fix: improve env setup and prevent malformed auth API URLs

[vv-verse]

Summary

This PR improves environment setup and prevents malformed auth API request URLs when VITE_BACKEND_URL is missing.

Closes #410

---

Problem

The deployed frontend currently generates malformed auth requests such as:

POST https://github-spy.netlify.app/undefined/api/auth/signup
404 (Not Found)

This happens when VITE_BACKEND_URL is not configured in the deployment environment.

---

Changes Made

• Added frontend environment variable .env.example
• Added backend environment variable backend/.env.example
• Added fallback handling for missing VITE_BACKEND_URL
• Prevented malformed undefined/api/auth/... requests
• Improved local setup documentation in README.md

---

Testing

• Frontend runs successfully with npm run dev

• Verified .env.example files

• Verified auth pages no longer generate malformed URLs

• No new runtime or TypeScript errors introduced

---

Screenshots (if applicable)

N/A

---

Type of Change

• Bug fix

• Documentation update

---

Note for Maintainers

The production deployment still requires configuring:

VITE_BACKEND_URL=<deployed_backend_url>

in the Netlify environment settings.

Summary by CodeRabbit

Release Notes

• Chores

  • Added environment configuration example files for frontend and backend development setup.

• Bug Fixes

  • Improved backend URL initialization in authentication components with enhanced fallback handling for missing environment variables.

[netlify]

✅ Deploy Preview for github-spy ready!

Name	Link
🔨 Latest commit	d62c44b
🔍 Latest deploy log	https://app.netlify.com/projects/github-spy/deploys/6a10a1dba5160f0008a3d231
😎 Deploy Preview	https://deploy-preview-417--github-spy.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

🎉 Thank you @vv-verse for your contribution. Please make sure your PR follows https://github.com/GitMetricsLab/github_tracker/blob/main/CONTRIBUTING.md#-pull-request-guidelines

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds environment configuration templates and implements fallback handling for missing environment variables in authentication flows. Frontend and backend .env.example files document required variables, while Login and Signup components default backendUrl to empty string instead of undefined when VITE_BACKEND_URL is not configured.

Changes

Environment Configuration and Auth URL Fallback

Layer / File(s)	Summary
Environment configuration templates .env.example, backend/.env.example	Frontend and backend .env.example files document required environment variables for local development, including VITE_BACKEND_URL, MongoDB connection settings, session secrets, and server port configuration.
Frontend auth URL fallback handling src/pages/Login/Login.tsx, src/pages/Signup/Signup.tsx	Login and Signup components update backendUrl initialization to default to empty string when VITE_BACKEND_URL is missing, preventing undefined values in constructed API request URLs like ${backendUrl}/api/auth/login.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• GitMetricsLab/github_tracker#250: The backendUrl fallback handling in Login/Signup components directly addresses the same auth endpoint URL configuration issue with related .env template guidance.

Suggested labels

quality:clean, type:bug

Poem

🐰 A wily rabbit hops through env files with care,
Setting up variables, templates laid bare!
When URLs vanish into undefined space,
Empty strings catch the auth case—
Now login requests find their place!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: improving environment setup and preventing malformed auth API URLs when VITE_BACKEND_URL is missing.
Description check	✅ Passed	The PR description covers the related issue, problem statement, changes made, testing performed, and type of change, mostly following the template structure.
Linked Issues check	✅ Passed	The PR addresses all coding requirements from issue #410: adds .env.example files for environment setup [#410], implements fallback handling to prevent undefined URLs in Login.tsx and Signup.tsx [#410], and prevents malformed requests [#410].
Out of Scope Changes check	✅ Passed	All changes are within scope: .env.example files document required environment variables, Login/Signup fallback changes directly address the malformed URL issue, and no extraneous modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

backend/.env.example (1)

4-5: ⚡ Quick win

Add a security warning for SESSION_SECRET.

The placeholder value your_session_secret_here is weak and developers might accidentally deploy with it. Consider adding a comment warning that this must be replaced with a strong random string in production and should never be committed to version control.

🔒 Suggested improvement with security warning

-# Session secret - use a strong random string
-SESSION_SECRET=your_session_secret_here
+# Session secret - IMPORTANT: Replace with a strong random string for production
+# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+# NEVER commit real secrets to version control
+SESSION_SECRET=your_session_secret_here

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/.env.example` around lines 4 - 5, Add a clear security warning above
the SESSION_SECRET entry: explain that the placeholder value
"your_session_secret_here" is insecure, must be replaced with a strong random
string in production, must never be committed to version control, and suggest
using env management or a secrets manager; update the SESSION_SECRET line in
.env.example to keep it as a placeholder but add the comment referencing
SESSION_SECRET so developers are warned.

src/pages/Login/Login.tsx (1)

7-7: ⚡ Quick win

Consider adding validation for missing VITE_BACKEND_URL.

