# Feature Specification: Generate a QR Code for an Event

**Feature**: `017-qr-code`
**Created**: 2026-03-06
**Status**: Draft
**Source**: Migrated from spec/userstories.md

## User Scenarios & Testing

### User Story 1 - Display and Download QR Code (Priority: P1)

Any visitor who holds the event link can view a QR code on the event page that encodes the public event URL. The QR code is generated server-side — no external service is contacted — and can be downloaded as a print-ready file (SVG or high-resolution PNG). This makes it easy to print the code on posters or flyers.

**Why this priority**: This is the core deliverable of US-11. Without a downloadable, server-generated QR code, the feature has no value. All other criteria are conditions of this baseline.

**Independent Test**: Can be fully tested by loading any event page and verifying that a QR code is displayed, that a download link produces a valid SVG or PNG file whose content encodes the correct event URL, and that no external network request was made to generate it.

**Acceptance Scenarios**:

1. **Given** a valid event exists, **When** a visitor opens the event page, **Then** a QR code encoding the public event URL is displayed on the page.
2. **Given** a QR code is displayed, **When** the visitor clicks the download link, **Then** a file (SVG or high-resolution PNG) is downloaded directly from the app's backend without client-side generation.
3. **Given** the downloaded file, **When** it is scanned with a QR reader, **Then** it resolves to the correct public event URL.
4. **Given** the QR code endpoint is accessed, **When** the server generates the code, **Then** no request is made to any external QR code service.
5. **Given** a visitor who has not RSVPed or logged in, **When** they access the event page, **Then** the QR code and download link are still available — no organizer token or RSVP required.
6. **Given** the event has expired, **When** a visitor opens the event page, **Then** the QR code and download link remain available and functional.
7. **Given** the QR code download is requested, **When** the server handles the request, **Then** no personal data, IP address, or identifier is transmitted to any third party.

---

### Edge Cases

- What happens when the event does not exist? The server returns "event not found" — the QR code endpoint must behave consistently and not leak data.
- How does the download link behave when the event URL is long? The QR code must be generated at a sufficient error-correction level to remain scannable even for longer URLs.

## Requirements

### Functional Requirements

- **FR-001**: The event page MUST display a QR code that encodes the public event URL.
- **FR-002**: The QR code MUST be generated entirely server-side — no external QR code service or third-party API may be contacted.
- **FR-003**: The QR code MUST be downloadable as a file suitable for printing (SVG or high-resolution PNG).
- **FR-004**: The QR code download MUST be served from a direct backend endpoint — the actual file download MUST NOT require client-side generation.
- **FR-005**: The QR code MUST be accessible to any visitor holding the event link; no organizer token or RSVP is required.
- **FR-006**: Personal data, IP addresses, and identifiers MUST NOT be transmitted to any third party when the QR code is generated or downloaded.
- **FR-007**: The QR code MUST remain available and downloadable after the event has expired.
- **FR-008**: The QR code endpoint MUST return a consistent "event not found" response if the event does not exist — no partial data or error traces may be exposed.

### Key Entities

- **QRCode**: Virtual — no independent storage. Generated on demand from the event token and the public event URL. Not persisted.
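
The following sketch is an added illustration of the endpoint contract in FR-005, FR-007 and FR-008; it is not code from this project. The token shape, the `https://events.example` origin, the `/events/<token>` path, the handling of unsupported formats and the injected `render` callable (standing in for whichever local QR library is chosen) are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumptions, not from the spec: token shape, origin and URL path.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22}")
BASE_URL = "https://events.example"
CONTENT_TYPES = {"svg": "image/svg+xml", "png": "image/png"}
# One shared response for every "no such event" case (FR-008).
NOT_FOUND = (404, {"Content-Type": "text/plain"}, b"event not found")


@dataclass
class Event:
    token: str
    expired: bool


def qr_response(token, fmt, events, render):
    """Return (status, headers, body) for a QR download request."""
    # Malformed tokens, unknown tokens and unsupported formats all get the
    # same bytes and headers, so responses do not reveal which check failed.
    if fmt not in CONTENT_TYPES or not TOKEN_RE.fullmatch(token):
        return NOT_FOUND
    event = events.get(token)
    if event is None:
        return NOT_FOUND
    # Deliberately no expiry, organizer-token or RSVP check (FR-005, FR-007).
    url = f"{BASE_URL}/events/{event.token}"
    try:
        body = render(url, fmt)  # local generation only (FR-002)
    except Exception:
        # Renderer failures expose neither traces nor partial data (FR-008).
        return (500, {"Content-Type": "text/plain"}, b"internal error")
    headers = {
        "Content-Type": CONTENT_TYPES[fmt],
        "Content-Disposition": f'attachment; filename="event-qr.{fmt}"',
    }
    return (200, headers, body)


# Constructed sample data: one expired event and a stand-in renderer.
EVENTS = {"a" * 22: Event("a" * 22, expired=True)}


def fake_render(url, fmt):
    return f"<svg><!-- {url} --></svg>".encode()
```
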

## Success Criteria

### Measurable Outcomes

- **SC-001**: A visitor can view a QR code on any event page without performing any additional action (no login, no RSVP).
- **SC-002**: The downloaded file scans correctly to the event URL in at least two independent QR reader applications.
- **SC-003**: No outbound network request to an external service is made during QR code generation (verifiable via network inspection).
- **SC-004**: The QR code endpoint returns a valid file for both active and expired events.
- **SC-005**: The download link works without JavaScript (direct server endpoint).