💪 Increase checks for scanned QR code #1081
Conversation
we need to make sure that nobody scans a random qr code and gets into the app with an invalid token, we can help prevent that by checking that the qr code contains the right elements
added a log statement, and verifying that the first part of the opcode is "nrelopenpath" or "emission" -- the staging opcodes start with "emission", but sometimes we use production opcodes to test things in develpoment
|
While testing this, I discovered that the QR code on the "save qr" page is not composed with a full URL, only the opcode. I'll work up a fix now. |
make sure qr code is made with the whole url link
|
Fix up for the QR code being created with opcode and not whole link in onboarding. In the Checks have been added when the code is scanned. I chose to check for "nrelopenpath" or "emission" to accomodate the dev environment, but open to changing this. The reason I did not condition what I check for on the global |
There was a problem hiding this comment.
Let's keep this as emission in the public repo, I will change it to nrelopenpath in the internal one.
Long term, this should be part of the app config
e-mission/e-mission-docs#985 (comment)
Long term, this should be part of the app config e-mission/e-mission-docs#985 (comment)
In order to ensure that only valid users are created, we need to make sure that the qr codes that are scanned: are QR codes, have not been canceled, start with the appropriate prefix (either emission or nrelopenpath), and include a token parameter.
This way, after we scan into the app, we are sure that the user has scanned the right thing and will have a valid opcode. Later in the login process, we check the opcode for validity.
I still need to test this with a physical phone before it can be merged, which I plan to do tonight.