feat: included frontend url for CORS security

.env.example

@@ -21,3 +21,5 @@ SUPABASE_URL=your_supabase_url
 SUPABASE_SERVICE_ROLE_KEY=your_supabase_service_role_key
 
 REDIS_URL=your_url_for_redis eg. redis://localhost:6379
+
+FRONTEND_URL=your_frontend_url eg. http://localhost:3000

.github/workflows/ci-cd.yml

@@ -75,6 +75,7 @@ jobs:
           REFRESH_EXPIRES_IN: "7d"
           SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
           SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
+          FRONTEND_URL: "http://localhost:3000"
 
   build-and-push:
     name: Build and push to Docker Hub

.gitignore

@@ -8,4 +8,5 @@ node_modules
 
 /logs
 
-NotifierAPI_Documentation.md
+NotifierAPI_Documentation.md
+FRONTEND_API_DOCS.md

package.json

@@ -19,6 +19,7 @@
     "@supabase/supabase-js": "^2.101.1",
     "bcryptjs": "^3.0.3",
     "cookie-parser": "^1.4.7",
+    "cors": "^2.8.6",
     "crypto": "^1.0.1",
     "dotenv": "^17.3.1",
     "express": "^5.2.1",

src/app.js

@@ -4,6 +4,7 @@ import express from "express";
 import cookieparser from "cookie-parser";
 import { connectRedis } from "./config/redis.js";
 import helmet from "helmet";
+import cors from "cors";
 
 // Import routes
 import authRoutes from "./routes/auth.js";
@@ -21,6 +22,15 @@ import { requestLogger } from "./middlewares/requestLogger.js";
 
 const app = express();
 
+app.use(
+  cors({
+    origin: process.env.FRONTEND_URL,
+    credentials: true,
+    allowedHeaders: ["Content-Type", "Authorization"],
+    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+  }),
+);
+
 app.use(
   helmet({
     contentSecurityPolicy: false,

src/config/envValidator.js

@@ -23,6 +23,8 @@ const envSchema = z.object({
   SUPABASE_URL: z.string().url(),
   SUPABASE_SERVICE_ROLE_KEY: z.string().min(20),
   REDIS_URL: z.string().url(),
+
+  FRONTEND_URL: z.string().url(),
 });
 
 const _env = envSchema.safeParse(process.env);

src/controllers/users/getAll.js

@@ -16,6 +16,9 @@ const getUsers = async (req, res) => {
       select: {
         id: true,
         name: true,
+        email: true,
+        isEmailVerified: true,
+        role: true,
         isDeleted: true,
         profilePictureUrl: true,
         updatedAt: true,

src/controllers/users/getMyself.js

@@ -8,6 +8,7 @@ const getMyself = async (req, res) => {
       id: true,
       name: true,
       email: true,
+      role: true,
       isEmailVerified: true,
       profilePictureUrl: true,
       updatedAt: true,

src/utils/sendVerificationEmail.js

@@ -21,7 +21,7 @@ const sendVerificationEmail = async (user) => {
     },
   });
 
-  const verifyUrl = `${env.BASE_URL}/auth/verify-email?token=${verificationToken}`;
+  const verifyUrl = `${env.FRONTEND_URL}/verify-email?token=${verificationToken}`;
 
   await sendEmail({
     email: user.email,