FaSTTUBe/ftracker
54
1
Fork 0
Code Issues 2 Pull Requests Releases 1 Wiki Activity

Compare commits

base: FaSTTUBe:master
Branches Tags
FaSTTUBe:master
FaSTTUBe:1.1.0
..
compare: FaSTTUBe:df0438f407a49ed7be65a3cba718f026acf4d06f
Branches Tags
FaSTTUBe:master
FaSTTUBe:1.1.0

1 Commits
master ... df0438f407

Author SHA1 Message Date
Oskar
df0438f407 Split down files and add question about covid-test 2021-04-12 21:20:09 +02:00
15 changed files with 45 additions and 469 deletions
Expand all files Collapse all files

4
Dockerfile
View File

@ -1,9 +1,7 @@
FROM alpine:latest
RUN apk add --update --no-cache \
bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx npm jq
RUN npm install -g web-push
bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx

37
INSTALL.md
View File

@ -161,40 +161,3 @@ jänE doé
```
would still work, but `Jane D` wouldn't).
### Automatic data deletion (GDPR compliance)
The `delete_after_days` configuration option can be set to a number of days
after which attendance records are purged from the database. If it is not set
(or empty) automatic deletion is deactivated. Automatic deletion is final and
non-recoverable. This option is intended to help make the system fully GDPR
compliant by guaranteeing deletion after a certain period. Keep in mind that a
legally binding data protection guideline and user consent are still required.
### User notification on forgotten sign-out
`ftracker` is capable of notifying users if they forgot to sign-out at the end
of a day using modern web push notifications using the VAPID system. To make
this work, a few things are needed:
Firstly, you need an EC-Prime256v1 keypair in base64url encoding. If you're
using the Docker container, this is automatically generated for you. If not,
the easiest way to create one is to install the `web-push` `npm` package and
run it:
```bash
sudo npm install -g web-push
web-push generate-vapid-keys
```
The keys then need to be copied into the config options `push_public_key` and
`push_private_key` respectively so the backend can handle the rest.
Next, to be VAPID compliant you have to announce an contact address claim to
the push services so they can contact you if anything is going wrong with your
notifications. Do this by entering your email address as a `mailto:` link in
the `push_sender_info` option, like `mailto:it@fasttube.de`.
Finally, you can use the `notify_after_hrs` option to specify how long the
system should wait after a user's arrival to notify them of their missing
departure.

10
config.ini
View File

@ -24,13 +24,3 @@ guideline_url = https://fasttube.de/wp-content/uploads/2020/12/Cororna-Regeln-St
# JSON indentation for debugging
json_indent = 4
# VAPID credentials for push notifications
# private key: base64url encoded public part of an EC-Prime256v1 keypair. See INSTALL.md
# private key: base64url encoded private part of an EC-Prime256v1 keypair. See INSTALL.md
# sender info: usually mailto link to responsible party to contact about issues
push_public_key = BBwBPYxhogHLU3B1FpxfQNzO3q7qZpmD1n1KaaL8WJbcVmJSHhi1uB-VmvsVjjUHWYCeqKyLT7w-1LBfpIcbbcg
push_private_key = abcdefghijklm_NOPQRSTUVWXYZ-0123456789
push_sender_info = mailto:it@fasttube.de
# when to notify users, in hours after arrival
notify_after_hrs = 10

2
ftracker/__version__.py
View File

@ -6,6 +6,6 @@
# Corona time tracker
VERSION = (1, 1, 0)
VERSION = (1, 0, 0)
__version__ = '.'.join(map(str, VERSION))

9
ftracker/config.py
View File

@ -9,17 +9,17 @@ class Config:
def findConfigFile():
if len(sys.argv) > 1:
return sys.argv[1]
elif Path('/etc/ftracker/config.ini').is_file():
return '/etc/ftracker/config.ini'
elif Path('config.ini').is_file():
return 'config.ini'
elif Path('/etc/ftracker/config.ini').is_file():
return '/etc/ftracker/config.ini'
else:
return None
configfile = findConfigFile()
if configfile:
self.config = ConfigParser(strict=False)
self.config = ConfigParser()
self.config.read(configfile)
else:
raise Exception("No config file found")
@ -30,6 +30,3 @@ class Config:
def __getitem__(self, key):
return self.config['global'].get(key)
def __repr__(self):
return repr(self.config.items('global'))

69
ftracker/core.py
View File

@ -26,15 +26,6 @@ if config['delete_after_days']:
from .deleter import Deleter
deleter = Deleter(db, int(config['delete_after_days']))
if config['notify_after_hrs']:
from .notifier import Notifier
notifier = Notifier(db, int(config['notify_after_hrs']), {
'private_key': config['push_private_key'],
'claims': {'sub': config['push_sender_info']}
})
def shutdown():
print('\rReceived stop signal, stopping threads...')
