() });
+ res.status(200).json({ message: 'Login successful', user: req.user.toSafeObject() });
 });
 // Logout route
From 8d24698ce87eb4699302eabb1d5a2ba5d73a4823 Mon Sep 17 00:00:00 2001 From: Aditya Kadam Date: Fri, 22 May 2026 10:37:15 +0530 Subject: [PATCH 3/3] fix(server): crash early if required env vars are missing --- backend/.env.example | 3 +++ backend/server.js | 9 +++++++++ 2 files changed, 12 insertions(+) create mode 100644 backend/.env.example
diff --git a/backend/.env.example b/backend/.env.example
new file mode 100644
index 00000000..64da3224
--- /dev/null
+++ b/backend/.env.example
@@ -0,0 +1,3 @@
+#SESSION_SECRET=your_secret_here
+MONGO_URI=mongodb://localhost:27017/github_tracker
+PORT=5000
\ No newline at end of file
diff --git a/backend/server.js b/backend/server.js
index e9b43f83..c819ec15 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -16,6 +16,15 @@ const app = express();
 // CORS configuration
 app.use(cors('*'));
+const REQUIRED_ENV = ['SESSION_SECRET', 'MONGO_URI'];
+
+for (const key of REQUIRED_ENV) {
+ if (!process.env[key]) {
+ console.error(`[startup] Missing required environment variable: ${key}`);
+ process.exit(1);
+ }
+}
+
 // Middleware
 app.use(bodyParser.json());
 app.use(session({
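Review bot: Nothing in the corrected handler regenerates the session after `passport.authenticate('local')` accepts the credentials, so the pre-login session id survives authentication unless the installed Passport is 0.6 or newer, where `req.login` regenerates it internally; the Passport version is not visible in this patch. On an older Passport that is the classic session-fixation setup for a cookie-session login, and the 200 response should be sent from inside `req.session.regenerate((err) => { ... })` after copying `req.user` across. If Passport >= 0.6 is already in use, a short comment on the route, `// session id is regenerated by passport (>=0.6) inside req.login`, records why no explicit regenerate is needed here.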
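Review bot: `SESSION_SECRET` is commented out in the new `.env.example` while the same commit's `server.js` adds it to `REQUIRED_ENV`, so anyone who copies the example to `.env` gets the new startup crash instead of a working dev setup, with nothing in the example explaining what to fill in. Keep the variable visible and make the requirement explicit, e.g. `# REQUIRED - generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"` followed by `SESSION_SECRET=` left empty, so the presence check in `server.js` still refuses to start until a real value is supplied. An uncommented guessable placeholder such as `your_secret_here` would be worse than omitting the line, because the presence check cannot tell a placeholder from a real secret.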
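Review bot: The loop only checks that `SESSION_SECRET` is non-empty, so a placeholder copied from `.env.example` or a one-character value passes and the server starts signing session cookies with a guessable key; the crash-early intent is better served by also rejecting too-short secrets. The check has no dependency on `app` and sits after `app.use(cors('*'))`, so it could move above `const app = express()` to fail before any other startup work, assuming dotenv (if used) is loaded earlier in the file, which lies outside the hunk. Proposed addition after the presence loop:
```javascript
const REQUIRED_ENV = ['SESSION_SECRET', 'MONGO_URI'];
// Short cookie-signing keys are cheap to brute-force; insist on a reasonable length.
const MIN_SESSION_SECRET_LENGTH = 32;
// … unchanged: presence-check loop over REQUIRED_ENV …
if (process.env.SESSION_SECRET.length < MIN_SESSION_SECRET_LENGTH) {
  console.error(`[startup] SESSION_SECRET must be at least ${MIN_SESSION_SECRET_LENGTH} characters`);
  process.exit(1);
}
```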