umami/src/pages/api/send.ts

import ipaddr from 'ipaddr.js';
import { isbot } from 'isbot';
import { COLLECTION_TYPE, HOSTNAME_REGEX, IP_REGEX } from 'lib/constants';
import { secret, visitSalt, uuid } from 'lib/crypto';
import { getIpAddress } from 'lib/detect';
import { useCors, useSession, useValidate } from 'lib/middleware';
import { CollectionType, YupRequest } from 'lib/types';
import { NextApiRequest, NextApiResponse } from 'next';
import {
  badRequest,
  createToken,
  forbidden,
  methodNotAllowed,
  ok,
  safeDecodeURI,
  send,
} from 'next-basics';
import { saveEvent, saveSessionData } from 'queries';
import * as yup from 'yup';

export interface CollectRequestBody {
  payload: {
    data: { [key: string]: any };
    hostname: string;
    ip: string;
    language: string;
    referrer: string;
    screen: string;
    title: string;
    url: string;
    website: string;
    name: string;
  };
  type: CollectionType;
}

export interface NextApiRequestCollect extends NextApiRequest {
  body: CollectRequestBody;
  session: {
    id: string;
    websiteId: string;
    visitId: string;
    ownerId: string;
    hostname: string;
    browser: string;
    os: string;
    device: string;
    screen: string;
    language: string;
    country: string;
    subdivision1: string;
    subdivision2: string;
    city: string;
    iat: number;
  };
  headers: { [key: string]: any };
  yup: YupRequest;
}

const schema = {
  POST: yup.object().shape({
    payload: yup
      .object()
      .shape({
        data: yup.object(),
        hostname: yup.string().matches(HOSTNAME_REGEX).max(100),
        ip: yup.string().matches(IP_REGEX),
        language: yup.string().max(35),
        referrer: yup.string(),
        screen: yup.string().max(11),
        title: yup.string(),
        url: yup.string(),
        website: yup.string().uuid().required(),
        name: yup.string().max(50),
      })
      .required(),
    type: yup
      .string()
      .matches(/event|identify/i)
      .required(),
  }),
};

export default async (req: NextApiRequestCollect, res: NextApiResponse) => {
  await useCors(req, res);

  if (req.method === 'POST') {
    if (!process.env.DISABLE_BOT_CHECK && isbot(req.headers['user-agent'])) {
      return ok(res);
    }

    await useValidate(schema, req, res);

    if (hasBlockedIp(req)) {
      return forbidden(res);
    }

    const { type, payload } = req.body;
    const { url, referrer, name: eventName, data: eventData, title } = payload;
    const pageTitle = safeDecodeURI(title);

    await useSession(req, res);

    const session = req.session;

    // expire visitId after 30 minutes
    session.visitId =
      !!session.iat && Math.floor(new Date().getTime() / 1000) - session.iat > 1800
        ? uuid(session.id, visitSalt())
        : session.visitId;

    session.iat = Math.floor(new Date().getTime() / 1000);

    if (type === COLLECTION_TYPE.event) {
      // eslint-disable-next-line prefer-const
      let [urlPath, urlQuery] = safeDecodeURI(url)?.split('?') || [];
      let [referrerPath, referrerQuery] = safeDecodeURI(referrer)?.split('?') || [];
      let referrerDomain = '';

      if (!urlPath) {
        urlPath = '/';
      }

      if (referrerPath?.startsWith('http')) {
        const refUrl = new URL(referrer);
        referrerPath = refUrl.pathname;
        referrerQuery = refUrl.search.substring(1);
        referrerDomain = refUrl.hostname.replace(/www\./, '');
      }

      if (process.env.REMOVE_TRAILING_SLASH) {
        urlPath = urlPath.replace(/(.+)\/$/, '$1');
      }

      await saveEvent({
        urlPath,
        urlQuery,
        referrerPath,
        referrerQuery,
        referrerDomain,
        pageTitle,
        eventName,
        eventData,
        ...session,
        sessionId: session.id,
        visitId: session.visitId,
      });
    }

