Secure Single Use QR Codes

Top  Previous  Next

Secure single use QR codes provide an extension of the QR codes used for contactless operation. The QR code is signed using a password to make it secure and difficult to forge and can only be used once on an iPad. This means that it can be used for theme parks and attractions or for photo booths where users can be issued with a QR code "coupon" to use the photo booth. It can also be used to run a paid photo booth where the user makes a payment using an online payment service such as PayPal and is sent an email or a text linking to a single use QR code that can be scanned by the photo booth.

 

The QR Code Text

 

The QR code is in the form of a URL which has two parameters: a JSON string containing the commands and a SHA1 signature.

 

The JSON string can contain up to 10 strings (s1 to s10) and up to 10 commands which correspond to touchscreen actions (c1 to c10). It can also contain an email command (autoemail or email) and an expiry date and time. Please see QR codes used for contactless operation for information about the strings, commands and email options.

The expiry date/time is in the form of the number of seconds since the Unix epoch (00:00:00 UTC on 1 January 1970) stored in the JSON "expiry" value.

For additional security an optional id field can be added to the JSON string to specify the Vendor Id of the iPad. The app will only process the QR code if the id in the JSON string matches the Vendor Id of the iPad.

 

The signature is the SHA1 hash of the JSON string plus the password.

 

Example:

To create a QR code that starts a photo session with the touchscreen command "switchToStillsAndStart"and automatically emails the output to sales@breezesys.com and is valid until 12:57 on Tuesday, May 19th, 2020 the JSON string would be:

{"c1":"switchToStillsAndStart","expiry":1589885824,"autoemail":"sales@breezesys.com"}

 

The default password for the app is: <auth_password>

The string to sign is the JSON string + the password: {"c1":"switchToStillsAndStart","expiry":1589885824,"autoemail":"sales@breezesys.com"}<auth_password>

The SHA1 hash of the string to sign is:4717b76e279cd2dd8435e0c46d95ccd4c9392da8

 

The text for the QR code needs to be in the form of a URL with a base URL which can be anything you like e.g. https://contactlessbooth.com

The signature is then added as the 'auth' parameter e.g. https://contactlessbooth.com?auth=4717b76e279cd2dd8435e0c46d95ccd4c9392da8

Then URL encode the JSON string and add it to the URL as the "j" parameter e.g.

https://contactlessbooth.com?auth=4717b76e279cd2dd8435e0c46d95ccd4c9392da8&j=%7B%22c1%22%3A%22switchToStillsAndStart%22%2C%22expiry%22%3A1589885824%2C%22autoemail%22%3A%22sales%40breezesys.com%22%7D

 

Additional parameters can also be added to the base URL if required. One use for this would be to provide a link to the photos on an online gallery e.g. https://yoursite.com/gallery.php?id=1234&auth=...

 

Enabling Secure Single Use QR Codes

 

Secure single use QR codes need to be enabled by setting two values in the settings.xml file on the iPad:

<qrCodeAuthRequired>true</qrCodeAuthRequired>

<qrCodeAuthPassword>d315a84c6b10a1184550bdd47c1210</qrCodeAuthPassword>

 

The <qrCodeAuthRequired> tag needs to be set to true. This will disable normal QR codes in the app and only allow secure QR codes that have the correct signature. The encrypted signature is stored in the <qrCodeAuthPassword>

tag and defaults to <auth_password>. An encrypted password can be created by setting one of the other passwords in the iPad's App Settings, e.g. the upload URL password, and copying its value.

 

In addition QR commands and strings should be enabled in the iPad's App Settings screen and in the settings for each event.

 

Providing Feedback When Scanning QR Codes

 

If a QR code is scanned and accepted the app will execute the commands (e.g. starting the countdown) without displaying any additional information. If there is an error a simple error message screen will be displayed for a few seconds. This can be customized by providing an optional JPEG background image and GIF or movie animation. The GIF and movie animations can be sized and positioned on screen in the same way as animations on the other photo booth screens. The following error screens filenames can be used:

 

qr_missing_parameters - the QR code is missing the auth or j parameters

qr_not_authorized - the auth parameter does not match the SHA1 hash of the JSON string plus password or the optional id in the JSON string does not match the iPad's Vendor Id

qr_invalid - the JSON string cannot be decoded or the expiry date/time value is missing from the JSON string

qr_used - the QR code has already been used on this iPad

qr_expired - the QR code has expired

 

For example to display a screen with a background and an GIF animation centered on the screen when a QR code has expired the files would be:

qr_expired.jpg

qr_expired_{l%50t%50}.gif

 

Example PHP Script

 

The PHP code below will generate the QR code text to start a photo booth session using the touchscreen command "switchToStillsAndStart" and automatically email the photos to sales@breezesys.com. The QR code will be valid for 5 minutes (300 seconds) from when it was generated:

       

// add touchscreen command to switch to stills mode and start the countdown

$json['c1'] = "switchToStillsAndStart";

 

// add a command to automatically email the photos to sales@breezesys.com

$json['autoemail'] = "sales@breezesys.com";

 

// set the expiry time to 300 seconds from now

$expires = time() + 300;

$json['expiry'] = $expires;

 

// generate the JSON string and SHA1 signature

$jsonStr = json_encode($json);

$authStr = $jsonStr . "<auth_password>";

$auth = sha1($authStr);

 

// construct the URL for the QR code text

$url = "https://contactlessbooth.com?auth=$auth&j=" . urlencode($jsonStr);