deleter.stop()
@ -42,7 +33,6 @@ def shutdown():
atexit.register(shutdown)
@app.route('/guidelines')
def get_guidelines():
dest = config['guideline_url'] or None
@ -169,62 +159,3 @@ def get_data():
)
return json.dumps(r, indent=SPACES), 200
@app.route('/pushinfo')
def get_pushinfo():
if config['notify_after_hrs']:
r = {
'enabled': True,
'publickey': config['push_public_key']
}
else:
r = {
'enabled': False,
'publickey': None
}
return json.dumps(r, indent=SPACES), 200
@app.route('/pushsubscribe', methods=['POST'])
def post_pushsub():
try:
payload = request.data.decode('UTF-8')
data = json.loads(payload)
except ValueError as e:
return 'Error: JSON decode error:\n' + str(e), 400
notifier.subscribe_user(data)
return 'OK', 201
@app.route('/testpush/<name>')
def testpush(name):
if not 'Authorization' in request.headers:
return 'Error: No Authorization', 401, {'WWW-Authenticate': 'Basic'}
if request.authorization.username != config['admin_user']:
return "Wrong username", 403
if request.authorization.password != config['admin_pass']:
return "Wrong password", 403
Entry = Query()
arrivals = db.search((Entry.name == name) & (Entry.departure == None))
if len(arrivals) == 0:
print("User is not logged in :(")
return "Error: User is not logged in :(", 409
error = notifier.notify_user(arrivals[0])
if error:
return 'Error: ' + error, 404
return 'OK', 201

100
ftracker/notifier.py
View File

@ -1,100 +0,0 @@
import json
import copy
from slugify import slugify
from threading import Thread, Event
from datetime import datetime, timedelta
from tinydb import Query
from pywebpush import webpush, WebPushException
ONE_HOUR_IN_S = 60 * 60
class Notifier(Thread):
def subscribe_user(self, data):
pushsubs = self.db.table('pushsubs')
name = slugify(data['name'])
data['name'] = name
Entry = Query()
pushsubs.upsert(data, Entry.name == name)
def notify_user(self, arrival):
pushsubs = self.db.table('pushsubs')
Entry = Query()
ps = pushsubs.search(Entry.name == arrival['name'])
if len(ps) == 0:
print("User is not subscribed to notifications :(")
return "User is not subscribed to notifications :("
ps = ps[0]
print("Sending notification", arrival, ps, self.vapid_creds)
subscription = ps['sub']
notification = {
'title': "Forgot to sign out?",
'body': "You didn't sign out of ftracker yet",
'arr': arrival
}
privkey = self.vapid_creds['private_key']
claims = copy.copy(self.vapid_creds['claims'])
try:
webpush(
subscription,
json.dumps(notification),
vapid_private_key = privkey,
vapid_claims = claims
)
print("Notification sent")
return None
except WebPushException as exc:
print("Notification failed", exc)
return repr(exc)
def notify_logged_in_users(self):
print("Notifying users that aren't signed out yet...")
