This is a very rough POC of using a QR code to authenticate an app towards an API, without requiring the user of the app to have an account with the backend.
Imagine a situation where you have a manager role who hands out e.g. inventory counting tasks to employees on the shop floor. The task is performed on a mobile device, but the store does not have a device for each shop floor employee.
This means two things:
-
After completing a task a worker always needs to return the device back to the manager’s desk
-
Shop floor employees do not necessarily have a username to log in with
This POC demonstrates one way of allowing any shop floor worker to use any store device to do the exact inventory count that the manager assigns to that worker, without requiring a login, without the risk of performing unrelated actions in the backend, and allowing the app used by the shop floor workers to be as minimal as possible.
There are two pieces in this repo:
-
A small Express.js server to act as the manager’s frontend and data storage
-
A small ReactNative app to act as the shop floor worker’s interaction with a task
You will need to start the server and ReactNative applications in separate terminals, and the mobile device on which you install the ReactNative app should be connected to your computer (or running on the same network might be enough, not sure).
In one terminal start the server:
cd server
npm install
npm run start
You now have a server running on localhost:3000 with some dummy data.
In another terminal start the app:
cd app/otp-connect-poc
npx expo run:ios --device # or run:android if you prefer
This will open an app on your connected device which is ready to scan a QR code. Grant it permission to access the camera.
Now you are ready to test out the flow. Imagine you are both manager and shop floor worker for this to make any sense. ;-)
-
Go to localhost:3000[localhost:3000] and press "Initiate CC123"
-
This will associate a one-time code with the data of id CC123 in the datastore
-
-
Pick up your device and point the camera at the QR code
-
This will switch extract data ID and associated one-time code from the QR code
-
These are used by the app to register itself as the handler of this task, which makes the server generate a long-lived access key and send it to the app
-
The access key is used to request the data for the ID, and the view transitions
-
-
Put in values for the three number inputs
-
Press submit
-
This will clear the app’s state and switch it back to be ready for a new QR code
-
It will also use the access key to send the updated data to the backend
-
The backend server owns the data, the app is granted access to a very limited amount of data and/or operations for a limited time on request:
-
Server generates OTP for a particular piece of data and encodes it as a QR code
-
App reads the OTP and data ID from the QR code
-
App registers with the backend using data ID and OTP
-
Backend expires OTP and returns long-lived access key
-
App makes requests towards the backend using access key
-
App eventually submits data using access key
-
Backend expires access key
At any point you can call the debug endpoint on the server to view the current state of the data store.