Inspiration

Every hostel, campus, and corporate office still runs on paper registers, manual attendance sheets, and physical gate logs. Students waste time waiting for wardens to manually approve passes. Guards juggle clipboards. Parents are unreachable.

We asked — what if a single QR scan could replace all of this?

That spark became GateFlow — an Intelligent Access Management Platform that eliminates friction at every gate, replacing paper-based chaos with a seamless digital access ecosystem.


What it does

GateFlow is a QR-powered, real-time access control system designed to manage 15,000+ users across campuses, hostels, and offices — all from a single unified platform.

  • 📱 Students generate dynamic, time-expiring QR gate-passes from their phone in seconds
  • 🛡️ Guards scan QR codes via webcam/camera of their phones — access is granted or denied in under 1 second
  • 🔐 Google OAuth 2.0 Login — Students log in using their institutional Google account (@cse.iiitp.ac.in). Email domain is validated server-side to auto-assign roles — a student email can never access the Warden or Guard portal, and vice versa. No passwords required.
  • 🏡 Home Visit Workflow — Students request leave, parents approve via WhatsApp, warden is notified automatically
  • 📊 Admin Dashboard — Full real-time analytics, entry/exit logs, complaint management, and performance telemetry
  • 🔑 Zero replay attacks — Time-based OTP keys embedded in every QR code expire immediately after use
  • Sub-second scan verification with Redis-backed distributed locking to prevent double-scans at busy gates

Use cases: University hostels · Corporate offices · Metro stations · Smart city infrastructure


How we built it

Layer            Technology
---------------  ------------------------------------------------------------------------------
Frontend         React (Vite), React Router v6, Recharts, HTML5-QRCode
Backend          Node.js, Express.js, Socket.io (real-time logs)
Authentication   Google OAuth 2.0 (google-auth-library), JWT (jsonwebtoken), RBAC role enforcement
Database         MongoDB Atlas + Mongoose
Cache & Queue    Redis Cloud (ioredis) + BullMQ
Notifications    Twilio WhatsApp API (simulation mode with live fallback)
DevOps           Docker, Docker Compose, Nginx
Deployment       Render (backend) + Vercel (frontend)

The system uses a monorepo architecture with separate frontend/ and backend/ services. An async BullMQ job queue handles all WhatsApp parent notifications without ever blocking the API thread. Socket.io pushes live scan events to all connected guard dashboards in real time.

Role-Based Access Control (RBAC) defines four isolated permission scopes: Student → Guard → Warden → Admin. Roles are assigned server-side based on verified Google email domains — never trusted from the client.


Challenges we ran into

Double-scan race condition: Two guards scanning the same QR simultaneously would create duplicate entry logs. We solved this with an atomic Redis distributed lock (ScanLockService) that rejects any second scan of the same QR within a 5-second window.

Secure OAuth role enforcement: We had to ensure that a student with a @cse.iiitp.ac.in email could never spoof their way into the Warden portal. The solution was server-side email domain validation before any database operation — the frontend role claim is never blindly trusted.
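
The server-side domain gating described here and in the feature list and RBAC paragraph above, as an added example that is not GateFlow's own code. It starts from a Google ID token payload that google-auth-library has already verified (OAuth2Client#verifyIdToken checks signature, expiry and audience; ticket.getPayload() yields the claims). Only the student domain appears on the page; the warden and guard domains, the client id, and every payload in the test are constructed placeholders.

```javascript
// Added example, not GateFlow's own code: assign a role on the server from a
// Google ID token payload that google-auth-library has already verified
// (OAuth2Client#verifyIdToken checks signature, expiry and audience, then
// ticket.getPayload() yields the claims used here). Nothing the browser sends
// about its role is consulted. The client id and all domains other than the
// student one are constructed placeholders.
const EXPECTED_AUD = 'placeholder-google-client-id.apps.googleusercontent.com';

// Exact-domain allow-list. Only the student domain is named on the page.
const ROLE_BY_DOMAIN = Object.freeze({
  'cse.iiitp.ac.in': 'student',
  'wardens.example.edu': 'warden',   // placeholder
  'guards.example.edu': 'guard',     // placeholder
});

// Part after the last '@', lower-cased, or null if the address is malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Derive identity and role from verified claims only. Throws on anything that
// fails the policy, so the caller never proceeds with a half-assigned user.
function assignRole(payload) {
  // verifyIdToken already checks the audience when given one; repeated here as defence in depth.
  if (payload.aud !== EXPECTED_AUD) throw new Error('token not issued for this app');
  if (payload.email_verified !== true) throw new Error('email not verified by Google');
  const domain = emailDomain(payload.email);
  // Whole-domain equality, not endsWith(): a longer domain that merely ends in
  // the allowed one, or one that differs only in case, must not match.
  const role = domain !== null && Object.prototype.hasOwnProperty.call(ROLE_BY_DOMAIN, domain)
    ? ROLE_BY_DOMAIN[domain] : null;
  if (role === null) throw new Error('email domain not allowed');
  // Workspace accounts also carry hd (hosted domain); when present it must agree.
  if (payload.hd !== undefined && String(payload.hd).toLowerCase() !== domain) {
    throw new Error('hd claim does not match email domain');
  }
  // Any 'role' field present in the payload or the request is simply ignored.
  return { sub: payload.sub, email: payload.email.toLowerCase(), role };
}

// Express-style guard: the role comes from req.user (set from the verified
// token by the auth middleware), never from req.body or a header.
function requireRole(...allowed) {
  return function (req, res, next) {
    if (!req.user || !allowed.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}
```

The role lookup is keyed on the exact domain string rather than a suffix check, and the portal routes are protected by requireRole() reading the role that assignRole() derived, so a student account cannot reach the warden or guard handlers whatever the client claims.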

Free-tier MongoDB Atlas limits: Atlas M0 clusters cap at ~500 connections. We fine-tuned maxPoolSize: 5, added response compression, aggressive static asset caching, and IP-based rate limiting to run reliably at scale on zero budget.

Real-time at scale: Pushing live scan logs to all connected guard dashboards simultaneously required careful Socket.io room architecture to avoid broadcast storms during peak 1,000-concurrent-scan scenarios.


Accomplishments that we're proud of

  • ✅ Handles 500–1,000 simultaneous QR scans during peak hours (validated with Autocannon load tests)
  • ✅ p95 latency under 200ms on health endpoints, under 600ms on all student-facing APIs
  • ✅ Google OAuth 2.0 with server-side email domain gating — institutional accounts only, roles never spoofable
  • ✅ Full RBAC system — Student, Guard, Warden, Admin with completely isolated permission scopes
  • ✅ End-to-end Home Visit approval workflow with WhatsApp parent notifications via Twilio
  • ✅ Zero replay attacks — dynamic OTP-keyed QR codes that expire after a single scan
  • ✅ Production-ready with Docker orchestration, staged rollout runbooks, and go-live checklists

What we learned

  • Designing distributed systems with atomic locks for high-concurrency, race-prone use cases
  • How to implement OAuth 2.0 securely — verifying ID tokens server-side via Google's public keys, never trusting frontend role claims
  • Optimizing MongoDB Atlas connection pools for free-tier constraints without sacrificing reliability
  • Building async notification pipelines with BullMQ that degrade gracefully under partial Redis failure
  • The power of WebSockets for instant real-time guard dashboard updates vs. expensive polling

What's next for GateFlow: QR-Based Access Control

  • 🌐 Multi-tenant SaaS — One platform managing multiple campuses and organisations
  • 🤖 AI anomaly detection — Automatically flag suspicious or unusual entry/exit patterns
  • 📍 GPS geofencing — Verify student location compliance during approved home visits
  • 🧠 Face recognition access — Frictionless entry via AI-powered facial identity verification as a second factor alongside QR, eliminating the risk of stolen or shared gate passes
  • 🪪 NFC + biometric fusion — QR + fingerprint dual-factor gate access for high-security zones
  • 📲 Native mobile app — React Native companion app for students and guards
  • 📡 IoT gate integration — Direct API control of smart turnstile hardware via REST webhooks