    if (type === COLLECTION_TYPE.identify) {
      if (!eventData) {
        return badRequest(res, 'Data required.');
      }

      await saveSessionData({
        websiteId: session.websiteId,
        sessionId: session.id,
        sessionData: eventData,
      });
    }

    const token = createToken(session, secret());

    return send(res, token);
  }

  return methodNotAllowed(res);
};

function hasBlockedIp(req: NextApiRequestCollect) {
  const ignoreIps = process.env.IGNORE_IP;

  if (ignoreIps) {
    const ips = [];

    if (ignoreIps) {
      ips.push(...ignoreIps.split(',').map(n => n.trim()));
    }

    const clientIp = getIpAddress(req);

    return ips.find(ip => {
      if (ip === clientIp) return true;

      // CIDR notation
      if (ip.indexOf('/') > 0) {
        const addr = ipaddr.parse(clientIp);
        const range = ipaddr.parseCIDR(ip);

        if (addr.kind() === range[0].kind() && addr.match(range)) return true;
      }
    });
  }

  return false;
}
Revert "reject" This reverts commit 5fd3ba38099212fa87ebadbb6cb8dc3871b362c5. 2022-10-06 22:35:38 +02:00			`import ipaddr from 'ipaddr.js';`
Upgraded isbot package. 2024-03-01 23:20:04 +01:00			`import { isbot } from 'isbot';`
Allow setting visitor IP when registering event through API 2024-01-24 13:25:37 +01:00			`import { COLLECTION_TYPE, HOSTNAME_REGEX, IP_REGEX } from 'lib/constants';`
include visitors metrics in websiteStats 2024-03-26 18:43:01 +01:00			`import { secret, visitSalt, uuid } from 'lib/crypto';`
Removed getJsonBody. 2023-08-31 01:40:32 +02:00			`import { getIpAddress } from 'lib/detect';`
Add api validations. 2023-08-20 07:23:15 +02:00			`import { useCors, useSession, useValidate } from 'lib/middleware';`
			`import { CollectionType, YupRequest } from 'lib/types';`
Initial Typescript models. 2022-11-15 22:21:14 +01:00			`import { NextApiRequest, NextApiResponse } from 'next';`
Updated encoding logic in tracker and send. 2024-03-27 05:46:57 +01:00			`import {`
			`badRequest,`
			`createToken,`
			`forbidden,`
			`methodNotAllowed,`
			`ok,`
			`safeDecodeURI,`
			`send,`
			`} from 'next-basics';`
Add api validations. 2023-08-20 07:23:15 +02:00			`import { saveEvent, saveSessionData } from 'queries';`
			`import * as yup from 'yup';`
Initial Typescript models. 2022-11-15 22:21:14 +01:00
Convert send to TS. 2023-03-30 20:18:57 +02:00			`export interface CollectRequestBody {`
			`payload: {`
			`data: { [key: string]: any };`
			`hostname: string;`
Allow setting visitor IP when registering event through API 2024-01-24 13:25:37 +01:00			`ip: string;`
Convert send to TS. 2023-03-30 20:18:57 +02:00			`language: string;`
			`referrer: string;`
			`screen: string;`
			`title: string;`
			`url: string;`
			`website: string;`
			`name: string;`
			`};`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00			`type: CollectionType;`
Convert send to TS. 2023-03-30 20:18:57 +02:00			`}`

