Description
Problem
Several sensitive endpoints in the event registration controller have no authentication guards, allowing
anyone to:
- Register attendees without being logged in
- View attendee lists and personal information
- Access registration statistics
Why It Matters
- Data harvesting - Attackers can enumerate all attendees and their information
- Spam registrations - Bots can flood events with fake registrations
- Privacy violation - User names exposed publicly without consent
- GDPR/compliance risk - Exposing PII without proper access controls
- Critical for cloud deployment - These endpoints will be publicly accessible
Affected Files
nsc-events-nestjs/src/event-registration/controllers/event-registration.controller.ts
Current Code
// Line 64 - Anyone can register attendees
@post('attend') // ❌ NO @UseGuards
async attendEvent(@Body() attendDto: AttendEventDto)
// Line 101 - Attendee data publicly accessible
@get('event/:activityId') // ❌ NO @UseGuards
async getRegistrationsForEvent(@Param('activityId') activityId: string)
// Line 424 - Attendee names publicly accessible
@get('attendees/:activityId') // ❌ NO @UseGuards
async getAttendeesForEvent(@Param('activityId') activityId: string)
// Line 444 - Stats publicly accessible
@get('stats/:activityId') // ❌ NO @UseGuards
async getRegistrationStats(@Param('activityId') activityId: string)
Expected Behavior
@UseGuards(JwtAuthGuard)
@post('attend')
async attendEvent(@Body() attendDto: AttendEventDto)
@UseGuards(JwtAuthGuard, RolesGuard)
@roles('admin', 'creator')
@get('attendees/:activityId')
async getAttendeesForEvent(@Param('activityId') activityId: string)
Tasks
Tasks:
Visual Aids
Description
Problem
Several sensitive endpoints in the event registration controller have no authentication guards, allowing
anyone to:
Why It Matters
Affected Files
nsc-events-nestjs/src/event-registration/controllers/event-registration.controller.ts
Current Code
// Line 64 - Anyone can register attendees
@post('attend') // ❌ NO @UseGuards
async attendEvent(@Body() attendDto: AttendEventDto)
// Line 101 - Attendee data publicly accessible
@get('event/:activityId') // ❌ NO @UseGuards
async getRegistrationsForEvent(@Param('activityId') activityId: string)
// Line 424 - Attendee names publicly accessible
@get('attendees/:activityId') // ❌ NO @UseGuards
async getAttendeesForEvent(@Param('activityId') activityId: string)
// Line 444 - Stats publicly accessible
@get('stats/:activityId') // ❌ NO @UseGuards
async getRegistrationStats(@Param('activityId') activityId: string)
Expected Behavior
@UseGuards(JwtAuthGuard)
@post('attend')
async attendEvent(@Body() attendDto: AttendEventDto)
@UseGuards(JwtAuthGuard, RolesGuard)
@roles('admin', 'creator')
@get('attendees/:activityId')
async getAttendeesForEvent(@Param('activityId') activityId: string)
Tasks
Tasks:
Visual Aids