nsc-events-fullstack_32_180-update-event-registration-endpoints#182

Open
NahomAlemu wants to merge 1 commit into main from
180-unauthenticated-access-event-registation

@NahomAlemu (Contributor)

Summary & Changes 📃

  • Resolves: Issue: Unauthenticated Access to Event Registration Endpoints #180

  • Summary: (Briefly describe what this PR does)

    • 🔨 Fixes security vulnerability where sensitive endpoints had no authentication, allowing unauthenticated users to register for
      events and view attendee data
      • 👀 Users must now be authenticated to attend events; only admins/creators can access attendee lists and statistics
      • 🗨️ Uses existing JwtAuthGuard and RoleGuard patterns already established in the codebase
    • Changes:
      • ✅ Added JwtAuthGuard to POST /attend endpoint
      • ✅ Added JwtAuthGuard + RoleGuard with @roles('admin', 'creator') to GET /attendees/:activityId
      • ✅ Added JwtAuthGuard + RoleGuard with @roles('admin', 'creator') to GET /stats/:activityId
      • ✅ Updated Swagger documentation with 401/403 response codes
      • 🛠️ Breaking change: Frontend must now include JWT token for /attend requests

    How to Test 🧪

  1. Steps to Reproduce:
    • Step 1: Start the backend server (npm run start:dev)
    • Step 2: Try POST /event-registration/attend without a JWT token → should return 401
    • Step 3: Try GET /event-registration/attendees/:activityId with a regular user token → should return 403
    • Step 4: Try the same endpoint with an admin/creator token → should return 200
  2. Expected Behavior: Unauthenticated requests return 401; non-admin/creator users get 403 on restricted endpoints
  3. Actual Behavior (before fix): All endpoints returned 200 without any authentication

Checklist ✅

  • I have tested this PR locally and it works as expected.
  • This PR resolves an issue (Resolves #issue-number).
  • Reviewers, assignees(self), tags, and labels are correctly assigned.
  • Squash commits and enable auto-merge if approved.

@NahomAlemu NahomAlemu self-assigned this Mar 11, 2026
@NahomAlemu NahomAlemu added the security Vulnerability patches, encryption, or access control label Mar 11, 2026
@github-actions

✅ Full E2E Test Results

Running full test suite (critical files changed)

  Status      Count
  ✅ Passed   47
  ❌ Failed   0
  📊 Total    47

@NahomAlemu NahomAlemu linked an issue Mar 13, 2026 that may be closed by this pull request