toeverything / AFFiNE

There can be more than Notion and Miro. AFFiNE (pronounced [ə‘fain]) is a next-gen knowledge base that brings planning, sorting and creating all together. Privacy first, open-source, customizable and ready to use.
https://affine.pro

Disabling of third-party integrations for self-hosted deployments #6420

Open almereyda opened 8 months ago

almereyda commented 8 months ago

What happened?

When running the current Docker distribution, requests are made to third-party sources.

When telemetry is disabled in the user account, Mixpanel will become silent, even on the login form when logged out, but Cloudflare remains active.

In both cases we also see requests to:

This can be understood as a breach of privacy and could lead to illegal behaviour, esp. in the EU with regards to the GDPR.

Two resolution vectors offer themselves:

Distribution version

Linux

What browsers are you seeing the problem on if you're using web version?

No response

Are you self-hosting?

Relevant log output

```
POST /api/auth/sign-in?redirect_uri=https%3A%2F%2Fapp.affine.pro%2F HTTP/1.1
Host: localhost:3010
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: de,en-GB;q=0.8,fr;q=0.6,en;q=0.4,en-US;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:3010/
content-type: application/json
Content-Length: 50
Origin: http://localhost:3010
Connection: keep-alive
Cookie: JSESSIONID=1stz32knsdjvv1grovwo4nabgb; myaigent=0e8b44c680564edeb224fe5037db6b48; CSRF-Token-PF4SZ=kXofeD9pcZbQgNJvqEqqj3KaTgFmT6Ci; pagure_local_cookie=; cockpit=dj0yO2s9NzdmZWFlNDBmMDA2ZTg2ZDI1NTEyZmY5ZWZkNTJiMzQxOGU3OWQ4YTQ1ZDdmZWY1NWRjMGI4NWQ4YzNmMWM4MQ==; sessions=%7B%7D; PHPSESSID=d172e820064987f1fc70d65b22ae3786; session=.eJwdjlFrgzAURv_KyHMHSbRuE_ogGMFCIo5IuPelpDbFxvpiV-JS-t9n9_TBB-dwHuRwnt1tIPnPfHcbcricSP4gb0eSk0aLFE01gm5TmKpJ8S7iJBfg-wF1HZX_voKBRZp2q3wfYOoSqYsgtQhYwi_qgqtSXcHXoSkFlUZs5cvh60RFwVCPy8oHVUKqvKAqqguaLr4YGYsUp47KEtev8uj3Y2PUujhILdceCMAhRb_28XZHnhtyv7n5v5-w98w6e3L0Iztb9klZz3rOE2YpZ8cvZjNHnn8dj1Ah.FmaP8w.BEujifcEbjQpnfEn1rmYzVkuuKM; argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcmdvY2QiLCJzdWIiOiJhZG1pbjpsb2dpbiIsImV4cCI6MTY3Mzk1NTE5NywibmJmIjoxNjczODY4Nzk3LCJpYXQiOjE2NzM4Njg3OTcsImp0aSI6IjBiNmU2YTY4LTJlZjktNDU4Yy04MGZhLWUyOGRlZTdlODAwMSJ9.HIz-f9vi1PP06ANzzI9E3nm7IV4W6lCt7HgRx4RpUEk; alps_session=fGsYgf1CJNyoYQvGr7o3CiG8kXQBC7s-oTsh7-272dE=
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

POST /track/?verbose=1&ip=1&_=1711882453809 undefined
Host: api-js.mixpanel.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: de,en-GB;q=0.8,fr;q=0.6,en;q=0.4,en-US;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 2321
Origin: http://localhost:3010
Connection: keep-alive
Referer: http://localhost:3010/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

GET /cdn-cgi/challenge-platform/h/g/cmg/1/gPgxBmu7dknlu4yVXsBLaw0eWk%2B%2FWEsazG1n%2B18Du1w%3D HTTP/3
Host: challenges.cloudflare.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: image/avif,image/webp,*/*
Accept-Language: de,en-GB;q=0.8,fr;q=0.6,en;q=0.4,en-US;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/32m8u/1x00000000000000000000AA/auto/normal
Alt-Used: challenges.cloudflare.com
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
```

Anything else?

- [ ] Docker distribution is added to issue template as an option for choice. It is currently implied when checking the box for self-hosting.
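
An added example (not part of the original report or the AFFiNE code base): an audit script over a header dump in the shape shown under "Relevant log output", listing every request whose Host is not the self-hosted origin. The sample capture is constructed from the report with cookies and challenge tokens replaced by placeholders; `parse_requests` and `third_party_requests` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: same shape as the dump in the report (request line, then
# headers, requests run together). Cookies and tokens replaced by placeholders.
CAPTURE = """\
POST /api/auth/sign-in?redirect_uri=https%3A%2F%2Fapp.affine.pro%2F HTTP/1.1
Host: localhost:3010
Origin: http://localhost:3010
Sec-Fetch-Site: same-origin
POST /track/?verbose=1&ip=1&_=1711882453809 undefined
Host: api-js.mixpanel.com
Origin: http://localhost:3010
Referer: http://localhost:3010/
Sec-Fetch-Site: cross-site
GET /cdn-cgi/challenge-platform/h/g/cmg/1/placeholder HTTP/3
Host: challenges.cloudflare.com
Referer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/placeholder
Sec-Fetch-Site: same-origin
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+)")

def parse_requests(dump):
    """Split a run-together header dump into one dict per request."""
    requests = []
    for line in dump.splitlines():
        m = REQUEST_LINE.match(line)
        if m:  # a request line starts a new record
            requests.append({"method": m.group(1), "target": m.group(2), "headers": {}})
        elif requests and ":" in line:  # header line of the current record
            name, value = line.split(":", 1)
            requests[-1]["headers"][name.strip().lower()] = value.strip()
    return requests

def third_party_requests(dump, first_party):
    """Return (host, method, path, sec-fetch-site) for requests to hosts outside first_party."""
    findings = []
    for req in parse_requests(dump):
        host = req["headers"].get("host", "")
        if host and host not in first_party:
            findings.append((host, req["method"], urlsplit(req["target"]).path,
                             req["headers"].get("sec-fetch-site", "")))
    return findings

if __name__ == "__main__":
    for finding in third_party_requests(CAPTURE, {"localhost:3010"}):
        print(*finding)
```

The comparison is on Host rather than Sec-Fetch-Site because the Cloudflare request in the dump is issued from inside the challenge frame and is labelled same-origin, so a filter on cross-site alone would miss it.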

affine-issue-bot[bot] commented 8 months ago

Issue Status: 💡 Open

We want to implement the fix or feature in the near future. We can’t promise it will appear in the next public release, but it’s on our short list.

This is an automatic reply by the bot.

EYHN commented 8 months ago

almereyda commented 8 months ago

Thank you!

Sorry for having bothered you, if this was the case.

Upon review, I'm seeing there are more mentions of app.affine.pro in https://github.com/toeverything/AFFiNE/pull/6425/files#diff-34fa70f6f51a4276612515c7bf9671e64310d0fa1601ca6a41d6d510137747a9L31-L32

Should those be removed or made configurable, too?

JokerQyou commented 2 weeks ago

Despite #6424 already being merged, AFFiNE 0.17.0-nightly-2335e8a seems to ignore the TELEMTRY_ENABLE=false option. The frontend still sends requests to telemetry.affine.run.