@ml-evs ml-evs commented May 24, 2025

This PR initiates the work on allowing QR codes to be generated that are
accessible by anyone who has printed one out, requested by @PeterKraus in #1053.

It does this by adding a /items/<refcode>/issue-access-token endpoint, which stores a token in the
database that can be used to access that refcode without login. A corresponding
admin endpoint for invalidating the token is added, in case of nefarious use.

Outstanding questions:

  • For the UI, this should likely be a conscious second step -- e.g., QR code -> generate public QR code. We may want to limit how many there are per item too, perhaps to 1. Admins should probably also have access to another UI that shows when tokens were generated, with the option to invalidate them, though I think this could be a future PR.
  • Right now, a user with existing access to a sample could generate access tokens to all samples they have access to without using the UI. This is a bit of a harder problem to solve, and involves some trust on existing verified users. For now, the token is stored with the user account in place, so tokens can be invalidated programmatically that correspond to that user. We may also want to investigate a way of sharing a secret between the app and API so that the API can be sure that the generation is being done from a known UI, though this would probably be a relatively complicated deployment detail to implement.
  • As it stands in this PR, the user still has to be logged in to get access to the item (though they don't necessarily need to have permissions for it). I will relax this constraint once the rest is properly tested.
  • I am currently using uuid.uuid1() for the token generation (and storing a sha-512 hash of it in the database), but we might need to reduce the entropy a bit so that it fits into a printable QR.

@ml-evs ml-evs added the enhancement New feature or request label May 24, 2025
@ml-evs ml-evs changed the title Ml evs/add access tokens to qr codes Add persistent per-item access tokens that can be used in QR codes May 24, 2025
@ml-evs ml-evs marked this pull request as draft May 24, 2025 09:48
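
An added sketch, not code from this PR or from datalab, of the token lifecycle the description above outlines: issue a per-item token, keep only its SHA-512 digest alongside the issuing user, cap active tokens per item at one, and revoke by user. It assumes the token is drawn from `secrets.token_urlsafe(16)` (128 random bits, 22 printable characters) rather than `uuid.uuid1()`, whose value is built from the host ID and current time; the class, method names and in-memory list are hypothetical stand-ins for the real endpoint and database.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

TOKEN_BYTES = 16  # assumption: 128 bits from the OS CSPRNG -> 22 URL-safe chars


def _digest(token: str) -> str:
    """SHA-512 hex digest, the only form of the token that is persisted."""
    return hashlib.sha512(token.encode()).hexdigest()


class ItemAccessTokens:
    """Hypothetical in-memory stand-in for the database collection."""

    def __init__(self, max_active_per_item: int = 1):
        self.max_active = max_active_per_item
        self.records = []  # digests and metadata only, never the raw token

    def _active(self, refcode: str) -> list:
        return [r for r in self.records if r["refcode"] == refcode and r["active"]]

    def issue(self, refcode: str, user_id: str) -> str:
        # Enforce the per-item cap so one item cannot accumulate public tokens.
        if len(self._active(refcode)) >= self.max_active:
            raise PermissionError(f"{refcode} already has an active token")
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.records.append({
            "refcode": refcode, "user_id": user_id, "digest": _digest(token),
            "active": True, "created": datetime.now(timezone.utc),
        })
        return token  # returned once, to be embedded in the QR code URL

    def verify(self, refcode: str, token: str) -> bool:
        candidate = _digest(token)
        # Each digest comparison is constant-time; the token is bound to one item.
        return any(hmac.compare_digest(candidate, r["digest"])
                   for r in self._active(refcode))

    def revoke_for_user(self, user_id: str) -> int:
        """Invalidate every active token issued by one user; return the count."""
        hits = [r for r in self.records if r["user_id"] == user_id and r["active"]]
        for r in hits:
            r["active"] = False
        return len(hits)
```
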

cypress bot commented May 24, 2025

datalab    Run #3840

Run Properties:  status check passed Passed #3840  •  git commit 28c59edb9d ℹ️: Merge 920beb16e704ba68735461b564750ecc4e48cecb into e5a78e7ec96ceb1fd6a38d5106eb...
Project datalab
Branch Review ml-evs/add-access-tokens-to-qr-codes
Run status status check passed Passed #3840
Run duration 07m 06s
Commit git commit 28c59edb9d ℹ️: Merge 920beb16e704ba68735461b564750ecc4e48cecb into e5a78e7ec96ceb1fd6a38d5106eb...
Committer Matthew Evans

Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 0
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 336

@PeterKraus

As discussed, feel free to deploy and ping me once it's ready for testing. When QR codes are printed on curvy/flexible surfaces, they're harder to read - I can test how small we can print the QR code to still be useful.

@BenjaminCharmes BenjaminCharmes force-pushed the ml-evs/add-access-tokens-to-qr-codes branch from 0c2d9cb to 9ac73a6 Compare September 4, 2025 07:18
Small pytest fix

Small pytest fix

Small pytest fix

Small pytest fix

Small pytest fix
@BenjaminCharmes BenjaminCharmes force-pushed the ml-evs/add-access-tokens-to-qr-codes branch from 5ffbe91 to 920beb1 Compare September 4, 2025 14:22