6. Technology (Under construction)#
6.1. System Architecture#
The system is a standard client-server web application, built on the Django framework, with the following major architectural additions:
Multi-tenanting, to allow the web server to support a number of brigades.
Channels/websockets, that allow bi-directional communication between the client and server. These are used to enable asynchronous updates of web pages when external events such as tagging in occur.
Load balancing and on-demand scaling, provided by AWS Elastic Beanstalk. Under load, the system will automatically adjust by adding more servers and network capacity within defined bounds, and will offload these when demand drops.
Traffic splitting to allow continuous operations even through system updates.
Access control to the web application is through User accounts, with usernames and passwords required for any access to the server. This leverages Django’s excellent User Authentication system, which includes granular permission setting by group and for individual users.
Fast relational database support is provided using PostgreSQL, which also provides native support for the partitioning used in multi-tenanting. All data is backed up daily inside the secure AWS infrastructure.
6.2. Security#
The RFStag web application is built using the Django platform, which has effective protections against a number of common threats, including XSS and CSRF attacks.
Details of Django’s security features are available here, but the following is a summary of the main protections:
Access to the brigade sites requires a registered user name, and password. User names are issued by the brigade administrator, and passwords are set by the user.
Personal data for Members stored on the system is limited to member name (required), email address (required) and mobile phone number (optional).
An email address is required so that the Member can reset their password. It does not have to be the primary email address of the Member, and eg. an RFS email address may be used if preferred.
Mobile phone numbers are not required, though if they are supplied, they will be shared with other Members for their convenience.
RFStag can only be accessed using secure connection (https). This means that the connection between the user and the server is encrypted, and cannot be intercepted.
Additional protections, including HTTP Strict Transport Security (HSTS), Cross site scripting (XSS), Cross site request forgery (CSRF), and all others directly supported by Django are also included in the web application.
RFSTAG is rated as A+ (very secure), by Mozilla Observatory, which is higher than most sites, including activ (rated F).
Data is held on a Relational Database System (RDS) stored within Amazon Web Services. Only the web application can access the database, and access to the web application is restricted to registered users.
6.3. Hardware#
6.3.1. Kiosk#
6.3.2. NFC#
6.3.3. Server#
t3.medium used as main server. Up to 4 servers can be deployed if demand requires.
6.4. Software#
6.4.1. Django#
6.4.2. Forms#
6.4.3. Calendar#
6.4.4. Channels#
6.4.5. Multi-tenant#
Each brigade has its own database, including the list of members, and you can only login to a brigade system if you are a member there. Once you are logged in, you can only access data for your own brigade, and you won’t see data for any other brigades.
6.4.6. Database#
PostgreSQL is used as the back-end. Django’s Object-Relational Mapper (ORM) is used to access the database, so there is very little raw SQL in the system.
6.4.7. Admin#
6.4.8. User Authentication#
6.4.9. html/css#
If not completed in 15 minutes, forms will be automatically removed, and the screen will return to the normal Kiosk view to allow members to continue signing in and out.