feat: add event slugs to prevent ID enumeration attacks
Replace sequential event IDs in URLs with unique alphanumeric slugs to prevent enumeration attacks. Event URLs now use format /events/{slug}/chat instead of /events/{id}/chat.
Backend changes:
- Add slug field (VARCHAR 50, unique) to Event model
- Create migration with auto-generated 12-char MD5-based slugs for existing events
- Update GET /api/events/:slug endpoint (changed from :id)
- Update GET /api/events/:slug/messages endpoint (changed from :eventId)
- Modify Socket.IO join_event_room to accept slug parameter
- Update send_event_message to use stored event context instead of passing eventId
Frontend changes:
- Update eventsAPI.getBySlug() method (changed from getById)
- Update eventsAPI.getMessages() to use slug parameter
- Change route from /events/:eventId/chat to /events/:slug/chat
- Update EventsPage to navigate using event.slug
- Update EventChatPage to fetch event data via slug and use slug in socket events
Security impact: Prevents attackers from discovering all events by iterating sequential IDs.
@@ -186,17 +186,17 @@ export const eventsAPI = {
return data.data;
},
async getById(id) {
const data = await fetchAPI(`/events/${id}`);
async getBySlug(slug) {
const data = await fetchAPI(`/events/${slug}`);
return data.data;
},
async getMessages(eventId, before = null, limit = 20) {
async getMessages(slug, before = null, limit = 20) {
const params = new URLSearchParams({ limit: limit.toString() });
if (before) {
params.append('before', before.toString());
}
const data = await fetchAPI(`/events/${eventId}/messages?${params}`);
const data = await fetchAPI(`/events/${slug}/messages?${params}`);
return data;
},
};
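Review bot: In getBySlug and getMessages the route parameter is interpolated into the request path unencoded (`fetchAPI(`/events/${slug}`)` and `fetchAPI(`/events/${slug}/messages?${params}`)`); the slug arrives from the browser URL, so wrap it in `encodeURIComponent(slug)` to keep a value containing `/`, `?` or `#` from changing which path or query string the client actually requests. The commit message should also say that an unguessable slug only makes events harder to enumerate and is not an access check: the server-side `:slug` endpoints and the Socket.IO `join_event_room` handler still need the same authorization the `:id` endpoints had, and the MD5-based slugs generated for existing events are only unguessable if the MD5 input is random rather than derived from the sequential id.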