<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: siddarthpatelkama </title>
    <description>The latest articles on DEV Community by siddarthpatelkama  (@siddarthpatelkama).</description>
    <link>https://dev.to/siddarthpatelkama</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4003834%2F5b7c10be-984c-41f4-9e6e-5705458fce67.jpg</url>
      <title>DEV Community: siddarthpatelkama </title>
      <link>https://dev.to/siddarthpatelkama</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/siddarthpatelkama"/>
    <language>en</language>
    <item>
      <title>How I Designed an Anti-Proxy Attendance System Using Dynamic QR Authentication</title>
      <dc:creator>siddarthpatelkama </dc:creator>
      <pubDate>Mon, 29 Jun 2026 12:45:23 +0000</pubDate>
      <link>https://dev.to/siddarthpatelkama/how-i-designed-an-anti-proxy-attendance-system-using-dynamic-qr-authentication-4h8i</link>
      <guid>https://dev.to/siddarthpatelkama/how-i-designed-an-anti-proxy-attendance-system-using-dynamic-qr-authentication-4h8i</guid>
      <description>&lt;p&gt;&lt;em&gt;"Anyone can generate a QR code. Designing one that actually prevents misuse is the hard part."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When people hear "QR-based attendance," the first question is usually:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;"Can't someone just take a photo of the QR code and send it to their friend?"&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The answer is: &lt;strong&gt;yes&lt;/strong&gt;, if the system is designed poorly.&lt;/p&gt;

&lt;p&gt;That question became one of the biggest engineering challenges while building my attendance platform.&lt;/p&gt;

&lt;p&gt;Instead of thinking about QR codes as images, I started thinking about them as &lt;strong&gt;temporary authentication tokens&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Problem
&lt;/h2&gt;

&lt;p&gt;Most QR attendance systems work like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Teacher generates a QR code.&lt;/li&gt;
&lt;li&gt;Students scan it.&lt;/li&gt;
&lt;li&gt;Attendance is marked.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Simple.&lt;/p&gt;

&lt;p&gt;Unfortunately, it's also vulnerable.&lt;/p&gt;

&lt;p&gt;A student can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Photograph the QR code.&lt;/li&gt;
&lt;li&gt;Send it through WhatsApp.&lt;/li&gt;
&lt;li&gt;Another student scans it from somewhere else.&lt;/li&gt;
&lt;li&gt;Attendance gets recorded.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The QR code itself becomes the vulnerability.&lt;/p&gt;

&lt;h2&gt;
  
  
  Rethinking the QR Code
&lt;/h2&gt;

&lt;p&gt;Instead of creating a QR code that simply points to an attendance page, I designed it to behave more like a short-lived authentication token.&lt;/p&gt;

&lt;p&gt;Every QR code is generated dynamically and remains valid only for a limited period (in my implementation, I set this to 11 seconds).&lt;/p&gt;

&lt;p&gt;Once it expires, the system rejects it.&lt;/p&gt;

&lt;p&gt;This dramatically reduces the opportunity for someone to reuse an older QR code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Authentication Beyond the QR
&lt;/h2&gt;

&lt;p&gt;Scanning the QR code alone isn't enough.&lt;/p&gt;

&lt;p&gt;The backend performs additional validation before marking attendance.&lt;/p&gt;

&lt;p&gt;Rather than trusting the client, the server becomes the source of truth.&lt;/p&gt;

&lt;p&gt;This reduces opportunities for client-side manipulation and keeps the attendance workflow under server control.&lt;/p&gt;

&lt;h2&gt;
  
  
  Designing for the Real World
&lt;/h2&gt;

&lt;p&gt;One challenge I encountered was balancing &lt;strong&gt;security&lt;/strong&gt; with &lt;strong&gt;usability&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;If the QR expires too quickly, students may struggle to scan it in time.&lt;/p&gt;

&lt;p&gt;If it stays active for too long, it becomes easier to misuse.&lt;/p&gt;

&lt;p&gt;Finding the right balance required thinking about actual classroom conditions rather than only technical implementation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Lessons Learned
&lt;/h2&gt;

&lt;p&gt;One lesson stood out throughout this project:&lt;/p&gt;

&lt;p&gt;Security isn't usually one big feature.&lt;/p&gt;

&lt;p&gt;It's the result of multiple smaller decisions working together.&lt;/p&gt;

&lt;p&gt;A dynamic QR code helps.&lt;/p&gt;

&lt;p&gt;Server-side validation helps.&lt;/p&gt;

&lt;p&gt;Short-lived sessions help.&lt;/p&gt;

&lt;p&gt;Each layer reduces risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's Next?
&lt;/h2&gt;

&lt;p&gt;This article only covers one piece of the system.&lt;/p&gt;

&lt;p&gt;In future posts, I'll explore:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Backend architecture&lt;/li&gt;
&lt;li&gt;Firestore data modeling&lt;/li&gt;
&lt;li&gt;Authentication flow&lt;/li&gt;
&lt;li&gt;Scaling the platform&lt;/li&gt;
&lt;li&gt;Engineering decisions behind the project&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Building software has taught me that writing code is only part of engineering.&lt;/p&gt;

&lt;p&gt;Designing systems that continue to work under real-world conditions is where the interesting problems begin. In this project, I used libraries like &lt;code&gt;qrcode&lt;/code&gt; on the backend to generate dynamic QR codes and &lt;code&gt;html5-qrcode&lt;/code&gt; on the frontend to scan and verify them efficiently, while SHA-256 hashing was used on the backend to securely generate and validate the QR token payloads.&lt;/p&gt;




&lt;p&gt;⭐ GitHub: &lt;a href="https://github.com/siddarthpatelkama" rel="noopener noreferrer"&gt;https://github.com/siddarthpatelkama&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;💼 LinkedIn: &lt;a href="https://www.linkedin.com/in/siddarthpatelkama" rel="noopener noreferrer"&gt;https://www.linkedin.com/in/siddarthpatelkama&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>showdev</category>
      <category>softwareengineering</category>
      <category>systemdesign</category>
    </item>
    <item>
      <title>Building an Anti-Proxy -Offline-First Attendance Platform with Next.js, Express &amp; Firebase</title>
      <dc:creator>siddarthpatelkama </dc:creator>
      <pubDate>Fri, 26 Jun 2026 12:10:14 +0000</pubDate>
      <link>https://dev.to/siddarthpatelkama/building-an-anti-proxy-offline-first-attendance-platform-with-nextjs-express-firebase-15io</link>
      <guid>https://dev.to/siddarthpatelkama/building-an-anti-proxy-offline-first-attendance-platform-with-nextjs-express-firebase-15io</guid>
      <description>&lt;p&gt;Traditional attendance systems seem simple until you look at how they work in practice. Manual roll calls consume valuable class time, paper attendance sheets are inefficient, and many QR-based systems can still be exploited through proxy attendance.&lt;/p&gt;

&lt;p&gt;I wanted to explore whether a better solution was possible.&lt;/p&gt;

&lt;p&gt;This project is my attempt at designing and building an &lt;strong&gt;offline-first anti-proxy attendance platform&lt;/strong&gt; from scratch as a solo developer. The goal wasn't just to digitize attendance, but to create a system that remains reliable in real-world environments while prioritizing security, scalability, and a smooth user experience.&lt;/p&gt;

&lt;p&gt;The platform is built using &lt;strong&gt;Next.js 16, React 19, TypeScript, Express.js, Firebase Authentication, Firestore, Firebase Admin SDK, Tailwind CSS, Capacitor, Progressive Web Apps (PWA), Sentry, and dynamic QR-based authentication&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Rather than focusing only on features, this article explores the engineering decisions behind the project: why I chose an offline-first architecture, how dynamic QR validation improves security, the reasoning behind the technology stack, the challenges I faced during development, and the lessons I learned while building a production-style application that is already being used in my college club.&lt;/p&gt;

&lt;p&gt;The project is still evolving, and I continue to improve it whenever I have time. My aim is to keep documenting that journey by sharing not only what works, but also the mistakes, trade-offs, and architectural decisions that shaped the system.&lt;/p&gt;

&lt;p&gt;If you're interested in &lt;strong&gt;full-stack development, system design, Next.js, Firebase, TypeScript, or building software that solves practical problems&lt;/strong&gt;, I hope you'll find something valuable in this article.&lt;/p&gt;

&lt;p&gt;⭐ &lt;strong&gt;GitHub:&lt;/strong&gt; &lt;a href="https://github.com/siddarthpatelkama" rel="noopener noreferrer"&gt;https://github.com/siddarthpatelkama&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;💼 &lt;strong&gt;LinkedIn:&lt;/strong&gt; &lt;a href="https://www.linkedin.com/in/siddarthpatelkama" rel="noopener noreferrer"&gt;https://www.linkedin.com/in/siddarthpatelkama&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I'm always open to feedback, suggestions, and discussions with fellow developers. If you have ideas for improving the project or questions about the implementation, I'd love to hear from you.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>computerscience</category>
      <category>development</category>
      <category>vibecoding</category>
    </item>
  </channel>
</rss>
