
fix: move CORS allowed origins to env variable#482

Open

adityapichikala wants to merge 2 commits into GitMetricsLab:main from adityapichikala:fix/cors-env-variable

Conversation


@adityapichikala adityapichikala commented May 24, 2026

  • Replace hardcoded allowedOrigins array with ALLOWED_ORIGINS env var
  • Add backend/.env.example documenting all required env vars
  • Prevents production URLs from leaking into source control
  • Ensures proper CSRF protection with credentials: true

Related Issue


Description

The backend's CORS configuration had hardcoded origin URLs directly in server.js:

```js
const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
```
This exposes production URLs in source control and makes it impossible to configure different origins per environment without code changes.

Changes made:

backend/server.js — Replaced the hardcoded allowedOrigins array with process.env.ALLOWED_ORIGINS (comma-separated). Falls back to http://localhost:5173 when the env var is not set, so local development works out of the box.

backend/.env.example (new file) — Added a template documenting all required environment variables including the new ALLOWED_ORIGINS.


How Has This Been Tested?

Tested with a standalone script that spins up an Express server with the same CORS middleware and verifies 4 scenarios:

Test Case | Expected | Result
-- | -- | --
Allowed origin (http://localhost:5173) | Accepted with CORS headers | ✅ PASS
Allowed origin (https://github-spy.etlify.app) | Accepted with CORS headers | ✅ PASS
Blocked origin (https://evil-site.com) | Rejected with 403 | ✅ PASS
No origin (server-to-server / curl) | Accepted | ✅ PASS

All 4 tests passed.


Screenshots (if applicable)

[three screenshots attached to the PR]

Type of Change

  • Bug fix
  • New feature
  • Code style update
  • Breaking change
  • Documentation update

Summary by CodeRabbit

  • Chores
    • Added environment configuration template documenting server, database, and session settings for setup purposes
    • CORS origin validation now uses environment-driven configuration instead of hardcoded values, enabling flexible deployment across different environments

Review Change Stack

- Replace hardcoded allowedOrigins array with ALLOWED_ORIGINS env var
- Add backend/.env.example documenting all required env vars
- Prevents production URLs from leaking into source control
- Ensures proper CSRF protection with credentials: true

netlify Bot commented May 24, 2026

Deploy Preview for github-spy ready!

Name | Link
-- | --
🔨 Latest commit | 312d699
🔍 Latest deploy log | https://app.netlify.com/projects/github-spy/deploys/6a12cf0114681e00080c1bab
😎 Deploy Preview | https://deploy-preview-482--github-spy.netlify.app


coderabbitai Bot commented May 24, 2026

Warning

Review limit reached

@adityapichikala, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 56 minutes and 20 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5300ceb0-734e-4920-a2e2-7336f5ee9023

📥 Commits

Reviewing files that changed from the base of the PR and between 4e62471 and 312d699.

📒 Files selected for processing (1)
  • backend/server.js
📝 Walkthrough

Walkthrough

This PR addresses a CORS security vulnerability by replacing hardcoded allowed origins with an environment-driven configuration. An .env.example template now documents the required settings, and server.js computes the CORS allowlist from the ALLOWED_ORIGINS env variable with a localhost fallback.

Changes

Environment-driven CORS configuration

Layer / File(s) | Summary
-- | --
Environment variable template: backend/.env.example | Defines baseline environment variables for local development: PORT, NODE_ENV, MONGO_URI, SESSION_SECRET, and ALLOWED_ORIGINS with inline comments describing defaults.
CORS origin allowlist from environment: backend/server.js | CORS configuration now parses the ALLOWED_ORIGINS environment variable (comma-separated, trimmed entries) instead of a hardcoded list, falling back to http://localhost:5173 when not set.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

  • #470: Directly addresses the critical CORS wildcard vulnerability by moving allowed origins from hardcoded to environment-driven configuration with an explicit allowlist.
  • #479: Related to moving CORS configuration to environment variables as a security improvement.
  • #454: Addresses the recommendation to replace wildcard CORS with an explicit environment-driven allowlist.

Possibly related PRs

Suggested labels

level:intermediate, quality:clean

Poem

🐰 Security tightened, wild origins tamed,
Env vars replace what was hardcoded and blamed,
CORS allowlist guards each request with care,
No more reckless wildcards floating in air! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
-- | -- | --
Title check | ✅ Passed | The title clearly and concisely summarizes the main change: moving CORS allowed origins configuration from hardcoded values to environment variables.
Linked Issues check | ✅ Passed | The PR fully addresses the requirements in linked issue #470: restricts CORS origins via environment variable (ALLOWED_ORIGINS), sets credentials: true for secure cookie-based sessions, and removes the insecure wildcard configuration.
Out of Scope Changes check | ✅ Passed | All changes are scoped to addressing the CORS security vulnerability in issue #470: environment variable configuration and .env.example documentation with no extraneous modifications.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check | ✅ Passed | Pull request description is comprehensive and well-structured, addressing all required template sections with clear motivation, implementation details, testing results, and supporting screenshots.


@github-actions github-actions Bot left a comment

@coderabbitai coderabbitai Bot left a comment
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/server.js`:
- Around line 18-20: The ALLOWED_ORIGINS parsing assigned to allowedOrigins can
produce an empty/malformed allowlist (e.g., " , ") and accidentally block all
origins; update the logic that reads process.env.ALLOWED_ORIGINS so you split,
map(trim) and then filter out any empty strings (and optionally filter out
invalid/non-HTTP origins), and if the resulting array is empty fall back to the
default ['http://localhost:5173']; ensure this change targets the code that
defines allowedOrigins and references process.env.ALLOWED_ORIGINS so the service
never ends up with an empty allowlist.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: deab92c0-ea98-46d0-897c-bc3fd5d8759f

📥 Commits

Reviewing files that changed from the base of the PR and between 6c6bc3e and 4e62471.

📒 Files selected for processing (2)
  • backend/.env.example
  • backend/server.js
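The two things this thread discusses, the comma-separated ALLOWED_ORIGINS parse with its http://localhost:5173 fallback from the PR description, and the empty-allowlist edge case (" , ") raised in the inline review above, as one added example. This is not code from this PR or from the GitMetricsLab repository; function names are hypothetical, and it assumes only the `origin: (origin, callback)` callback shape of the `cors` package and Express's default error handler honouring `err.status`. Sample values are constructed.

```javascript
// Added example (not the project's code): hardened ALLOWED_ORIGINS parsing
// plus the per-request origin check in the callback shape `cors` expects.

const DEFAULT_ORIGINS = ['http://localhost:5173']; // fallback named in the PR

// True for an entry of the form scheme://host[:port] with an http(s) scheme.
// Browsers send the Origin header without path, query or fragment, so an
// entry carrying any of those could never match and is treated as a typo.
function isValidOrigin(entry) {
  let url;
  try {
    url = new URL(entry);
  } catch (_e) {
    return false; // bare words, "*", "localhost:5173" (no scheme) land here
  }
  const httpScheme = url.protocol === 'http:' || url.protocol === 'https:';
  return httpScheme && url.pathname === '/' && url.search === '' && url.hash === '';
}

// Canonical scheme://host[:port] form, so "HTTPS://Example.COM/" and
// "https://example.com" compare equal against the Origin header value.
function normalizeOrigin(entry) {
  return new URL(entry).origin;
}

// Parse a comma-separated ALLOWED_ORIGINS value into a de-duplicated
// allowlist. Whitespace-only entries are dropped before the emptiness check,
// so "" or " , " yields the default list rather than an empty one (an empty
// allowlist would silently block every browser origin).
function parseAllowedOrigins(raw) {
  const origins = (raw || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s !== '' && isValidOrigin(s))
    .map(normalizeOrigin);
  const unique = [...new Set(origins)];
  return unique.length > 0 ? unique : [...DEFAULT_ORIGINS];
}

// Pure decision shared by the middleware callback and by tests:
//   'allow' - origin is on the allowlist, or there is no Origin header
//             (curl, server-to-server: not a cross-origin browser request)
//   'deny'  - any other origin
// Matching is exact string equality, never prefix or regex matching, so
// "https://github-spy.etlify.app.attacker.example" cannot pass.
function decideOrigin(allowed, origin) {
  if (origin === undefined || origin === null || origin === '') return 'allow';
  return allowed.includes(origin) ? 'allow' : 'deny';
}

// Callback in the shape `cors` calls:
//   app.use(cors({ origin: makeOriginCheck(allowedOrigins), credentials: true }));
// On deny we hand back an Error with status 403. `cors` forwards it to
// next(err), and Express's default error handler uses err.status, so the
// rejected request gets a 403 instead of a 500 even without custom middleware.
function makeOriginCheck(allowed) {
  return function originCheck(origin, callback) {
    if (decideOrigin(allowed, origin) === 'allow') {
      // `true` tells cors to reflect the request's own Origin, never "*",
      // which browsers refuse to accept alongside credentials: true.
      callback(null, true);
      return;
    }
    const err = new Error(`Origin ${origin} not allowed by CORS`);
    err.status = 403;
    callback(err);
  };
}

// Constructed sample standing in for process.env.ALLOWED_ORIGINS: a trailing
// slash, a stray comma and a wildcard that must all be tolerated or ignored.
const SAMPLE_ENV = 'http://localhost:5173, https://github-spy.etlify.app/, , *';
const allowedOrigins = parseAllowedOrigins(SAMPLE_ENV);
console.log('allowlist:', allowedOrigins);

// Drive the callback the way cors would for a blocked and an allowed origin.
const check = makeOriginCheck(allowedOrigins);
for (const origin of ['https://evil-site.com', 'http://localhost:5173', undefined]) {
  check(origin, (err, ok) => {
    console.log(String(origin), '->', err ? `${err.status} ${err.message}` : `allowed=${ok}`);
  });
}
```

Two caveats worth keeping in mind when reviewing a change like this: allowing requests that carry no Origin header is normal (CORS is a browser mechanism, and non-browser clients are not bound by it), but it means authentication and authorization on the route still do all the real work. And an origin allowlist with credentials: true controls which sites may read responses with the user's cookies; it does not by itself stop a cross-site form POST from reaching a state-changing endpoint, so SameSite cookie attributes or CSRF tokens remain relevant.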

Comment thread backend/server.js Outdated


Development

Successfully merging this pull request may close these issues.

🐛 Bug Report: Critical Security Vulnerability: Insecure CORS Wildcard Configuration

1 participant