dashboard telemetry are sent to app.posthog.com regardless of user consent #3609

Closed
gberche-orange opened this issue Apr 4, 2023 · 10 comments
Labels: bug 🐛 Something is not working as should be

@gberche-orange
Contributor

gberche-orange commented Apr 4, 2023

Describe the bug

The dashboard seems to be sending analytics to app.posthog.com even before the user accepts the cookies

We use cookies to understand how users interact with Testkube by collecting and reporting information anonymously

Even after denying the cookies, posts to app.posthog.com are made.

To Reproduce
Steps to reproduce the behavior:

  1. Open the dashboard in a private window with browser tools
  2. don't yet accept nor decline cookies
  3. look at requests made to app.posthog.com
  4. deny cookies
  5. look at requests still made to app.posthog.com

posthog-4

Expected behavior

According to #2550

PostHog is only initialised if the user accepts the cookies

The analytics should therefore likely not be sent to app.posthog.com prior to the user giving consent by accepting cookies, nor after the user denying cookies

Also, providing more transparency to users as to what information is shared would be useful. The current requests made to PostHog are currently hard to reason about for users, appearing as black box data sending

Here is a curl capture from Firefox requests
curl 'https://app.posthog.com/s/?compression=gzip-js&ip=1&_=1680620339336&ver=1.51.5' -X POST -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: */*' -H 'Accept-Language: en-US,fr-FR;q=0.8,fr;q=0.5,en;q=0.3' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: text/plain' -H 'Origin: https://testkube-ui.domain.org' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: https://testkube-ui.domain.org/' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: cross-site' -H 'TE: trailers' --data-raw $'\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03\xed\x93[k\x021\x10\x85\xffK\xf0q\x17&\x9b\xeb\xees\xa1\x08\xa5T\xe9SK\x91\x98K\x8d\xe2f\xdd\xc4Z\x91\xfe\xf7Fz\x11\x8aB}\xf1\xc9\xd733\x87a\xbe9\xcf;d\xdfl\x9bP\x83\x06\xb1U]\x9c\x85\x84\n\xd4\xf5\xa1\xb3}\xf26\xa2fw\xa8L\x8cJj\xaf\xa4mgQC\n\xf4#\xc4\xb0\xee\xf5\x97\xe4\rjj"\x0b\xf4\x8e\x1a(\xd0\x165\x98V\x1f\x05J~icR\xcb.\x0b\\\x02\xaf\x80\x10N\x19\xe4\xd2 \xda\x18}h\'\xfbY\x84\xa5\xa0ZW\x0e8\xc5S]\x02\xc5\xa2\xa65&\x15\x01\xc9K\xcd\x04\xa3UUb\xa7(@yhf\x98\x11\x95w\x1fl|k\xc2\xe6\xaf\x17\x17SZ\x82\xd5ZM\x05\xb55c\xce\xc8\xd3f\xaa6"{\xa5\xb0\xb0m\xb6\xe9fzr3\x1f\xbd\x1a\xeeW\x0fr\xd5\xcfF\xf7\xdc\xcd\x17\xeb[\xfb8\\\x00P\x1d\xfc\xcdx94\xd3\xa7\xbbq\x08\041O\x1a\x1f\x93ou\xfa]\x03\xa8U\x8e2\xcbjU\x02a\x005vN\x0bE\xd8\x91-\xbe\x9b\x1d3\x04\xe5\xfb\x04\xe7\xa2\xcd\x8c*)\xf3\xb9.\x81L\xd2S\xc4\x18\xad\xaf\xc4\xfeOL\xc8\xfc\xfb\x17\x09\xd9>HG\x89\xf1k\xc6\xce\041\xc6%\xbe\x0c\xb1\x93\xc0\xc4\x15\xd89\xc0X\x8e\xd8\xcb\'\x8dK\xd5)\xc9\x06\x00\x00'

curl 'https://app.posthog.com/s/?compression=gzip-js&ip=1&_=1680620345340&ver=1.51.5' -X POST -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: */*' -H 'Accept-Language: en-US,fr-FR;q=0.8,fr;q=0.5,en;q=0.3' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: text/plain' -H 'Origin: https://testkube-ui.domain.org' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: https://testkube-ui.domain.org/' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: cross-site' -H 'TE: trailers' --data-raw $'\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03\xed\x92\xcbK\x031\x10\xc6\xff\x97\xd0\xe3.L6\x93dw\xcf\x82\x08\xe2\x0bO\x8a\x944\x0f\x1bK7k\x13_H\xffw\xa7\xf8(J{\xf0\xe2\xc9[\xf8\xe6\xf7}\x99d\xe6\xfa\x95\xf9G?\x14\xd6\xb3I\x1e\xcc\x98\xe7\xa9\xb0\x8a\x8d\xab4\xfaU\x89>\xb3\xfeu[\x99:S\xccF)/\xa3g\xbd\xa8\xd8\xa7\x90\xd3\xc3\xca\x92\xc4\xc9\x9br,1\rd\xa5\xf4g\xd6+\xa1*\xf6\xc2zT\xb2b\xd1\x11\x84\x9a\x94\x12\x97\xfe4\x84\xec\xe9rX\xdf\xac\xdf\x95\\\xccr$D\xb5\xa0\x1a\x10\x88\x8dn\xa84\xc9>g\n\x9dn\xfc\x8c\xb7\x1a\xadm\x02(\xe43[\x03r\xdda\xc7E#\xa0U\xb5\x95Zb\xd3\xd4<\x18\x04\xa8\xb7\xb0\xe4R\x18z\xdd\xe4)\x0e.=\xfd\xccRz\x865xk\xcdL\xa3\xef\xa4\x0c\xae\xdd\x1ff:\xa7)\xab\xa4\x85\x1f(f\x9c\xdb\xe9\xc1\xdd\xf9\xadS\xf1\xfe\xac\xbd_\xcd\xcfOT\xb8[<\x1c\xfa\xcb\xa3\x05\x00\xda\x14\x0f.\x96Gnvu|\x91R"\xa7\x8b\xb9\xc4\xc1\x96\xaf6\x00\xbd\x09(\xbd\xecL\rB\x02t<\x04\xab\x8d\x90;\xba\xf8\x80\x83t\x82\xd1\xff\xa4\x8f\x8f\xe4\xa0\xf4\xba\xfa\x8b\xa1b\xf3>TM\xd5\xddC\xadQt\x9b^6\xb4\xa2X\xa2%t\x9ftK\xa7o\xb4h\xf5\xfe-\xd0\xff[\xf0\x8b-\x90J\xado\xde\x00\xb2?\x88\xdb\xdb\x03\x00\x00'

Version / Cluster

  • Which testkube version? helm chart version 1.10.101
  • What Kubernetes cluster? (e.g. GKE, EKS, Openshift etc, local KinD, local Minikube)
  • What Kubernetes version?

@gberche-orange gberche-orange changed the title dashboard telemetry are sent to app.posthog.com before user giving consent dashboard telemetry are sent to app.posthog.com regardless of user consent Apr 4, 2023
@rangoo94 rangoo94 self-assigned this Apr 4, 2023
@rangoo94
Member

rangoo94 commented Apr 5, 2023

Hi @gberche-orange, thank you for the report!

The fix is waiting for review, so it will soon be merged and should be available with the next release. It will fully disable tracking when you either haven't accepted the tracking on the dashboard, or the TestKube instance has disabled telemetry.

Our tracking is set for 2 reasons:

We plan to prepare the document that will cover the tracking details in testkube#3615.

As I see, the curl examples you've sent in the ticket have compression=gzip-js parameter, so you have to decompress it with gunzip:

kubeshop:dawid ~ % echo $'\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03\xed\x92\xcbK\x031\x10\xc6\xff\x97\xd0\xe3.L6\x93dw\xcf\x82\x08\xe2\x0bO\x8a\x944\x0f\x1bK7k\x13_H\xffw\xa7\xf8(J{\xf0\xe2\xc9[\xf8\xe6\xf7}\x99d\xe6\xfa\x95\xf9G?\x14\xd6\xb3I\x1e\xcc\x98\xe7\xa9\xb0\x8a\x8d\xab4\xfaU\x89>\xb3\xfeu[\x99:S\xccF)/\xa3g\xbd\xa8\xd8\xa7\x90\xd3\xc3\xca\x92\xc4\xc9\x9br,1\rd\xa5\xf4g\xd6+\xa1*\xf6\xc2zT\xb2b\xd1\x11\x84\x9a\x94\x12\x97\xfe4\x84\xec\xe9rX\xdf\xac\xdf\x95\\\xccr$D\xb5\xa0\x1a\x10\x88\x8dn\xa84\xc9>g\n\x9dn\xfc\x8c\xb7\x1a\xadm\x02(\xe43[\x03r\xdda\xc7E#\xa0U\xb5\x95Zb\xd3\xd4<\x18\x04\xa8\xb7\xb0\xe4R\x18z\xdd\xe4)\x0e.=\xfd\xccRz\x865xk\xcdL\xa3\xef\xa4\x0c\xae\xdd\x1ff:\xa7)\xab\xa4\x85\x1f(f\x9c\xdb\xe9\xc1\xdd\xf9\xadS\xf1\xfe\xac\xbd_\xcd\xcfOT\xb8[<\x1c\xfa\xcb\xa3\x05\x00\xda\x14\x0f.\x96Gnvu|\x91R"\xa7\x8b\xb9\xc4\xc1\x96\xaf6\x00\xbd\x09(\xbd\xecL\rB\x02t<\x04\xab\x8d\x90;\xba\xf8\x80\x83t\x82\xd1\xff\xa4\x8f\x8f\xe4\xa0\xf4\xba\xfa\x8b\xa1b\xf3>TM\xd5\xddC\xadQt\x9b^6\xb4\xa2X\xa2%t\x9ftK\xa7o\xb4h\xf5\xfe-\xd0\xff[\xf0\x8b-\x90J\xado\xde\x00\xb2?\x88\xdb\xdb\x03\x00\x00' | gunzip | jq
gunzip: (stdin): trailing garbage ignored
[
  {
    "event": "$snapshot",
    "properties": {
      "$snapshot_data": {
        "type": 3,
        "data": {
          "source": 1,
          "positions": [
            {
              "x": 636,
              "y": 465,
              "id": 1476,
              "timeOffset": 0
            }
          ]
        },
        "timestamp": 1680620344272
      },
      "$session_id": "1874cc2f0641bc-04179491323086-c575422-1fa400-1874cc2f065153a",
      "$window_id": "1874cc2f0667b4-0eccab74e955fd8-c575422-1fa400-1874cc2f06a9d7",
      "token": "phc_DjQgd6iqP8qrhQN6fjkuGeTIk004coiDRmIdbZLRooo",
      "distinct_id": "18704eaf45e59a-0350091ffc7a35-c575422-1fa400-18704eaf45f5d3"
    },
    "offset": 1067
  },
  {
    "event": "$snapshot",
    "properties": {
      "$snapshot_data": {
        "type": 3,
        "data": {
          "source": 1,
          "positions": [
            {
              "x": 642,
              "y": 471,
              "id": 1476,
              "timeOffset": -439
            },
            {
              "x": 663,
              "y": 509,
              "id": 1489,
              "timeOffset": -387
            }
          ]
        },
        "timestamp": 1680620344772
      },
      "$session_id": "1874cc2f0641bc-04179491323086-c575422-1fa400-1874cc2f065153a",
      "$window_id": "1874cc2f0667b4-0eccab74e955fd8-c575422-1fa400-1874cc2f06a9d7",
      "token": "phc_DjQgd6iqP8qrhQN6fjkuGeTIk004coiDRmIdbZLRooo",
      "distinct_id": "18704eaf45e59a-0350091ffc7a35-c575422-1fa400-18704eaf45f5d3"
    },
    "offset": 566
  }
]
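
An added example (not part of the original thread or of the Testkube code): a Python version of the `gunzip | jq` step above that tolerates the trailing bytes gunzip warned about and summarises which event names and identifier properties a captured `compression=gzip-js` body carries. The sample body is constructed, and the identifier key list is an assumption taken from the decoded output shown in the comment above.

```python
import gzip
import json
import zlib
from collections import Counter

# Assumption: property names treated as identifiers, from the decoded output in this thread.
ID_KEYS = ("distinct_id", "$session_id", "$window_id", "token")


def decode_capture_body(body: bytes):
    """Gunzip one captured request body; return (events, trailing_byte_count)."""
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip header and trailer
    raw = d.decompress(body) + d.flush()
    if not d.eof:
        raise ValueError("truncated gzip stream")
    events = json.loads(raw)
    if isinstance(events, dict):  # accept a single event as well as a batch
        events = [events]
    return events, len(d.unused_data)  # unused_data = bytes after the gzip stream


def summarise(events):
    """Count event names, list identifier keys present, count pointer samples."""
    names = Counter(e.get("event", "?") for e in events)
    props = [e.get("properties", {}) for e in events]
    ids = sorted({k for p in props for k in p if k in ID_KEYS})
    samples = sum(
        len(p.get("$snapshot_data", {}).get("data", {}).get("positions", []))
        for p in props
    )
    return {"events": dict(names), "identifiers": ids, "pointer_samples": samples}


def constructed_sample() -> bytes:
    """Constructed body shaped like the decoded output above, plus a trailing newline."""
    def snap(points):
        data = {"source": 1, "positions": [{"x": 1, "y": 2, "id": 3, "timeOffset": 0}] * points}
        return {"event": "$snapshot", "offset": 1,
                "properties": {"$snapshot_data": {"type": 3, "data": data},
                               "$session_id": "constructed-session",
                               "$window_id": "constructed-window",
                               "token": "constructed-token",
                               "distinct_id": "constructed-user"}}
    return gzip.compress(json.dumps([snap(1), snap(2)]).encode()) + b"\n"


if __name__ == "__main__":
    events, trailing = decode_capture_body(constructed_sample())
    print(summarise(events), "trailing bytes:", trailing)
```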

@rangoo94
Member

rangoo94 commented Apr 5, 2023

The fix has been merged into main, so it should be available in the next release.

@gberche-orange
Contributor Author

thanks a lot @rangoo94 !

I tried to test but I'm currently blocked by kubeshop/helm-charts#453

@gberche-orange
Contributor Author

@rangoo94 , unfortunately while testing with helm chart version 1.10.321, I only observed the situation got worse:

  • the consent overlay disappears immediately without user action (click or keyboard)
  • telemetry is still sent regardless of user consent

kube-consent-disappear

@rangoo94
Member

rangoo94 commented Apr 7, 2023

Hi @gberche-orange, sorry, looks like the front end was not updated with the 1.10.321 version. Please try the latest 1.10.337 version.

As for the video, I believe that most likely you have telemetry disabled on the cluster, and the frontend shows the cookie notice until it has received information from the backend that it shouldn't. The network calls were because of this previous bug, which was fixed in the newest version.

@gberche-orange
Contributor Author

Thanks @rangoo94

With version 1.10.337, and telemetry disabled from the cli, I'm properly observing the telemetry calls are not sent to the upstream services, and the consent overlay is disabled early on.

However, it seems to me that when I'm enabling the telemetry from the cli, the front-end is still not sending telemetry calls, nor displaying the user consent overlay.

kube-consent-disappear-2

I properly see the following front-end call to https://testkube-api.mydomain.org/results/v1/config with response

{"id":"","clusterId":"clusterb418fa91c9eb41032e413ec63f2310a3","enableTelemetry":true}

I'm testing this on firefox 102.9.0esr (64-bit) on windows.

@rangoo94
Member

rangoo94 commented Apr 11, 2023

@gberche-orange, thanks for reporting, and sorry, that was actually a newly introduced bug. The cookies banner wasn't displayed, so it didn't track anything without consent. The fix has landed in main, and is available in the latest 1.10.369 helm chart version.

@gberche-orange
Contributor Author

Thanks @rangoo94. I'm away from desk for 10 days, I'll test and report back on my return.

@rangoo94
Member

Hi @gberche-orange, did you have a chance to test if it works fine for you?

@gberche-orange
Contributor Author

@rangoo94 sorry for the late response, with version 1.11.210, the telemetry opt-in and opt-out from cli work as expected during the user scenario of user consenting and user rejecting consent.

Thanks for the fixes!
