From ff44dbaea023114f8dad29c16a8bcb7a8e0b12a5 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Fri, 17 Jan 2020 04:30:44 +0100
Subject: [PATCH] Update analytics code.

---
 .deploy/heroku/.env.heroku | 3 ++-
 .env.example | 10 ++++---
 .github/ISSUE_TEMPLATE/Bug_report.md | 13 +++++----
 app/Http/Middleware/SecureHeaders.php | 29 ++++++---------------
 config/firefly.php | 3 ++-
 resources/views/v1/layout/default.twig | 24 ++++++++++-------
 resources/views/v1/layout/empty.twig | 26 +++++++++++-------
 resources/views/v1/layout/guest.twig | 26 +++++++++++-------
 tests/Unit/Middleware/SecureHeadersTest.php | 2 ++
 9 files changed, 73 insertions(+), 63 deletions(-)

diff --git a/.deploy/heroku/.env.heroku b/.deploy/heroku/.env.heroku
index c0fb83278b..78d8067adb 100644
--- a/.deploy/heroku/.env.heroku
+++ b/.deploy/heroku/.env.heroku
@@ -110,7 +110,8 @@ CER_PROVIDER=fixer
 FIXER_API_KEY=
 
 # If you wish to track your own behavior over Firefly III, set a valid analytics tracker ID here.
-ANALYTICS_ID=
+TRACKER_SITE_ID=
+TRACKER_URL=
 
 # Most parts of the database are encrypted by default, but you can turn this off if you want to.
 # This makes it easier to migrate your database. Not that some fields will never be decrypted.
diff --git a/.env.example b/.env.example
index b25b14f994..8585f0fc22 100644
--- a/.env.example
+++ b/.env.example
@@ -117,9 +117,6 @@ CER_PROVIDER=ratesapi
 # the free API up to the point where you might as well offer nothing.
 FIXER_API_KEY=
 
-# If you wish to track your own behavior over Firefly III, set a valid analytics tracker ID here.
-ANALYTICS_ID=
-
 # Firefly III has two options for user authentication. "eloquent" is the default,
 # and "ldap" for LDAP servers.
 # For full instructions on these settings please visit:
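Review bot: The comment kept above the new `TRACKER_SITE_ID=` and `TRACKER_URL=` lines in `.deploy/heroku/.env.heroku` still reads "set a valid analytics tracker ID here", which describes the removed `ANALYTICS_ID` and says nothing about the expected URL format; the `.env.example` hunk later in this patch replaces it with the Matomo-only and no-`http://`/`https://`-prefix wording, and the Heroku file should say the same so that the value that ends up in the Content-Security-Policy header is a bare host. Suggested replacement: `# If you wish to track your own behavior over Firefly III, set your Matomo site ID and tracker host here (no http:// or https:// prefix).`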
@@ -171,6 +168,13 @@ DISABLE_FRAME_HEADER=false
 # This is at your own risk.
 DISABLE_CSP_HEADER=false
 
+# If you wish to track your own behavior over Firefly III, set valid analytics tracker information here.
+# Nobody uses this except for me on the demo site. But hey, feel free to use this if you want to.
+# Do not prepend the TRACKER_URL with http:// or https://
+# The only tracker supported is Matomo.
+TRACKER_SITE_ID=
+TRACKER_URL=
+
 # You can fine tune the start-up of a Docker container by editing these environment variables.
 # Use this at your own risk. Disabling certain checks and features may result in lost of inconsistent data.
 # However if you know what you're doing you can significantly speed up container start times.
diff --git a/.github/ISSUE_TEMPLATE/Bug_report.md b/.github/ISSUE_TEMPLATE/Bug_report.md
index 4c1861cfd0..f8f985bebf 100644
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -16,11 +16,10 @@ I am running Firefly III version x.x.x, and my problem is:
 **Bonus points**
-
-- Post a stacktrace from your log files
-- Add a screenshot
-- Make a drawing
-- Donate money (just kidding ;)
-- Replicate the problem on the demo site https://demo.firefly-iii.org/
--->
\ No newline at end of file
+- [ ] Nobody reported this bug before
+- [ ] I have added a stack trace from my log files.
+- [ ] I have added a screenshot.
+- [ ] I was able to replicate it on the demo site https://demo.firefly-iii.org/
+
diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
index 7016100b97..5566c3b7a3 100644
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -47,18 +47,17 @@ class SecureHeaders
 $nonce = base64_encode(random_bytes(16));
 app('view')->share('JS_NONCE', $nonce);
 
- $response = $next($request);
- $googleScriptSrc = $this->getGoogleScriptSource();
- $googleImgSrc = $this->getGoogleImgSource();
- $csp = [
+ $response = $next($request);
+ $trackingScriptSrc = $this->getTrackingScriptSource();
+ $csp = [
 "default-src 'none'",
 "object-src 'self'",
- sprintf("script-src 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $googleScriptSrc),
+ sprintf("script-src 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $trackingScriptSrc),
 "style-src 'self' 'unsafe-inline'",
 "base-uri 'self'",
 "font-src 'self' data:",
 "connect-src 'self'",
- sprintf("img-src 'self' data: https://api.tiles.mapbox.com %s", $googleImgSrc),
+ sprintf("img-src 'self' data: https://api.tiles.mapbox.com %s", $trackingScriptSrc),
 "manifest-src 'self'",
 ];
 
@@ -99,27 +98,15 @@ class SecureHeaders
 return $response;
 }
 
- /**
- * @return string
- */
- private function getGoogleImgSource(): string
- {
- if ('' !== config('firefly.analytics_id')) {
- return 'www.google-analytics.com';
- }
-
- return '';
- }
- /**
- * Return part of a CSP header allowing scripts from Google.
- *
- * @return string
- */
- private function getGoogleScriptSource(): string
+ private function getTrackingScriptSource(): string
 {
- if ('' !== config('firefly.analytics_id')) {
- return 'www.googletagmanager.com www.google-analytics.com';
+ if ('' !== (string)config('firefly.tracker_site_id') && '' !== (string)config('firefly.tracker_url')) {
+ return (string)config('firefly.tracker_url');
 }
 
 return '';
diff --git a/config/firefly.php b/config/firefly.php
index 8e2b3d9664..7febfeeff8 100644
--- a/config/firefly.php
+++ b/config/firefly.php
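Review bot: The new `getTrackingScriptSource()` hands the raw `firefly.tracker_url` value to the `script-src` and `img-src` `sprintf` calls, so a value containing whitespace, `;` or `,` would be read by the browser as additional host-sources or directives and the effective policy would silently differ from the operator's intent; the value comes from the environment, so this is a misconfiguration hazard rather than an injection path, but checking that it is a single host-source token before returning it is cheap. The docblock that survives above the renamed method still says "allowing scripts from Google"; it should describe the Matomo host-source and the `''` fallback, as in the rewrite below. On the new `script-src` line, `%1s` and `%2s` are minimum-width specifiers rather than positional arguments, so the line should simply read `sprintf("script-src 'unsafe-inline' 'nonce-%s' %s", $nonce, $trackingScriptSrc),` (the `img-src` line likewise leaves a trailing space when no tracker is configured, which browsers tolerate). The rewritten helper keeps the signature and the `''` fallback that the CSP lines rely on.
```php
    /**
     * Return the host-source added to script-src/img-src for the configured Matomo tracker,
     * or '' when no tracker is configured or the configured value is not a single CSP host-source.
     *
     * @return string
     */
    private function getTrackingScriptSource(): string
    {
        $siteId = (string)config('firefly.tracker_site_id');
        $url    = (string)config('firefly.tracker_url');
        // A CSP host-source is one token: whitespace, ';' or ',' would be read as further sources or directives.
        if ('' === $siteId || '' === $url || 1 === preg_match('/[\s;,]/', $url)) {
            return '';
        }

        return $url;
    }
```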
@@ -152,7 +152,8 @@ return [ 'trusted_proxies' => env('TRUSTED_PROXIES', ''), 'search_result_limit' => env('SEARCH_RESULT_LIMIT', 50), 'send_report_journals' => envNonEmpty('SEND_REPORT_JOURNALS', true), - 'analytics_id' => env('ANALYTICS_ID', ''), + 'tracker_site_id' => env('TRACKER_SITE_ID', ''), + 'tracker_url' => env('TRACKER_URL', ''), 'disable_frame_header' => env('DISABLE_FRAME_HEADER', false), 'disable_csp_header' => env('DISABLE_CSP_HEADER', false), 'login_provider' => envNonEmpty('LOGIN_PROVIDER', 'eloquent'), diff --git a/resources/views/v1/layout/default.twig b/resources/views/v1/layout/default.twig index 404a2c781c..898986fa00 100644 --- a/resources/views/v1/layout/default.twig +++ b/resources/views/v1/layout/default.twig @@ -204,18 +204,22 @@ {% endif %} {% block scripts %}{% endblock %} -{% if config('firefly.analytics_id') != '' %} - - - - +{% if config('firefly.tracker_site_id') != '' and config('firefly.tracker_url') != '' %} + + + {% endif %} diff --git a/resources/views/v1/layout/empty.twig b/resources/views/v1/layout/empty.twig index 3892bef7a5..431e26b842 100644 --- a/resources/views/v1/layout/empty.twig +++ b/resources/views/v1/layout/empty.twig @@ -42,18 +42,24 @@ -{% if config('firefly.analytics_id') != '' %} - - - - - + {% endif %} + diff --git a/resources/views/v1/layout/guest.twig b/resources/views/v1/layout/guest.twig index 648859cdba..9e560c4598 100644 --- a/resources/views/v1/layout/guest.twig +++ b/resources/views/v1/layout/guest.twig @@ -57,18 +57,24 @@ -{% if config('firefly.analytics_id') != '' %} - - - - - + {% endif %} + diff --git a/tests/Unit/Middleware/SecureHeadersTest.php b/tests/Unit/Middleware/SecureHeadersTest.php index 6972f7f01a..23e862a3cf 100644 --- a/tests/Unit/Middleware/SecureHeadersTest.php +++ b/tests/Unit/Middleware/SecureHeadersTest.php 
@@ -71,6 +71,8 @@ class SecureHeadersTest extends TestCase
 }
 
 /**
+ * TODO this test tests nothing.
+ *
 * @covers \FireflyIII\Http\Middleware\SecureHeaders
 */
 public function testMiddlewareGoogleAnalytics(): void
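Review bot: The added TODO concedes that `testMiddlewareGoogleAnalytics` asserts nothing, and the test name still refers to Google Analytics although the middleware now reads `firefly.tracker_site_id` and `firefly.tracker_url`; since this commit changes what ends up in the `script-src` and `img-src` directives, this is the place to pin that behaviour rather than leave a note. Instead of the TODO, rename the test (for example `testMiddlewareTracker`) and assert that the `Content-Security-Policy` response header contains the configured tracker host when both config keys are set, and that it does not when either is empty. The test body continues outside the hunk, so the existing setup cannot be checked here.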