[Security] Replace wildcard CORS with environment-driven origin allowlist

[advikdivekar]

Problem

backend/server.js line 15 applied app.use(cors('*')) — a fully open wildcard CORS policy across every API endpoint. This instructs browsers to allow any origin to read API responses, completely nullifying the Same-Origin Policy as a defence layer.

Concrete impact:

• Any page on the internet (including file://, http://attacker.com) could call POST /api/auth/signup or POST /api/auth/login and read the full JSON response with no browser restriction.
• Every new endpoint added by any contributor was silently exposed by default with no per-origin security review needed — a permanent attack surface expansion vector as the API grows.
• Combined with the differential error messages in passportConfig.js, a cross-origin script could enumerate the entire registered user database in seconds.

Changes

backend/server.js

• Removed cors('*').
• Replaced with an explicit origin allowlist built from process.env.ALLOWED_ORIGINS (comma-separated), defaulting to http://localhost:5173 so local development works out of the box.
• Added credentials: true to allow session cookies in cross-origin requests from the allowlisted frontend.
• Restricted methods to ['GET', 'POST'] and allowedHeaders to ['Content-Type'] — minimises the CORS surface as the API grows.
• Server-to-server requests (no Origin header) are still allowed for health checks and internal tooling.

backend/.env.sample

• Added ALLOWED_ORIGINS=http://localhost:5173 so contributors know to set this variable for their deployment environment.

Why this approach fixes the root cause

The wildcard policy was a blanket grant at the infrastructure level. Replacing it with an environment-variable-driven allowlist means the set of trusted origins is explicit, auditable, and different per environment — http://localhost:5173 for dev, the production domain for prod — without any code change required between environments.

Steps to test

1. Start the backend (npm start in backend/).
2. From a browser console on http://localhost:5173, call POST /api/auth/signup — request succeeds (allowlisted origin).
3. Open http://localhost:5174 (a different port) and repeat the fetch — browser blocks the request with a CORS error.
4. Confirm the Access-Control-Allow-Origin response header shows http://localhost:5173, not *.
5. Set ALLOWED_ORIGINS=http://localhost:5173,http://localhost:5174 in .env and restart — both origins are now accepted.
6. Confirm server-to-server calls (e.g. curl -X POST ... with no Origin header) still work.

Edge cases covered

• Requests with no Origin header (server-to-server, curl) — allowed, as the !origin guard passes them through.
• Multiple production origins — supported via comma-separated ALLOWED_ORIGINS.
• Unlisted origins — receive a CORS error from the browser; no response body is readable.

Regression check

All existing routes (/api/auth/signup, /api/auth/login, /api/auth/logout) continue to work normally from http://localhost:5173. The credentials: true flag ensures session cookies are forwarded correctly from the frontend. No changes to route handlers, middleware order, or tests.

Please review and merge this under GSSoC 2026.

[netlify]

✅ Deploy Preview for github-spy ready!

Name	Link
🔨 Latest commit	5a3bf00
🔍 Latest deploy log	https://app.netlify.com/projects/github-spy/deploys/6a11bbb5a37af80007b9cee0
😎 Deploy Preview	https://deploy-preview-457--github-spy.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Warning

Review limit reached

@advikdivekar, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 58 minutes and 4 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a639146d-1a9e-43fe-bf6e-e1dc0d64a329

📥 Commits

Reviewing files that changed from the base of the PR and between 373dde2 and 5a3bf00.

📒 Files selected for processing (2)

• backend/.env.sample
• backend/server.js

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[advikdivekar]

@mehul-m-prajapati why was my code not merged? did i make any mistakes in my code? please let me know