hard-coded URLs

[JohnnyJayJay]

The source code for this app contains hard references to your personal domain androz2091.fr in a bunch of places. This introduces a big problem: Even when hosted privately, the app makes requests to your resources. This should not happen, because that makes it impossible to truly "self"-host an instance of this app. Furthermore, this is - in my opinion - a big privacy issue, especially since there doesn't seem to be a privacy policy (depending on what the analytics part of the app does, this may actually be illegal).

There should be no hard references to any private URL in the source code. If some external service is inevitably required somewhere, it should be made configurable.

[Androz2091]

Hello, Indeed two private domains are called when using the app:

• analytics.androz2091.fr. This is an app called Umami, which is an open source analytics server that counts page views and visitors. So not any data from your package is sent to it and this is not required - feel free to remove the line from the index.html file 👍

• diswho.androz2091.fr. This is an important app which is, again, open source. You can self-host it, even if it's pretty hard (because you will probably need a google captcha key). This is only used to resolve user IDs from your data package to user objects (used for the top dms leaderboard). Again, nothing is stored in the server and your requests are anonymous.

This may not be the best solutions and I am open to other suggestions to reduce the usage to external services, to make the app as independent as possible. (maybe by adding an input to users can specify a bot token that can be used to resolve the user IDs without diswho... ?)

[JohnnyJayJay]

To be clear, I'm not suggesting any parts of the app were made in bad faith. It's a privacy issue as soon as external services are used in a way that isn't transparent enough, not just when you actually grab personal data. It's apparent from the source code and request monitoring that this doesn't happen here :smile:

Thank you for the explanations. Here are my 2 cents regarding a possible solution:

• Make analytics configurable (for other domains) or at least opt-in via a configuration or environment variable (this shouldn't be too hard to add)
• The second service seems crucial to the core functionality of the app, so it's fair to keep this as a requirement. A way to improve this could be:
  • Require users (hosting the app) to set an address for the diswho instance to use (again via a config or an env variable)
  • Make it possible to not use captchas when hosting diswho (since it's not required for personal or limited scale use)
• Finally, and possibly most importantly: you should check what legal notices you need to include for your public instance. I can almost guarantee that you need a privacy policy and especially under GDPR (I take it you're French) the law is very strict. I'm not a legal expert though, so I can't really help with any specifics in this area.