
fix: pre-deployment sanitization for Render#155

Merged
kunalverma2512 merged 1 commit into main from Preparing-for-deploying-backend on Jun 3, 2026

Conversation

@kunalverma2512 (Owner) commented Jun 3, 2026

📌 Pull Request Summary

📝 Description

Prepares the full server for production deployment
on Render.

Changes Made

  • Fixed cross-origin cookie issue (sameSite: None in production) that
    caused all axios auth requests to return 401
  • Added trust proxy to Express for correct IP resolution behind
    Render's reverse proxy (fixes rate limiting for all users)
  • Fixed JWT_EXPIRES_IN → JWT_ACCESS_EXPIRES_IN name mismatch that
    crashed the server on startup
  • Fixed Nodemailer SMTP port parsed as string — now correctly parsed as
    integer with dynamic secure flag
  • Added start script to package.json for Render deployment
  • Moved nodemon to devDependencies
  • Cleaned up CORS config — removed dead CLIENT_URI reference, added
    localhost comment
  • Created server/server-deploying.md — full 13-section deployment
    guide documenting architecture, all services, env vars, and
    troubleshooting

Motivation

APEX AI is the core differentiator of the CodeLens platform. It
provides real, data-backed insights by reading the user's actual
Codeforces and GitHub data — not generic advice. This PR brings that
feature from zero to fully functional and deployed. The deployment
fixes resolve a class of bugs (401 errors, rate limit failures, server
crashes) that historically appear only in production and are hard to
debug after the fact.


🚀 Type of Change

  • Bug Fix
  • New Feature
  • Enhancement
  • Documentation Update
  • Refactoring
  • DevOps / Tooling

🧪 Testing

Verification

  • Tested Locally
  • Existing Tests Passed
  • New Tests Added
  • No Testing Required

Test Details

  • Ran a full 7-step manual test suite against the local server covering:
    conversation creation, listing, message streaming, context data
    accuracy, and conversation deletion
  • Verified APEX correctly reads Codeforces skill decay and GitHub
    activity by triggering a GitHub sync and creating a fresh conversation
  • Verified SSE streaming works end-to-end in the browser with
    word-by-word response rendering
  • Verified mobile sidebar overlay does not squeeze the chat area on
    small screens
  • Verified the scroll fix — page no longer jumps to footer during
    streaming
  • Verified Render deployment boots successfully with correct env vars
  • Verified Vercel frontend builds with zero errors (vite build in CI)

📸 Screenshots / Demo (If Applicable)

APEX workspace chat — streaming response in dark B&W design


✅ Checklist

  • I have read and followed the contribution guidelines.
  • I have self-reviewed my changes.
  • My changes are limited to the scope of this issue.
  • Documentation has been updated where necessary.
  • No unnecessary files or unrelated changes have been included.
  • The related issue has been linked correctly.
  • All applicable testing and validation steps have been completed.

📚 Additional Notes

  • The APEX chat rate limit is set to 20 messages per user per hour
    to protect the Gemini free-tier quota (1500 req/day shared).
  • Old APEX conversations created before the GitHub data fix will still
    show incomplete context — users should start a new conversation after
    syncing GitHub data for accurate insights.
  • A second GitHub OAuth App is needed for local development once the
    production callback URL is set (GitHub allows only one callback URL
    per app). See server-deploying.md Section 7 for details.
  • server-deploying.md documents every env variable, all services,
    architecture decisions, and common production errors with their fixes.

Summary by CodeRabbit

  • Documentation

    • Added comprehensive server deployment guide with step-by-step instructions, environment setup checklist, and troubleshooting section.
  • Bug Fixes

    • Fixed email service SMTP port configuration to properly handle SSL and STARTTLS protocols.
    • Improved cross-domain authentication cookie handling for production environments.
  • Chores

    • Enhanced environment variable documentation with detailed examples and optional/required guidance.
    • Updated reverse proxy configuration for improved compatibility with deployment platforms.

vercel Bot commented Jun 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

  • Project: codelensx
  • Deployment: Ready
  • Actions: Preview, Comment
  • Updated (UTC): Jun 3, 2026 6:34am

@kunalverma2512 kunalverma2512 merged commit 3c852f1 into main Jun 3, 2026
3 of 4 checks passed
github-actions Bot commented Jun 3, 2026

🚀 PR Received Successfully

Hello @kunalverma2512,

Thank you for taking the initiative to contribute to this project.

Please ensure that your PR follows all project guidelines properly before requesting review.

⚠️ Important Instructions

  • Maintain proper code quality and structure
  • Do not make unnecessary changes/files
  • Ensure responsiveness across devices
  • Follow existing project conventions strictly
  • Attach screenshots/videos for UI-related changes
  • Resolve merge conflicts before requesting review
  • Avoid AI-generated low quality PRs or copied implementations

📌 Mandatory for GSSoC'26 Participants

Joining the community group and announcement channel is compulsory for all contributors participating through GSSoC'26.

Failure to follow contribution guidelines may lead to PR rejection.

We appreciate your effort and wish you a great open-source journey ahead. ✨

coderabbitai Bot commented Jun 3, 2026

Review Change Stack

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 715c8163-d540-4392-8605-994854a8da79

📥 Commits

Reviewing files that changed from the base of the PR and between 2b0506e and 969fc55.

📒 Files selected for processing (7)
  • server/.env.example
  • server/app.js
  • server/config/env.js
  • server/package.json
  • server/server-deploying.md
  • server/utils/emailService.js
  • server/utils/tokenHelper.js

📝 Walkthrough

This PR prepares the CodeLens backend server for production deployment on Render through environment configuration updates, security hardening for cross-domain cookies, Express reverse-proxy configuration, email service port flexibility, and comprehensive deployment documentation with environment template guidance.

Changes

Production Deployment Setup for Render

Layer / File(s) / Summary

  • JWT Access/Refresh Timing Configuration (server/config/env.js): Environment validation refactored to require separate JWT_ACCESS_EXPIRES_IN and JWT_REFRESH_EXPIRES_IN variables instead of a single JWT_EXPIRES_IN, exported in the configuration object.
  • Production Cookie Security & SameSite Behavior (server/utils/tokenHelper.js): Auth cookies updated to use sameSite: "None" and secure: true in production for cross-domain requests, and sameSite: "Lax" in development.
  • Express Reverse Proxy & CORS Configuration (server/app.js): Express configured with trust proxy for Render deployments; CORS allowlist updated to use only process.env.CLIENT_URL (plus localhost in non-production), removing CLIENT_URI reference.
  • Email Service SMTP Port & SSL Handling (server/utils/emailService.js): Email service parses SMTP_PORT as integer (default 587) and dynamically sets secure option based on port 465 (direct SSL) vs 587 (STARTTLS).
  • NPM Start Script & Dependencies (server/package.json): Added start script running node server.js and reorganized tail of dependencies section.
  • Environment Variables Template (server/.env.example): Expanded with detailed section comments for MongoDB (explicit username:password format), JWT (access/refresh separation), CLIENT_URL, GitHub OAuth (with GITHUB_CALLBACK_URL), AI API keys, and Gmail SMTP setup; removed REDIS_URL.
  • Comprehensive Render Deployment Guide (server/server-deploying.md): New guide covering backend architecture, all features, pre-deployment fixes applied (JWT timing, cookie SameSite, trust proxy, SMTP port parsing, CORS cleanup), environment variables reference, step-by-step Render deployment, GitHub OAuth callback updates, MongoDB Atlas and Gmail configuration, post-deployment smoke tests, local development guidance, and error troubleshooting.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • kunalverma2512/CodeLens#103: JWT and cookie configuration changes align with shift to HttpOnly cookie-based authentication and cookie-aware CORS.

Poem

🐰 A Render deployment awaits,
With cookies secure at the gates,
JWT tokens split clean in two,
SMTP ports pick 465 or 587—true!
From dev to prod, this rabbit flies free! 🚀

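Added example, not code from the CodeLens repository or from its author: a Node script that works out the four production settings named in the PR's "Changes Made" list and again in CodeRabbit's walkthrough (trust proxy, the CORS allowlist, the sameSite/secure cookie split, and SMTP port parsing with the derived secure flag) as plain functions, so it runs with Node alone and needs neither Express nor Nodemailer installed. The environment variable names JWT_ACCESS_EXPIRES_IN, JWT_REFRESH_EXPIRES_IN, CLIENT_URL and SMTP_PORT come from the PR; SMTP_HOST, SMTP_USER, SMTP_PASS, the Vite port 5173, the cookie name and the function names are assumptions, and the sample environment is constructed with placeholder values.

```javascript
"use strict";
// Added example, not code from the CodeLens repository. Pure functions that
// compute the production settings the PR describes; Express and Nodemailer
// are not needed to run this file. Variable names other than CLIENT_URL,
// JWT_ACCESS_EXPIRES_IN, JWT_REFRESH_EXPIRES_IN and SMTP_PORT are assumed.

// Fail fast at boot with a clear message instead of crashing later on a
// misnamed variable (the JWT_EXPIRES_IN vs JWT_ACCESS_EXPIRES_IN mismatch).
function validateEnv(env) {
  const required = ["CLIENT_URL", "JWT_ACCESS_EXPIRES_IN", "JWT_REFRESH_EXPIRES_IN"];
  const missing = required.filter(
    (k) => typeof env[k] !== "string" || env[k].trim() === ""
  );
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  return {
    isProduction: env.NODE_ENV === "production",
    clientUrl: env.CLIENT_URL,
    jwtAccessExpiresIn: env.JWT_ACCESS_EXPIRES_IN,
    jwtRefreshExpiresIn: env.JWT_REFRESH_EXPIRES_IN,
  };
}

// Express "trust proxy": Render terminates TLS in front of the app and sets
// X-Forwarded-For. Trusting exactly one hop (1) makes req.ip the client
// address, so a per-IP rate limiter counts real users instead of the proxy.
// `true` would trust any forwarded chain, which lets a client pick the
// address the limiter sees; keep the hop count explicit.
function trustProxySetting(isProduction) {
  return isProduction ? 1 : false;
}

// CORS allowlist: only the configured frontend origin in production; the
// Vite dev server (assumed default port 5173) is added outside production.
function corsAllowlist(clientUrl, isProduction) {
  const origins = [clientUrl];
  if (!isProduction) origins.push("http://localhost:5173");
  return origins;
}

// Auth cookie options for res.cookie(). Frontend (Vercel) and API (Render)
// are different sites, so the browser only attaches the cookie to
// credentialed cross-site requests when SameSite=None, and it rejects a
// SameSite=None cookie that is not also Secure. Over plain http locally,
// Lax keeps the flow working.
function authCookieOptions(isProduction, maxAgeMs) {
  return {
    httpOnly: true,
    secure: isProduction,
    sameSite: isProduction ? "none" : "lax",
    maxAge: maxAgeMs,
    path: "/",
  };
}

// Nodemailer transport options. SMTP_PORT arrives as a string from the
// environment and "465" === 465 is false, so the secure flag has to be
// derived from the parsed integer: 465 is implicit TLS (secure: true),
// 587 expects a STARTTLS upgrade (secure: false).
function smtpTransportOptions(env) {
  const raw = String(env.SMTP_PORT ?? "587").trim();
  const port = Number.parseInt(raw, 10);
  if (!Number.isInteger(port) || port < 1 || port > 65535 || String(port) !== raw) {
    throw new Error(`SMTP_PORT must be a port number, got "${raw}"`);
  }
  return {
    host: env.SMTP_HOST,
    port,
    secure: port === 465,
    auth: { user: env.SMTP_USER, pass: env.SMTP_PASS },
  };
}

function buildDeploymentConfig(env) {
  const base = validateEnv(env);
  return {
    ...base,
    trustProxy: trustProxySetting(base.isProduction),
    corsOrigins: corsAllowlist(base.clientUrl, base.isProduction),
    cookie: authCookieOptions(base.isProduction, 15 * 60 * 1000),
    smtp: smtpTransportOptions(env),
  };
}

// Constructed sample environment (placeholder values, not real secrets).
const SAMPLE_PROD_ENV = {
  NODE_ENV: "production",
  CLIENT_URL: "https://frontend.example.com",
  JWT_ACCESS_EXPIRES_IN: "15m",
  JWT_REFRESH_EXPIRES_IN: "7d",
  SMTP_HOST: "smtp.example.com",
  SMTP_PORT: "465",
  SMTP_USER: "mailer@example.com",
  SMTP_PASS: "app-password-placeholder",
};

if (typeof require !== "undefined" && require.main === module) {
  const cfg = buildDeploymentConfig(SAMPLE_PROD_ENV);
  // In the real app these objects would be applied as:
  //   app.set("trust proxy", cfg.trustProxy);
  //   app.use(cors({ origin: cfg.corsOrigins, credentials: true }));
  //   res.cookie("accessToken", token, cfg.cookie);   // cookie name assumed
  //   nodemailer.createTransport(cfg.smtp);
  console.log(JSON.stringify(cfg, null, 2));
}
```

Two checks worth keeping in mind when reviewing a change like this one: a SameSite=None cookie without the Secure attribute is silently discarded by current browsers, which shows up as exactly the 401s the PR describes, and a `trust proxy` value of `true` rather than a hop count makes any per-IP rate limit depend on a header the client controls.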
