F
Filament7mo ago
daar

web front end with QR access

Hi, I’ve received a request to develop a web front end where users can access personal data via a QR code. Personally I don’t think this is very safe but perhaps there are some thoughts how access in a filament based app could be made safe. Any experience with this? TIA
5 Replies
DrByte
DrByte7mo ago
An app, whether Filament-based or not, is as safe as you make it. Whether you provide QR codes on your site to access URLs, or use shortened-URLs via a provider, or email URLs somehow, whatever ... it's up to you to decide what that URL displays, and under what conditions. The Filament part will just do what you tell it to do. And the Laravel part will do what you tell it to do.
daar
daar7mo ago
Agree. But I was explicitly asked to provide access to personal data via a public URL this way eg ‘mydomain.com/uuid’. Would this be considered as something safe enough? Secondly, how would I create a route for this? It seems close to an api request but I’m not sure. Thanks for your support in this.
awcodes
awcodes7mo ago
That’s not safe at all. It shouldn’t be public. It should be a signed url. That way it would only be accessible with a valid token on the query string. So the endpoint is public but the data and page only load with a valid token.
DrByte
DrByte7mo ago
Obviously you already "get" that anytime you're exposing "personal" data, you have to be hyper-attentive to ensuring that it's only seen by those who "should" see it. A challenging legitimate example of exposing very personal data without requiring passwords or other authorizations, is something like a health-alert tool that lets a first-responder scan a QR code to get essential medical information about the patient whose life they're trying to save/assist. THere's no time or opportunity for passcodes or other authorizations there. Especially if the database is national or international and the first-responders are very localized: they won't have a passcard to scan first before scanning the QR code. They need immediate access, to whatever data the patient has agreed to allow to be disclosed if someone (actually anyone) scans the code. But, even in that case, as awcodes said, a signed Url would be safer than just a UUID that could be iterated-over by bots scanning your database. So, to protect hackers slamming your site with random UUIDs, signed Urls would be preferable. The challenge then is in being sure that whatever Urls you generate with the QR codes don't expire ... er, unless whoever owns your database wants the codes to expire at a certain date/time, requiring to be re-issued after that.
daar
daar7mo ago
@awcodes and @DrByte , thanks for your pointers! I was able to use them and create a safe access point for the users.
Want results from more Discord servers?
Add your server
More Posts
Custom import jobGetting a serializable error when trying to import using a custom job: `Cannot initialize readonly adding a tableto a livewire componentI have a problem with the display. pleas guys someone can helpFilament kinda has an issue resolving the url for my custom pageIs there something I'm missing here? Perhaps I've forgotten something.Saving hidden fields in a wizard componentHello All, Any workaround on how to save hidden form field upon form submit. The field is "unit_cosAdding custom actions on form with wizardHello, i've been confused of my code, i wanna run Jobs at submit button was clicked, and i confusedwidget in a loop?I've sort of hacked together a "widget" and the widget basically displays a card for each item in a Excel exporthi everyone, I really need help with this, I need to generate a csv file with this data: how can i apply transition on changing pages?i want to add simple transition like fade on changing pages. is there any solution for that?Laravel Deployer unknown errori've installed: https://github.com/lorisleiva/laravel-deployer i've defined the deploy.php file toTenancy + canAccessPanelHi! I'm using Filament v3 multi-tenancy and I have 2 panels. But only user A in tenant 1 should have