From 8801dd3fd12119b3e0a22f5714321b5ff97d89f8 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Tue, 26 May 2026 17:41:23 +0530
Subject: [PATCH] fix(event): replace organizerId with organizer public fields in GET /:slug response

The event detail endpoint was returning the raw organizer UUID via organizerId, leaking an internal database identifier to unauthenticated callers. Fetch the organizer relation and expose organizerUsername and organizerDisplayName instead.
---
 apps/backend/src/routes/event.ts | 38 ++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 15 deletions(-)
diff --git a/apps/backend/src/routes/event.ts b/apps/backend/src/routes/event.ts
index b566874f..d259a5b3 100644
--- a/apps/backend/src/routes/event.ts
+++ b/apps/backend/src/routes/event.ts
@@ -5,15 +5,16 @@ import {generateUniqueSlug} from '../utils/slug'
 type EventDetails = {
- id: string;
- name: string;
- slug: string;
- location: string;
- description: string | null;
- organizerId: string;
- startDate: Date;
- endDate: Date;
- createdAt: Date;
+ id: string;
+ name: string;
+ slug: string;
+ location: string;
+ description: string | null;
+ organizerUsername: string;
+ organizerDisplayName: string;
+ startDate: Date;
+ endDate: Date;
+ createdAt: Date;
 attendeesCount: number
 }
@@ -116,13 +117,19 @@ export async function eventRoutes(app:FastifyInstance) {
 const paramsSlug = request.params.slug;
 const details = await app.prisma.event.findUnique({
 where: {
- slug : paramsSlug,
+ slug: paramsSlug,
 },
 include: {
 _count: {
 select: {
 attendees: true
 }
+ },
+ organizer: {
+ select: {
+ username: true,
+ displayName: true
+ }
 }
 }
 })
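Review bot: The `EventDetails` type in the first hunk carries no comment saying that it is the body sent to unauthenticated callers of GET /:slug, which is the only reason `organizerId` had to go. A comment above the type such as `// Public response body for GET /:slug (unauthenticated): only fields safe for anonymous callers, never internal user ids.` would record that for the next person who adds a field. A TypeScript type is erased at runtime, so it documents the shape but does not strip extra properties; the comment should not suggest otherwise.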
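Review bot: The `findUnique` call still uses a top-level `include`, so every scalar column of the event row, `organizerId` among them, is loaded into `details`; only the field-by-field mapping further down keeps it out of the response. Switching the top level to `select` and listing the columns the handler returns would mean the identifier never reaches the handler, so a later `...details` spread or a debug log of `details` cannot bring it back. The column list below is taken from the response mapping in the last hunk; `where`, `_count` and `organizer` stay as they are. eventRoutes starts and ends outside this hunk.

```typescript
const details = await app.prisma.event.findUnique({
    // … unchanged: where clause …
    select: {
        id: true,
        name: true,
        slug: true,
        location: true,
        description: true,
        startDate: true,
        endDate: true,
        createdAt: true,
        // … unchanged: _count and organizer sub-selects …
    }
})
```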
@@ -132,14 +139,15 @@ export async function eventRoutes(app:FastifyInstance) {
 const response: EventDetails = {
 id: details.id,
- name: details.name,
- slug: details.slug,
+ name: details.name,
+ slug: details.slug,
 description: details.description,
 location: details.location,
- organizerId: details.organizerId,
+ organizerUsername: details.organizer.username,
+ organizerDisplayName: details.organizer.displayName,
 startDate: details.startDate,
- endDate: details.endDate,
- createdAt: details.createdAt,
+ endDate: details.endDate,
+ createdAt: details.createdAt,
 attendeesCount: details._count.attendees
 }
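Review bot: `id: details.id` still returns the event's own primary key to the same unauthenticated callers, so the concern named in the commit message is addressed for the organizer only; if clients address events by slug, as this route does, confirm whether any consumer needs `id` and drop it from `EventDetails` if not. Removing `organizerId` is also a breaking change for any client that reads it, and nothing in the patch pins the new shape. A route test asserting that the GET /:slug body has no `organizerId` key would stop it from coming back. The whitespace-only edits to `name`, `slug`, `endDate` and `createdAt` make the security-relevant lines harder to pick out and would sit better in a separate commit. eventRoutes starts and ends outside this hunk.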