75 lines
2.6 KiB
Markdown
75 lines
2.6 KiB
Markdown
# Sample application for verifying attendance through a unique QR code
|
|
|
|
To run in a Python virtual environment, using **Flask**:
|
|
|
|
```bash
|
|
mkvenv flask
|
|
venv flask
|
|
pip install Flask Flask-QRcode Flask-UUID
|
|
```
|
|
|
|
To create an empty `database.db` sqlite file with the table described in
|
|
`schema.sql`:
|
|
|
|
```bash
|
|
./init_db.py
|
|
```
|
|
|
|
## Nginx reverse proxy configuration
|
|
|
|
Add this code to the nginx configuration file for the virtual host:
|
|
|
|
```nginx
|
|
location /socket.io {
|
|
set $webapp http://attendance.lxd:5000;
|
|
include proxy_params;
|
|
proxy_http_version 1.1;
|
|
proxy_buffering off;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "Upgrade";
|
|
proxy_pass $webapp;
|
|
}
|
|
```
|
|
|
|
## Tasks
|
|
|
|
* [X] Create a separate group in LDAP for non-Workspace users
|
|
* [X] Change **Google Cloud Directory Sync** configuration to skip users in this
|
|
group
|
|
* [X] List all non-Workspace users with access to Odoo and create them in LDAP
|
|
|
|
## To be decided
|
|
|
|
* [X] The Flask app will be installed in a central container? or a separate
|
|
instance on every Raspberry Pi display?: In a central container
|
|
* [X] If every display has an instance, how to prevent direct connections
|
|
to it, that bypass Authelia?
|
|
* [X] Different QR codes pointing to different URLs (perhaps with the same
|
|
UUID?) for entrance/exit, very clearly labeled.
|
|
* [ ] How to allow the display to show the main screen without having to
|
|
login to Authelia? (remember that the Authelia registration cookie
|
|
expires every month), and still requiring login for everyone else?
|
|
* [ ] How to prevent users from accessing the main page and displaying the QR code?
|
|
Perhaps using a separate attendance-checking domain?
|
|
|
|
### Odoo login: OIDC or LDAP?
|
|
|
|
* The [OIDC module][1] could be installed in Odoo to allow access and login
|
|
via Authelia instead of Google/Oauth
|
|
* Configure Authelia to require password from users in this LDAP group
|
|
when accessing Odoo.
|
|
* Change nginx configuration in Odoo server to force users to go through
|
|
Authelia (internal connections will be allowed using the _bypass_ option
|
|
in Authelia; non-Workspace users who have logged into Authelia will be able
|
|
to login to Odoo using one click).
|
|
|
|
* Another option would be to install the LDAP authentication module in Odoo,
|
|
and allow users to enter their username and password, instead of their
|
|
personal Google account (not sure if it's possible), or a manually
|
|
assigned password. The user would login twice in this scenario:
|
|
once to Authelia for their attendance registration, and again in
|
|
Odoo (using the same user and password).
|
|
|
|
[1]: https://pypi.org/project/odoo14-addon-auth-oidc/
|
|
|