fix(analytics): relay umami events via nextjs proxy without exposing website id to client

.gitea/workflows/deploy.yml

@@ -202,7 +202,7 @@ jobs:
             NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }}
             NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
             DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }}
-            NEXT_PUBLIC_UMAMI_WEBSITE_ID=${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
+            UMAMI_WEBSITE_ID=${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
             UMAMI_API_ENDPOINT=${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
             NPM_TOKEN=${{ secrets.REGISTRY_PASS }}
           tags: registry.infra.mintel.me/mintel/klz-cables.com:${{ needs.prepare.outputs.image_tag }}
@@ -254,7 +254,7 @@ jobs:
       GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
 
       # Analytics
-      NEXT_PUBLIC_UMAMI_WEBSITE_ID:    ${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
+      UMAMI_WEBSITE_ID:    ${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
       UMAMI_API_ENDPOINT:  ${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
     steps:
       - name: Checkout repository
@@ -321,7 +321,7 @@ jobs:
             echo "COOKIE_DOMAIN=$COOKIE_DOMAIN"
             echo ""
             echo "# Analytics"
-            echo "NEXT_PUBLIC_UMAMI_WEBSITE_ID=$NEXT_PUBLIC_UMAMI_WEBSITE_ID"
+            echo "UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID"
             echo "UMAMI_API_ENDPOINT=$UMAMI_API_ENDPOINT"
             echo ""
             echo "TARGET=$TARGET"

app/stats/api/send/route.ts

@@ -0,0 +1,92 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerAppServices } from '@/lib/services/create-services.server';
+import { config } from '@/lib/config';
+
+/**
+ * Smart Proxy for Umami Analytics.
+ *
+ * This Route Handler receives tracking events from the browser,
+ * injects the secret UMAMI_WEBSITE_ID, and forwards them to the
+ * internal Umami API endpoint.
+ *
+ * This ensures:
+ * 1. The Website ID is NOT leaked to the client bundle.
+ * 2. The Umami API endpoint is hidden behind our domain.
+ * 3. We have full control over the tracking data.
+ */
+export async function POST(request: NextRequest) {
+  const services = getServerAppServices();
+  const logger = services.logger.child({ component: 'umami-smart-proxy' });
+
+  try {
+    const body = await request.json();
+    const { type, payload } = body;
+
+    // Inject the secret websiteId from server config
+    const websiteId = config.analytics.umami.websiteId;
+    if (!websiteId) {
+      logger.warn('Umami tracking received but no Website ID configured on server');
+      return NextResponse.json({ status: 'ignored' }, { status: 200 });
+    }
+
+    // Prepare the enhanced payload with the secret ID
+    const enhancedPayload = {
+      ...payload,
+      website: websiteId,
+    };
+
+    const umamiEndpoint = config.analytics.umami.apiEndpoint;
+
+    // Log the event (internal only)
+    logger.debug('Forwarding analytics event', {
+      type,
+      url: payload.url,
+      website: websiteId.slice(0, 8) + '...',
+    });
+
+    const response = await fetch(`${umamiEndpoint}/api/send`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'User-Agent': request.headers.get('user-agent') || 'KLZ-Smart-Proxy',
+        'X-Forwarded-For': request.headers.get('x-forwarded-for') || '',
+      },
+      body: JSON.stringify({ type, payload: enhancedPayload }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      logger.error('Umami API responded with error', {
+        status: response.status,
+        error: errorText.slice(0, 100),
+      });
+      return new NextResponse(errorText, { status: response.status });
+    }
+
+    return NextResponse.json({ status: 'ok' });
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    const errorStack = error instanceof Error ? error.stack : undefined;
+
+    // Console error to ensure it appears in logs even if logger fails
+    console.error('CRITICAL PROXY ERROR:', {
+      message: errorMessage,
+      stack: errorStack,
+      endpoint: config.analytics.umami.apiEndpoint,
+    });
+
+    logger.error('Failed to proxy analytics request', {
+      error: errorMessage,
+      stack: errorStack,
+    });
+
+    return NextResponse.json(
+      {
+        error: 'Internal Server Error',
+        details: errorMessage, // Expose error for debugging
+        endpoint: config.analytics.umami.apiEndpoint ? 'configured' : 'missing',
+      },
+      { status: 500 },
+    );
+  }
+}

lib/config.ts

@@ -35,9 +35,9 @@ function createConfig() {
 
     analytics: {
       umami: {
-        websiteId: env.NEXT_PUBLIC_UMAMI_WEBSITE_ID,
+        websiteId: env.UMAMI_WEBSITE_ID,
         apiEndpoint: env.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me',
-        enabled: Boolean(env.NEXT_PUBLIC_UMAMI_WEBSITE_ID),
+        enabled: typeof window !== 'undefined' || Boolean(env.UMAMI_WEBSITE_ID),
       },
     },
 

lib/env.ts

@@ -31,7 +31,7 @@ const envExtension = {
   INFRA_DIRECTUS_TOKEN: z.string().optional(),
 
   // Analytics
-  NEXT_PUBLIC_UMAMI_WEBSITE_ID: z.string().optional(),
+  UMAMI_WEBSITE_ID: z.string().optional(),
   UMAMI_API_ENDPOINT: z.string().optional(),
 
   // Mail Configuration

next.config.mjs

@@ -348,10 +348,6 @@ const nextConfig = {
     }
 
     return [
-      {
-        source: '/stats/:path*',
-        destination: `${umamiUrl}/:path*`,
-      },
       {
         source: '/cms/:path*',
         destination: `${directusUrl}/:path*`,