π Problem Statement
Currently, DevCard has no way for users to know how many times their card was viewed or which links were tapped. This is a significant missing feature β developers sharing their DevCard at hackathons, conferences, or on resumes have zero visibility into engagement.
There is also no backend infrastructure for tracking these events in a privacy-respecting way. Without this, users can't measure the impact of their DevCard.
π― Proposed Solution
Build a server-side, privacy-preserving analytics backend with the following components:
1. Database Schema (new tables)
-- Tracks card view counts (aggregated, no personal data)
card_views (
id UUID PRIMARY KEY,
card_id VARCHAR NOT NULL,
viewed_at TIMESTAMP NOT NULL,
country_code VARCHAR(2), -- from CF-IPCountry header, NOT raw IP
referrer VARCHAR -- domain only, e.g. "twitter.com"
)
-- Tracks individual link tap events
card_link_taps (
id UUID PRIMARY KEY,
card_id VARCHAR NOT NULL,
platform VARCHAR NOT NULL, -- "github" | "linkedin" | "twitter" etc.
tapped_at TIMESTAMP NOT NULL
)
2. New API Endpoints
| Method |
Endpoint |
Description |
POST |
/api/analytics/view/:cardId |
Record a card view (server-side, no IP stored) |
POST |
/api/analytics/tap/:cardId |
Record a link tap with platform name |
GET |
/api/analytics/:cardId |
Fetch aggregated stats for the card owner |
3. Response Shape for GET /api/analytics/:cardId
{
"cardId": "abc123",
"totalViews": 342,
"last7Days": 87,
"last30Days": 210,
"topReferrers": ["twitter.com", "linkedin.com"],
"linkTaps": {
"github": 120,
"linkedin": 95,
"twitter": 60
}
}4. Privacy Rules (strict)
- β No raw IP addresses stored β ever
- β No User-Agent strings stored
- β
Only country code extracted from
CF-IPCountry header (Vercel/Cloudflare provides this)
- β
Only domain extracted from
Referer header (no full URL paths)
- β
Only the card owner can access their own analytics via authenticated
GET
- β
POST endpoints are public (called client-side on card view/tap)
π οΈ Implementation Plan
π Security Considerations
- The
GET endpoint must validate that the requesting user owns the cardId
POST endpoints should be rate-limited per hashed-IP (hash + discard raw IP immediately)- Add bot detection heuristics (e.g., skip recording if
User-Agent is a known bot β but don't store the UA)
π¦ Tech Stack Expected
- Next.js API Routes (
/app/api/ or /pages/api/)
- Prisma / existing DB ORM used in the project
- Redis (optional, for rate limiting β can use Upstash if not already present)
β
Acceptance Criteria
π·οΈ Labels Suggested
enhancement backend privacy api intermediate gssoc26
π€ Contributor Note
I am a GSSOC 2026 contributor and would like to be assigned this issue. I have experience with Next.js API routes, Prisma, and REST API design. Happy to discuss the implementation approach before starting.
π Problem Statement
Currently, DevCard has no way for users to know how many times their card was viewed or which links were tapped. This is a significant missing feature β developers sharing their DevCard at hackathons, conferences, or on resumes have zero visibility into engagement.
There is also no backend infrastructure for tracking these events in a privacy-respecting way. Without this, users can't measure the impact of their DevCard.
π― Proposed Solution
Build a server-side, privacy-preserving analytics backend with the following components:
1. Database Schema (new tables)
2. New API Endpoints
POST/api/analytics/view/:cardIdPOST/api/analytics/tap/:cardIdGET/api/analytics/:cardId3. Response Shape for
GET /api/analytics/:cardId{ "cardId": "abc123", "totalViews": 342, "last7Days": 87, "last30Days": 210, "topReferrers": ["twitter.com", "linkedin.com"], "linkTaps": { "github": 120, "linkedin": 95, "twitter": 60 } }4. Privacy Rules (strict)
CF-IPCountryheader (Vercel/Cloudflare provides this)Refererheader (no full URL paths)GETπ οΈ Implementation Plan
card_viewsandcard_link_tapstables to DB schema (migration file)POST /api/analytics/view/:cardIdβ insert aggregated view recordPOST /api/analytics/tap/:cardIdβ insert tap event with platformGET /api/analytics/:cardIdβ auth-protected, returns aggregated statsGETendpoint (only card owner can read)POSTendpoints to prevent fake inflation (e.g., 1 view per IP per card per hour using a hashed IP)π Security Considerations
GETendpoint must validate that the requesting user owns thecardIdPOSTendpoints should be rate-limited per hashed-IP (hash + discard raw IP immediately)User-Agentis a known bot β but don't store the UA)π¦ Tech Stack Expected
/app/api/or/pages/api/)β Acceptance Criteria
GETendpoint returns correct aggregated statsπ·οΈ Labels Suggested
enhancementbackendprivacyapiintermediategssoc26π€ Contributor Note
I am a GSSOC 2026 contributor and would like to be assigned this issue. I have experience with Next.js API routes, Prisma, and REST API design. Happy to discuss the implementation approach before starting.