@codeCraft-Ritik

1. Environment Variable Protection

In backend/server.js, we added a validation layer to ensure the server does not start with missing configuration.

Purpose: To prevent the application from running in an unstable state or crashing unexpectedly when attempting to access undefined environment variables.

Changes:

  1. Defined a list of required variables: mongo_uri, ACCESS_TOKEN, REFRESH_TOKEN, and CLOUDINARY_CLOUD_NAME.
  2. Added a startup check that iterates through these keys immediately after dotenv.config().
  3. Implemented a process exit (process.exit(1)) if any required variable is missing to alert the developer immediately.

2. Enhanced Token Expiration Handling

In backend/utils/verifyUser.js, we refined the authentication middleware to provide specific feedback to the frontend client.

Purpose: To allow the frontend to distinguish between an invalid/tampered token and a naturally expired token, enabling automatic "silent" token refreshes.

Changes:

  1. Modified the catch block within the access token verification logic.
  2. Added a specific check for error.name === "TokenExpiredError".
  3. Updated the error response to return a 401 status code with the message "Access token expired" instead of a generic "invalid" error.

3. Input Validation for User Registration

We introduced a new validation utility and integrated it into the authentication flow.

Purpose: To ensure data integrity and security by verifying user input before it reaches the database.

Changes:

  1. New Utility (backend/utils/validator.js): Created a middleware to check that usernames are at least 3 characters, emails follow a valid format, and passwords are at least 6 characters long.
  2. Route Integration (backend/routes/authRoute.js): Applied the validateSignUp middleware to the /signup POST route so that invalid requests are rejected before the controller logic executes.
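
An added example, not code from this pull request: the expired-versus-invalid decision from section 2, showing that "Access token expired" is returned only after the signature has been verified, so a forged or foreign token never triggers a silent refresh. The jsonwebtoken library is swapped for a minimal HS256 check so the block runs offline; signToken, verifyToken, checkAccessToken and the "Invalid access token" message are assumptions.

```javascript
// Added example; jsonwebtoken is swapped for a minimal HS256 check so it runs offline.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const mac = (data, secret) => createHmac("sha256", secret).update(data).digest();

// Hypothetical helper: builds constructed sample tokens for the demo only.
function signToken(payload, secret) {
  const body = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  return `${body}.${mac(body, secret).toString("base64url")}`;
}

function namedError(name, message) {
  return Object.assign(new Error(message), { name });
}

// Signature is verified before exp is read, so "expired" is only reported
// for tokens this server actually signed. Error names mirror jsonwebtoken's.
function verifyToken(token, secret, nowSec) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw namedError("JsonWebTokenError", "jwt malformed");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  const expected = mac(`${h}.${p}`, secret);
  const given = Buffer.from(s, "base64url");
  if (header.alg !== "HS256" || given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw namedError("JsonWebTokenError", "invalid signature");
  }
  const payload = JSON.parse(Buffer.from(p, "base64url").toString());
  if (typeof payload.exp !== "number") throw namedError("JsonWebTokenError", "exp claim required");
  if (payload.exp <= nowSec) throw namedError("TokenExpiredError", "jwt expired");
  return payload;
}

// Decision logic an auth middleware's catch block would wrap.
// "Invalid access token" is an assumed message; the PR only quotes the expired one.
function checkAccessToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  try {
    return { status: 200, user: verifyToken(token, secret, nowSec) };
  } catch (error) {
    if (error.name === "TokenExpiredError") return { status: 401, message: "Access token expired" };
    return { status: 401, message: "Invalid access token" };
  }
}
```

Because both outcomes share the 401 status, the frontend has to branch on the message, and only the expired case should lead to a refresh request.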

@vercel

vercel bot commented Jan 23, 2026

@codeCraft-Ritik is attempting to deploy a commit to the jeevan-aj's projects Team on Vercel.

A member of the Team first needs to authorize it.