td = timedelta(hours=self.hours)
threshold = datetime.utcnow() - td
iso = threshold.isoformat() + 'Z'
Entry = Query()
arrivals = self.db.search(
(Entry.arrival < iso) & (Entry.departure == None)
)
for arrival in arrivals:
self.notify_user(arrival)
print("Notified everything until UTC", iso)
def __init__(self, db, hours, vapid_creds):
self.db = db
self.hours = hours
self.vapid_creds = vapid_creds
self.notify_logged_in_users()
Thread.__init__(self, daemon=True)
self.stopped = Event()
self.start()
def run(self):
while not self.stopped.wait(ONE_HOUR_IN_S):
self.notify_logged_in_users()
def stop(self):
self.stopped.set()

13
res/config.deploy.ini
View File

@ -4,9 +4,6 @@
# Remove or leave empty for temporary (/tmp/ftracker-db.json) storage
db_file = /var/ftracker/db.json
# Delete all information after X days (e.g. for GDPR compliance)
delete_after_days = 28
# List of people to be allowed, in .csv format (comma, no delimiters)
# Col1: First Name(s), Col2: Last Name(s), Col3 (optional): EMail
# Remove or leave empty for no check
@ -24,13 +21,3 @@ guideline_url = https://youtu.be/oHg5SJYRHA0
# JSON indentation for debugging
json_indent = 4
# VAPID credentials for push notifications
# private key: base64url encoded public part of an EC-Prime256v1 keypair. See INSTALL.md
# private key: base64url encoded private part of an EC-Prime256v1 keypair. See INSTALL.md
# sender info: usually mailto link to responsible party to contact about issues
push_public_key = abcdefghijklm_NOPQRSTUVWXYZ-0123456789abcdefghijklm_NOPQRSTUVWXYZ-0123456789abcdefghijklm_NOPQRSTUVWXYZ-0123456789
push_private_key = abcdefghijklm_NOPQRSTUVWXYZ-0123456789
push_sender_info = mailto:admin@example.com
# when to notify users, in hours after arrival
notify_after_hrs = 10

19
res/docker-entrypoint.sh
View File

@ -1,24 +1,5 @@
#!/bin/bash
echo " >>> Checking / Creating & patching VAPID creds <<< "
VAPID_CREDS_FILE=/etc/ftracker/vapid-creds.json
if [[ ! -f $VAPID_CREDS_FILE ]]
then
echo "Generating keypair ..."
web-push generate-vapid-keys --json > $VAPID_CREDS_FILE
echo "Patching keypair into config ..."
PUB_KEY=`cat $VAPID_CREDS_FILE | jq -r .publicKey`
echo "pushServerPublicKey = ${PUB_KEY}" >> /var/www/html/ftracker/main.js
PRIV_KEY=`cat $VAPID_CREDS_FILE | jq -r .privateKey`
echo "push_private_key = ${PRIV_KEY}" >> /etc/ftracker/config.ini
fi
echo " >>> Starting nginx <<< "
mkdir /run/nginx # needed because of bug in package

3
setup.py
View File

@ -8,7 +8,7 @@ with open("LICENSE.md", "r") as f:
st.setup(
name="ftracker",
version="1.1.0",
version="1.0.0",
author="Oskar @ FaSTTUBe",
author_email="o.winkels@fasttube.de",
description="Small webapp to track who was in which room at which time to backtrace potential viral infections",
@ -20,7 +20,6 @@ st.setup(
"flask",
"tinydb",
"python-slugify",
"pywebpush",
],
license=license_text,
classifiers=[

51
web/index.html
View File

@ -12,55 +12,52 @@
'arrival': 'I have read and will adhere to the <a href="/guidelines" target="_blank">protection guidelines</a>',
'departure': 'I have cleaned my workspace'
}
var testCheckBox = '<label class="checkbox"><input type="checkbox" name="tested" id="tested"><span>I fullfill one of the <a href="https://www.bundesregierung.de/breg-de/aktuelles/bund-laender-beratung-corona-1949606">3G requirements</a></span></label>'
var editTimeBox = '<label>Departure Date/Time:<input type="datetime-local" name="datetime" id="datetime" required></label>'
function getParams() {
var qparams = document.location.search.substr(1)
if (qparams == "") return {}
qparams = qparams.split('&')
var qps = {}
for (var qparam of qparams) {
var h = document.location.href
