From 4e6247151d6d2b4575a001b5c405af8527107778 Mon Sep 17 00:00:00 2001
From: aditya pichikala
Date: Sun, 24 May 2026 15:26:10 +0530
Subject: [PATCH 1/2] fix: move CORS allowed origins to env variable

- Replace hardcoded allowedOrigins array with ALLOWED_ORIGINS env var
- Add backend/.env.example documenting all required env vars
- Prevents production URLs from leaking into source control
- Ensures proper CSRF protection with credentials: true
---
backend/.env.example | 14 ++++++++++++++
backend/server.js | 11 ++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
create mode 100644 backend/.env.example

diff --git a/backend/.env.example b/backend/.env.example
new file mode 100644
index 00000000..70a19cf4
--- /dev/null
+++ b/backend/.env.example
@@ -0,0 +1,14 @@
+# Server
+PORT=5000
+NODE_ENV=development
+
+# MongoDB
+MONGO_URI=mongodb://127.0.0.1:27017/github_tracker
+
+# Session
+SESSION_SECRET=your_session_secret_here
+
+# CORS — comma-separated list of allowed frontend origins
+# In production, set this to your actual frontend URL(s).
+# If not set, defaults to http://localhost:5173
+ALLOWED_ORIGINS=http://localhost:5173
diff --git a/backend/server.js b/backend/server.js
index 48d6ccfb..aaff4936 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -13,13 +13,18 @@ const logger = require('./logger');
 
 const app = express();
 
-// CORS configuration
-const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
+// CORS configuration — allowed origins are read from the ALLOWED_ORIGINS env var
+// (comma-separated). Falls back to localhost for local development.
+const allowedOrigins = process.env.ALLOWED_ORIGINS
+  ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim())
+  : ['http://localhost:5173'];
+
 app.use(cors({
   origin: function (origin, callback) {
+    // Allow requests with no origin (e.g. server-to-server, curl, mobile apps)
     if (!origin || allowedOrigins.indexOf(origin) !== -1) {
       callback(null, true);
-    } else{
+    } else {
       callback(new Error('Blocked by CORS policy'));
     }
   },

From 312d69980ad50af07c4c3893d92fd05072683da9 Mon Sep 17 00:00:00 2001
From: aditya pichikala
Date: Sun, 24 May 2026 15:42:12 +0530
Subject: [PATCH 2/2] fix: harden ALLOWED_ORIGINS parsing to avoid lockout on empty values

---
backend/server.js | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/backend/server.js b/backend/server.js
index aaff4936..6acec26f 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -15,9 +15,10 @@ const app = express();
 
 // CORS configuration — allowed origins are read from the ALLOWED_ORIGINS env var
 // (comma-separated). Falls back to localhost for local development.
-const allowedOrigins = process.env.ALLOWED_ORIGINS
-  ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim())
-  : ['http://localhost:5173'];
+const parsedOrigins = process.env.ALLOWED_ORIGINS
+  ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim()).filter(Boolean)
+  : [];
+const allowedOrigins = parsedOrigins.length > 0 ? parsedOrigins : ['http://localhost:5173'];
 
 app.use(cors({
   origin: function (origin, callback) {
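Review bot: The check `allowedOrigins.indexOf(origin) !== -1` compares each parsed ALLOWED_ORIGINS entry verbatim with the browser-supplied Origin header, so an env value that differs only by a trailing slash, a path, or letter case in the scheme or host never matches and the rejection is silent until a client reports a CORS error; the same applies to the rewritten `.map(origin => origin.trim())` in the second patch. Normalizing each entry once at startup, `.map(origin => new URL(origin.trim()).origin)`, makes the comparison canonical and turns a malformed entry into a startup failure instead of a runtime mismatch, and the membership test reads better as `allowedOrigins.includes(origin)`. The reject branch calls `callback(new Error('Blocked by CORS policy'))`, which routes the request into Express error handling rather than simply omitting the CORS headers; a comment such as `// Deliberately fail the request rather than just omit CORS headers` would record that this is intended. The commit message presents the allowlist as CSRF protection, but an origin allowlist only governs which cross-origin pages may read credentialed responses, so if that is what the message relies on, the cookie's SameSite attribute or a CSRF token still needs to be checked separately. The `app.use(cors({` call continues past the end of the hunk.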
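Review bot: The fallback on the new `allowedOrigins` line applies the development allowlist `['http://localhost:5173']` silently whenever ALLOWED_ORIGINS is unset or contains only separators and whitespace, so a production deployment with a missing or mistyped variable runs with a dev-only origin list instead of failing visibly. Since `.env.example` documents NODE_ENV, the parse can fail fast before the fallback, `if (parsedOrigins.length === 0 && process.env.NODE_ENV === 'production') throw new Error('ALLOWED_ORIGINS must be set in production');`, or at minimum emit a warning through the module's `logger` whenever the fallback is taken. The `// (comma-separated). Falls back to localhost for local development.` comment should then say that the fallback is for development only. The `app.use(cors({` call continues past the end of the hunk.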