Closed JoepdeJong closed 2 years ago
Describe the bug
I noticed that the response of a ticket scanner request leaks user data and ticket sale information data when scanning a valid ticket.
For example, events/api/v1/sales/scan/event/{barcode}/barcode returns this response:

{
  "status": "208 ALREADY_REPORTED",
  "timestamp": "************T16:22:59.222805",
  "message": "Ticket has already been scanned",
  "object": {
    "ticket": {
      "id": 11,
      "key": "e3e35f29-4f1d-47fc-****-*****",
      "order": {
        "id": 10,
        "publicReference": "******-48b9-41f4-****-*****",
        "owner": {
          "id": 1,
          "key": "******-fc5f-4f36-88cc-*****",
          "sub": "WISVCH.*****",
          "name": "Joep",
          "email": "joe*******@*****",
          "rfidToken": "",
          "verifiedChMember": ****,
          "ldapGroups": [ "****" ],
          "createdAt": "********T20:52:51.736"
        },
        "amount": 0.0,
        "orderProducts": [
          {
            "id": 9,
            "product": {
              "id": 3,
              "key": "8a2815dc-e699-****-****",
              "title": "****",
              "description": "****",
              "cost": ***.***,
              "sold": ***,
              "reserved": 0,
              "maxSold": *,
              "maxSoldPerCustomer": *,
              "sellStart": "********.T21:06:00",
              "sellEnd": "*********T12:00:00",
              "products": [],
              "linked": ***,
              "chOnly": ***,
              "reservable": ***
            },
            "price": ***,
            "amount": ***,
          }
        ],
        "createdBy": "events-webshop",
        "createdAt": "******T16:08:08.385",
        "paidAt": null,
        "status": "PAID",
        "paymentMethod": "OTHER",
        "ticketCreated": false,
        "chPaymentsReference": null
      },
      "owner": {
        "id": 1,
        "key": "ea4e4fe1-fc5f-4f36-************",
        "sub": "WISVCH.******",
        "name": "Joep",
        "email": "joep************",
        "rfidToken": "",
        "verifiedChMember": ******,
        "ldapGroups": [ "******" ],
        "createdAt": "************T20:52:51.736"
      },
      "product": {
        "id": 3,
        "key": "8a2815dc-e699-4d2a-************",
        "title": "TEST",
        "description": "******",
        "cost": 0.0,
        "sold": 0,
        "reserved": 0,
        "maxSold": 5,
        "maxSoldPerCustomer": 1,
        "sellStart": "************T21:06:00",
        "sellEnd": "************T12:00:00",
        "products": [],
        "linked": true,
        "chOnly": false,
        "reservable": true
      },
      "uniqueCode": "************",
      "status": "SCANNED",
      "valid": true
    }
  }
}
To Reproduce
Expected behavior
I expected no user data or ticket sale data to be returned.
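A regression check for the expected behavior described in this report, as an added example that is not part of the original issue or the project's code. The field names are taken from the response above; the allowlist of fields a scanner needs and the `SENSITIVE` key set are assumptions, and the sample body is constructed.

```python
# Added example. Field names come from the response in the report; the
# allowlist and the SENSITIVE set are assumptions, not project code.
ALLOWED = {
    "status": True, "timestamp": True, "message": True,
    "object": {"ticket": {"status": True, "valid": True,
                          "product": {"title": True}}},
}
SENSITIVE = {"owner", "order", "email", "sub", "rfidToken", "ldapGroups",
             "orderProducts", "paymentMethod", "cost", "sold"}

def project(data, allowed=ALLOWED):
    """Keep only allowlisted fields; anything not listed is dropped."""
    out = {}
    for key, rule in allowed.items():
        if key not in data:
            continue
        if rule is True:
            out[key] = data[key]
        elif isinstance(data[key], dict):
            out[key] = project(data[key], rule)
    return out

def leaked_paths(data, prefix=""):
    """Return the path of every sensitive key found anywhere in the body."""
    found = []
    if isinstance(data, dict):
        for key, value in data.items():
            path = f"{prefix}.{key}" if prefix else key
            if key in SENSITIVE:
                found.append(path)
            found.extend(leaked_paths(value, path))
    elif isinstance(data, list):
        for i, item in enumerate(data):
            found.extend(leaked_paths(item, f"{prefix}[{i}]"))
    return found

# Constructed sample shaped like the reported response (values are made up).
SAMPLE = {
    "status": "208 ALREADY_REPORTED",
    "message": "Ticket has already been scanned",
    "object": {"ticket": {
        "id": 11,
        "order": {"id": 10, "owner": {"name": "Alice", "email": "alice@example.org"},
                  "orderProducts": [{"product": {"title": "TEST", "cost": 0.0}}]},
        "owner": {"name": "Alice", "email": "alice@example.org", "ldapGroups": ["x"]},
        "product": {"title": "TEST", "cost": 0.0, "sold": 0},
        "status": "SCANNED", "valid": True}},
}
```

Running `leaked_paths` over a captured scan response in an API test fails the build as soon as an owner or order object reappears in the body, while `project` shows the allowlist approach: new entity fields stay out of the response unless someone adds them deliberately.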