Minor adjustments for prototype

README.md

@@ -31,3 +31,43 @@ Add this code to the nginx configuration file for the virtual host:
     }
 ```
 
+## Decided, pending to be done
+
+* Create a separate group in LDAP for non-Workspace users
+* Change **Google Cloud Directory Sync** configuration to skip users in this
+  group
+* List all non-Workspace users with access to Odoo and create them in LDAP
+
+## To be decided
+
+* The Flask app will be installed in a central container? or a separate
+  instance on every Raspberry Pi display?
+* If every display has an instance, how to prevent direct connections
+  to it, that bypass Authelia?
+* Different QR codes pointing to different URLs (perhaps with the same
+  UUID?) for entrance/exit, very clearly labeled.
+* How to allow the display to show the main screen without having to
+  login to Authelia? (remember that the Authelia registration cookie
+  expires every month), and still requiring login for everyone else?
+* How to prevent users from accessing the main page and displaying the QR code?
+  Perhaps using a separate attendance-checking domain?
+
+### Odoo login: OIDC or LDAP?
+
+* Install [OIDC module][1] in Odoo to allow access and login via Authelia
+* Configure Authelia to require password from users in this LDAP group
+  when accessing Odoo.
+* Change nginx configuration in Odoo server to force users to go through
+  Authelia (internal connections will be allowed using the _bypass_ option
+  in Authelia; non-Workspace users who have logged into Authelia will be able
+  to login to Odoo using one click).
+
+* Another option is to install the LDAP authentication module in Odoo,
+  and allow users to enter their username and password, instead of their
+  personal Google account (not sure if it's possible), or a manually
+  assigned password. The user would login twice in this scenario:
+  once to Authelia for their attendance registration, and again in
+  Odoo (using the same user and password).
+
+[1]: https://pypi.org/project/odoo14-addon-auth-oidc/
+

main.py

@@ -34,9 +34,11 @@ def show_qr_and_list():
     data = conn.execute('SELECT * FROM hits ORDER BY id DESC LIMIT 10').fetchall()
     conn.close()
 
-    # TODO: next_ uuid should be in global state, to verify it when it's received
+    # TODO: store next_uuid in a queue, and remove it once it's used. Accept only ids
+    #       from the queue
+    next_uuid = uuid.uuid1()
     return render_template("template.html",
-            next_uuid=str(uuid.uuid1()),
+            next_uuid=str(next_uuid),
             hits=data)
 
 @app.route('/<uuid:id>')
@@ -49,11 +51,10 @@ def catch_uuids(id):
     conn = get_db_connection()
     existing = conn.execute(
             'SELECT * FROM hits WHERE uuid = ?', (str(id),)).fetchone()
-    existing = False # Temporary, for easier development
-    if id.fields[5] !=  uuid.getnode():
-        error = 'DIFFERENT_NODE'
     if not ua:
         error = 'NO_USERNAME'
+    elif id.fields[5] !=  uuid.getnode():
+        error = 'DIFFERENT_NODE'
     elif existing:
         error = 'ALREADY_USED'
     else:

requirements.txt

@@ -1,10 +1,17 @@
+bidict==0.22.0
 click==8.1.3
 Flask==2.1.3
 Flask-QRcode==3.1.0
+Flask-SocketIO==5.2.0
 Flask-UUID==0.2
+h11==0.13.0
 itsdangerous==2.1.2
 Jinja2==3.1.2
 MarkupSafe==2.1.1
 Pillow==9.2.0
+python-engineio==4.3.3
+python-socketio==5.7.1
 qrcode==7.3.1
+simple-websocket==0.7.0
 Werkzeug==2.2.1
+wsproto==1.1.0