var qparam = h.split('?')[1] || null
if (qparam == null)
return null
var vals = qparam.split('=')
qps[vals[0]] = vals[1] || null
if (vals.length < 2 || !cbt.hasOwnProperty(vals[0]))
return null
return {
action: vals[0],
room: vals[1]
}
// Backwards compat
if (qps.arrival) {qps.action = 'arrival'; qps.room = qps.arrival}
if (qps.departure) {qps.action = 'departure'; qps.room = qps.departure}
return qps
}
var qp = getParams()
</script>
</head>
<body>
<h1><script>
document.write(qp.action ? (qp.action + "<br>Room " + qp.room) : 'FTracker<br>V1.1')
if (qp)
document.write(qp.action + "<br>Room " + qp.room)
else
document.write('FTracker<br>V1')
</script></h1>
<div id="startpage">
This is a web app to track which people were in the same rooms at
which times in order to backtrace potential viral infections.<br><br>
If you've reached this page that either means your're testing
things or something has gone quite wrong with the URL.<br>
This is a web app to track which people
were in the same rooms at which times in order to backtrace
potential viral infections.<br><br>
If you've reached this page that either means your're
testing things or something has gone quite wrong with the\
URL.<br>
In the former case: Yay it works! In the latter you should
probably contact an admin or a dev nearby :(<br><br>
Here are a few links for testing:<br>
<a href="/view">View Data</a>,
<a href="/QRgen">Door Sign Generator</a>,
<a href="/?arrival=42">Test Arrival</a>,
<a href="/?departure=42">Test Departure</a>,
<a href="javascript:localStorage.removeItem('pushsub')">Reset Push Subscription</a><br><br>
&copy; 2020 made by <a target="_blank" href="mailto:&#111;&#46;&#119;&#105;&#110;&#107;&#101;&#108;&#115;&#64;&#102;&#97;&#115;&#116;&#116;&#117;&#98;&#101;&#46;&#100;&#101;">Oskar</a>
<a href="/?departure=42">Test Departure</a><br><br>
&copy; 2020 made by <a target="_blank" href="mailto:&#111;&#46;&#119;&#105;&#110;&#107;&#101;&#108;&#115;&#64;&#102;&#97;&#115;&#116;&#116;&#117;&#98;&#101;&#46;&#100;&#101;">Oskar</a> \
for <a target="_blank" href="//fasttube.de">FaSTTUBe</a>.<br>
For source code & licensing see <a href="//git.fasttube.de/FaSTTUBe/ftracker">git repo</a>
</div>
<form id="mainform" action="javascript:void(0);" style="display: none">
<form id="mainform" style="display: none">
<label>
Full Name:<br>
<input type="text" name="name" id="name" placeholder="John Doe" required>
</label>
<script>
if (qp.edittime && qp.edittime == 1)
document.write(editTimeBox)
</script>
<label class="checkbox">
<input type="checkbox" name="agree" id="agree" required>
<span><script>
@ -68,8 +65,8 @@
</script></span>
</label>
<script>
if (qp.action && qp.action == 'arrival')
document.write(testCheckBox)
if (qp.action == 'arrival')
document.write('<label class="checkbox"><input type="checkbox" name="tested" id="tested"><span>I have been tested negative for COVID in the last 24 hours</span></label>')
</script>
<input type="submit">
</form>

139
web/main.js
View File

@ -1,44 +1,29 @@
var spage = document.getElementById('startpage')
var mform = document.getElementById('mainform')
if (qp.action) {
if (qp) {
spage.style.display = 'none'
mform.style.display = 'block'
}
// Get the name field if it was successfully entered before
// Prefill the name field if it was successfully entered before
var savedName = localStorage.getItem('name')
if (qp && qp.name) {
// Forced Admin checkout - prefill qp name and auto-agree
document.getElementById('name').value = qp.name.replace(/-/g, ' ').toUpperCase();
document.getElementById('agree').checked = true
document.getElementById('agree').parentElement.style.display = 'none'
} else if (savedName && qp) {
// Prefill the client's locally saved name