The fallback to empty string prevents malformed URLs (as intended), but requests will still fail when the env var is not configured—just with a different error (404 instead of malformed URL). For better developer experience, consider adding early validation that warns when VITE_BACKEND_URL is missing.

💡 Optional enhancement: Early validation

-const backendUrl = import.meta.env.VITE_BACKEND_URL || '';
+const backendUrl = import.meta.env.VITE_BACKEND_URL || '';
+
+if (!import.meta.env.VITE_BACKEND_URL) {
+  console.warn('VITE_BACKEND_URL is not configured. Authentication requests will fail.');
+}

Alternatively, you could show a user-facing error message in the UI when the env var is missing, rather than letting the axios request fail with a cryptic network error.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Login/Login.tsx` at line 7, The code currently falls back to an
empty string for import.meta.env.VITE_BACKEND_URL (const backendUrl =
import.meta.env.VITE_BACKEND_URL || ''), which hides a missing env var and leads
to confusing runtime failures; add explicit validation in the Login component
initialization (or a small helper run during app startup) to detect when
import.meta.env.VITE_BACKEND_URL is undefined/empty, log a clear
developer-facing error (e.g., processLogger.error or console.error) and surface
a user-facing message or disable login UI until it is fixed; ensure the check
references the existing backendUrl constant (or the raw
import.meta.env.VITE_BACKEND_URL) and short-circuits any axios/fetch calls when
invalid so requests are not attempted with a blank URL.

src/pages/Signup/Signup.tsx (1)

9-9: ⚡ Quick win

Consider extracting backend URL to a shared constant.

The backendUrl initialization pattern is duplicated between Login.tsx (line 7) and Signup.tsx (line 9). Consider extracting this to a shared constant or configuration module to maintain consistency and reduce duplication.

♻️ Suggested refactor: Extract to shared config

Create a new file src/config/api.ts:

// Fallback to empty string to prevent malformed URLs
// Production deployment requires VITE_BACKEND_URL to be configured
export const backendUrl = import.meta.env.VITE_BACKEND_URL || '';

if (!import.meta.env.VITE_BACKEND_URL) {
  console.warn('VITE_BACKEND_URL is not configured. API requests will fail.');
}

Then import in both Login and Signup:

+import { backendUrl } from '../../config/api';
-const backendUrl = import.meta.env.VITE_BACKEND_URL || '';

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Signup/Signup.tsx` at line 9, Duplicate backendUrl initialization
in Signup.tsx and Login.tsx should be extracted to a shared constant: create a
new module that exports backendUrl (derived from
import.meta.env.VITE_BACKEND_URL || '') and optionally logs a warning when the
env var is missing, then replace the local const backendUrl in Signup.tsx and
the one in Login.tsx with imports from that module; update any references to
backendUrl in the Signup component (and Login) to use the imported symbol so
both components share a single source of truth.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@backend/.env.example`:
- Around line 4-5: Add a clear security warning above the SESSION_SECRET entry:
explain that the placeholder value "your_session_secret_here" is insecure, must
be replaced with a strong random string in production, must never be committed
to version control, and suggest using env management or a secrets manager;
update the SESSION_SECRET line in .env.example to keep it as a placeholder but
add the comment referencing SESSION_SECRET so developers are warned.

In `@src/pages/Login/Login.tsx`:
- Line 7: The code currently falls back to an empty string for
import.meta.env.VITE_BACKEND_URL (const backendUrl =
import.meta.env.VITE_BACKEND_URL || ''), which hides a missing env var and leads
to confusing runtime failures; add explicit validation in the Login component
initialization (or a small helper run during app startup) to detect when
import.meta.env.VITE_BACKEND_URL is undefined/empty, log a clear
developer-facing error (e.g., processLogger.error or console.error) and surface
a user-facing message or disable login UI until it is fixed; ensure the check
references the existing backendUrl constant (or the raw
import.meta.env.VITE_BACKEND_URL) and short-circuits any axios/fetch calls when
invalid so requests are not attempted with a blank URL.

In `@src/pages/Signup/Signup.tsx`:
- Line 9: Duplicate backendUrl initialization in Signup.tsx and Login.tsx should
be extracted to a shared constant: create a new module that exports backendUrl
(derived from import.meta.env.VITE_BACKEND_URL || '') and optionally logs a
warning when the env var is missing, then replace the local const backendUrl in
Signup.tsx and the one in Login.tsx with imports from that module; update any
references to backendUrl in the Signup component (and Login) to use the imported
symbol so both components share a single source of truth.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 799ab1c4-fb54-43b0-ab50-32d66d6e85e1

📥 Commits

Reviewing files that changed from the base of the PR and between 9d34c19 and d62c44b.

📒 Files selected for processing (4)

• .env.example
• backend/.env.example
• src/pages/Login/Login.tsx
• src/pages/Signup/Signup.tsx