by Avfrosta 569 days ago
Hello HN, realized I should introduce myself and not just my project. I'm building stuff on the web and this is the second time something I created actually goes LIVE.

Before this I created a website displaying snow conditions for a few hundred locations in Sweden. I love skiing and ski-touring and wanted a better way to find the best conditions.

Right now I don't have much time to work on my projects since I'm doing mandatory military service, which is part of the reason Simplytics.dev took so long to launch. But I'm hoping I might soon make my first buck selling zeros and ones.

I'd love to receive feedback, Hugo

2 comments

I signed up for an account and it seems you are showing a code snippet with an API key for client-side code. How do you handle authorization? Can anybody use up my 50k events if they steal the key?
No, that key is verified against your domain connected to your user credentials. Meaning that if someone else uses your key on their website, their POST request to my server will be declined because their domain is not the domain you provided.

But you're right, might be a good idea to change the name of the key or work it out completely, it does look like it could be a vulnerability from an outsider's perspective.
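To make the trade-off in the reply above concrete, here is an added example (not Simplytics' code; key format, hostnames and quota are constructed) of how a server-side event endpoint can bind a public site key to a registered domain and, separately, enforce a per-key quota. The Origin check rejects a key that is embedded on some other site's pages, because browsers set that header and page JavaScript cannot change it; the quota is what bounds the damage from a leaked key, since the check alone does not authenticate non-browser clients.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed registry: public site key -> registered host and monthly event quota.
# Hypothetical key and host; the real key format is not on the page.
SITE_KEYS = {
    "pk_example_abc123": {"host": "example-blog.test", "quota": 50_000},
}


@dataclass
class Usage:
    """In-memory per-key event counter (a real service would persist this)."""
    counted: dict = field(default_factory=dict)

    def record(self, key: str) -> int:
        self.counted[key] = self.counted.get(key, 0) + 1
        return self.counted[key]


def origin_host(origin_header: Optional[str]) -> Optional[str]:
    """Return the host part of an Origin header, or None if absent or unparseable."""
    if not origin_header:
        return None
    return urlsplit(origin_header).hostname


def accept_event(headers: dict, key: str, usage: Usage) -> Tuple[int, str]:
    """Decide whether to count one event. Returns (HTTP status, reason)."""
    site = SITE_KEYS.get(key)
    if site is None:
        return 403, "unknown key"
    # Origin is supplied by the browser, so a key copied onto an unrelated site is
    # refused here. It is not an authentication factor on its own: anything that is
    # not a browser can send any header, so the quota below is enforced per key and
    # a leaked key can at worst exhaust that key's own allowance.
    if origin_host(headers.get("Origin")) != site["host"]:
        return 403, "origin does not match registered domain"
    if usage.record(key) > site["quota"]:
        return 429, "quota exhausted"
    return 200, "counted"


if __name__ == "__main__":
    u = Usage()
    print(accept_event({"Origin": "https://example-blog.test"}, "pk_example_abc123", u))
    print(accept_event({"Origin": "https://other.test"}, "pk_example_abc123", u))
```

The quota being per key (and ideally per key per day) is the part that answers "can anybody use up my 50k events": the Origin check stops accidental or careless reuse on other sites, the quota caps the cost of anything else.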

OP, how does this scheme work? If the client is authoritative, that means anybody can just copy that network request and spam you with fake data for that domain. Indeed, if I copy that network request and curl it with changed headers, I still get a 200, which suggests that this is the case...

I'm also concerned about your claim for GDPR compliance. Keeping an IP address for a day and then incrementing against it is still storing personal information, even if it's not in a cookie. Using a server to do the tracking doesn't automatically exempt it from cookie notices.

Storing the IP address for a day doesn't automatically make it non-PII, either. At the very least you should be hashing it. See what Plausible does at https://plausible.io/data-policy or read up on the GDPR discussion at https://ec.europa.eu/justice/article-29/documentation/opinio...
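As an added illustration of the "at the very least you should be hashing it" point above (example code, not Simplytics' or Plausible's implementation; the salt handling and the choice of inputs are assumptions), here is a visitor-id derivation that never stores the raw IP. A plain SHA-256 of an IPv4 address is not enough on its own, because the address space is small enough to enumerate and match against stored hashes; keying the hash with a secret per-day salt that is thrown away after the day ends makes old ids unlinkable to any address once the salt is gone, and also makes the same visitor look different from one day to the next.

```python
import hashlib
import hmac
import secrets
from datetime import date


class VisitorHasher:
    """Derive a per-day visitor id from (site, IP, User-Agent) without storing the IP."""

    def __init__(self) -> None:
        # day -> random 32-byte salt; only the current day's salt should survive.
        self._salts: dict = {}

    def _salt_for(self, day: date) -> bytes:
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return self._salts[day]

    def visitor_id(self, ip: str, user_agent: str, site_host: str, day: date) -> str:
        """HMAC-SHA256 of the visitor tuple under the day's secret salt.

        The salt is the key, so without it an observer cannot rebuild the id even by
        enumerating every IPv4 address; with the salt discarded, the stored id cannot
        be mapped back to an address at all.
        """
        msg = f"{site_host}|{ip}|{user_agent}".encode()
        return hmac.new(self._salt_for(day), msg, hashlib.sha256).hexdigest()

    def rotate(self, today: date) -> int:
        """Forget salts for past days. Returns how many salts were dropped."""
        old = [d for d in self._salts if d < today]
        for d in old:
            del self._salts[d]
        return len(old)

    def active_days(self) -> int:
        return len(self._salts)


if __name__ == "__main__":
    h = VisitorHasher()
    # Constructed sample visitor.
    print(h.visitor_id("203.0.113.7", "Mozilla/5.0", "example-blog.test", date(2024, 1, 1)))
    print(h.visitor_id("203.0.113.7", "Mozilla/5.0", "example-blog.test", date(2024, 1, 2)))
    print("dropped:", h.rotate(date(2024, 1, 2)))
```

Usage note: call `rotate()` from whatever job marks the end of the day, and keep the salt only in memory of the counting process. Whether a per-day salted id is enough to take the data outside the GDPR's notion of personal data is the open question raised in the thread; this only removes the stored IP from the picture.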

Is the ski website up? I'm planning a trip to Sweden and would love to track conditions there!