Replace sequential event IDs in URLs with unique alphanumeric slugs to prevent enumeration attacks. Event URLs now use format /events/{slug}/chat instead of /events/{id}/chat.
Backend changes:
- Add slug field (VARCHAR 50, unique) to Event model
- Create migration with auto-generated 12-char MD5-based slugs for existing events
- Update GET /api/events/:slug endpoint (changed from :id)
- Update GET /api/events/:slug/messages endpoint (changed from :eventId)
- Modify Socket.IO join_event_room to accept slug parameter
- Update send_event_message to use stored event context instead of passing eventId
Frontend changes:
- Update eventsAPI.getBySlug() method (changed from getById)
- Update eventsAPI.getMessages() to use slug parameter
- Change route from /events/:eventId/chat to /events/:slug/chat
- Update EventsPage to navigate using event.slug
- Update EventChatPage to fetch event data via slug and use slug in socket events
Security impact: Prevents attackers from discovering all events by iterating sequential IDs.
12 lines
409 B
SQL
-- AlterTable
ALTER TABLE "events" ADD COLUMN "slug" VARCHAR(50);

-- Generate unique slugs for existing events
UPDATE "events" SET "slug" = lower(
  substring(md5(random()::text || clock_timestamp()::text) from 1 for 12)
) WHERE "slug" IS NULL;

-- Make slug NOT NULL and add unique constraint
ALTER TABLE "events" ALTER COLUMN "slug" SET NOT NULL;
CREATE UNIQUE INDEX "events_slug_key" ON "events"("slug");
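Review bot: the backfill in the UPDATE statement (`substring(md5(random()::text || clock_timestamp()::text) from 1 for 12)`) draws all of its unpredictability from random(), which PostgreSQL documents as a deterministic PRNG that is not suitable for cryptographic use, so slugs introduced specifically to defeat enumeration are only as hard to guess as that generator's output; prefer a CSPRNG source such as gen_random_bytes() from pgcrypto or gen_random_uuid() (in core since PostgreSQL 13), and make sure the application code that creates new events uses one too, since this migration only covers rows that already exist. Two smaller points on the same block: 12 hex characters is 48 bits and nothing deduplicates before `CREATE UNIQUE INDEX "events_slug_key"` runs, so a collision among existing rows would make the migration fail at the index step (a longer slug or a retry loop avoids that), and `lower()` is a no-op because md5() already returns lowercase hex. Finally, because join_event_room now accepts the slug, the slug acts as a capability; keep the existing authorization check on room joins rather than relying on slug secrecy, and treat slugs as sensitive in access logs and Referer headers.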