if (savedName && qp)
document.getElementById('name').value = savedName
}
// 2nd script, server API communication
var name, datetime, agreed, tested
var name, agreed, tested
mform.onsubmit = function(e) {
e.preventDefault()
var i = 0;
name = e.srcElement[i++].value
if (qp.edittime && qp.edittime == 1) {
var value = e.srcElement[i++].value
datetime = new Date(value).toISOString()
}
agreed = e.srcElement[i++].checked
if (qp.action && qp.action == 'arrival')
tested = e.srcElement[i++].checked
name = e.srcElement[0].value
agreed = e.srcElement[1].checked
if (e.srcElement.length > 2)
tested = e.srcElement[2].checked
sendMainData()
initPush(name)
}
function sendMainData() {
@ -48,13 +33,11 @@ function sendMainData() {
{
'room': qp.room,
'name': name,
'arrival': datetime,
'agreetoguidelines': agreed,
'tested': tested // = 3G
'tested': tested
} :
{
'name': name,
'departure': datetime,
'cleanedworkspace': agreed
}
@ -68,7 +51,6 @@ function post(url, payload) {
return fetch(url, {
method: "POST",
headers: {'Content-Type': 'application/json'},
body: JSON.stringify(payload)
}).then(res => {
handleResponse(res)
@ -110,17 +92,13 @@ function handleRequestSubmit(e, json) {
var input = e.srcElement[0].value
var iso = new Date(input).toISOString()
if (e.srcElement.length > 1)
tested = e.srcElement[1].checked // = 3G
// POST JSON. See docs/API.md
var payload = (json.request == 'arrival') ?
{
'room': qp.room,
'name': name,
'arrival': iso,
'agreetoguidelines': agreed,
'tested': tested // = 3G
'agreetoguidelines': agreed
} :
{
'name': name,
@ -155,7 +133,6 @@ function handleRequest(res) {
var aInfo = ''
var minD = ''
var doubleT = ''
var testCheck = ''
if (json.request == 'departure') {
var d = new Date(json.arrival.time)
var dInfo = d.toString('en-GB').split(' ').slice(0,5).join(' ')
@ -164,8 +141,6 @@ function handleRequest(res) {
if (new Date() - d < 3 * 60 * 1000) {
doubleT = '<b style="color:red">Your last sign in was less than 3 minutes ago. You might be accidentally trying to sign in twice. If you don\'t intend to log 2 arrivals within the last 3 minutes, please abort below.</b>'
}
} else if (json.request == 'arrival') {
testCheck = testCheckBox.replace('have', 'had then');
}
var now = localISOTimeMinutes(new Date())
@ -176,17 +151,16 @@ function handleRequest(res) {
<form id="reqform">
<label>
${reqt[json.request]}
<input type="datetime-local" ${minD} max="${now}" required>
<input type="datetime-local" id="datetime" ${minD} max="${now}" required>
${aInfo}
</label>
${doubleT}
${testCheck}
<input type="submit">
<input type="button" value="Abort" onclick="document.body.innerHTML='<h1>Aborted</h1><form>Nothing was logged.<br>You can close this tab/window now.</form>'">
</form>
</div>`
var rform = document.getElementById('reqform')
rform = document.getElementById('reqform')
rform.onsubmit = async function(e) {
await handleRequestSubmit(e, json)
document.querySelector('.request').remove()
@ -196,92 +170,3 @@ function handleRequest(res) {
})
}
if (qp.edittime && qp.edittime == 1) {
var now = localISOTimeMinutes(new Date())
document.getElementById('datetime').value = now;
document.getElementById('datetime').max = now;
}
/* Push Notifications */
function sendNotification() {
navigator.serviceWorker.ready.then(function(serviceWorker) {
serviceWorker.showNotification("Forgot to sign out?", {
body: "You didn't sign out of ftracker yet",
icon: "/favicon.ico",
actions: [{
action: "depart",
title: "Sign Out"
}]
})
})
}
function initPush(name) {
// Check availability
var supported = "serviceWorker" in navigator && "PushManager" in window
if (!supported) {
console.warn("Push Notifications not supported!")