Initial Typescript models. 2022-11-15 22:21:14 +01:00			`export interface NextApiRequestCollect extends NextApiRequest {`
Convert send to TS. 2023-03-30 20:18:57 +02:00			`body: CollectRequestBody;`
Initial Typescript models. 2022-11-15 22:21:14 +01:00			`session: {`
			`id: string;`
			`websiteId: string;`
update visitId hash and expiration logic 2024-03-26 01:47:53 +01:00			`visitId: string;`
Add usage. 2023-05-16 05:41:12 +02:00			`ownerId: string;`
Initial Typescript models. 2022-11-15 22:21:14 +01:00			`hostname: string;`
			`browser: string;`
			`os: string;`
			`device: string;`
			`screen: string;`
			`language: string;`
			`country: string;`
add subdivision1/2, cities to query logic 2023-02-20 18:04:20 +01:00			`subdivision1: string;`
			`subdivision2: string;`
			`city: string;`
Add iat to session object 2024-03-26 01:49:13 +01:00			`iat: number;`
Initial Typescript models. 2022-11-15 22:21:14 +01:00			`};`
Convert send to TS. 2023-03-30 20:18:57 +02:00			`headers: { [key: string]: any };`
Add api validations. 2023-08-20 07:23:15 +02:00			`yup: YupRequest;`
Initial Typescript models. 2022-11-15 22:21:14 +01:00			`}`

Add api validations. 2023-08-20 07:23:15 +02:00			`const schema = {`
			`POST: yup.object().shape({`
			`payload: yup`
			`.object()`
			`.shape({`
			`data: yup.object(),`
			`hostname: yup.string().matches(HOSTNAME_REGEX).max(100),`
Allow setting visitor IP when registering event through API 2024-01-24 13:25:37 +01:00			`ip: yup.string().matches(IP_REGEX),`
Add api validations. 2023-08-20 07:23:15 +02:00			`language: yup.string().max(35),`
Updated validations for send payload. 2024-02-28 00:09:57 +01:00			`referrer: yup.string(),`
Add api validations. 2023-08-20 07:23:15 +02:00			`screen: yup.string().max(11),`
Updated validations for send payload. 2024-02-28 00:09:57 +01:00			`title: yup.string(),`
			`url: yup.string(),`
Add api validations. 2023-08-20 07:23:15 +02:00			`website: yup.string().uuid().required(),`
			`name: yup.string().max(50),`
			`})`
			`.required(),`
			`type: yup`
			`.string()`
			`.matches(/event\|identify/i)`
			`.required(),`
			`}),`
			`};`

Initial Typescript models. 2022-11-15 22:21:14 +01:00			`export default async (req: NextApiRequestCollect, res: NextApiResponse) => {`
Revert "reject" This reverts commit 5fd3ba38099212fa87ebadbb6cb8dc3871b362c5. 2022-10-06 22:35:38 +02:00			`await useCors(req, res);`

Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`if (req.method === 'POST') {`
Allow embedding of share page. 2023-11-12 05:45:09 +01:00			`if (!process.env.DISABLE_BOT_CHECK && isbot(req.headers['user-agent'])) {`
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`return ok(res);`
			`}`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00
Update useValidate calls. 2023-09-30 05:24:48 +02:00			`await useValidate(schema, req, res);`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00
Removed hostname lookup. 2023-11-28 20:03:55 +01:00			`if (hasBlockedIp(req)) {`
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`return forbidden(res);`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00			`}`

Removed hostname lookup. 2023-11-28 20:03:55 +01:00			`const { type, payload } = req.body;`
Updated encoding logic in tracker and send. 2024-03-27 05:46:57 +01:00			`const { url, referrer, name: eventName, data: eventData, title } = payload;`
			`const pageTitle = safeDecodeURI(title);`
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00
			`await useSession(req, res);`

			`const session = req.session;`

update visitId hash and expiration logic 2024-03-26 01:47:53 +01:00			`// expire visitId after 30 minutes`
			`session.visitId =`
			`!!session.iat && Math.floor(new Date().getTime() / 1000) - session.iat > 1800`
include visitors metrics in websiteStats 2024-03-26 18:43:01 +01:00			`? uuid(session.id, visitSalt())`
update visitId hash and expiration logic 2024-03-26 01:47:53 +01:00			`: session.visitId;`

