Skip to content

Commit 5c520bc

Browse files
lane711claude
andcommitted
docs(www): update feature documentation for v2.16.0
Updated pages: plugins/analytics (Event Tracking API), security (CSRF improvements, BruteForceDetector resilience) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent f4c14d0 commit 5c520bc

2 files changed

Lines changed: 124 additions & 2 deletions

File tree

www/src/app/plugins/analytics/page.mdx

Lines changed: 120 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ export const sections = [
55
{ title: 'Tracking Page Views', id: 'tracking-page-views' },
66
{ title: 'Custom Events', id: 'custom-events' },
77
{ title: 'API Reference', id: 'api-reference' },
8+
{ title: 'Event Tracking API', id: 'event-tracking-api' },
89
{ title: 'Analytics Service', id: 'analytics-service' },
910
{ title: 'Admin Dashboard', id: 'admin-dashboard' },
1011
{ title: 'Configuration', id: 'configuration' },
@@ -393,6 +394,125 @@ All analytics endpoints require authentication with `admin` or `analytics:read`
393394
</Col>
394395
</Row>
395396

397+
### Event Tracking API <span className="px-2 py-0.5 text-xs font-bold bg-emerald-100 dark:bg-emerald-900/30 text-emerald-700 dark:text-emerald-300 rounded">NEW in v2.16.0</span>
398+
399+
The `/api/events` endpoint provides a public HTTP API for tracking events from client-side code, external services, or any HTTP client. No authentication required for tracking; admin auth required for querying.
400+
401+
<Row>
402+
<Col>
403+
**Track a single event:**
404+
405+
**Request Body:**
406+
- `event` (required) - Event name
407+
- `category` - Event category (default: `general`)
408+
- `data` - Additional metadata object
409+
- `path` - Page URL path
410+
- `session_id` - Session identifier
411+
- `user_id` - User identifier
412+
</Col>
413+
<Col>
414+
<CodeGroup title="Track Single Event">
415+
416+
```bash
417+
curl -X POST 'https://your-app.workers.dev/api/events' \
418+
-H 'Content-Type: application/json' \
419+
-d '{
420+
"event": "button_click",
421+
"category": "ui",
422+
"data": { "button": "signup", "variant": "hero" },
423+
"path": "/pricing"
424+
}'
425+
```
426+
427+
</CodeGroup>
428+
429+
<CodeGroup title="Response">
430+
431+
```json
432+
{
433+
"success": true,
434+
"id": "evt_abc123"
435+
}
436+
```
437+
438+
</CodeGroup>
439+
</Col>
440+
</Row>
441+
442+
<Row>
443+
<Col>
444+
**Track batch events (up to 100):**
445+
446+
Send an array of events in a single request for better performance.
447+
</Col>
448+
<Col>
449+
<CodeGroup title="Batch Track">
450+
451+
```bash
452+
curl -X POST 'https://your-app.workers.dev/api/events' \
453+
-H 'Content-Type: application/json' \
454+
-d '[
455+
{ "event": "page_view", "path": "/home" },
456+
{ "event": "page_view", "path": "/about" },
457+
{ "event": "click", "category": "nav", "data": { "target": "pricing" } }
458+
]'
459+
```
460+
461+
</CodeGroup>
462+
463+
<CodeGroup title="Response">
464+
465+
```json
466+
{
467+
"success": true,
468+
"count": 3
469+
}
470+
```
471+
472+
</CodeGroup>
473+
</Col>
474+
</Row>
475+
476+
<Row>
477+
<Col>
478+
**Query events** (admin auth required):
479+
480+
**Query Parameters:**
481+
- `event` - Filter by event name
482+
- `category` - Filter by category
483+
- `limit` - Max results (default: 100)
484+
- `offset` - Pagination offset
485+
</Col>
486+
<Col>
487+
<CodeGroup title="Query Events">
488+
489+
```bash
490+
curl -X GET 'https://your-app.workers.dev/api/events?category=ui&limit=50' \
491+
-H 'Authorization: Bearer YOUR_TOKEN'
492+
```
493+
494+
</CodeGroup>
495+
</Col>
496+
</Row>
497+
498+
<Row>
499+
<Col>
500+
**Get event stats** (admin auth required):
501+
502+
Returns aggregated counts grouped by event name.
503+
</Col>
504+
<Col>
505+
<CodeGroup title="Event Stats">
506+
507+
```bash
508+
curl -X GET 'https://your-app.workers.dev/api/events/stats' \
509+
-H 'Authorization: Bearer YOUR_TOKEN'
510+
```
511+
512+
</CodeGroup>
513+
</Col>
514+
</Row>
515+
396516
---
397517

398518
## Analytics Service

www/src/app/security/page.mdx

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,8 @@ SonicJS enforces role-based permissions across all routes:
4747
### CSRF Protection
4848
- Signed double-submit cookie pattern on all state-changing endpoints
4949
- Automatic token generation and validation
50-
- Exempt: public read-only API endpoints
50+
- Exempt: safe methods (GET, HEAD, OPTIONS), auth routes, public form submissions, event tracking API, Stripe webhooks, and search API
51+
- Requests with `Authorization` header (Bearer token or API key) bypass CSRF — CSRF only applies to cookie-authenticated sessions
5152

5253
### CORS Configuration
5354
- Cross-origin requests restricted to explicitly allowed origins via `CORS_ORIGINS` environment variable
@@ -106,7 +107,7 @@ SonicJS includes a built-in **Security Audit Plugin** that provides security eve
106107

107108
### How Lockouts Work
108109

109-
When brute-force detection is enabled, the plugin uses Cloudflare KV for fast lockout state:
110+
When brute-force detection is enabled, the plugin uses Cloudflare KV for fast lockout state. If the `CACHE_KV` binding is not available, the brute-force detector gracefully degrades — all KV-dependent methods return safe defaults instead of crashing:
110111

111112
1. Each failed login increments counters for the IP and email address
112113
2. When an IP exceeds the threshold, it is locked and receives `429 Too Many Requests` on subsequent login attempts
@@ -139,6 +140,7 @@ All security audit data is available via authenticated admin API endpoints:
139140

140141
| Version | Date | Changes |
141142
|---------|------|---------|
143+
| v2.16.0 | Apr 2026 | BruteForceDetector KV resilience, CSRF exempt path expansion, Authorization header bypass for API clients |
142144
| v2.9.0 | Apr 2026 | RBAC enforcement on all admin routes |
143145
| v2.8.3 | Mar 2026 | SQL injection fix, XSS fixes (reflected + stored), PBKDF2 hashing, CSRF protection, rate limiting, CORS restrictions, security headers, JWT secret to env var |
144146
| v2.8.2 | Mar 2026 | Public form XSS sanitization, content API access restrictions |

0 commit comments

Comments
 (0)