QR code validation #677

Draft
wants to merge 46 commits into
base: master

rm03
Member

@rm03 rm03 commented Apr 22, 2024

Addresses #676

  • QR codes now resolve to signed tokens which encode the ticket id and owner
  • Upon scanning the QR code in Penn Mobile, mobile backend sends an authenticated request to our backend
  • Only officer+ have permission to scan QR codes
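The flow in the description above, as an added example that is not taken from this pull request or the project's code: a token that binds ticket id and owner under a server-side MAC, verified and role-gated at scan time. The HMAC-SHA256 construction, `SECRET_KEY`, the `ROLE_RANK` ladder, the ownership lookup and the result strings are all assumptions; the page does not show the actual signing scheme.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key"  # assumption: known to the server only
ROLE_RANK = {"member": 0, "officer": 1, "owner": 2}  # hypothetical role ladder

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_ticket(ticket_id: str, owner: str) -> str:
    """Build the string the QR code carries: base64(payload).base64(HMAC)."""
    payload = json.dumps({"owner": owner, "ticket": ticket_id}, sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(mac)}"

def verify_ticket(token: str):
    """Return the signed payload as a dict, or None if malformed or tampered."""
    try:
        body, sig = token.split(".")
        payload, mac = b64d(body), b64d(sig)
    except ValueError:  # wrong part count or bad base64 (binascii.Error)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return json.loads(payload)  # parsed only after the MAC has been checked

def scan(token: str, scanner_role: str, current_owner: dict) -> str:
    """Decide a scan: role gate first, then signature, then ownership."""
    if ROLE_RANK.get(scanner_role, -1) < ROLE_RANK["officer"]:
        return "forbidden"
    claims = verify_ticket(token)
    if claims is None:
        return "invalid"
    # The token names an owner; compare it with the server's record (a
    # constructed dict stands in for the database) so an outdated code fails.
    if current_owner.get(claims["ticket"]) != claims["owner"]:
        return "stale"
    return "valid"
```

Because the payload is only parsed after the MAC check passes, a client that edits the owner or ticket id in the QR contents gets `invalid` rather than reaching the ownership lookup.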

cphalen and others added 30 commits November 12, 2022 14:54
…out and updated when any cart is validated before checkout
* Merge master into ticketing

* Move ticketing migration to end
Merge frontend ticketing branch into main ticketing feature branch.

---------

Co-authored-by: Rohan Gupta <rohangupta883@gmail.com>
Co-authored-by: dfeng678 <dfeng678@seas.upenn.edu>
Co-authored-by: alnasir7 <alnasirvx@gmail.com>
Co-authored-by: Mohamed Abaker <mabaker@vag-nap-dhcp0951.apn.wlan.private.upenn.edu>
Co-authored-by: DiiZyy <zhangdavid33@gmail.com>
Co-authored-by: printer83mph <printer.83mph@gmail.com>
Co-authored-by: Avi Upadhyayula <69180850+aviupadhyayula@users.noreply.github.com>
Co-authored-by: cphalen <cphalen@seas.upenn.edu>
Co-authored-by: Alexander Kyimpopkin <39439486+alxkp@users.noreply.github.com>
Co-authored-by: Joy Liu <joyliu.q@gmail.com>
Co-authored-by: Rohan Moniz <60864468+rm03@users.noreply.github.com>
Co-authored-by: joel8019 <46795321+joel8019@users.noreply.github.com>
Co-authored-by: Eunsoo Shin <me@esinx.net>
Make TicketsTab not crash
rohangpta and others added 15 commits April 14, 2024 17:39
* Add check on event deletion

* add cybersource package

* Capture context generation + local dev setup instructions (#645)

* capture context view

* fix populate

* move capture context generation to checkout view

* Optimize Django ops in cart validation

* Use Q objects in cart validation

* switch out nginx for local-ssl-proxy

---------

Co-authored-by: aviupadhyayula <aupadhy@gmail.com>

* fix target origin url

* Closes #632 (#648)

* This commit resolves #632:

- Add logic to interact with the CyberSource API to validate
transaction data and also confirm the payment.
- Add appropriate error handling for API invocation failures causing
transaction failure.
- Store the transaction data in a new model `TicketTransactionRecord`
for bookkeeping purposes. Each ticket is also associated with an
instance of this class.
- On transaction success, assign the ticket to the user, remove holds
and from cart, and send out confirmation email.

* Address PR comments, query opt, and others

- More judicious use of `select_for_update`: only lock when updating
holder/owner.
- Better prefetching/bulk updating throughout the query logic
- Return HTTP status codes
- Refactor as per PR comments

* Validate the transient token's signature

- I tested the workflow from `initiate_checkout` to `complete_checkout`
and was able to get it working.
- Ironed out a few bugs
- Add the `reconciliation_id` as a field on the transaction record;
could be useful to generate reports. We'll need to figure out what else
to store to interact with their reporting API.

* Make reconciliation_id nullable to support free tickets

* Address nit, refactor ticket count logic to SQL

* merge migrations...

* pipenv lock again

* Pin uwsgi...2.0.25 breaks CI

---------

Co-authored-by: aviupadhyayula <aupadhy@gmail.com>
Co-authored-by: Rohan Moniz <60864468+rm03@users.noreply.github.com>
* Set & enforce order limit on ticket purchases

* Add migration

* Default tix order limit to 10

* Consolidate migrations

* Check each carted event's order limit

* Move limit validation to `add_to_cart`

* Fix typo 😔

* Address nits with validation logic

* Minor refactor
* Integrate ticket price field into ticket creation/list views, as well into ticket creation frontend.

* Enforce non-negative ticket prices at creation

* Add frontend checks for fractional/negative ticket count and cost.

* Prevent users from entering negative/fractional ticket counts/price for now.

---------

Co-authored-by: aviupadhyayula <aupadhy@gmail.com>
* Add group discount fields to ticket model

* Ingest group discount info at ticket creation

* Add validator for group size

* Add comments

* Apply discounts when checking out

* Remove model-level validators

* Remove validators from migration

* Improve comments

* Minor refactor

* Default group_discount to 0

* Remove check for discount in cart calculation

* Consolidate validation checks upon ticket creation

* Fix typo in validation upon ticket creation
* Owned tickets tab skeleton code.

* 🎉 Functional but suspicious code

* 🧹 Fix some good practice

---------

Co-authored-by: Julian Weng <julian.weng.us@gmail.com>
* Add test cases for backend ticketing APIs

Long overdue addition of tests to the ticketing backend.

Tests and fixes all the APIs under the Event and Ticket models.

There are more complex workflows with race conditions etc that are not
tested, but should be at some point. Unmerged functionality is also
not tested yet.

* Don't use locked rows to groupby

* Set cybersource settings in CI

* Address feedback
* Add to cart feature (styling is borked)

* 🐛 Broken code

* 🐛 fixed

* 🎨 Readd event preview

* 🧹 Less jank way of doing group discount visibility

* 🎨 Address comments and actually type things

* 🎨 Address nit

---------

Co-authored-by: Julian Weng <julian.weng.us@gmail.com>
Co-authored-by: Eunsoo Shin <me@esinx.net>
* Use capture context to verify transient token

* Add migration

* Minor changes to documentation

* Add tests

* Add comment explaining max char length

codecov bot commented Apr 22, 2024

Codecov Report

Attention: Patch coverage is 17.24138%, with 24 lines in your changes missing coverage. Please review.

Project coverage is 70.15%. Comparing base (78f02fd) to head (4bde09e).
Report is 8 commits behind head on ticketing.

| Files | Patch % | Lines |
|---|---|---|
| backend/clubs/views.py | 12.50% | 21 Missing ⚠️ |
| backend/clubs/models.py | 40.00% | 3 Missing ⚠️ |

Additional details and impacted files
@@              Coverage Diff              @@
##           ticketing     #677      +/-   ##
=============================================
- Coverage      70.36%   70.15%   -0.21%     
=============================================
  Files             31       31              
  Lines           6694     6721      +27     
=============================================
+ Hits            4710     4715       +5     
- Misses          1984     2006      +22     


@rm03 rm03 added the backend label Apr 22, 2024
Base automatically changed from ticketing to master April 29, 2024 03:52

gitguardian bot commented Apr 29, 2024

⚠️ GitGuardian has uncovered 5 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 10282361 | Triggered | Generic High Entropy Secret | 428dd7e | backend/pennclubs/settings/development.py |
| 9451515 | Triggered | Generic Password | 50b9c0b | .github/workflows/cdkactions_build-and-deploy.yaml |
| 9451515 | Triggered | Generic Password | 03214af | .github/workflows/cdkactions_build-and-deploy.yaml |
| 9451515 | Triggered | Generic Password | 80e8201 | .github/workflows/cdkactions_build-and-deploy.yaml |
| 10282361 | Triggered | Generic High Entropy Secret | 40fb7f7 | backend/pennclubs/settings/ci.py |

🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


9 participants