simplQ-backend

PublicQueueTask5: PIN to protect queue

Open daltonfury42 opened this issue 5 years ago • 8 comments

A queue creator can optionally choose to protect his queue by using a 4 digit pin. Then he can keep refreshing the pin whenever he wishes to.

daltonfury42 Jun 10 '20 19:06

While creating a queue, we can take as a boolean 'isPasswordProtected'.

If so, a random 4-digit number is to be returned. There should also be an API for the admin to request a new random number.

Similarly, while joining a queue, if the queue is password protected, the user should be asked to enter the PIN. We should have a queue information API that the UI can call for knowing more information on the queue. The API can return the queue name, the current number of people in the queue, and also whether it 'isPasswordProtected'.

(The APIs will be much cleaner once we have @thehamzarocks's #16 and auth.)

daltonfury42 Jun 16 '20 18:06

@avinashkris9 This is a nice task, you want to take it up?

daltonfury42 Jun 17 '20 05:06

I can try. I have some doubts:

  1. The POST request on /queue/create will have an isPasswordProtected field. Can the client send a PIN when sending the create request, or is the server always responsible for generating the PIN?
  2. If the isPasswordProtected field is yes, a 4-digit random PIN should be generated and sent through the response body.
  3. POST v1/user/add should have the PIN while adding a user. How should the PIN be passed? Header/request body?
  4. Is the queue info API the same as /v1/user/status?
  5. Is there any spec or URI decided for random PIN generation?

avinashkris9 Jun 17 '20 10:06

  1. Let's generate the PIN. It would be cleaner UX. Otherwise the user would have to think of one and type it. Most systems are designed like this.
  2. Right
  3. Request Body
  4. Good question. Yes, it's the same for now, but I have plans to have two separate APIs later.
  5. Nothing fancy, new Random(System.currentTimeMillis()) should work, in my opinion.

daltonfury42 Jun 17 '20 17:06

How is the PIN stored and validated?

sajmalyousef Jul 04 '20 12:07

The PIN is stored in the queue table. Validation is manual: we will have to check the PIN from the user against the PIN from the DB.

The join queue form will send a queue status request when the page loads; the response will have a boolean field isPasswordProtected, and if it is set to true, the UI would have to ask the user for the PIN.

The admin would also have a button somewhere to reset the pin with a new one.

daltonfury42 Jul 04 '20 14:07
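
An added example, not part of the thread or of simplQ-backend's code, for the PIN generation and validation steps discussed above: the time-seeded generator beside a SecureRandom one, a constant-time comparison, and a per-queue failed-attempt limit. The class and method names, the extra counter field and the limit of 5 are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;

// Added example; all names here are hypothetical, not simplQ-backend code.
public class QueuePinExample {
    private static final SecureRandom SECURE = new SecureRandom();
    static final int MAX_ATTEMPTS = 5; // assumed limit: a 4-digit PIN has only 10,000 values

    // Generator as suggested in the thread: the PIN is a pure function of the seed.
    static String timeSeededPin(long seedMillis) {
        return String.format("%04d", new Random(seedMillis).nextInt(10_000));
    }

    // Hardened form: CSPRNG output, zero-padded so the PIN is always 4 digits.
    static String securePin() {
        return String.format("%04d", SECURE.nextInt(10_000));
    }

    // Compare stored and submitted PIN without returning early at the first mismatch.
    static boolean pinMatches(String stored, String submitted) {
        if (submitted == null) return false;
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Queue row with the PIN and an assumed failed-attempt counter stored beside it.
    static final class ProtectedQueue {
        private String pin = securePin();
        private int failedAttempts = 0;

        // Admin "refresh PIN" action: new PIN, counter cleared.
        String refreshPin() { pin = securePin(); failedAttempts = 0; return pin; }

        boolean tryJoin(String submitted) {
            if (failedAttempts >= MAX_ATTEMPTS) return false; // locked until the admin refreshes
            if (pinMatches(pin, submitted)) return true;
            failedAttempts++;
            return false;
        }
    }

    public static void main(String[] args) {
        long createdAt = 1_592_415_000_000L; // constructed timestamp
        // Same seed gives the same PIN, so knowing the creation time is enough to recompute it.
        System.out.println(timeSeededPin(createdAt).equals(timeSeededPin(createdAt)));
        ProtectedQueue q = new ProtectedQueue();
        String pin = q.refreshPin();
        System.out.println(q.tryJoin(pin));
        for (int i = 0; i < MAX_ATTEMPTS; i++) q.tryJoin("wrong");
        System.out.println(q.tryJoin(pin)); // queue is locked, so the correct PIN is refused too
    }
}
```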

Just a suggestion: encrypt (not encode) the PIN before storing it in the DB; it will be a good practice.

sajmalyousef Jul 04 '20 14:07

From what I think, these are the reasons why we encrypt data:

  1. We hash passwords so that even the website owners can't read them.
  2. We encrypt sensitive information, like credit card info, biometrics, etc., so that if we get hacked and the data gets stolen, it doesn't create problems.

Our queue password is a random 4-digit PIN that we store. Think of it like a Bluetooth pairing code. I don't see a need to encrypt it.

In the event of a hack, I'll be more concerned about the name and mobile number that will get leaked.

daltonfury42 Jul 04 '20 17:07