
Overview

The User model represents user accounts in the Checawaa system. User data is stored in data/usuarios.json as a JSON array.

Schema

username (string, required)
Unique identifier for the user. Used for login authentication and attendance tracking.
Constraints: Must be unique across all users
Examples: "admin", "empleado1"
pass (string, required)
User password stored in plain text.
Passwords are stored in plain text without encryption or hashing. This is not secure for production use and should only be used for development/testing.
Example: "123"
email (string, required)
User’s email address. Used for sending automated reminder notifications.
Format: Valid email address
Examples: "[email protected]", "[email protected]"

JSON Structure

{
  "username": "empleado1",
  "pass": "123",
  "email": "[email protected]"
}

Complete Example

The default data/usuarios.json file:
[
  {
    "username": "admin",
    "pass": "123",
    "email": "[email protected]"
  },
  {
    "username": "empleado1",
    "pass": "123",
    "email": "[email protected]"
  }
]

Implementation Details

User data initialization (app.py:30-35):
if not os.path.exists(USUARIOS_FILE):
    with open(USUARIOS_FILE, 'w') as f:
        json.dump([
            {"username": "admin", "pass": "123", "email": "[email protected]"},
            {"username": "empleado1", "pass": "123", "email": "[email protected]"}
        ], f, indent=4)

User Roles

The system distinguishes users by their username:
admin (special user)
Username: admin
Privileges:
  • Access to /monitor dashboard
  • Can view all attendance records
  • Can see absent users
  • Excluded from reminder emails
  • Redirected to monitor page after login
regular users (default)
Any username except “admin”
Privileges:
  • Access to home page (/)
  • Can submit location via /update-location
  • Cannot access /monitor (redirected to home)
  • Receive reminder emails if not checked in
  • Redirected to home page after login

Authentication Flow

  1. User submits username and password via /login endpoint
  2. System reads all users from data/usuarios.json
  3. Checks if any user matches both username and password
  4. If match found, creates session with Flask-Login
  5. User ID stored in session is the username string
if any(u['username'] == user_input and u['pass'] == pass_input for u in usuarios):
    login_user(User(user_input))

Flask-Login Integration

The User class for session management (app.py:45-46):
class User(UserMixin):
    def __init__(self, id): self.id = id
The current_user.id in authenticated requests contains the username string.

Email Notifications

Users receive automated emails at 8:00 AM if they haven’t checked in for the day. The system:
  1. Loads all users from usuarios.json
  2. Excludes users with username “admin”
  3. Checks today’s attendance records
  4. Sends a reminder to the email address of each user not found in today’s records
Email configuration (app.py:15-21):
app.config['MAIL_SERVER'] = 'smtp.gmail.com'
app.config['MAIL_PORT'] = 587
app.config['MAIL_USE_TLS'] = True
app.config['MAIL_USERNAME'] = '[email protected]'
app.config['MAIL_PASSWORD'] = 'mcgc unmv wkci dbrr'

Security Considerations

The current implementation has several security issues and is suitable only for development:
  • Passwords stored in plain text
  • No password complexity requirements
  • No rate limiting on login attempts
  • Secret key hardcoded in source
  • Email credentials hardcoded in source
For production use, implement:
  • Password hashing (bcrypt, argon2)
  • Secure secret key management
  • Environment variables for credentials
  • HTTPS/TLS encryption
  • Login attempt throttling
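
An added example (not code from Checawaa's app.py) of the password-hashing recommendation applied to the user records and login check described on this page. It uses scrypt from Python's standard library as a stand-in for bcrypt or argon2, which need third-party packages; the pass_hash field name, the cost parameters and the sample email addresses are assumptions.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

# Constructed sample mirroring the default data/usuarios.json (emails are made up).
SAMPLE_USERS = [
    {"username": "admin", "pass": "123", "email": "admin@example.test"},
    {"username": "empleado1", "pass": "123", "email": "empleado1@example.test"},
]

def _derive(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def hash_password(password):
    """Return 'scrypt$<salt>$<key>' with a fresh random salt per password."""
    salt = os.urandom(16)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt${b64(salt)}${b64(_derive(password, salt))}"

def verify_password(password, stored):
    """Constant-time check of a candidate password against a stored hash."""
    try:
        scheme, salt_b64, key_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    except ValueError:  # malformed record: wrong field count or bad base64
        return False
    return scheme == "scrypt" and hmac.compare_digest(_derive(password, salt), expected)

def migrate_users(usuarios):
    """Swap plaintext 'pass' for 'pass_hash' (hypothetical field); idempotent."""
    migrated = []
    for u in usuarios:
        rec = {k: v for k, v in u.items() if k != "pass"}
        if "pass_hash" not in rec:
            rec["pass_hash"] = hash_password(u["pass"])
        migrated.append(rec)
    return migrated

def check_login(usuarios, user_input, pass_input):
    """Replacement for the any(...) comparison in the authentication flow."""
    return any(u["username"] == user_input
               and verify_password(pass_input, u.get("pass_hash", ""))
               for u in usuarios)
```

Run migrate_users once over the loaded user list and write the result back to the file; after that, no plaintext password remains on disk and two users with the same password no longer share a stored value.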
