Feature Request: API for room occupancy

[pobv]

It would be very nice to be able to retrieve the current room occupancy for a given room via either polling (REST request) or active notification on change (WebSocket or MQTT or similar). As the check-in system is now consistently used, works reliably and data is widely available, a display visible for all users "how many are currently logged in" has this "give something back" feeling and might be motivating (and is fun to build). For that, an API reporting room occupancy of a room (if necessary either authenticated or restricted by other means) would be very welcome.

[MorMundHS-MA]

I don't think providing notifications through web sockets is feasible for this, since we would have to poll the database on the server-side anyway or make quite significant architectural changes. But a REST endpoint is doable and mostly straight forward.

However I think we should not allow unauthenticated access to this endpoint as public access to this, even if it is read-only. Since we have already ruled out the university's single-sign-on system as an authentication method for the regular login, I don't think it will be useful here either.
The other options I see are:

• A fixed token passed as environment variable. This does limit the endpoints usefulness significantly as it will be only reasonable accessible for a single use-case.
• A public key which can verify generated tokens i.e. something like JWT. This allows the administrators to sign as many tokens as necessary, but requires much more implementation and documentation effort, as well as manual management of the tokens.
• Limiting API access to university IPs. This is easy to implement, but may not translate well to the use-cases other users of this open source project may have.
• Using the existing login system. This would require the client to authenticate with a username/password and manage the session cookie. It should be as secure as the other options but would require much more documentation for client implementations compared to token-based approaches.

[pobv]

Thanks, fixed token and restrict to university IPs would be absolutely fine for me. If that is doable, great - thanks in advance.

[Wifi-cable]

The team is discussing various solutions. The aspects of usability, service and data protection matter to us.Technical solutions often have social implications. We have to ensure that any form of API to is GDPR or DSGVO conform.