/**
 * User Behavior Tracking (Silent)
 *
 * Fire-and-forget endpoint for frontend event tracking.
 * No auth required — records events from both anonymous and authenticated users.
 */

import { Router, Request, Response } from 'express';
import rateLimit from 'express-rate-limit';
import pool from '../db';
import { getAuthPayloadFromRequest } from '../middleware/auth';

const router = Router();

// Throttle settings for the tracking routes: at most 100 requests per
// one-minute window for each client key.
const RATE_WINDOW_MS = 60 * 1000;
const RATE_MAX_REQUESTS = 100;

// No keyGenerator is supplied, so express-rate-limit falls back to its default
// client key (the request IP). NOTE(review): behind a reverse proxy that value
// depends on the app's `trust proxy` setting, which is configured outside this
// file; confirm it, otherwise all clients may share one bucket.
// Both rate-limit header families are disabled, so responses do not advertise
// the quota to the caller.
const behaviorLimiter = rateLimit({
  max: RATE_MAX_REQUESTS,
  windowMs: RATE_WINDOW_MS,
  legacyHeaders: false,
  standardHeaders: false,
});

// Mounted router-wide, ahead of the route handlers registered below.
router.use(behaviorLimiter);

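// POST /api/behavior/track
//
// Best-effort ingestion of a batch of frontend events. The route is
// unauthenticated, so everything in the request body is untrusted input:
//   - values reach SQL only as bound parameters, never by interpolation
//     (only the generated `$n` placeholders are spliced into the statement);
//   - at most 20 events per request are stored, the rest are dropped;
//   - entries that are not objects are skipped instead of aborting the batch;
//   - the identity taken from the auth token, when present, always wins over
//     a `user_id` supplied inside an event.
// The response is always 200 `{ ok: true }`, including on failure, so tracking
// can never break the calling page.
router.post('/track', async (req: Request, res: Response) => {
  try {
    // Optional chaining covers a request that arrives without a parsed body.
    const events: unknown = req.body?.events;
    if (!Array.isArray(events) || events.length === 0) {
      res.status(200).json({ ok: true }); // Silently accept empty or malformed payloads
      return;
    }

    // Identity from the token, if the request carries one.
    const authPayload = await getAuthPayloadFromRequest(req);
    const userId = authPayload?.userId || null;

    // NOTE(review): req.ip is the real client address only if `trust proxy`
    // matches the deployment; that setting lives outside this file, so confirm.
    const ip = req.ip || req.socket.remoteAddress || null;
    const userAgent = req.headers['user-agent'] || null;

    // Only strings and numbers are forwarded for the scalar columns. Objects
    // and arrays from the client are replaced by null instead of being handed
    // to the database driver for implicit serialisation.
    const scalarOrNull = (value: unknown): string | number | null => {
      if (typeof value === 'string' || typeof value === 'number') {
        return value || null;
      }
      return null;
    };

    // Batch insert (max 20 events per request)
    const values: unknown[] = [];
    const placeholders: string[] = [];
    let idx = 1;

    for (const evt of events.slice(0, 20)) {
      // A null or primitive entry would otherwise throw on property access and
      // discard the whole batch through the catch block below.
      if (typeof evt !== 'object' || evt === null) {
        continue;
      }

      const claimedUserId =
        typeof evt.user_id === 'string' && evt.user_id.trim().length > 0
          ? evt.user_id.trim()
          : null;

      placeholders.push(
        `($${idx}, $${idx + 1}, $${idx + 2}, $${idx + 3}, $${idx + 4}, $${idx + 5})`
      );
      values.push(
        // The verified identity must not be overridable from the request body.
        // NOTE(review): for anonymous requests the client-claimed id is still
        // stored and is unverified; do not rely on this column for attribution
        // or access decisions unless the token was present.
        userId ?? claimedUserId,
        scalarOrNull(evt.session_id),
        scalarOrNull(evt.event_type) ?? 'unknown',
        // NOTE(review): the size of event_data is bounded only by whatever
        // body-size limit the JSON parser applies upstream (not visible here).
        // event_type, event_data and user_agent are attacker-controlled text;
        // anything that later renders them must escape them.
        evt.event_data ? JSON.stringify(evt.event_data) : null,
        ip,
        userAgent
      );
      idx += 6;
    }

    if (placeholders.length > 0) {
      await pool.query(
        `INSERT INTO rm_user_behavior (user_id, session_id, event_type, event_data, ip_address, user_agent)
         VALUES ${placeholders.join(', ')}`,
        values
      );
    }

    res.status(200).json({ ok: true });
  } catch (err) {
    // Never fail — behavior tracking is non-critical
    console.error('Behavior track error:', err);
    res.status(200).json({ ok: true });
  }
});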

export default router;
