From 3d228a3608c9ababb1a604c7d9fd24cafe2e5154 Mon Sep 17 00:00:00 2001
From: Dylan Jones
Date: Mon, 19 Feb 2024 15:18:15 +0000
Subject: [PATCH 1/3] Pull PT data and look for sessions that look sus
---
 .../pub_thursday_audit_controller.rb | 58 +++++++++++++++++++
 app/views/pub_thursday_audit/index.html.erb | 10 ++++
 config/routes.rb | 1 +
 3 files changed, 69 insertions(+)
 create mode 100644 app/controllers/pub_thursday_audit_controller.rb
 create mode 100644 app/views/pub_thursday_audit/index.html.erb
diff --git a/app/controllers/pub_thursday_audit_controller.rb b/app/controllers/pub_thursday_audit_controller.rb
new file mode 100644
index 0000000..d45fa94
--- /dev/null
+++ b/app/controllers/pub_thursday_audit_controller.rb
@@ -0,0 +1,58 @@
+class PubThursdayAuditController < ApplicationController
+ include ErrorHelper
+ before_action :authenticate_user!, except: [:index, :show, :all]
+ before_action :authenticate_admin!, except: [:index, :show, :all]
+
+
+ # GET /pub-thursday-audit
+ # GET /pub-thursday-audit.json
+ # GET /pub-thursday-audit.xml
+ def index
+
+ @users = {}
+ project = "pub-tracker-live"
+ base_url = "https://firestore.googleapis.com/v1/projects/#{project}/databases/(default)/documents"
+ response = JSON.parse(RestClient.get("#{base_url}/users?mask.fieldPaths=displayName&pageSize=300").body)
+ response["documents"].each do |user|
+ display_name = user["fields"]["displayName"]["stringValue"]
+ @users[user["name"]] = { name: display_name, sessions: [] }
+ end
+
+ documents = []
+
+ url = "#{base_url}/sessions?orderBy=startTime%20desc&mask.fieldPaths=startTime&mask.fieldPaths=endTime&mask.fieldPaths=userRef&mask.fieldPaths=locationRef&pageSize=300"
+ response = JSON.parse(RestClient.get(url).body)
+ documents.concat response["documents"]
+
+ url = "#{url}&pageToken=#{response["nextPageToken"]}"
+ response = JSON.parse(RestClient.get(url).body)
+ documents.concat response["documents"]
+
+ documents.each do |session|
+ ref = session["fields"]["userRef"]["referenceValue"]
+ start_time = session["fields"]["startTime"]["timestampValue"]
+ end_time = session["fields"]["endTime"]["timestampValue"]
+ @users[ref][:sessions] << { id: session["name"], start: DateTime.parse(start_time), end: DateTime.parse(end_time) }
+ end
+
+ @users.delete_if do |k,v|
+ v[:sessions].empty?
+ end
+
+ @users.each do |key, user|
+ user[:sessions].each do |session|
+ user[:sessions].each do |other_session|
+ if other_session[:start] > session[:start] and other_session[:end] < session[:end]
+ session[:within] = other_session
+ end
+ end
+ end
+ end
+
+ respond_to do |format|
+ format.html # index.html.erb
+ format.json { render json: @users, callback: params[:callback] }
+ format.xml { render xml: @users }
+ end
+ end
+end
\ No newline at end of file
diff --git a/app/views/pub_thursday_audit/index.html.erb b/app/views/pub_thursday_audit/index.html.erb
new file mode 100644
index 0000000..82b41c2
--- /dev/null
+++ b/app/views/pub_thursday_audit/index.html.erb
@@ -0,0 +1,10 @@
+<% provide(:title, "Pub Thursday Audit") %>
+<% provide(:description, "Due to a small bug of allowing users to have more than one active session, an audit needs to occur") %>
+
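Review bot: Both `before_action` lines exempt `:index`, so the only action in this controller hunk — which serves every user's display name and complete session history as HTML, JSON and XML — is reachable without authentication, and the JSON branch wraps the body in an attacker-chosen `params[:callback]` (Rails prefixes JSONP output with `/**/` but, as far as I know, does not validate the callback name). If the audit is meant for admins, drop `except: [:index, :show, :all]` from the admin filter and remove the JSONP option, e.g. `format.json { render json: @users }`. Separately, `@users[ref][:sessions] << {...}` raises NoMethodError for any session whose `userRef` is not among the first 300 users fetched (or belongs to a deleted user); guard it with `owner = @users[ref]` and `next unless owner` before appending. `documents.concat response["documents"]` has the same shape problem on a page with no documents: if Firestore omits the key there, as I believe it does, `concat nil` raises TypeError.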

Pub Thursday Audit

+ +
+
<%= JSON.pretty_generate(@users) %>
+
+ +
+
diff --git a/config/routes.rb b/config/routes.rb
index 7c78a24..5e1311b 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -340,6 +340,7 @@ def matches?(request)
 get "pringles" => "pringles_prices#index"
 get "pubthursday" => "pub_thursday#challenge"
 post "pubthursday" => "pub_thursday#webhook"
+ get "pub-thursday-audit" => "pub_thursday_audit#index"
 get "qr" => "qr#index"
 get "reading" => "reading#index"
 get "realtime" => "realtime#index"
From e2baf4bbdb6b4c8ce2ff4bf18115217d34e7fb87 Mon Sep 17 00:00:00 2001
From: Dylan Jones
Date: Tue, 20 Feb 2024 06:16:14 +0000
Subject: [PATCH 2/3] Add pics, links and cover all overlap scenarios
---
 .../pub_thursday_audit_controller.rb | 44 +++++++++++++++----
 app/views/pub_thursday_audit/index.html.erb | 30 ++++++++++++-
 2 files changed, 64 insertions(+), 10 deletions(-)
diff --git a/app/controllers/pub_thursday_audit_controller.rb b/app/controllers/pub_thursday_audit_controller.rb
index d45fa94..5f8f105 100644
--- a/app/controllers/pub_thursday_audit_controller.rb
+++ b/app/controllers/pub_thursday_audit_controller.rb
@@ -9,18 +9,22 @@ class PubThursdayAuditController < ApplicationController # GET /pub-thursday-audit.xml def index - @users = {} project = "pub-tracker-live" - base_url = "https://firestore.googleapis.com/v1/projects/#{project}/databases/(default)/documents" - response = JSON.parse(RestClient.get("#{base_url}/users?mask.fieldPaths=displayName&pageSize=300").body) + api_url = "https://firestore.googleapis.com/v1/" + base_url = "#{api_url}projects/#{project}/databases/(default)/documents" + + @users = {} + + response = JSON.parse(RestClient.get("#{base_url}/users?mask.fieldPaths=displayName&mask.fieldPaths=photoURL&pageSize=300").body) response["documents"].each do |user| display_name = user["fields"]["displayName"]["stringValue"] - @users[user["name"]] = { name: display_name, sessions: [] } + photo_url = user["fields"]["photoURL"]["stringValue"] + @users[user["name"]] = { name: display_name, photo: photo_url, sessions: [] } end documents = [] - url = "#{base_url}/sessions?orderBy=startTime%20desc&mask.fieldPaths=startTime&mask.fieldPaths=endTime&mask.fieldPaths=userRef&mask.fieldPaths=locationRef&pageSize=300" + url = "#{base_url}/sessions?orderBy=startTime%20desc&mask.fieldPaths=startTime&mask.fieldPaths=endTime&mask.fieldPaths=userRef&mask.fieldPaths=locationName&pageSize=300" response = JSON.parse(RestClient.get(url).body) documents.concat response["documents"] @@ -32,7 +36,14 @@ def index ref = session["fields"]["userRef"]["referenceValue"] start_time = session["fields"]["startTime"]["timestampValue"] end_time = session["fields"]["endTime"]["timestampValue"] - @users[ref][:sessions] << { id: session["name"], start: DateTime.parse(start_time), end: DateTime.parse(end_time) } + location = session["fields"]["locationName"]["stringValue"] + @users[ref][:sessions] << { + id: session["name"], + url: "#{api_url}#{session["name"]}", + start: DateTime.parse(start_time), + end: DateTime.parse(end_time), + location: location + } end @users.delete_if do |k,v| 
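Review bot: `photo_url = user["fields"]["photoURL"]["stringValue"]` raises NoMethodError for any user whose document has no `photoURL` field, because Firestore leaves unset fields out of the `fields` map (to my knowledge), and one such user takes the whole page down; `location = session["fields"]["locationName"]["stringValue"]` in the next hunk (`@@ -32,7 +36,14`) has the same problem. Use `Hash#dig` so a missing field yields nil instead: `photo_url = user.dig("fields", "photoURL", "stringValue")` and `location = session.dig("fields", "locationName", "stringValue")`. The `mask.fieldPaths` parameters only restrict which fields are returned; they do not guarantee a field is present. The `index` method continues outside both hunks.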
@@ -42,11 +53,28 @@ def index
 @users.each do |key, user|
 user[:sessions].each do |session|
 user[:sessions].each do |other_session|
- if other_session[:start] > session[:start] and other_session[:end] < session[:end]
- session[:within] = other_session
+ if
+ (other_session[:start] > session[:start] and other_session[:end] < session[:end]) ||
+ (other_session[:start] < session[:start] and other_session[:end] > session[:end]) ||
+ (other_session[:start] > session[:start] and other_session[:start] < session[:end] and other_session[:end] > session[:end]) ||
+ (other_session[:start] < session[:start] and other_session[:end] < session[:end] and other_session[:end] > session[:start])
+ session[:within] = {
+ id: other_session[:id],
+ url: other_session[:url],
+ start: other_session[:start],
+ end: other_session[:end]
+ }
+ user[:illegal] = true
 end
 end
 end
+ user[:sessions].delete_if do |session|
+ session[:within].nil?
+ end
+ end
+
+ @users.delete_if do |k,v|
+ v[:illegal].nil?
 end
 
 respond_to do |format|
diff --git a/app/views/pub_thursday_audit/index.html.erb b/app/views/pub_thursday_audit/index.html.erb
index 82b41c2..6e57acc 100644
--- a/app/views/pub_thursday_audit/index.html.erb
+++ b/app/views/pub_thursday_audit/index.html.erb
@@ -1,10 +1,36 @@
 <% provide(:title, "Pub Thursday Audit") %>
 <% provide(:description, "Due to a small bug of allowing users to have more than one active session, an audit needs to occur") %>
+
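Review bot: The four-way overlap condition misses sessions that share a boundary — two check-ins with the same `start` (exactly the duplicate-session case this audit exists for) satisfy none of the strict comparisons and are reported as clean. Replace the four disjuncts with the standard interval test plus an explicit self-exclusion: `next if other_session.equal?(session)` followed by `if other_session[:start] < session[:end] && other_session[:end] > session[:start]`; this also removes the bare `if` line and the `and`/`||` mix, whose differing precedence is a known trap. As a style point, the unused block parameters `key` and `k` read better as `_key` and `_k`. The `index` method starts outside the hunk.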

Pub Thursday Audit

+

+ Due to a severe security vulnerability on the Pub Tursday backed, clients have been able to trigger multiple check-in sessions inflating their time spent in pub. + Here is an audit of sessions where they overlap another. +

+
-
<%= JSON.pretty_generate(@users) %>
+ <% @users.each do |key, user| %> + <% end %>
From 1f88bdb91a7db259e8b758dff83ec2bbb49f0ad4 Mon Sep 17 00:00:00 2001
From: Dylan Jones
Date: Tue, 20 Feb 2024 06:16:44 +0000
Subject: [PATCH 3/3] remove need to login as admin
---
 app/controllers/pub_thursday_audit_controller.rb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/app/controllers/pub_thursday_audit_controller.rb b/app/controllers/pub_thursday_audit_controller.rb
index 5f8f105..401a43c 100644
--- a/app/controllers/pub_thursday_audit_controller.rb
+++ b/app/controllers/pub_thursday_audit_controller.rb
@@ -1,7 +1,5 @@
 class PubThursdayAuditController < ApplicationController
 include ErrorHelper
- before_action :authenticate_user!, except: [:index, :show, :all]
- before_action :authenticate_admin!, except: [:index, :show, :all]
 
 
 # GET /pub-thursday-audit