return
}
fetch('/pushinfo').then(function(res) {
if (res.ok)
res.json().then(function(push) {
if (push.enabled)
registerPush(name, push.publickey);
});
});
}
function registerPush(name, pushServerPublicKey) {
// Register service worker
navigator.serviceWorker.register("/sw.js").then(function(swRegistration) {
console.log("ServiceWorker registered:", swRegistration)
})
// Request permission
// TODO: Only do this AFTER the first? SUCCESSFUL sign-in
Notification.requestPermission(function(result) {
return (result === 'granted')
}).then(function(consent) {
console.log('Notifications', consent ? 'enabled' : 'denied');
})
// Check if already initialized
if (localStorage.getItem('pushsub'))
return
// Register push service
navigator.serviceWorker.ready.then(function(serviceWorker) {
serviceWorker.pushManager.subscribe({
userVisibleOnly: true,
applicationServerKey: pushServerPublicKey
}).then(function(subscription) {
console.log("User is subscribed:", subscription);
var jsonSub = JSON.stringify({
name: name,
sub: subscription
});
fetch('/pushsubscribe', {
method: "POST",
headers: {"Content-Type": "application/json"},
body: jsonSub
}).then(function(res) {
if (res.ok)
localStorage.setItem('pushsub', jsonSub);
});
});
});
}

35
web/sw.js
View File

@ -1,35 +0,0 @@
function receivePushNotification(event) {
var data = event.data.json();
console.log("[Service Worker] Push Received:", data)
var room = data.arr ? data.arr.room : 'test'
var options = {
data: `/?departure=${room}&edittime=1`,
body: data.body,
icon: "/favicon.ico",
actions: [{
action: "depart",
title: "Sign Out"
}]
};
event.waitUntil(self.registration.showNotification(data.title, options))
}
self.addEventListener("push", receivePushNotification)
function openPushNotification(event) {
console.log("[Service Worker] Notification click Received.", event.notification.data)
event.notification.close()
event.waitUntil(clients.openWindow(event.notification.data))
}
self.addEventListener("notificationclick", openPushNotification)

6
web/view.css
View File

@ -67,15 +67,9 @@ main > section.times, #timeheader {
font-weight: bold;
-webkit-text-stroke: .4px #c50e1f;
}
.times span.tested { /* = 3G */
background: rgb(0,136,0);
}
.times span.implausible {
background: linear-gradient(to right, #c50e1f, rgba(197,14,31,0.2) 1000px);
}
.times span.implausible.tested { /* = 3G */
background: linear-gradient(to right, rgb(0,136,0), rgba(0,136,0,0.2) 1000px);
}
.viewheader.row {
height: 30px;
background: #ddd !important;

15
web/view.js
View File

@ -88,14 +88,6 @@ function exportCSV() {
}
function offerUserCheckout(event) {
var name = event.target.getAttribute('data-name')
var room = event.target.textContent
window.open(`/?departure=${room}&edittime=1&name=${name}`, '_blank').focus();
}
function renderData() {
if (data == null) {
@ -171,13 +163,10 @@ function renderData() {
block.style.left = arr + 'px' // 1px/min
block.style.width = Math.max(0,(dur-14)) + 'px' // 1px/min
if (entry.tested)
block.classList.add('tested') // = 3G
block.style.background = '#080'
if (dur > 60 * 24) {
if (dur > 60 * 24)
block.classList.add('implausible')
block.setAttribute('data-name', name)
block.addEventListener('click', offerUserCheckout);
}
row.appendChild(block)