Make analytics endpoint dynamic: /t/{token} derived from APP_SECRET

The endpoint path is now /t/<8-char hash of APP_SECRET> instead of static /t. Token is injected via data-e attribute on body, read by JS. Server validates token on every hit, returns 404 if invalid. Changes with each APP_SECRET = impossible to hardcode in a blocker. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 12:22:59 +01:00
parent 0952bc6e17
commit a139f86b90
4 changed files with 20 additions and 4 deletions
--- a/templates/base.html.twig
+++ b/templates/base.html.twig
@@ -84,7 +84,7 @@
    {% endblock %}
    {% block head %}{% endblock %}
 </head>
-<body class="min-h-screen flex flex-col bg-[#fbfbfb] text-[#111827]" data-env="{{ app.environment }}" data-k="{{ analytics_key }}"{% if app.user and app.user.id is defined and app.request.cookies.get('e_ticket_consent') == 'accepted' %} data-uid="{{ app.user.id }}"{% endif %}>
+<body class="min-h-screen flex flex-col bg-[#fbfbfb] text-[#111827]" data-env="{{ app.environment }}" data-k="{{ analytics_key }}" data-e="{{ analytics_endpoint }}"{% if app.user and app.user.id is defined and app.request.cookies.get('e_ticket_consent') == 'accepted' %} data-uid="{{ app.user.id }}"{% endif %}>
    <header class="sticky top-0 z-50 bg-white border-b-4 border-gray-900">
        <nav class="mx-auto px-4 lg:px-8" role="navigation" aria-label="Navigation principale" itemscope itemtype="https://schema.org/SiteNavigationElement">
            <div class="flex justify-between items-center h-20">