List of local bodies as available here: https://github.com/coronasafe/datastore/tree/master/JSON

Merchant can select one local body off the list that is saved to the database at the time of registration

When user scans a QR code (#3), the details from QR code (#5) needs to be send to the backend.

Here a "Visit" is created with details of:

• current user
• current time as entry time
• establishment identifier (from scanned QR code)
• empty exit time

For expansion purposes, would like to have Visit to have polymorphic link to Establishment as other types could be added in the future.

Change the signup image to open source SVG

• Clears the token
• takes user back to sign up page

Vulnerabilities

DepShield reports that this application's usage of lodash.toarray:4.4.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.toarray:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

• tailwindcss:1.8.10
        └─ node-emoji:1.10.0
              └─ lodash.toarray:4.4.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Name of the user is not provided on searching the user from admin.
Hence cannot display the name of the user in the admin dashboard for routemap

1. Why do we have to delete the QR Code after a month?

   journal/app/jobs/cleanup_old_data_job.rb

   Line 8 in 24aeb71

   QrCode.where("created_at <= ?", Date.current - DEFAULT_LIFETIME).destroy_all

2. Logging a visit as of now doesn't change the user's updated_at field. User's updated_at remains the same as his created_at. So deleting a user based on his updated_at will just remove the user and ALL HIS VISITS from the system after 30 days of his first login.

   journal/app/jobs/cleanup_old_data_job.rb

   Line 9 in 24aeb71

   User.where("updated_at <= ?", Date.current - DEFAULT_LIFETIME).destroy_all

3. Shouldn't we be deleting all visits which are older than 30 days? And also delete the user if his last visit was logged more than 30 days ago?

Admin should be able to enter an establishment name, a particular date and time and receive filtered details on users who have been in and out during the particular time period.

Vulnerabilities

DepShield reports that this application's usage of acorn:6.4.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:6.4.1 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ webpack:4.44.2
              └─ acorn:6.4.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

On user sign up page, the phone number entered by user has to be verified first.

@bodhish for docs on existing service to do that.

Related to #8
API: https://github.com/coronasafe/journal/blob/develop/doc/api.md#routemap-for-a-user

Backend defaults to last 7 days, but date can be customized. Requires two date pickers for start and end date, end date needs to be validated to be less than start date.

Seems like
Apis /api/v1/visits/ongoing and /api/v1/visits not working for some scenarios.

user has no visit - api is working
user has 1 visit - api is working
user has 2 visit - api is not working
user has more than 2 visits - api is not working

Originally posted by @amaljosea in #45 (comment)

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ optimize-css-assets-webpack-plugin:5.0.4
              └─ cssnano:4.1.10
                    └─ cssnano-preset-default:4.0.7
                          └─ postcss-merge-rules:4.0.3
                                └─ caniuse-api:3.0.0
                                      └─ lodash.memoize:4.1.2

• postcss-cssnext:3.1.0
        └─ caniuse-api:2.0.0
              └─ lodash.memoize:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

User

On the user end, the application is to be used by the most common of people. This design has to be kept as simple and bare bones as possible.

This is why we are skipping detailed password based authentication on user. User will have a sign up page where they can enter minimal details of themselves, this will be saved to the backend with a token generated ending the user on main page.
If this token ever gets cleared (assuming that the possibility of this happening is rare), user will be redirected back to the sign up page.

Uniqueness of date of birth + phone number is enforced, so as communicate with other Coronasafe projects easier in the future.

Merchant

Admin

This is to be used by district officials, the emphasis here is on the functionality rather than the UI.

Label each page by their application.

Currently all pages are named Journal - Coronasafe. Keeping the same template, add the page name in front.

Use react-helmet

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ webpack:4.44.2
              └─ micromatch:3.1.10
                    └─ extglob:2.0.4
                          └─ expand-brackets:2.1.4
                                └─ debug:2.6.9
                    └─ snapdragon:0.8.2
                          └─ debug:2.6.9

• webpack-dev-server:3.11.0
        └─ compression:1.7.4
              └─ debug:2.6.9
        └─ express:4.17.1
              └─ body-parser:1.19.0
                    └─ debug:2.6.9
              └─ debug:2.6.9
              └─ finalhandler:1.1.2
                    └─ debug:2.6.9
              └─ send:0.17.1
                    └─ debug:2.6.9
        └─ serve-index:1.9.1
              └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ webpack:4.44.2
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ to-object-path:0.3.0
                                            └─ kind-of:3.2.2
                                └─ class-utils:0.3.6
                                      └─ static-extend:0.1.2
                                            └─ object-copy:0.1.0
                                                  └─ kind-of:3.2.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ is-accessor-descriptor:0.1.6
                                            └─ kind-of:3.2.2
                                      └─ is-data-descriptor:0.1.4
                                            └─ kind-of:3.2.2

• webpack-dev-server:3.11.0
        └─ chokidar:2.1.8
              └─ braces:2.3.2
                    └─ fill-range:4.0.0
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
                    └─ snapdragon-node:2.1.1
                          └─ snapdragon-util:3.0.1
                                └─ kind-of:3.2.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Generated admin credentials can be used to sign up to the application.

