Disabling of third-party integrations for self-hosted deployments #6420

Open
1 of 4 tasks
almereyda opened this issue Mar 31, 2024 · 3 comments

Comments

@almereyda

almereyda commented Mar 31, 2024

What happened?

When running the current Docker distribution, requests are made to third-party sources.

  • Cloudflare
  • Mixpanel

When telemetry is disabled in the user account, Mixpanel will become silent, even on the login form when logged out, but Cloudflare remains active.

In both cases we also see requests to:

  • https://affine.pro/favicon.ico
    which perfectly acts as a tracking pixel
  • https://app.affine.pro/ in the redirect_uri after sending a POST request to /api/auth/sign-in
    This is responded to with a 406, and upon a second try with a 200, and login works despite being misconfigured.

This can be understood as a breach of privacy and could lead to illegal behaviour, especially in the EU with regard to the GDPR.

Two resolution vectors offer themselves:

  • It is possible to disable (and configure) the third-party integrations to Cloudflare and Mixpanel (individually and) with an environment variable.
  • It is possible to configure the redirect_uri parameter.
  • The favicon is hosted locally.

Distribution version

Linux

What browsers are you seeing the problem on if you're using web version?

No response

Are you self-hosting?

  • Yes

Relevant log output

POST /api/auth/sign-in?redirect_uri=https%3A%2F%2Fapp.affine.pro%2F HTTP/1.1
Host: localhost:3010
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: de,en-GB;q=0.8,fr;q=0.6,en;q=0.4,en-US;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:3010/
content-type: application/json
Content-Length: 50
Origin: http://localhost:3010
Connection: keep-alive
Cookie: JSESSIONID=1stz32knsdjvv1grovwo4nabgb; myaigent=0e8b44c680564edeb224fe5037db6b48; CSRF-Token-PF4SZ=kXofeD9pcZbQgNJvqEqqj3KaTgFmT6Ci; pagure_local_cookie=; cockpit=dj0yO2s9NzdmZWFlNDBmMDA2ZTg2ZDI1NTEyZmY5ZWZkNTJiMzQxOGU3OWQ4YTQ1ZDdmZWY1NWRjMGI4NWQ4YzNmMWM4MQ==; sessions=%7B%7D; PHPSESSID=d172e820064987f1fc70d65b22ae3786; session=.eJwdjlFrgzAURv_KyHMHSbRuE_ogGMFCIo5IuPelpDbFxvpiV-JS-t9n9_TBB-dwHuRwnt1tIPnPfHcbcricSP4gb0eSk0aLFE01gm5TmKpJ8S7iJBfg-wF1HZX_voKBRZp2q3wfYOoSqYsgtQhYwi_qgqtSXcHXoSkFlUZs5cvh60RFwVCPy8oHVUKqvKAqqguaLr4YGYsUp47KEtev8uj3Y2PUujhILdceCMAhRb_28XZHnhtyv7n5v5-w98w6e3L0Iztb9klZz3rOE2YpZ8cvZjNHnn8dj1Ah.FmaP8w.BEujifcEbjQpnfEn1rmYzVkuuKM; argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcmdvY2QiLCJzdWIiOiJhZG1pbjpsb2dpbiIsImV4cCI6MTY3Mzk1NTE5NywibmJmIjoxNjczODY4Nzk3LCJpYXQiOjE2NzM4Njg3OTcsImp0aSI6IjBiNmU2YTY4LTJlZjktNDU4Yy04MGZhLWUyOGRlZTdlODAwMSJ9.HIz-f9vi1PP06ANzzI9E3nm7IV4W6lCt7HgRx4RpUEk; alps_session=fGsYgf1CJNyoYQvGr7o3CiG8kXQBC7s-oTsh7-272dE=
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

POST /track/?verbose=1&ip=1&_=1711882453809 undefined
Host: api-js.mixpanel.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: de,en-GB;q=0.8,fr;q=0.6,en;q=0.4,en-US;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 2321
Origin: http://localhost:3010
Connection: keep-alive
Referer: http://localhost:3010/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

GET /cdn-cgi/challenge-platform/h/g/cmg/1/gPgxBmu7dknlu4yVXsBLaw0eWk%2B%2FWEsazG1n%2B18Du1w%3D HTTP/3
Host: challenges.cloudflare.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: image/avif,image/webp,*/*
Accept-Language: de,en-GB;q=0.8,fr;q=0.6,en;q=0.4,en-US;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/32m8u/1x00000000000000000000AA/auto/normal
Alt-Used: challenges.cloudflare.com
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin


Anything else?

- [ ] Docker distribution is added to issue template as an option for choice. It is currently implied when checking the box for self-hosting.
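The two observations in the report, egress to hosts other than the self-hosted instance and a sign-in `redirect_uri` that points at a different origin, can be checked mechanically against a captured request dump. The following is an added example written for this page; it is not AFFiNE project code and does not claim to match how AFFiNE handles `redirect_uri`. It assumes `localhost:3010` as the self-hosted origin (as in the log above) and runs over a constructed, abbreviated dump modelled on the issue's log output. Note that `Sec-Fetch-Site` alone does not identify third-party traffic: the Cloudflare challenge image is `same-origin` relative to its own iframe yet still leaves the deployment, so the check compares the `Host` header with the deployment origin instead.

```javascript
// Added example (not AFFiNE project code): audit a captured browser request
// dump from a self-hosted deployment for third-party egress and for
// redirect_uri values that point off-origin.

// Assumption: the origin of the self-hosted instance, taken from the issue's log.
const SELF_HOST = 'localhost:3010';

// Constructed sample dump: request line followed by headers, one blank line
// between requests. Header sets are abbreviated from the issue's log output.
const SAMPLE_DUMP = `POST /api/auth/sign-in?redirect_uri=https%3A%2F%2Fapp.affine.pro%2F HTTP/1.1
Host: localhost:3010
Origin: http://localhost:3010
Sec-Fetch-Site: same-origin

POST /track/?verbose=1&ip=1&_=1711882453809 undefined
Host: api-js.mixpanel.com
Origin: http://localhost:3010
Sec-Fetch-Site: cross-site

GET /cdn-cgi/challenge-platform/h/g/cmg/1/sampletoken HTTP/3
Host: challenges.cloudflare.com
Referer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/sample
Sec-Fetch-Site: same-origin`;

// Split the dump into { method, target, headers } records.
function parseDump(text) {
  return text.split(/\n\s*\n/).map((block) => {
    const [requestLine, ...headerLines] = block.trim().split('\n');
    const [method, target] = requestLine.split(/\s+/);
    const headers = {};
    for (const line of headerLines) {
      const i = line.indexOf(':');
      if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    return { method, target, headers };
  });
}

// A redirect target is acceptable only if, resolved against our own origin,
// it still lands on our own host. Relative paths ("/") pass; absolute URLs to
// other hosts and protocol-relative forms ("//other.example/") fail.
function isAllowedRedirect(uri, selfHost = SELF_HOST) {
  try {
    return new URL(uri, `http://${selfHost}`).host === selfHost;
  } catch {
    return false; // unparsable value: fail closed
  }
}

function auditRequests(requests, selfHost = SELF_HOST) {
  const findings = [];
  for (const r of requests) {
    const host = r.headers['host'] || '';
    // Third-party egress: any request whose Host is not our deployment,
    // regardless of what Sec-Fetch-Site says about the embedding frame.
    if (host && host !== selfHost) {
      findings.push({ kind: 'third-party-egress', host, target: r.target });
    }
    // Off-origin redirect_uri on any request that carries one.
    const q = r.target.indexOf('?');
    if (q !== -1) {
      const redirect = new URLSearchParams(r.target.slice(q + 1)).get('redirect_uri');
      if (redirect !== null && !isAllowedRedirect(redirect, selfHost)) {
        findings.push({ kind: 'off-origin-redirect', host, redirect });
      }
    }
  }
  return findings;
}

// Stand-alone run: list what a self-hoster would want to see.
for (const f of auditRequests(parseDump(SAMPLE_DUMP))) console.log(f);
```

`isAllowedRedirect` is the shape of check a server would apply before honouring a `redirect_uri` from the client; comparing the resolved `host` against the configured origin, rather than string-prefix matching, is what keeps `https://localhost:3010.evil.example/` and `//evil.example/` out.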
@affine-issue-bot

affine-issue-bot bot commented Mar 31, 2024

Issue Status: 💡 Open

We want to implement the fix or feature in the near future. We can’t promise it will appear in the next public release, but it’s on our short list.

This is an automatic reply by the bot.

@EYHN
Member

EYHN commented Apr 1, 2024

@almereyda
Author

almereyda commented Apr 2, 2024

Thank you!

Sorry for having bothered you, if this was the case.

Upon review, I'm seeing there are more mentions of app.affine.pro in https://github.com/toeverything/AFFiNE/pull/6425/files#diff-34fa70f6f51a4276612515c7bf9671e64310d0fa1601ca6a41d6d510137747a9L31-L32

Should those be removed or made configurable, too?
