fix: prevent bypassing event check-in via page refresh

Users could gain unauthorized access to event chats by refreshing the page after leaving an event. The socket handler was automatically creating participation records when users joined rooms, completely bypassing the QR code check-in requirement. This fix verifies that users have legitimately checked in before allowing socket room access.
2025-11-14 14:36:49 +01:00
parent 6823851b63
commit a6e4981f17
2 changed files with 78 additions and 16 deletions
--- a/backend/src/socket/index.js
+++ b/backend/src/socket/index.js
@@ -69,26 +69,27 @@ function initializeSocket(httpServer) {

        const eventId = event.id;
        const roomName = `event_${eventId}`;
-        socket.join(roomName);
-        socket.currentEventRoom = roomName;
-        socket.currentEventId = eventId;
-        socket.currentEventSlug = slug;

-        // Record event participation in database
-        await prisma.eventParticipant.upsert({
+        // Verify that user has checked in to this event
+        const participant = await prisma.eventParticipant.findUnique({
          where: {
            userId_eventId: {
              userId: socket.user.id,
              eventId: eventId,
            },
          },
-          update: {}, // Don't update anything if already exists
-          create: {
-            userId: socket.user.id,
-            eventId: eventId,
-          },
        });

+        if (!participant) {
+          socket.emit('error', { message: 'You must check in to this event first' });
+          return;
+        }
+
+        socket.join(roomName);
+        socket.currentEventRoom = roomName;
+        socket.currentEventId = eventId;
+        socket.currentEventSlug = slug;
+
        // Add user to active users
        if (!activeUsers.has(eventId)) {
          activeUsers.set(eventId, new Set());