b2c2527c46
Replace sequential event IDs in URLs with unique alphanumeric slugs to prevent enumeration attacks. Event URLs now use format /events/{slug}/chat instead of /events/{id}/chat.
Backend changes:
- Add slug field (VARCHAR 50, unique) to Event model
- Create migration with auto-generated 12-char MD5-based slugs for existing events
- Update GET /api/events/:slug endpoint (changed from :id)
- Update GET /api/events/:slug/messages endpoint (changed from :eventId)
- Modify Socket.IO join_event_room to accept slug parameter
- Update send_event_message to use stored event context instead of passing eventId
Frontend changes:
- Update eventsAPI.getBySlug() method (changed from getById)
- Update eventsAPI.getMessages() to use slug parameter
- Change route from /events/:eventId/chat to /events/:slug/chat
- Update EventsPage to navigate using event.slug
- Update EventChatPage to fetch event data via slug and use slug in socket events
Security impact: Prevents attackers from discovering all events by iterating sequential IDs.
spotlight.cam Backend
Node.js + Express backend for spotlight.cam - P2P video exchange app for dance events.
Features
- ✅ Express REST API
- ✅ CORS enabled
- ✅ Health check endpoint
- ✅ Error handling
- ✅ Unit tests (Jest + Supertest)
- ⏳ PostgreSQL integration (planned)
- ⏳ JWT authentication (planned)
- ⏳ Socket.IO for real-time chat (planned)
- ⏳ WebRTC signaling (planned)
API Endpoints
Health Check
GET /api/health- Backend health status
Future Endpoints
POST /api/auth/register- Register new userPOST /api/auth/login- Login userGET /api/users/me- Get current userGET /api/events- List eventsPOST /api/matches- Create matchPOST /api/ratings- Rate partner
Development
Install dependencies
npm install
Run in development mode
npm run dev
Run tests
npm test
Run tests in watch mode
npm run test:watch
Run in production mode
npm start
Environment Variables
Create a .env file (see .env.example):
NODE_ENV=development
PORT=3000
CORS_ORIGIN=http://localhost:8080
Project Structure
backend/
├── src/
│ ├── __tests__/ # Unit tests
│ │ └── app.test.js
│ ├── routes/ # API routes (future)
│ ├── controllers/ # Business logic (future)
│ ├── middleware/ # Custom middleware (future)
│ ├── utils/ # Helper functions (future)
│ ├── app.js # Express app setup
│ └── server.js # Server entry point
├── .env # Environment variables (gitignored)
├── .env.example # Environment variables template
├── package.json
└── Dockerfile
Testing
Tests are written using:
- Jest - Test framework
- Supertest - HTTP assertions
Run tests:
npm test
Current test coverage:
- Health check endpoint
- 404 error handling
- CORS configuration
- JSON body parsing
Docker
Build and run with Docker Compose (from project root):
docker compose up --build
Backend will be available at:
- Internal: http://backend:3000
- Through nginx: http://localhost:8080/api
Next Steps
- ✅ Basic Express setup
- ✅ Health check endpoint
- ✅ Unit tests
- ⏳ PostgreSQL connection
- ⏳ Database schema and migrations
- ⏳ Authentication (JWT + bcrypt)
- ⏳ Socket.IO for real-time chat
- ⏳ WebRTC signaling
License
TBD