Kiosk mode for Hasjob #78

Closed
jace opened this issue Jan 30, 2014 · 7 comments

Comments

@jace (Member) commented Jan 30, 2014

In kiosk mode, Hasjob disables the Login feature and the Apply form for jobs. Instead, it:

  1. Requires the user to tap their ContactPoint NFC card to a locally attached NFC reader (using ContactPoint's localhost server),
  2. Retrieves details from the ContactPoint server (which may be on the LAN, so only reachable from the client-side), and
  3. Emails the candidate with instructions on how to apply from their own computer OR submits an application with a blank message (so that the employer is informed of the submission) and expects the candidate to follow up from their computer.

Since the ContactPoint interaction is entirely client-side and per-browser, enabling kiosk mode involves the following steps:

  1. The user (any user of a given computer) must go to /contactpoint, a special URL
  2. They must enter the URL of the local ContactPoint server and authorization key, and
  3. Click the Enable button.
  4. Hasjob then sets a cookie on the computer identifying it as a kiosk.
  5. The home page now shows all jobs even if the user is not logged in.
  6. The Login link disappears from the networkbar and jobs no longer have an Apply button.
  7. Instead of Apply, the bottom section asks users to tap their cards. When a valid card is recognised, details are retrieved from the ContactPoint server, Hasjob asks for confirmation, and then sends email.

Issues:

  1. In this scheme, Hasjob must authenticate itself to a ContactPoint server, but the reverse is not required. This means anyone can turn their personal laptop into a ContactPoint kiosk with their own ContactPoint server that returns arbitrary data and causes Hasjob to mail a targeted user. There needs to be reverse-authentication too, so that Hasjob can trust data coming from a ContactPoint server.
@miteshashar (Contributor)

The listed issue can be handled by restricting the enablement of kiosk mode using /contactpoint only to siteadmins. So login as a siteadmin, enable kiosk mode, and log out.

@jace (Member, Author) commented Jan 30, 2014

Good idea. It's a secure cookie, so the cookie can't be edited by users on their own computer.

@jace (Member, Author) commented Jan 30, 2014

Also, Flask-Lastuser sessions are session-only cookies. Setting the contactpoint flag must turn it into a permanent cookie, and turning it off must change back to a session-only cookie.

@miteshashar (Contributor)

Instead, why not have a separate permanent cookie for kiosk mode & contactpoint data?

@jace (Member, Author) commented Jan 30, 2014

Then we lose the automatic security control of Flask's session cookie and will need to set up all that infrastructure on our own (using the itsdangerous library that Flask itself uses).
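
To make the two points in this thread concrete (kiosk mode is enabled through /contactpoint by a siteadmin only, and the kiosk flag rides in the signed session cookie, which becomes permanent while the flag is set and session-only when it is cleared), here is an added, self-contained model. It is not Hasjob's code: the HMAC-SHA256 signing below stands in for what Flask's session cookie does through itsdangerous, the `SECRET_KEY`, `KIOSK_MAX_AGE`, `Response`, `enable_kiosk`, `disable_kiosk` and `home_page` names are constructed for the example, and the ContactPoint URL and key are just opaque values stored in the session.

```python
"""Constructed model of the kiosk-mode cookie discussed in this issue.

Not Hasjob code. A signed cookie carries the kiosk flag and the ContactPoint
settings; only a siteadmin may write it; it is a permanent cookie while kiosk
mode is on and a session-only cookie when it is off. Signing uses hmac/hashlib
from the standard library in place of Flask's itsdangerous-based session.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = b"constructed-secret-key-for-the-example"  # assumption, not a real key
KIOSK_MAX_AGE = 365 * 24 * 3600  # constructed: one year for the permanent cookie


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict) -> str:
    """Serialise and sign the session dict, the way a Flask session cookie is signed."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def load_session(cookie: Optional[str]) -> dict:
    """Return the session dict, or {} if the cookie is missing or has been edited."""
    if not cookie or "." not in cookie:
        return {}
    payload, sig = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return {}  # bad signature: treated as no session, never as a kiosk
    return json.loads(_unb64(payload))


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None
    max_age: Optional[int] = None  # None means a session-only cookie


def enable_kiosk(session: dict, is_siteadmin: bool, cp_url: str, cp_key: str) -> Response:
    """POST /contactpoint: a siteadmin turns this computer into a kiosk (permanent cookie)."""
    if not is_siteadmin:
        return Response(403, "siteadmins only")
    new = dict(session, kiosk=True, contactpoint={"url": cp_url, "key": cp_key})
    return Response(200, "kiosk enabled", sign_session(new), KIOSK_MAX_AGE)


def disable_kiosk(session: dict, is_siteadmin: bool) -> Response:
    """Clear the kiosk flag and drop back to a session-only cookie."""
    if not is_siteadmin:
        return Response(403, "siteadmins only")
    new = {k: v for k, v in session.items() if k not in ("kiosk", "contactpoint")}
    return Response(200, "kiosk disabled", sign_session(new), None)


def home_page(cookie: Optional[str], logged_in: bool) -> dict:
    """A kiosk shows every job and the tap-your-card prompt; no Login link, no Apply button."""
    session = load_session(cookie)
    if session.get("kiosk"):
        return {"jobs": "all", "login_link": False, "apply_button": False, "prompt": "tap card"}
    return {
        "jobs": "all" if logged_in else "public",
        "login_link": not logged_in,
        "apply_button": logged_in,
        "prompt": None,
    }


if __name__ == "__main__":
    admin_session = {"userid": 1, "siteadmin": True}
    resp = enable_kiosk(admin_session, True, "http://localhost:8000", "constructed-key")
    print(resp.status, resp.max_age, home_page(resp.set_cookie, logged_in=False))
    print(home_page(resp.set_cookie[:-1] + "x", logged_in=False))  # edited cookie: not a kiosk
```

The check that matters is in `load_session`: a cookie whose payload or signature has been altered on the kiosk computer verifies as no session at all, so a visitor cannot grant themselves kiosk mode (or change the ContactPoint URL and key) by editing the cookie, and only the siteadmin path in `enable_kiosk` can produce a cookie that passes.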

@miteshashar (Contributor)

Ah, ok. Then the former suggestion makes more sense.

@jace (Member, Author) commented Jun 12, 2014

Implemented in 31280e0 and subsequent commits. However, ContactPoint integration is still pending.

jace closed this as completed Jun 12, 2014