Restrict Event Booking to Verified Users #433

Merged
164 changes: 32 additions & 132 deletions README.md
Expand Up @@ -259,73 +259,43 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>Arindam</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/haseebzaki-07">
<img src="https://avatars.githubusercontent.com/u/147314463?v=4" width="100;" alt="haseebzaki-07"/>
<br />
<sub><b>Haseeb Zaki</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/jainaryan04">
<img src="https://avatars.githubusercontent.com/u/138214350?v=4" width="100;" alt="jainaryan04"/>
<br />
<sub><b>Aryan Ramesh Jain</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/alo7lika">
<img src="https://avatars.githubusercontent.com/u/152315710?v=4" width="100;" alt="alo7lika"/>
<br />
<sub><b>alolika bhowmik</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Ashwinib26">
<img src="https://avatars.githubusercontent.com/u/149402720?v=4" width="100;" alt="Ashwinib26"/>
<br />
<sub><b>Ashwini_ab</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/tejasbenibagde">
<img src="https://avatars.githubusercontent.com/u/124677750?v=4" width="100;" alt="tejasbenibagde"/>
<br />
<sub><b>Tejas Benibagde</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/itznayan">
<img src="https://avatars.githubusercontent.com/u/136584376?v=4" width="100;" alt="itznayan"/>
<br />
<sub><b>Mahera Nayan</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Shirisha-16">
<img src="https://avatars.githubusercontent.com/u/148051550?v=4" width="100;" alt="Shirisha-16"/>
<br />
<sub><b>Tyarla Shirisha</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/meghanakn22">
<img src="https://avatars.githubusercontent.com/u/172406754?v=4" width="100;" alt="meghanakn22"/>
<a href="https://github.com/tejasbenibagde">
<img src="https://avatars.githubusercontent.com/u/124677750?v=4" width="100;" alt="tejasbenibagde"/>
<br />
<sub><b>meghanakn22</b></sub>
<sub><b>Tejas Benibagde</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/VinayLodhi1712">
<img src="https://avatars.githubusercontent.com/u/135756009?v=4" width="100;" alt="VinayLodhi1712"/>
<a href="https://github.com/Shirisha-16">
<img src="https://avatars.githubusercontent.com/u/148051550?v=4" width="100;" alt="Shirisha-16"/>
<br />
<sub><b>Vinay Anand Lodhi</b></sub>
<sub><b>Tyarla Shirisha</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Amnyadav">
<img src="https://avatars.githubusercontent.com/u/127370497?v=4" width="100;" alt="Amnyadav"/>
Expand All @@ -341,17 +311,10 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
</a>
</td>
<td align="center">
<a href="https://github.com/Suhas-Koheda">
<img src="https://avatars.githubusercontent.com/u/72063139?v=4" width="100;" alt="Suhas-Koheda"/>
<br />
<sub><b>Suhas Koheda</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/Sumanbhadra">
<img src="https://avatars.githubusercontent.com/u/93245252?v=4" width="100;" alt="Sumanbhadra"/>
<a href="https://github.com/haseebzaki-07">
<img src="https://avatars.githubusercontent.com/u/147314463?v=4" width="100;" alt="haseebzaki-07"/>
<br />
<sub><b>Suman Bhadra</b></sub>
<sub><b>Haseeb Zaki</b></sub>
</a>
</td>
<td align="center">
Expand All @@ -361,15 +324,15 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>Sawan kushwah </b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/CoderFleet">
<img src="https://avatars.githubusercontent.com/u/87255169?v=4" width="100;" alt="CoderFleet"/>
<a href="https://github.com/Suhas-Koheda">
<img src="https://avatars.githubusercontent.com/u/72063139?v=4" width="100;" alt="Suhas-Koheda"/>
<br />
<sub><b>Rudransh Pratap Singh</b></sub>
<sub><b>Suhas Koheda</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Jay-1409">
<img src="https://avatars.githubusercontent.com/u/166749819?v=4" width="100;" alt="Jay-1409"/>
Expand All @@ -384,13 +347,6 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>Vishnu Prasad Korada</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/Sourabh782">
<img src="https://avatars.githubusercontent.com/u/103349890?v=4" width="100;" alt="Sourabh782"/>
<br />
<sub><b>Sourabh Singh Rawat</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/sajalbatra">
<img src="https://avatars.githubusercontent.com/u/125984550?v=4" width="100;" alt="sajalbatra"/>
Expand Down Expand Up @@ -422,10 +378,10 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
</a>
</td>
<td align="center">
<a href="https://github.com/AE-Hertz">
<img src="https://avatars.githubusercontent.com/u/93651229?v=4" width="100;" alt="AE-Hertz"/>
<a href="https://github.com/VinayLodhi1712">
<img src="https://avatars.githubusercontent.com/u/135756009?v=4" width="100;" alt="VinayLodhi1712"/>
<br />
<sub><b>Abhinandan</b></sub>
<sub><b>Vinay Anand Lodhi</b></sub>
</a>
</td>
<td align="center">
Expand All @@ -435,13 +391,6 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>Vishal Lade</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/AnushkaChouhan25">
<img src="https://avatars.githubusercontent.com/u/157525924?v=4" width="100;" alt="AnushkaChouhan25"/>
<br />
<sub><b>Anushka Chouhan</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/REHAN-18">
<img src="https://avatars.githubusercontent.com/u/143922855?v=4" width="100;" alt="REHAN-18"/>
Expand All @@ -456,22 +405,15 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>t rahul prabhu</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Aditya90456">
<img src="https://avatars.githubusercontent.com/u/153073510?v=4" width="100;" alt="Aditya90456"/>
<br />
<sub><b>Aditya Bakshi</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/vaishnavipal1869">
<img src="https://avatars.githubusercontent.com/u/180996531?v=4" width="100;" alt="vaishnavipal1869"/>
<br />
<sub><b>vaishnavipal1869</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/tanishirai">
<img src="https://avatars.githubusercontent.com/u/178164785?v=4" width="100;" alt="tanishirai"/>
Expand All @@ -487,26 +429,17 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
</a>
</td>
<td align="center">
<a href="https://github.com/Shiva-Bajpai">
<img src="https://avatars.githubusercontent.com/u/141490705?v=4" width="100;" alt="Shiva-Bajpai"/>
<br />
<sub><b>Shiva Bajpai</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/Pushpa472">
<img src="https://avatars.githubusercontent.com/u/116655535?v=4" width="100;" alt="Pushpa472"/>
<a href="https://github.com/Sourabh782">
<img src="https://avatars.githubusercontent.com/u/103349890?v=4" width="100;" alt="Sourabh782"/>
<br />
<sub><b>Pushpa Vishwakarma </b></sub>
<sub><b>Sourabh Singh Rawat</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Mansi07sharma">
<img src="https://avatars.githubusercontent.com/u/142892607?v=4" width="100;" alt="Mansi07sharma"/>
<a href="https://github.com/Shiva-Bajpai">
<img src="https://avatars.githubusercontent.com/u/141490705?v=4" width="100;" alt="Shiva-Bajpai"/>
<br />
<sub><b>Mansi Sharma</b></sub>
<sub><b>Shiva Bajpai</b></sub>
</a>
</td>
<td align="center">
Expand All @@ -516,20 +449,15 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>MANI </b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/meghanakn473">
<img src="https://avatars.githubusercontent.com/u/165137755?v=4" width="100;" alt="meghanakn473"/>
<br />
<sub><b>K N Meghana</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/Ayush215mb">
<img src="https://avatars.githubusercontent.com/u/154300084?v=4" width="100;" alt="Ayush215mb"/>
<br />
<sub><b>Ayush Yadav</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/smog-root">
<img src="https://avatars.githubusercontent.com/u/181578777?v=4" width="100;" alt="smog-root"/>
Expand All @@ -544,8 +472,6 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>Vaibhav._Y</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Vaibhav-Kumar-K-R">
<img src="https://avatars.githubusercontent.com/u/132189791?v=4" width="100;" alt="Vaibhav-Kumar-K-R"/>
Expand Down Expand Up @@ -574,22 +500,15 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>Sapna Kul</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/Nikhil0-3">
<img src="https://avatars.githubusercontent.com/u/149102391?v=4" width="100;" alt="Nikhil0-3"/>
<br />
<sub><b>Nikhil More</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/MutiatBash">
<img src="https://avatars.githubusercontent.com/u/108807732?v=4" width="100;" alt="MutiatBash"/>
<br />
<sub><b>Bashua Mutiat</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/Mohitranag18">
<img src="https://avatars.githubusercontent.com/u/152625405?v=4" width="100;" alt="Mohitranag18"/>
Expand All @@ -604,20 +523,6 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>Jai Dhingra</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/IkkiOcean">
<img src="https://avatars.githubusercontent.com/u/76002919?v=4" width="100;" alt="IkkiOcean"/>
<br />
<sub><b>Vivek Prakash</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/harjasae2001">
<img src="https://avatars.githubusercontent.com/u/83627055?v=4" width="100;" alt="harjasae2001"/>
<br />
<sub><b>Harjas Singh</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/mishradev1">
<img src="https://avatars.githubusercontent.com/u/118660840?v=4" width="100;" alt="mishradev1"/>
Expand All @@ -632,8 +537,6 @@ We extend our heartfelt gratitude to all the amazing contributors who have made
<sub><b>CHIKATLA RAKESH</b></sub>
</a>
</td>
</tr>
<tr>
<td align="center">
<a href="https://github.com/AliGates915">
<img src="https://avatars.githubusercontent.com/u/128673394?v=4" width="100;" alt="AliGates915"/>
Expand Down Expand Up @@ -697,7 +600,4 @@ Stay updated and engage with our community on social media:
- [LinkedIn](https://www.linkedin.com/in/ramakrushna-biswal/)
- [Email](mailto:[email protected])

We are always here to help you! Don’t hesitate to connect with us and be part of the PlayCafe journey.



We are always here to help you! Don’t hesitate to connect with us and be part of the PlayCafe journey.
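Review bot: The README hunks bundle an unrelated regeneration of the contributors table (32 additions against 132 deletions, with the first hunk alone shrinking from 73 to 43 lines as cells are reordered and dropped) into a PR whose purpose is authentication. That churn makes the security-relevant change harder to review and removes contributors from the list; suggest splitting the README regeneration into its own PR, or rebasing so that only the middleware and router changes remain here.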
48 changes: 31 additions & 17 deletions backend/middlewares/authCustomer.js
@@ -1,24 +1,38 @@
const jwt = require("jsonwebtoken");
const logger = require("../config/logger");
const config = require("../config/secret");
const Customer = require("../models/customer.model");

const authenticateCustomer = (req, res, next) => {
const token = req.header("Authorization")?.split(" ")[1]; // Expecting "Bearer <token>"

if (token) {
jwt.verify(token, config.JWT_SECRET, (err, user) => {
if (err) {
if (err.name === "TokenExpiredError") {
return res.status(401).json({ message: "Token expired" });
}
return res.status(403).json({ message: "Invalid token" });
}
req.user = user;
logger.info(`Customer authenticated: ${JSON.stringify(user.username)}`);
next();
});
} else {
res.sendStatus(401); // Unauthorized

const authenticateCustomer = async (req, res, next) => {
const token = req.header("Authorization")?.split(" ")[1];

if (!token) {
return res.status(401).json({ message: "Authorization token is missing" });
}
Comment on lines +8 to +12
Contributor

⚠️ Potential issue

Handle malformed Authorization headers to prevent potential errors

The current implementation assumes that the Authorization header is in the format 'Bearer <token>'. If the header is present but not in the expected format, token will be undefined, and the user will receive a misleading error message.

Apply this diff to improve header parsing and provide more informative feedback:

 const token = req.header("Authorization")?.split(" ")[1];

-if (!token) {
-  return res.status(401).json({ message: "Authorization token is missing" });
+const authHeader = req.header("Authorization");

+if (!authHeader || !authHeader.startsWith("Bearer ")) {
+  return res.status(401).json({ message: "Invalid Authorization header format" });
+}

+const token = authHeader.split(" ")[1];

try {
const decoded = jwt.verify(token, config.JWT_SECRET);

const user = await Customer.findById(decoded.sub);

if (!user) {
return res.status(404).json({ message: "User not found" });
}

if (!user.isVerified) {
return res.status(403).json({ message: "Account not verified" });
}

req.user = user;
logger.info(`Customer authenticated: ${user.name}`);
Contributor

⚠️ Potential issue

Avoid logging personally identifiable information (PII)

Logging the customer's name may expose PII in the logs. To comply with privacy policies, consider logging less sensitive information, such as the user ID.

Modify the log statement:

-logger.info(`Customer authenticated: ${user.name}`);
+logger.info(`Customer authenticated: ${user._id}`);
next();
} catch (err) {
if (err.name === "TokenExpiredError") {
return res.status(401).json({ message: "Token expired" });
}
logger.error("Token verification failed:", err);
Contributor

⚠️ Potential issue

Limit error details in logs to prevent sensitive data exposure

Logging the entire error object may unintentionally expose sensitive information. Consider logging only essential error details.

Modify the log statement:

-logger.error("Token verification failed:", err);
+logger.error(`Token verification failed: ${err.message}`);
return res.status(403).json({ message: "Invalid token" });
Comment on lines +31 to +35
Contributor


⚠️ Potential issue

Return 401 Unauthorized for invalid tokens

Returning a 403 Forbidden status code for an invalid token may not be appropriate. A 401 Unauthorized status is more suitable for authentication failures due to invalid credentials.

Apply this diff to update the status code:

 if (err.name === "TokenExpiredError") {
   return res.status(401).json({ message: "Token expired" });
 }
-logger.error("Token verification failed:", err);
-return res.status(403).json({ message: "Invalid token" });
+logger.error("Token verification failed:", err.message);
+return res.status(401).json({ message: "Invalid token" });
}
};
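Review bot: The single try/catch wraps both `jwt.verify` and `Customer.findById`, so a database error during the lookup is logged as "Token verification failed" and answered with 403 "Invalid token", which misreports an outage as a bad credential. Suggest verifying the token in its own try block (and pinning the accepted algorithm, e.g. `jwt.verify(token, config.JWT_SECRET, { algorithms: ["HS256"] })`), then doing the lookup outside it and returning 500 when the lookup itself fails. Three related points: `decoded.sub` is assumed to carry the customer id, but the token issuer is not part of this diff and the old middleware read `username` from the payload, so please confirm the login code actually sets `sub`; `req.user = user` now attaches the full Mongoose document instead of the token claims, so consider selecting only the fields the handlers need so that credential fields never end up in the request object or in any response that echoes `req.user`; and 404 "User not found" from an authentication middleware is better returned as 401, consistent with the other authentication failures.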

10 changes: 7 additions & 3 deletions backend/routes/eventRouter.js
Expand Up @@ -5,6 +5,7 @@ const {
getEvents,
deleteEvent,
} = require("../controller/event.controller");
const authenticateCustomer = require("../middlewares/authCustomer");

const router = express.Router();
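Review bot: The `module.exports` line of backend/middlewares/authCustomer.js is outside the shown hunk, and this import only works if the middleware is exported as the module itself (`module.exports = authenticateCustomer`). If it is exported as a named property, `authenticateCustomer` here is an object and Express throws on `router.post(...)` at startup, so please confirm the export shape or destructure the import accordingly.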

Expand All @@ -24,8 +25,11 @@ router.get("/", async (req, res) => {
res.status(500).json({ error: "Internal server error" });
}
});
router.post("/create", createEvent);
router.get("/all", getEvents);
router.get("/delete", deleteEvent);


router.post("/create",authenticateCustomer, createEvent);
router.get("/all",authenticateCustomer, getEvents);
router.get("/delete",authenticateCustomer, deleteEvent);
Contributor

⚠️ Potential issue

Use DELETE HTTP method for delete operations.

Using GET for delete operations violates REST principles and could lead to unintended consequences (e.g., search engine crawlers accidentally deleting resources). Consider changing to DELETE method.

-router.get("/delete", authenticateCustomer, deleteEvent);
+router.delete("/delete", authenticateCustomer, deleteEvent);
Comment on lines +30 to +32
Contributor

💡 Codebase verification

Authentication should not be required for GET /all endpoint

The Event.jsx component shows that event listings are meant to be public, with authentication only required for event registration. This is evidenced by:

  • The events page is publicly accessible in the router configuration
  • The frontend makes unauthenticated requests to /api/event/all
  • Only the "Register for Event" button requires authentication, redirecting to login if needed
  • Event listings serve as a marketing tool showing upcoming events to all visitors

The current authentication middleware on GET /all conflicts with this design and should be removed.

🔗 Analysis chain

Verify if authentication is required for GET /all endpoint.

Based on the PR objectives to "Restrict Event Booking to Verified Users", it's unclear if viewing events should also be restricted. Consider if this aligns with the business requirements, as typically event listings are public while booking/modifications are restricted.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if there are any public-facing components that might need this event data
rg -l "getEvents|/event/all" --type js --type jsx --type ts --type tsx

Length of output: 100


Script:

#!/bin/bash
# Check for frontend components or API calls related to events listing
rg -l "getEvents|/events/all|/event/all" --type js

# Check if there are any public routes or components related to events
rg "router\.(get|post)\s*\(['\"].*event" --type js -A 2

# Look for any event-related components or pages
fd -e js -e jsx -e ts -e tsx | xargs rg "event" -i -l

Length of output: 1692


Script:

#!/bin/bash
# Check the Event.jsx component to see if it's a public-facing page
cat frontend/src/components/Pages/Event.jsx

# Check the router configuration to see how the event page is configured
cat frontend/src/router/index.jsx

# Check the event controller implementation
cat backend/controller/event.controller.js

Length of output: 14848



module.exports = router;
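Review bot: `authenticateCustomer` only establishes that the caller is a verified customer and checks no role, so after this change any verified customer can create and delete events through `/create` and `/delete`. Those are event-management operations rather than booking, and although the PR is titled "Restrict Event Booking to Verified Users", no booking or registration route appears in this diff (the analysis above notes a "Register for Event" action in Event.jsx). Suggest applying the customer middleware to the booking endpoint, gating `/create` and `/delete` behind an admin or role check, and leaving `/all` public as discussed. Style nit: add a space after the comma in `router.post("/create",authenticateCustomer, createEvent);` and in the two lines that follow it.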