Front-End-Coders-Mauritius / frontend.mu

A community around front-end development based in Mauritius Island. We also organise monthly meetups free for anyone interested to attend.
https://frontend.mu
BSD 3-Clause "New" or "Revised" License

Implementing RSVP verification #128

Open MrSunshyne opened 7 months ago

MrSunshyne commented 7 months ago

Description

A user USER_A is able to log in on the frontend.mu website via Google. Given that login is successful:

- A record of USER_A is created in the backend of frontend.mu
- USER_A is assigned the role ROLE_SSO

Current RSVP process

When USER_A visits an event and completes the RSVP process for that event, an entry is upserted into the RSVP table for that RSVP action.

RSVP Table

USER_ID | EVENT_ID | PREFERENCES | NAME | PROFILE_PICTURE | VERIFIED

Permissions

- A user is allowed to update his own preferences and view all of his columns
- Another user is allowed to see the NAME, PROFILE_PICTURE and VERIFIED of all users
- A user is not allowed to update his own VERIFIED column. (for now)

How could verification work?

The VERIFIED column is currently unused.

This boolean field would be allowed to be updated by ROLE_ADMIN.

Ideas subsequently unlocked:

  1. RSVP to older meetups
     Allowing RSVP to older meetups could lead to abuse or fake data. Using the VERIFIED column, we could identify/verify who actually attended because organizers have a list of past attendees.

  2. Counting attendance in current and future meetups
     When a user USER_B comes to a meetup, a person with ROLE_ADMIN can then update the VERIFIED column of USER_B in the RSVP table. This can be done manually, but of course it would be nicer to have some kind of QR code scanning process that makes this happen in under 5 seconds. [Elaborated further in section "Expanding on RSVP Verification"]

  3. Badges on user avatars
     Verified users can have badges on their profile picture to show which meetups they really attended.

Expanding on RSVP Verification

If we are able to implement the "Attendee Ticket" feature, we could include a QR code that contains the USER_ID and EVENT_ID in the ticket. Then we read this information to identify which column to update in the RSVP table, and then update the VERIFIED field for that row.
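The ticket check described above, as an added example that is not part of the original issue or the frontend.mu code base: the QR payload carries USER_ID and EVENT_ID plus an HMAC, so the back end sets VERIFIED only for tickets it issued, for the event being checked in, and only when the scanner has ROLE_ADMIN. The secret, the function names and the in-memory RSVP table are assumptions made for illustration.

```javascript
// Added example, not frontend.mu code. Assumes a Node.js back end.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed demo secret (assumption); load the real one from server-side config.
const TICKET_SECRET = "constructed-demo-secret";

function sign(payload, secret) {
  return createHmac("sha256", secret).update(payload).digest("base64url");
}

// String to embed in the attendee's QR code: base64url(JSON claims) + "." + HMAC.
function issueTicket(userId, eventId, secret = TICKET_SECRET) {
  const payload = Buffer.from(JSON.stringify({ userId, eventId })).toString("base64url");
  return `${payload}.${sign(payload, secret)}`;
}

// Returns the claims if the MAC is valid and the ticket is for this event, else null.
function verifyTicket(ticket, expectedEventId, secret = TICKET_SECRET) {
  if (typeof ticket !== "string") return null;
  const parts = ticket.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // The MAC matched, so the payload is JSON that issueTicket produced.
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  return claims.eventId === expectedEventId ? claims : null;
}

// Hypothetical scan handler: the role check comes first, then the ticket check,
// and only an existing RSVP row for that user and event is marked VERIFIED.
function handleScan(scanner, ticket, eventId, rsvpTable) {
  if (scanner.role !== "ROLE_ADMIN") return { ok: false, reason: "forbidden" };
  const claims = verifyTicket(ticket, eventId);
  if (!claims) return { ok: false, reason: "invalid ticket" };
  const row = rsvpTable.find(
    (r) => r.USER_ID === claims.userId && r.EVENT_ID === claims.eventId);
  if (!row) return { ok: false, reason: "no RSVP for this event" };
  row.VERIFIED = true;
  return { ok: true, userId: claims.userId };
}
```

In a real deployment the role check would come from the authenticated session and the update would go through the RSVP table's own permission rules rather than an in-memory array.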

cedpoilly commented 7 months ago

Option 1

Have a new route for the ROLE_ADMIN users: a "Scan ticket" route. Opens a QR code reader for the admin to scan the attendee's ticket on their phone.

Option 2

Have a link that is enabled at the beginning of the meetup: visiting it while logged in will automatically mark you as verified. The link will send the coordinates of the device and the back-end will add the timestamp. If both pieces of info are valid, the user is marked as verified. The back-end could be a Vercel Edge Function (suggested by @nicolasstrands).

Considerations

Question(s)

MrSunshyne commented 7 months ago

Definitely prefer option 1, as it enables some physical interaction between organizers and attendees, and seems technically simpler than option 2.

Option 1: How do we mark a user as ROLE_ADMIN?
I can change the role of a user in Directus. I can also create a new role with specific permissions on that column.

Option 1: Where (on the server) do we create the timestamp?
Directus already has a date updated value for each row, couldn't we use that? In case we don't want that we can just create a new field verification_timstamp that we can write to. Was this for option 2?

Option 2: How to authenticate the Vercel Edge Function as a Directus ROLE_ADMIN?
The function running would need to have an authentication token, like a bot user, and that user is also assigned ROLE_ADMIN in Directus.

Can we have some food, please?
Yes, most definitely! pizza buns with burger toppings