Merge pull request #467 from Ridanshi/fix/cors-allowlist-session-cookie-hardening

fix(security): replace wildcard CORS with allowlist and harden session cookies

Author: mehul-m-prajapati

.env.example

@@ -0,0 +1,3 @@
+# URL of the backend API (no trailing slash).
+# Must match the origin the backend server listens on.
+VITE_BACKEND_URL=http://localhost:5000

README.md

@@ -103,8 +103,27 @@ Install backend dependencies:
 npm install
 ```
 
-Start the backend server:
+3. Configure environment variables
 
+   Copy the example files and fill in your values:
+   ```bash
+   # Frontend (.env in the repo root)
+   cp .env.example .env
+
+   # Backend (.env inside backend/)
+   cp backend/.env.example backend/.env
+   ```
+
+   Key variables to set:
+
+   | Variable | Where | Description |
+   |---|---|---|
+   | `VITE_BACKEND_URL` | root `.env` | URL of the backend (default: `http://localhost:5000`) |
+   | `MONGO_URI` | `backend/.env` | MongoDB connection string |
+   | `SESSION_SECRET` | `backend/.env` | Long random string used to sign session cookies |
+   | `FRONTEND_ORIGIN` | `backend/.env` | URL of the frontend — restricts CORS. **Required in production.** Defaults to `http://localhost:5173` in development. |
+
+4. Run the frontend
 ```bash
 npm run dev
 ```
@@ -115,18 +134,11 @@ The backend server will run on:
 http://localhost:5000
 ```
 
----
-
-# 🐳 Docker Development Workflow
-
-The project includes Docker configurations for both development and production environments.
-
-## 📦 Development Environment
-
-Run the complete development environment using Docker:
-
+5. Run the backend
 ```bash
-npm run docker:dev
+$ cd backend
+$ npm i
+$ npm start
 ```
 
 This command:

backend/.env.example

@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------
+# Server
+# ---------------------------------------------------------------
+PORT=5000
+NODE_ENV=development
+
+# ---------------------------------------------------------------
+# MongoDB
+# ---------------------------------------------------------------
+MONGO_URI=mongodb://127.0.0.1:27017/github_tracker
+
+# ---------------------------------------------------------------
+# Session
+# Generate a long random string for production, e.g.:
+#   node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
+# ---------------------------------------------------------------
+SESSION_SECRET=replace-with-a-long-random-string
+
+# ---------------------------------------------------------------
+# CORS — Frontend origin allowlist
+#
+# Set this to the exact URL of your frontend (no trailing slash).
+# REQUIRED in production: the server will refuse to start without it.
+# In development, the server defaults to http://localhost:5173 when
+# this variable is not set.
+#
+# Examples:
+#   Development : FRONTEND_ORIGIN=http://localhost:5173
+#   Production  : FRONTEND_ORIGIN=https://app.example.com
+# ---------------------------------------------------------------
+FRONTEND_ORIGIN=http://localhost:5173
+
+# ---------------------------------------------------------------
+# Logging
+# Accepted values: error | warn | info | debug
+# ---------------------------------------------------------------
+LOG_LEVEL=debug

backend/config/validateEnv.js

@@ -0,0 +1,15 @@
+/**
+ * Validates required environment variables before the server starts.
+ * Throws so callers can decide whether to log + exit or handle otherwise,
+ * which keeps the logic unit-testable without spawning child processes.
+ */
+function validateEnv() {
+  if (process.env.NODE_ENV === 'production' && !process.env.FRONTEND_ORIGIN) {
+    throw new Error(
+      'FRONTEND_ORIGIN environment variable is required in production. ' +
+      'Set it to the URL of your frontend (e.g., https://app.example.com).'
+    );
+  }
+}
+
+module.exports = { validateEnv };

backend/package.json

@@ -25,6 +25,8 @@
     "zod": "^4.4.3"
   },
   "devDependencies": {
-    "nodemon": "^3.1.9"
+    "jasmine": "^5.0.0",
+    "nodemon": "^3.1.9",
+    "supertest": "^7.0.0"
   }
 }

backend/server.js

@@ -6,32 +6,62 @@ const bodyParser = require('body-parser');
 require('dotenv').config();
 const cors = require('cors');
 
+const { validateEnv } = require('./config/validateEnv');
+const logger = require('./logger');
+
+// Fail fast in production when required env vars are absent.
+try {
+  validateEnv();
+} catch (err) {
+  logger.error(`[FATAL] ${err.message}`);
+  process.exit(1);
+}
+
 // Passport configuration
 require('./config/passportConfig');
 
-const logger = require('./logger');
-
 const app = express();
 
-// CORS configuration
-const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
+// In development, fall back to localhost:5173 if FRONTEND_ORIGIN is not set so
+// that contributors can run the stack without a full .env file.
+const corsOrigin = process.env.FRONTEND_ORIGIN || 'http://localhost:5173';
+
+if (!process.env.FRONTEND_ORIGIN) {
+  logger.warn(
+    'FRONTEND_ORIGIN is not set; defaulting to http://localhost:5173. ' +
+    'Set this variable in production.'
+  );
+}
+
+// CORS — explicit allowlist with credentials support.
+// A function-based origin is required so that the header is only set (and
+// reflected) for allowed origins; a static string would send the header on
+// every response regardless of the requesting origin.
 app.use(cors({
-    origin: function (origin, callback) {
-        if (!origin || allowedOrigins.indexOf(origin) !== -1) {
-            callback(null, true);
-        } else{
-            callback(new Error('Blocked by CORS policy'));
-        }
-    },
-    credentials: true
+  origin: (requestOrigin, callback) => {
+    // Allow same-origin requests (no Origin header) and the configured origin.
+    if (!requestOrigin || requestOrigin === corsOrigin) {
+      return callback(null, true);
+    }
+    callback(null, false);
+  },
+  credentials: true,
+  methods: ['GET', 'POST'],
+  allowedHeaders: ['Content-Type'],
 }));
 
 // Middleware
 app.use(bodyParser.json());
 app.use(session({
-    secret: process.env.SESSION_SECRET,
-    resave: false,
-    saveUninitialized: false,
+  secret: process.env.SESSION_SECRET,
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    // Only transmit the cookie over HTTPS in production.
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+  },
 }));
 app.use(passport.initialize());
 app.use(passport.session());
@@ -42,12 +72,10 @@ app.use('/api/auth', authRoutes);
 
 // Connect to MongoDB
 mongoose.connect(process.env.MONGO_URI, {}).then(() => {
-    logger.info('Connected to MongoDB');
-
-    const PORT = process.env.PORT || 5000;
-    app.listen(PORT, () => {
-        logger.info(`Server running on port ${PORT}`);
-    });
+  logger.info('Connected to MongoDB');
+  app.listen(process.env.PORT, () => {
+    logger.info(`Server running on port ${process.env.PORT}`);
+  });
 }).catch((err) => {
-    logger.error('MongoDB connection error', err);
+  logger.error('MongoDB connection error', err);
 });

package.json

@@ -54,6 +54,7 @@
 
     "autoprefixer": "^10.4.20",
     "bcryptjs": "^3.0.3",
+    "cors": "^2.8.5",
 
     "eslint": "^9.13.0",
     "eslint-plugin-react": "^7.37.2",