Possibility with Active admin generated page

Vulnerabilities

DepShield reports that this application's usage of lodash.uniq:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.uniq:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ optimize-css-assets-webpack-plugin:5.0.4
              └─ cssnano:4.1.10
                    └─ cssnano-preset-default:4.0.7
                          └─ postcss-merge-rules:4.0.3
                                └─ caniuse-api:3.0.0
                                      └─ lodash.uniq:4.5.0

• postcss-cssnext:3.1.0
        └─ caniuse-api:2.0.0
              └─ lodash.uniq:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Admin should be able to generate a list of establishments visited by the user in case they test positive for the virus.

Vulnerabilities

DepShield reports that this application's usage of http-proxy:1.18.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

http-proxy:1.18.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack-dev-server:3.11.0
        └─ http-proxy-middleware:0.19.1
              └─ http-proxy:1.18.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Verify working of:

• Rails

• Active Admin

• React

• Tailwind UI

To mark exit on an ongoing visit as specified in the doc, field visit_id is needed.

Seems like the field visit_id is now not present in the response of these apis.

Log a new visit
Get all visits of a user
Get ongoing visits of a user

This happens because User schema has been changed. It has no email now, but has phone_number, date_of_birth etc instead. But this change is not reflected while loading sample data.

Api required to list all establishments in admin.

Related to #9

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ webpack:4.44.2
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

For MVP, merchant does not need to have a login to application.

The merchant page should enable to collect:

• Establishment name
• Phone number
• Address

This has to be saved on to the database and a QR code is generated.

QR code contains following details:

• typeof "establishment" (this is for extension purposes later on, other types can be added)
• backend identifier for merchant/establishment

Vulnerabilities

DepShield reports that this application's usage of lodash._reinterpolate:3.0.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._reinterpolate:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

• postcss-cssnext:3.1.0
        └─ postcss-initial:2.0.0
              └─ lodash.template:4.5.0
                    └─ lodash._reinterpolate:3.0.0
                    └─ lodash.templatesettings:4.2.0
                          └─ lodash._reinterpolate:3.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The homepage should have a listing of ongoing visits of the user.

Ongoing visits are those that do not have an exit time (#30)

User should be able to mark as Exit from a visit from the same list.

From the main page, user should be able to scan a QR code.

Checkout libraries like Instascan

Scanning a QR code successfully, shows a small microinteraction indicating success and returns the user to the main page.

Sign up collects following details from the user:

• Name
• Phone number
• Date of Birth of the user

Authentication enforces uniqueness of phone number + date of birth on the backend.

Ref: #1

Returns a token (cookie or otherwise) stored locally on the device.

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ webpack-assets-manifest:3.1.1
              └─ lodash.get:4.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Ref: #4

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

express:4.17.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack-dev-server:3.11.0
        └─ express:4.17.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ webpack:4.44.2
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ has-value:1.0.0
                                            └─ has-values:1.0.0
                                                  └─ kind-of:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

If you can help

As per images

https://drive.google.com/file/d/1GvQfJhf8WSbvIKecCLCpKcN3hglqs0pQ/view?usp=sharing

I created in the workspace some releases

The IDE starts the application, until I show the return in chrome

The problem is that the variable pointed at the breakpoint is not being returned

Can anyone help?

As per images

https://drive.google.com/file/d/1M6mhdvItbj2cu0Zqool6D5VZzhJHpM72/view?usp=sharing

The IDE starts the application, until I show the return in chrome

The problem is that the error is being returned when trying to debug the application

Can anyone help?

Add a background service to delete all user journal data which is older than 30 days.

I have seen a use case for journal for a different way.

In our church due to covid, daily entry of all the people visited is being made. Info collected are Name, Phone number, Age, Address. Currently they are logging the register manually.

I thought of suggesting journal to the officials, but the issue is that the crowd come to the church in a rural village like ours doesn't have internet and smart phone.

So the idea is to print QR codes, register the user and assign and give a QR code per person and they bring it daily and we could scan and log their entry. I am sure that the individual elements (like scanner, QR generator, databases etc) for making this work is present inside journal project.

Do we have any scope of accompanying something like this in our current project or a new fork/fresh will be appropriate?

Thoughts?

• Show merchant name and address next to ongoing visits list

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

• @rails/webpacker:4.3.0
        └─ optimize-css-assets-webpack-plugin:5.0.4
              └─ cssnano:4.1.10
                    └─ cssnano-preset-default:4.0.7
                          └─ postcss-svgo:4.0.2
                                └─ svgo:1.3.2
                                      └─ coa:2.0.2
                                            └─ q:1.5.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}