Make analytics endpoint dynamic: /t/{token} derived from APP_SECRET

The endpoint path is now /t/<8-char hash of APP_SECRET> instead of static /t. Token is injected via data-e attribute on body, read by JS. Server validates token on every hit, returns 404 if invalid. Changes with each APP_SECRET = impossible to hardcode in a blocker. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 12:22:59 +01:00
parent 0952bc6e17
commit a139f86b90
4 changed files with 20 additions and 4 deletions
--- a/assets/modules/analytics.js
+++ b/assets/modules/analytics.js
@@ -1,4 +1,4 @@
-const ENDPOINT = '/t'
+let ENDPOINT = '/t'
 const SK_UID = '_u'
 const SK_HASH = '_h'

@@ -86,7 +86,9 @@ async function trackPageView(visitor) {

 export async function initAnalytics() {
    const keyB64 = document.body.dataset.k
-    if (!keyB64) return
+    const ep = document.body.dataset.e
+    if (!keyB64 || !ep) return
+    ENDPOINT = ep

    try {
        encKey = await importKey(keyB64)
--- a/src/Controller/AnalyticsController.php
+++ b/src/Controller/AnalyticsController.php
@@ -11,17 +11,25 @@ use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Messenger\MessageBusInterface;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\Routing\Attribute\Route;

 class AnalyticsController extends AbstractController
 {
-    #[Route('/t', name: 'app_analytics_track', methods: ['POST'])]
+    #[Route('/t/{token}', name: 'app_analytics_track', methods: ['POST'])]
    public function track(
+        string $token,
+        #[Autowire('%kernel.secret%')] string $appSecret,
        Request $request,
        AnalyticsCryptoService $crypto,
        EntityManagerInterface $em,
        MessageBusInterface $bus,
    ): Response {
+        $expectedToken = substr(hash('sha256', $appSecret.'_endpoint'), 0, 8);
+        if (!hash_equals($expectedToken, $token)) {
+            return new Response('', 404);
+        }
+
        $body = $request->getContent();
        $envelope = json_decode($body, true);

--- a/src/Twig/AnalyticsExtension.php
+++ b/src/Twig/AnalyticsExtension.php
@@ -3,20 +3,26 @@
 namespace App\Twig;

 use App\Service\AnalyticsCryptoService;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Twig\Extension\AbstractExtension;
 use Twig\Extension\GlobalsInterface;

 class AnalyticsExtension extends AbstractExtension implements GlobalsInterface
 {
+    private string $endpointToken;
+
    public function __construct(
        private AnalyticsCryptoService $crypto,
+        #[Autowire('%kernel.secret%')] string $appSecret,
    ) {
+        $this->endpointToken = substr(hash('sha256', $appSecret.'_endpoint'), 0, 8);
    }

    public function getGlobals(): array
    {
        return [
            'analytics_key' => $this->crypto->getKeyForJs(),
+            'analytics_endpoint' => '/t/'.$this->endpointToken,
        ];
    }
 }
--- a/templates/base.html.twig
+++ b/templates/base.html.twig
@@ -84,7 +84,7 @@
    {% endblock %}
    {% block head %}{% endblock %}
 </head>
-<body class="min-h-screen flex flex-col bg-[#fbfbfb] text-[#111827]" data-env="{{ app.environment }}" data-k="{{ analytics_key }}"{% if app.user and app.user.id is defined and app.request.cookies.get('e_ticket_consent') == 'accepted' %} data-uid="{{ app.user.id }}"{% endif %}>
+<body class="min-h-screen flex flex-col bg-[#fbfbfb] text-[#111827]" data-env="{{ app.environment }}" data-k="{{ analytics_key }}" data-e="{{ analytics_endpoint }}"{% if app.user and app.user.id is defined and app.request.cookies.get('e_ticket_consent') == 'accepted' %} data-uid="{{ app.user.id }}"{% endif %}>
    <header class="sticky top-0 z-50 bg-white border-b-4 border-gray-900">
        <nav class="mx-auto px-4 lg:px-8" role="navigation" aria-label="Navigation principale" itemscope itemtype="https://schema.org/SiteNavigationElement">
            <div class="flex justify-between items-center h-20">