Implemented analytics.
I took the design from
Herman at Bear Blog
to log the requesting using a CSS background-image URL on a
body:hover #analytics where #analytics is an empty div. The referrer
is passed as a parameter. Each request URL path has a random string so
that multiple requests are not cached. The request's referrer itself
is the visited page. The IP is hashed and logs are deleted after 8
days; the hashing algorithm was initially md5 but I changed it to
HMAC SHA1 with an app secret
to better comply with the GDPR. Finally, logged in users are
discounted for their own site.
I had to rewrite my log rotation code in hourly.local because
newsyslog sleeps for 5 seconds upon every run, and I was running it
once per user. Instead it now builds a single rotate.conf and runs
once for all users.
I also fixed a mistake where I was using the same salt for every
password. This was due to a misunderstanding of how hashing salts
work. It worth using Mojo::Util generate_secret instead of rolling
my own random secret generator for 2FA secrets.
Heinz managed to rate limit himself
via relayd so I reconfigured for more generous per-second requests.