radziel/spotlightcam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5bea2ad1337506610ca744cc410670912b2acff7
spotlightcam/frontend/src/services/api.js
Radosław Gierwiało b2c2527c46 feat: add event slugs to prevent ID enumeration attacks 
Replace sequential event IDs in URLs with unique alphanumeric slugs to prevent enumeration attacks. Event URLs now use format /events/{slug}/chat instead of /events/{id}/chat.

Backend changes:
- Add slug field (VARCHAR 50, unique) to Event model
- Create migration with auto-generated 12-char MD5-based slugs for existing events
- Update GET /api/events/:slug endpoint (changed from :id)
- Update GET /api/events/:slug/messages endpoint (changed from :eventId)
- Modify Socket.IO join_event_room to accept slug parameter
- Update send_event_message to use stored event context instead of passing eventId

Frontend changes:
- Update eventsAPI.getBySlug() method (changed from getById)
- Update eventsAPI.getMessages() to use slug parameter
- Change route from /events/:eventId/chat to /events/:slug/chat
- Update EventsPage to navigate using event.slug
- Update EventChatPage to fetch event data via slug and use slug in socket events

Security impact: Prevents attackers from discovering all events by iterating sequential IDs.
2025-11-13 21:43:58 +01:00

205 lines
4.8 KiB
JavaScript
Raw Blame History

const API_URL = 'http://localhost:8080/api';
class ApiError extends Error {
constructor(message, status, data) {
super(message);
this.name = 'ApiError';
this.status = status;
this.data = data;
}
}
async function fetchAPI(endpoint, options = {}) {
const url = `${API_URL}${endpoint}`;
const config = {
...options,
headers: {
'Content-Type': 'application/json',
...options.headers,
},
};
// Add auth token if available
const token = localStorage.getItem('token');
if (token) {
config.headers['Authorization'] = `Bearer ${token}`;
}
try {
const response = await fetch(url, config);
// Check if response is JSON before parsing
const contentType = response.headers.get('content-type');
if (!contentType || !contentType.includes('application/json')) {
throw new ApiError(
'Server returned non-JSON response',
response.status,
{ message: 'The server is not responding correctly. Please try again later.' }
);
}
const data = await response.json();
if (!response.ok) {
throw new ApiError(
data.error || 'API request failed',
response.status,
data
);
}
return data;
} catch (error) {
if (error instanceof ApiError) {
throw error;
}
// Handle JSON parsing errors
if (error instanceof SyntaxError) {
throw new ApiError(
'Invalid server response',
0,
{ message: 'The server returned an invalid response. Please check if the server is running.' }
);
}
throw new ApiError('Network error', 0, { message: error.message });
}
}
// Auth API
export const authAPI = {
async register(username, email, password, firstName = null, lastName = null, wsdcId = null) {
const data = await fetchAPI('/auth/register', {
method: 'POST',
body: JSON.stringify({ username, email, password, firstName, lastName, wsdcId }),
});
// Save token
if (data.data.token) {
localStorage.setItem('token', data.data.token);
}
return data.data;
},
async login(email, password) {
const data = await fetchAPI('/auth/login', {
method: 'POST',
body: JSON.stringify({ email, password }),
});
// Save token
if (data.data.token) {
localStorage.setItem('token', data.data.token);
}
return data.data;
},
async getCurrentUser() {
const data = await fetchAPI('/users/me');
return data.data;
},
async verifyEmailByToken(token) {
const data = await fetchAPI(`/auth/verify-email?token=${token}`);
return data;
},
async verifyEmailByCode(email, code) {
const data = await fetchAPI('/auth/verify-code', {
method: 'POST',
body: JSON.stringify({ email, code }),
});
return data;
},
async resendVerification(email) {
const data = await fetchAPI('/auth/resend-verification', {
method: 'POST',
body: JSON.stringify({ email }),
});
return data;
},
async requestPasswordReset(email) {
const data = await fetchAPI('/auth/request-password-reset', {
method: 'POST',
body: JSON.stringify({ email }),
});
return data;
},
async resetPassword(token, newPassword) {
const data = await fetchAPI('/auth/reset-password', {
method: 'POST',
body: JSON.stringify({ token, newPassword }),
});
return data;
},
async updateProfile(profileData) {
const data = await fetchAPI('/users/me', {
method: 'PATCH',
body: JSON.stringify(profileData),
});
// Update token if it was returned (email changed)
if (data.data?.token) {
localStorage.setItem('token', data.data.token);
}
return data;
},
async changePassword(currentPassword, newPassword) {
const data = await fetchAPI('/users/me/password', {
method: 'PATCH',
body: JSON.stringify({ currentPassword, newPassword }),
});
return data;
},
async getUserByUsername(username) {
const data = await fetchAPI(`/users/${username}`);
return data.data;
},
logout() {
localStorage.removeItem('token');
localStorage.removeItem('user');
},
};
// WSDC API (Phase 1.5)
export const wsdcAPI = {
async lookupDancer(wsdcId) {
const data = await fetchAPI(`/wsdc/lookup?id=${wsdcId}`);
return data;
},
};
// Events API
export const eventsAPI = {
async getAll() {
const data = await fetchAPI('/events');
return data.data;
},
async getBySlug(slug) {
const data = await fetchAPI(`/events/${slug}`);
return data.data;
},
async getMessages(slug, before = null, limit = 20) {
const params = new URLSearchParams({ limit: limit.toString() });
if (before) {
params.append('before', before.toString());
}
const data = await fetchAPI(`/events/${slug}/messages?${params}`);
return data;
},
};
export { ApiError };
Reference in New Issue View Git Blame Copy Permalink