Skip to content

Issue: Unauthenticated Access to Event Registration Endpoints #180

Description

@NahomAlemu

Description

Problem

Several sensitive endpoints in the event registration controller have no authentication guards, allowing
anyone to:

  • Register attendees without being logged in
  • View attendee lists and personal information
  • Access registration statistics

Why It Matters

  • Data harvesting - Attackers can enumerate all attendees and their information
  • Spam registrations - Bots can flood events with fake registrations
  • Privacy violation - User names exposed publicly without consent
  • GDPR/compliance risk - Exposing PII without proper access controls
  • Critical for cloud deployment - These endpoints will be publicly accessible

Affected Files

nsc-events-nestjs/src/event-registration/controllers/event-registration.controller.ts

Current Code

// Line 64 - Anyone can register attendees
@post('attend') // ❌ NO @UseGuards
async attendEvent(@Body() attendDto: AttendEventDto)

// Line 101 - Attendee data publicly accessible
@get('event/:activityId') // ❌ NO @UseGuards
async getRegistrationsForEvent(@Param('activityId') activityId: string)

// Line 424 - Attendee names publicly accessible
@get('attendees/:activityId') // ❌ NO @UseGuards
async getAttendeesForEvent(@Param('activityId') activityId: string)

// Line 444 - Stats publicly accessible
@get('stats/:activityId') // ❌ NO @UseGuards
async getRegistrationStats(@Param('activityId') activityId: string)

Expected Behavior

@UseGuards(JwtAuthGuard)
@post('attend')
async attendEvent(@Body() attendDto: AttendEventDto)

@UseGuards(JwtAuthGuard, RolesGuard)
@roles('admin', 'creator')
@get('attendees/:activityId')
async getAttendeesForEvent(@Param('activityId') activityId: string)

Tasks

Tasks:

  • Add @UseGuards(JwtAuthGuard) to POST /attend endpoint
  • Add @UseGuards(JwtAuthGuard) to DELETE /unattend endpoint
  • Add @UseGuards(JwtAuthGuard, RolesGuard) and @roles('admin', 'creator') to GET /attendees/:activityId
  • Add @UseGuards(JwtAuthGuard, RolesGuard) and @roles('admin', 'creator') to GET /stats/:activityId
  • Review GET /event/:activityId - determine if public access is intended or should be restricted
  • Add tests for authentication on protected endpoints

Visual Aids

Metadata

Metadata

Assignees

Labels

securityVulnerability patches, encryption, or access control

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions