# Example Code/Flow/Design

## 🔒 Securing the communication

### 1. Restrict to localhost for kiosk

* The kiosk UI (`:8080`) should only talk to the backend via `ws://127.0.0.1:12345` (or `wss://` if you enable TLS).
* This ensures the touchscreen browser cannot be hijacked remotely.

### 2. TLS for remote UI

* For the remote UI (`:9090`), expose a WebSocket server with TLS (`wss://Pi_IP:12346`).
* Generate a self‑signed certificate or use Let’s Encrypt if the Pi is reachable externally.
* Qt supports `QWebSocketServer::SecureMode` with SSL certificates.

```cpp
server = new QWebSocketServer("SecureServer",
                              QWebSocketServer::SecureMode, this);
QSslConfiguration sslConfig;
sslConfig.setLocalCertificate(QSslCertificate::fromPath("server.crt"));
sslConfig.setPrivateKey(QSslKey(QFile("server.key"), QSsl::Rsa));
server->setSslConfiguration(sslConfig);
server->listen(QHostAddress::Any, 12346);

```

### 3. Authentication

* Require a token or password for remote clients.
* On connection, the client must send `{ "auth":"secret123" }` before other commands.
* Backend rejects unauthenticated clients.

***

## 🖥️ Serving two UIs

### Option A: Two web servers

* Run a lightweight HTTP server (e.g. `QtHttpServer` or `nginx`) on the Pi.
* Serve `dashboard_kiosk.html` at port 8080.
* Serve `dashboard_full.html` at port 9090.
* Both connect to the same backend WebSocket, but kiosk uses localhost only.

### Option B: One server, two routes

* Serve both UIs from one server, but separate routes: 
  * `http://Pi_IP:8080/kiosk`
  * `http://Pi_IP:8080/full`
* Use Chromium kiosk mode on the Pi to open `/kiosk`.

***

## 🔄 Communication flow

* **Kiosk UI (touchscreen)**
   → Connects to `ws://127.0.0.1:12345` (no TLS, local only).
   → Sends commands like `toggleSiren`.
   → Receives sensor updates every few seconds.
* **Remote UI (PC browser)**
   → Connects to `wss://Pi_IP:12346` (TLS).
   → Authenticates with token.
   → Can send commands and receive updates, but with richer navigation.

***

## 🚀 Next Steps

1. Generate TLS certs (`openssl req -new -x509 -days 365 -keyout server.key -out server.crt`).
2. Configure Qt WebSocket server with `SecureMode` for remote clients.
3. Serve two HTML versions (kiosk vs full) via nginx or QtHttpServer.
4. Add authentication handshake for remote connections.

***