
fix: validate env on startup #385

Closed

adityack477 wants to merge 3 commits into GitMetricsLab:main from adityack477:fix/validate-env-on-startup


@adityack477 adityack477 commented May 22, 2026

Related Issue


Description

If SESSION_SECRET is not set in .env, express-session silently uses
undefined as the secret, making all session cookies insecure.

Added a startup check that loops over required env vars and calls
process.exit(1) with a descriptive error if any are missing.

  • backend/server.js — env validation block before middleware setup
  • backend/.env.example — new file listing required variables

How Has This Been Tested?

Tested by removing SESSION_SECRET from .env and confirming the
server exits with the expected error message.


Screenshots (if applicable)


Type of Change

  • Bug fix
  • New feature
  • Code style update
  • Breaking change
  • Documentation update

Summary by CodeRabbit

  • Bug Fixes

    • Configuration is now validated at startup to ensure all required settings are present, preventing the application from launching with incomplete setup.
    • User authentication responses now return only essential, non-sensitive account information instead of complete user records.
  • Chores

    • Added an example configuration template to guide local development setup.


netlify Bot commented May 22, 2026

Deploy Preview for github-spy ready!

Name Link
🔨 Latest commit 8d24698
🔍 Latest deploy log https://app.netlify.com/projects/github-spy/deploys/6a0fe52b40197c00088d6f11
😎 Deploy Preview https://deploy-preview-385--github-spy.netlify.app

coderabbitai Bot commented May 22, 2026

Walkthrough

This PR hardens backend security by validating required environment variables at startup and sanitizing user data in authentication responses. The server now terminates immediately if SESSION_SECRET or MONGO_URI are missing, and login endpoints return only non-sensitive user fields (id, username, email) instead of full user objects.

Changes

Environment validation and user response sanitization

| Layer / File(s) | Summary |
| --- | --- |
| Environment configuration and startup validation (backend/.env.example, backend/server.js) | Example configuration file documents SESSION_SECRET, MONGO_URI, and PORT. Server startup guard validates that required env variables are set before proceeding with middleware and database initialization. |
| User data sanitization in auth responses (backend/models/User.js, backend/routes/auth.js) | User model adds toSafeObject() instance method returning only id, username, and email. Login route uses this method to return sanitized user data instead of the full user object. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 In the warren of secrets kept tight,
Session guards stand watch through the night,
User objects trimmed down with care,
Safe fields only—no passwords there!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Out of Scope Changes check | ❓ Inconclusive | The changes in User.js and auth.js (toSafeObject method and sanitized login response) are not directly related to issue #366's requirement of env validation but represent related security improvements. | Clarify whether User.js and auth.js changes align with #366's scope or if they should be separated into a distinct PR addressing user data sanitization. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'fix: validate env on startup' accurately describes the main change—adding environment variable validation at server startup to prevent insecure defaults. |
| Description check | ✅ Passed | The description is complete, following the template with all required sections: Related Issue, Description, Testing method, and Type of Change. |
| Linked Issues check | ✅ Passed | The changes fully address #366: env validation is implemented in backend/server.js, required variables are documented in .env.example, and the startup check prevents insecure session defaults. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



🧹 Nitpick comments (1)
backend/.env.example (1)

1-1: ⚡ Quick win

Uncomment the required SESSION_SECRET key in the example config.

With Line 1 commented, copying .env.example to .env leaves out a required variable and guarantees startup failure. Prefer a placeholder value so the required shape is explicit.

Proposed change
-#SESSION_SECRET=your_secret_here
+SESSION_SECRET=change_me_before_running
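Review bot: the added line `SESSION_SECRET=change_me_before_running` ships a non-empty, publicly known value, so a startup check that only tests whether the variable is set will pass after a plain copy of .env.example to .env, and sessions would then be signed with a secret anyone can read in the repository. Suggest keeping the key present but empty (`SESSION_SECRET=`) so the check still fails until a real value is supplied, or have the check reject the placeholder strings and enforce a minimum length.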
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/.env.example` at line 1, uncomment the SESSION_SECRET key in the
example config so a placeholder value is present (replace the commented line
"#SESSION_SECRET=your_secret_here" with "SESSION_SECRET=your_secret_here" or
another safe placeholder) to ensure copying .env.example to .env includes the
required SESSION_SECRET environment variable.


📥 Commits

Reviewing files that changed from the base of the PR and between 9d34c19 and 8d24698.

📒 Files selected for processing (4)
  • backend/.env.example
  • backend/models/User.js
  • backend/routes/auth.js
  • backend/server.js
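
As an added example (not code from this PR or the project), one way to write the startup check discussed in this thread so that it also rejects empty values and the placeholder strings quoted above. The function names, the rule list and the 32-character minimum are assumptions.

```javascript
'use strict';

// Placeholder strings that appear in this thread's .env.example discussion.
const PLACEHOLDERS = new Set(['your_secret_here', 'change_me_before_running']);

// Assumed policy, not taken from the PR: minimum length for secret values.
const MIN_SECRET_LENGTH = 32;

// Hypothetical rule list; `secret: true` enables placeholder and length checks.
const REQUIRED_ENV = [
  { name: 'SESSION_SECRET', secret: true },
  { name: 'MONGO_URI', secret: false },
];

// Returns a list of problems; an empty list means the config is acceptable.
function findEnvProblems(env, rules = REQUIRED_ENV) {
  const problems = [];
  for (const { name, secret } of rules) {
    const raw = env[name];
    if (raw === undefined) {
      problems.push(`${name} is not set`);
      continue;
    }
    const value = String(raw).trim();
    if (value === '') {
      problems.push(`${name} is empty`);
    } else if (secret && PLACEHOLDERS.has(value)) {
      problems.push(`${name} is still the example placeholder`);
    } else if (secret && value.length < MIN_SECRET_LENGTH) {
      problems.push(`${name} is shorter than ${MIN_SECRET_LENGTH} characters`);
    }
  }
  return problems;
}

// Call before any middleware is registered. Only names are logged, never values.
function assertEnvOrExit(env = process.env) {
  const problems = findEnvProblems(env);
  if (problems.length > 0) {
    for (const p of problems) console.error(`[config] ${p}`);
    process.exit(1);
  }
}

// Constructed sample: the result of copying an example file without editing it.
const sampleEnv = { SESSION_SECRET: 'change_me_before_running', MONGO_URI: '' };
console.log(findEnvProblems(sampleEnv));
```
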

@adityack477 (Contributor, Author) commented

@mehul-m-prajapati @Srijatalamarla @ASR1015 please review and merge

@mehul-m-prajapati (Collaborator) commented

@adityack477 will do on weekend


Successfully merging this pull request may close these issues.

Security: Store session secret validation
