# Sample application for verifying attendance through a unique QR code

To run in a Python virtual environment, using **Flask**:

```bash
mkvenv flask
venv flask
pip install Flask Flask-QRcode Flask-UUID
```

To create an empty `database.db` sqlite file with the table described in
`schema.sql`:

```bash
./init_db.py
```

## Nginx reverse proxy configuration

Add this code to the nginx configuration file for the virtual host:

```nginx
    location /socket.io {
        set $webapp http://attendance.lxd:5000;
        include proxy_params;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass $webapp;
    }
```

## Tasks

* [X] Create a separate group in LDAP for non-Workspace users
* [X] Change **Google Cloud Directory Sync** configuration to skip users in this
  group
* [X] List all non-Workspace users with access to Odoo and create them in LDAP

## To be decided

* [X] The Flask app will be installed in a central container? or a separate
  instance on every Raspberry Pi display?: In a central container
* [X] If every display has an instance, how to prevent direct connections
  to it, that bypass Authelia?
* [X] Different QR codes pointing to different URLs (perhaps with the same
  UUID?) for entrance/exit, very clearly labeled.
* [ ] How to allow the display to show the main screen without having to
  login to Authelia? (remember that the Authelia registration cookie
  expires every month), and still requiring login for everyone else?
* [ ] How to prevent users from accessing the main page and displaying the QR code?
  Perhaps using a separate attendance-checking domain?

### Odoo login: OIDC or LDAP?

* The [OIDC module][1] could be installed in Odoo to allow access and login
  via Authelia instead of Google/Oauth
* Configure Authelia to require password from users in this LDAP group
  when accessing Odoo.
* Change nginx configuration in Odoo server to force users to go through
  Authelia (internal connections will be allowed using the _bypass_ option
  in Authelia; non-Workspace users who have logged into Authelia will be able
  to login to Odoo using one click).

* Another option would be to install the LDAP authentication module in Odoo,
  and allow users to enter their username and password, instead of their
  personal Google account (not sure if it's possible), or a manually
  assigned password. The user would login twice in this scenario:
  once to Authelia for their attendance registration, and again in
  Odoo (using the same user and password).

[1]: https://pypi.org/project/odoo14-addon-auth-oidc/