configured dynamic port and cors middleware for production

[KoderOP]

Related Issue

• Closes: 🚀 Feature: Configure and run node server using heroku or vercel or digital ocean and connect it with Frontend #48 🎉

---

Description

Configured the Node.js backend server to support seamless production deployments.

Key changes include Dynamic Port Selection & Enhanced CORS Setup

###How this was verified

• Successfully deployed and built the backend application on Render.
• Connected frontend and verified by running on localhost and inspecting

Summary by CodeRabbit

• Chores
  • Updated CORS handling to use an allowlist-based policy with credential support, restricting access to approved origins.
  • Enhanced server port configuration to utilize environment variables with a fallback default value.

[netlify]

✅ Deploy Preview for github-spy ready!

Name	Link
🔨 Latest commit	ffaf58f
🔍 Latest deploy log	https://app.netlify.com/projects/github-spy/deploys/6a0f7d3d5dabef0007314a4f
😎 Deploy Preview	https://deploy-preview-384--github-spy.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

Backend server configuration is hardened with a CORS allowlist policy replacing the permissive wildcard, and server startup gains environment-aware port selection with fallback default for cloud deployment compatibility.

Changes

Server Security and Deployment Configuration

Layer / File(s)	Summary
CORS allowlist enforcement backend/server.js	Wildcard CORS policy is removed and replaced with origin callback validation against allowedOrigins, enabling credentials: true and rejecting unrecognized origins with a CORS error.
Deployment port configuration backend/server.js	Server derives listening port from process.env.PORT with default 5000, storing in PORT variable and using it consistently in app.listen and startup logging.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through the CORS request,
With allowlists now, security's blessed!
The port finds its home in the ENV,
Deployment's now smooth, cloud-ready heaven! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: dynamic port configuration and CORS middleware setup for production deployment.
Linked Issues check	✅ Passed	The PR addresses issue #48's objective to configure the Node server for production hosting by implementing dynamic port selection and CORS setup required for deployment.
Out of Scope Changes check	✅ Passed	All changes in backend/server.js directly support the production deployment configuration objective; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description covers the related issue, provides key changes, and includes verification details with screenshots, but lacks a formal 'Type of Change' section and has minor formatting issues.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🎉 Thank you @KoderOP for your contribution. Please make sure your PR follows https://github.com/GitMetricsLab/github_tracker/blob/main/CONTRIBUTING.md#-pull-request-guidelines

[coderabbitai]

🧹 Nitpick comments (1)

backend/server.js (1)

17-17: ⚡ Quick win

Hardcoded origins limit deployment flexibility.

For production deployments across different hosting providers (per issue #48), hardcoding origins requires code changes for each environment. Consider loading allowed origins from an environment variable:

-const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
+const allowedOrigins = process.env.ALLOWED_ORIGINS
+    ? process.env.ALLOWED_ORIGINS.split(',')
+    : ['http://localhost:5173'];

Also, verify https://github-spy.etlify.app is the correct domain—did you mean netlify.app?

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/server.js` at line 17, Replace the hardcoded allowedOrigins array
with a configurable solution: read a new environment variable (e.g.,
process.env.ALLOWED_ORIGINS) and parse it (comma- or semicolon-separated) into
the allowedOrigins array used by your CORS setup (fall back to the existing
localhost and the production domain if the env var is absent); update any
references to the existing allowedOrigins variable and ensure you validate/trim
entries. Also confirm and correct the production domain string (change
"https://github-spy.etlify.app" to the intended "https://github-spy.netlify.app"
if that was the typo) so the default fallback is accurate.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@backend/server.js`:
- Line 17: Replace the hardcoded allowedOrigins array with a configurable
solution: read a new environment variable (e.g., process.env.ALLOWED_ORIGINS)
and parse it (comma- or semicolon-separated) into the allowedOrigins array used
by your CORS setup (fall back to the existing localhost and the production
domain if the env var is absent); update any references to the existing
allowedOrigins variable and ensure you validate/trim entries. Also confirm and
correct the production domain string (change "https://github-spy.etlify.app" to
the intended "https://github-spy.netlify.app" if that was the typo) so the
default fallback is accurate.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 459b1ceb-8744-4215-a95b-874039bbf362

📥 Commits

Reviewing files that changed from the base of the PR and between 9d34c19 and ffaf58f.

📒 Files selected for processing (1)

• backend/server.js

[mehul-m-prajapati]

already done

[KoderOP]

Just to clarify the timeline: this issue was completely open when I picked it up and submitted the PR. It was closed only after my submission was already in. If the feature was implemented elsewhere in parallel, I understand, but I wanted to bring this up to ensure there wasn't a misunderstanding regarding the contribution order.

…

On Sat, May 23, 2026 at 5:44 PM Mehul Prajapati ***@***.***> wrote: *mehul-m-prajapati* left a comment (GitMetricsLab/github_tracker#384) <#384 (comment)> already done — Reply to this email directly, view it on GitHub <#384 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BMLNHU6X7TAH6OLAEXXSRJ344GI37AVCNFSM6AAAAACZIKFL6GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DKMRVGMYDOMJYGY> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[github-actions]

🎉🎉 Thank you for your contribution! Your PR #384 has been merged! 🎉🎉

[mehul-m-prajapati]

@KoderOP : ok, merged

[KoderOP]

Happy to contribute! I really appreciate you valuing the time and efforts taken and merging this

[Bhuvanakalaga]

Hi @KoderOP
I am a GSSoC 2026 contributor and would like to work on this issue.
Could you please assign it to me?

[KoderOP]

This issue has been closed. You should look for open issues . All the Best!