			`session.iat = Math.floor(new Date().getTime() / 1000);`

Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`if (type === COLLECTION_TYPE.event) {`
			`// eslint-disable-next-line prefer-const`
Updated encoding logic in tracker and send. 2024-03-27 05:46:57 +01:00			`let [urlPath, urlQuery] = safeDecodeURI(url)?.split('?') \|\| [];`
			`let [referrerPath, referrerQuery] = safeDecodeURI(referrer)?.split('?') \|\| [];`
Fixed search for postgresql. 2024-03-26 06:51:10 +01:00			`let referrerDomain = '';`
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00
			`if (!urlPath) {`
			`urlPath = '/';`
			`}`

			`if (referrerPath?.startsWith('http')) {`
			`const refUrl = new URL(referrer);`
			`referrerPath = refUrl.pathname;`
			`referrerQuery = refUrl.search.substring(1);`
			`referrerDomain = refUrl.hostname.replace(/www\./, '');`
			`}`

			`if (process.env.REMOVE_TRAILING_SLASH) {`
Fixed remove trailing slash logic. 2024-03-12 04:56:36 +01:00			`urlPath = urlPath.replace(/(.+)\/$/, '$1');`
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`}`

			`await saveEvent({`
			`urlPath,`
			`urlQuery,`
			`referrerPath,`
			`referrerQuery,`
			`referrerDomain,`
			`pageTitle,`
			`eventName,`
			`eventData,`
			`...session,`
			`sessionId: session.id,`
update visitId hash and expiration logic 2024-03-26 01:47:53 +01:00			`visitId: session.visitId,`
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`});`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00			`}`

Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`if (type === COLLECTION_TYPE.identify) {`
			`if (!eventData) {`
			`return badRequest(res, 'Data required.');`
			`}`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00
Updated types. 2024-01-14 11:21:39 +01:00			`await saveSessionData({`
			`websiteId: session.websiteId,`
			`sessionId: session.id,`
			`sessionData: eventData,`
			`});`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00			`}`

Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`const token = createToken(session, secret());`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`return send(res, token);`
			`}`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00
Fixed missing docker middleware. 2023-08-31 08:53:05 +02:00			`return methodNotAllowed(res);`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00			`};`
Feat/um 202 event data new (#1841) * Add event_data base. * Add url_path. * Add eventData back. * Finish event_data relational. * resolve comments. 2023-03-23 22:01:15 +01:00
Removed hostname lookup. 2023-11-28 20:03:55 +01:00			`function hasBlockedIp(req: NextApiRequestCollect) {`
Revert "reject" This reverts commit 5fd3ba38099212fa87ebadbb6cb8dc3871b362c5. 2022-10-06 22:35:38 +02:00			`const ignoreIps = process.env.IGNORE_IP;`

Removed hostname lookup. 2023-11-28 20:03:55 +01:00			`if (ignoreIps) {`
Revert "reject" This reverts commit 5fd3ba38099212fa87ebadbb6cb8dc3871b362c5. 2022-10-06 22:35:38 +02:00			`const ips = [];`

			`if (ignoreIps) {`
			`ips.push(...ignoreIps.split(',').map(n => n.trim()));`
			`}`

			`const clientIp = getIpAddress(req);`

Report parameters. 2023-06-15 08:48:11 +02:00			`return ips.find(ip => {`
Revert "reject" This reverts commit 5fd3ba38099212fa87ebadbb6cb8dc3871b362c5. 2022-10-06 22:35:38 +02:00			`if (ip === clientIp) return true;`

			`// CIDR notation`
			`if (ip.indexOf('/') > 0) {`
			`const addr = ipaddr.parse(clientIp);`
			`const range = ipaddr.parseCIDR(ip);`

			`if (addr.kind() === range[0].kind() && addr.match(range)) return true;`
			`}`
			`});`
update send 2023-03-16 00:06:51 +01:00			`}`
Removed hostname lookup. 2023-11-28 20:03:55 +01:00
			`return false;`
Feat/um 305 unique session ch (#2065) * Add session_data / session redis to CH. * Add mysql migration. 2023-06-01 06:46:49 +02:00			`}`