From 4ddd3684e163712235718e6bd690859406c0a1c0 Mon Sep 17 00:00:00 2001
From: Vexx
Date: Sat, 23 May 2026 20:21:07 +0530
Subject: [PATCH] Block cross-origin account enumeration by removing wildcard CORS
cors('*') allowed any cross-origin script to call /api/auth/signup and read the full response, making it trivial to probe thousands of emails and determine which are registered from the 400 vs 201 status. Replace with an origin allowlist driven by ALLOWED_ORIGINS so only the known frontend origin can read API responses. Add credentials:true so session cookies flow correctly from the allowlisted frontend.
Fixes #446
---
 backend/.env.sample | 1 +
 backend/server.js | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/backend/.env.sample b/backend/.env.sample
index 98f96881..7d4a2184 100644
--- a/backend/.env.sample
+++ b/backend/.env.sample
@@ -1,3 +1,4 @@
 PORT=5000
 MONGO_URI=mongodb://localhost:27017/githubTracker
 SESSION_SECRET=your-secret-key
+ALLOWED_ORIGINS=http://localhost:5173
diff --git a/backend/server.js b/backend/server.js
index 3f19f00b..37ed364e 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -11,8 +11,21 @@ require('./config/passportConfig');
 const app = express();
-// CORS configuration
-app.use(cors('*'));
+// CORS configuration — restrict to known frontend origins only
+const allowedOrigins = (process.env.ALLOWED_ORIGINS || 'http://localhost:5173')
+ .split(',')
+ .map(o => o.trim());
+
+app.use(cors({
+ origin: (origin, callback) => {
+ if (!origin || allowedOrigins.includes(origin)) {
+ callback(null, true);
+ } else {
+ callback(new Error('Not allowed by CORS'));
+ }
+ },
+ credentials: true,
+}));
 // Middleware
 app.use(bodyParser.json());
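Review bot: The rejection branch `callback(new Error('Not allowed by CORS'))` in the new `origin` callback turns every disallowed cross-origin request, preflights included, into an Express error (presumably a 500 from the default error handler unless the app installs its own, which this hunk does not show) instead of a normal response that simply omits `Access-Control-Allow-Origin`; `callback(null, false);` blocks the browser read just as effectively and keeps the error path and logs clean. CORS only governs what browser scripts may read, so the 400-vs-201 distinction on /api/auth/signup described in the commit message remains observable to any direct client; this change narrows the cross-site vector but a uniform signup response or rate limiting on that route is still needed to close the oracle, and the commit does not mention that follow-up. The allowlist parsing would benefit from `.filter(Boolean)` after the `.map` so a trailing comma in ALLOWED_ORIGINS does not leave an empty entry. The `!origin` branch deliberately admits requests with no Origin header; that is the usual convention but deserves a one-line comment such as `// no Origin header: same-origin or non-browser request, not subject to CORS`.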