Summary
The POST /api/events/:slug/join handler fetches the event and creates an attendee record with no check on event.endDate. Users can successfully join an event that ended days or months ago, corrupting attendance data and attendance counts.
Affected File
apps/backend/src/routes/event.ts - POST /:slug/join handler (lines 157-195)
const event = await app.prisma.event.findUnique({
  where: { slug: paramsSlug }
})
if (!event) {
  return reply.status(404).send({ error: 'Event not found' })
}
// No endDate check here - proceeds directly to create attendee
try {
  await app.prisma.eventAttendee.create({
    data: {
      eventId: event.id,
      userId: userId,
      joinedAt: new Date()
    }
  })
  return reply.status(201).send({ message: 'User joined successfully' })
} catch (err) {
  // error handling not shown in this excerpt; unchanged in the original file
  throw err
}
Impact
- Users can join events that ended in the past, making attendance counts meaningless.
- joinedAt timestamps on historical events will be far outside the event's time window, producing misleading data.
- Organizers viewing their event attendees cannot trust whether a person registered before or after the event closed.
Suggested Fix
Add an endDate guard immediately after the event existence check:
if (!event) {
  return reply.status(404).send({ error: 'Event not found' })
}
if (new Date() > event.endDate) {
  return reply.status(400).send({ error: 'This event has already ended and is no longer accepting registrations.' })
}
The same guard should be considered for POST /:slug/leave - leaving an already-ended event may also be something to restrict depending on product intent.
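The guard above, pulled out into a pure function so it can be unit-tested without Fastify or Prisma. This is an added example, not code from the report or the project; EventRecord, JoinCheck, checkJoinAllowed and sampleEvent are hypothetical names. It also fails closed when endDate is an invalid Date, since in JavaScript a comparison against NaN is always false and the plain `new Date() > event.endDate` check would silently let the join through.

```typescript
// Added example (not the project's code): the endDate guard as a pure function.
// Hypothetical names: EventRecord, JoinCheck, checkJoinAllowed, sampleEvent.
interface EventRecord {
  id: number
  slug: string
  endDate: Date
}

interface JoinCheck {
  status: 200 | 400 | 404
  error?: string
}

// Same order of checks as the suggested fix: existence first, then endDate.
// `now` is injected so callers and tests control the clock instead of reading it implicitly.
function checkJoinAllowed(event: EventRecord | null, now: Date = new Date()): JoinCheck {
  if (!event) {
    return { status: 404, error: 'Event not found' }
  }
  const end = event.endDate.getTime()
  // NaN endDate: `now > endDate` is false for any `now`, so an unguarded check
  // would accept the join. Treat an unparseable end as closed instead.
  if (Number.isNaN(end)) {
    return { status: 400, error: 'Event end time is invalid; registrations are closed.' }
  }
  if (now.getTime() > end) {
    return { status: 400, error: 'This event has already ended and is no longer accepting registrations.' }
  }
  return { status: 200 }
}

// Constructed sample data for demonstration; not from the report.
const sampleEvent: EventRecord = {
  id: 1,
  slug: 'demo-meetup',
  endDate: new Date('2024-03-01T18:00:00Z')
}
```

Inside the Fastify handler the result maps directly onto `reply.status(check.status).send({ error: check.error })` before the attendee record is created.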
Environment
- apps/backend/src/routes/event.ts
- Prisma ORM with PostgreSQL
- Fastify backend