Merge pull request #412 from dylan8902/pub-thursday-audit

Pub thursday audit
dylan8902 · Feb 20, 2024 · 82fc618 · 82fc618
2 parents eb5402a + 1f88bdb
commit 82fc618
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 0 deletions.
diff --git a/app/controllers/pub_thursday_audit_controller.rb b/app/controllers/pub_thursday_audit_controller.rb
@@ -0,0 +1,84 @@
+class PubThursdayAuditController < ApplicationController
+  include ErrorHelper
+
+
+  # GET /pub-thursday-audit
+  # GET /pub-thursday-audit.json
+  # GET /pub-thursday-audit.xml
+  def index
+
+    project = "pub-tracker-live"
+    api_url = "https://firestore.googleapis.com/v1/"
+    base_url = "#{api_url}projects/#{project}/databases/(default)/documents"
+
+    @users = {}
+
+    response = JSON.parse(RestClient.get("#{base_url}/users?mask.fieldPaths=displayName&mask.fieldPaths=photoURL&pageSize=300").body)
+    response["documents"].each do |user|
+      display_name = user["fields"]["displayName"]["stringValue"]
+      photo_url = user["fields"]["photoURL"]["stringValue"]
+      @users[user["name"]] = { name: display_name, photo: photo_url, sessions: [] }
+    end
+
+    documents = []
+
+    url = "#{base_url}/sessions?orderBy=startTime%20desc&mask.fieldPaths=startTime&mask.fieldPaths=endTime&mask.fieldPaths=userRef&mask.fieldPaths=locationName&pageSize=300"
+    response = JSON.parse(RestClient.get(url).body)
+    documents.concat response["documents"]
+
+    url = "#{url}&pageToken=#{response["nextPageToken"]}"
+    response = JSON.parse(RestClient.get(url).body)
+    documents.concat response["documents"]
+
+    documents.each do |session|
+      ref = session["fields"]["userRef"]["referenceValue"]
+      start_time = session["fields"]["startTime"]["timestampValue"]
+      end_time = session["fields"]["endTime"]["timestampValue"]
+      location = session["fields"]["locationName"]["stringValue"]
+      @users[ref][:sessions] << {
+        id: session["name"],
+        url: "#{api_url}#{session["name"]}",
+        start: DateTime.parse(start_time),
+        end: DateTime.parse(end_time),
+        location: location
+      }
+    end
+
+    @users.delete_if do |k,v|
+      v[:sessions].empty?
+    end
+
+    @users.each do |key, user|
+      user[:sessions].each do |session|
+        user[:sessions].each do |other_session|
+          if
+            (other_session[:start] > session[:start] and other_session[:end] < session[:end]) ||
+            (other_session[:start] < session[:start] and other_session[:end] > session[:end]) ||
+            (other_session[:start] > session[:start] and other_session[:start] < session[:end] and other_session[:end] > session[:end]) ||
+            (other_session[:start] < session[:start] and other_session[:end] < session[:end] and other_session[:end] > session[:start])
+            session[:within] = {
+              id: other_session[:id],
+              url: other_session[:url],
+              start: other_session[:start],
+              end: other_session[:end]
+            }
+            user[:illegal] = true
+          end
+        end
+      end
+      user[:sessions].delete_if do |session|
+        session[:within].nil?
+      end
+    end
+
+    @users.delete_if do |k,v|
+      v[:illegal].nil?
+    end
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: @users, callback: params[:callback] }
+      format.xml { render xml: @users }
+    end
+  end
+end
diff --git a/app/views/pub_thursday_audit/index.html.erb b/app/views/pub_thursday_audit/index.html.erb
@@ -0,0 +1,36 @@
+<% provide(:title, "Pub Thursday Audit") %>
+<% provide(:description, "Due to a small bug of allowing users to have more than one active session, an audit needs to occur") %>
+
+<h1>Pub Thursday Audit</h1>
+
+<p class="well">
+	Due to a severe security vulnerability on the Pub Tursday backed, clients have been able to trigger multiple check-in sessions inflating their time spent in pub.
+	Here is an audit of sessions where they overlap another.
+</p>
+
+<section class="row">
+  <% @users.each do |key, user| %>
+	<article class="col-md-4">
+		<h2>
+			<img alt="Gravatar" width="50" height="50" class="img-circle" src="<%= user[:photo] %>">
+			<%= user[:name] %>
+		</h2>
+		<% user[:sessions].each do |session| %>
+		<div style="margin-bottom:24px">
+			<h4>
+				<a href="<%= session[:url] %>" target="_blank">
+					<%= session[:start].strftime('%d/%m/%Y') %>
+					<%= session[:start].strftime('%H:%M:%S') %> - <%= session[:end].strftime('%H:%M:%S') %>
+				</a>
+			</h4>
+			<h5><%= session[:location] %></h6>
+			<p>
+				Overlaps with <a href="<%= session[:within][:url] %>" target="_blank">another session</a>
+				<%= session[:within][:start].strftime('%H:%M:%S') %> -
+				<%= session[:within][:end].strftime('%H:%M:%S') %>
+			</p>
+		</div>
+		<% end %>
+	</article>
+	<% end %>
+</section>
diff --git a/config/routes.rb b/config/routes.rb
@@ -340,6 +340,7 @@ def matches?(request)
     get  "pringles"       => "pringles_prices#index"
     get  "pubthursday"    => "pub_thursday#challenge"
     post "pubthursday"    => "pub_thursday#webhook"
+    get  "pub-thursday-audit"    => "pub_thursday_audit#index"
     get  "qr"             => "qr#index"
     get  "reading"        => "reading#index"
     get  "realtime"       => "realtime#index"