[Critical] filter[email] on GET /prospects is silently ignored — always returns 100 unfiltered results

[loic2309]

Summary

GET /public/v1/prospects?filter[email]=any@email.com silently ignores the filter and always returns the first 100 prospects regardless of the value.

Steps to Reproduce

# With a known existing email
curl -H "Authorization: $OVERLOOP_API_KEY" \
  "https://api.overloop.ai/public/v1/prospects?filter[email]=known@example.com"
# Returns 100 unrelated prospects

# With a bogus email that doesn't exist
curl -H "Authorization: $OVERLOOP_API_KEY" \
  "https://api.overloop.ai/public/v1/prospects?filter[email]=nobody@nowhere.xyz"
# Returns the same 100 unrelated prospects

Expected Behavior

The endpoint should return only prospects whose email matches the filter value, or an empty data: [] array if no match.

Actual Behavior

Returns 100 prospects, ignoring the filter entirely. Tested with:

• A known existing email → 100 results (first prospect is not the one searched)
• A bogus email that doesn't exist → 100 results
• URL-encoded vs raw @ → same result

Impact

Any automation that searches a prospect by email will silently pick data[0] — a random existing prospect. In practice, this caused our enrollment script to enroll the wrong person (the first prospect in the account) into a campaign for all 10 contacts.

Workaround

Paginate through all prospects (page[number] + page[size]) and filter client-side by matching attributes.email. This requires 50+ API calls for an account with ~5000 prospects and is not a viable production solution.