admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make analytics endpoint dynamic: /t/{token} derived from APP_SECRET

Browse Source 
The endpoint path is now /t/<8-char hash of APP_SECRET> instead of
static /t. Token is injected via data-e attribute on body, read by JS.
Server validates token on every hit, returns 404 if invalid.
Changes with each APP_SECRET = impossible to hardcode in a blocker.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
2026-03-26 12:22:59 +01:00
parent 0952bc6e17
commit a139f86b90
4 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
assets/modules/analytics.js
View File

@@ -1,4 +1,4 @@
const ENDPOINT = '/t'
let ENDPOINT = '/t'
const SK_UID = '_u'
const SK_HASH = '_h'
@@ -86,7 +86,9 @@ async function trackPageView(visitor) {
export async function initAnalytics() {
const keyB64 = document.body.dataset.k
if (!keyB64) return
const ep = document.body.dataset.e
if (!keyB64 || !ep) return
ENDPOINT = ep
try {
encKey = await importKey(keyB64)