Merge pull request #3294 from umami-software/analytics

v2.17.0
2025-12-06 01:18:00 +01:00 · 2025-03-07 21:23:42 -08:00 · 2025-03-07 21:23:42 -08:00 · 36c4645e5b
commit 36c4645e5b
parent 2e84fc62b1 97c687ff05
42 changed files with 395 additions and 114 deletions
--- a/.eslintrc.json
+++ b/.eslintrc.json
@ -3,6 +3,7 @@
    "browser": true,
    "es2020": true,
    "node": true,
+    "jquery": true,
    "jest": true
  },
  "parser": "@typescript-eslint/parser",
@ -14,6 +15,7 @@
    "sourceType": "module"
  },
  "extends": [
+    "plugin:@typescript-eslint/eslint-recommended",
    "plugin:@typescript-eslint/recommended",
    "eslint:recommended",
    "plugin:prettier/recommended",
@ -33,12 +35,14 @@
    "react/prop-types": "off",
    "import/no-anonymous-default-export": "off",
    "import/no-named-as-default": "off",
+    "css-modules/no-unused-class": "off",
    "@next/next/no-img-element": "off",
    "@typescript-eslint/no-empty-function": "off",
    "@typescript-eslint/no-explicit-any": "off",
    "@typescript-eslint/no-var-requires": "off",
    "@typescript-eslint/no-empty-interface": "off",
-    "@typescript-eslint/no-unused-vars": ["error", { "ignoreRestSiblings": true }]
+    "@typescript-eslint/no-unused-vars": ["error", { "ignoreRestSiblings": true }],
+    "@typescript-eslint/no-namespace": ["error", { "allowDeclarations": true }]
  },
  "globals": {
    "React": "writable"
--- a/cypress/e2e/api.cy.ts
+++ b/cypress/e2e/api.cy.ts
@ -0,0 +1,29 @@
+describe('Website tests', () => {
+  Cypress.session.clearAllSavedSessions();
+
+  beforeEach(() => {
+    cy.login(Cypress.env('umami_user'), Cypress.env('umami_password'));
+  });
+
+  //let userId;
+
+  it('creates a user.', () => {
+    cy.fixture('users').then(data => {
+      const userPost = data.userPost;
+      cy.request({
+        method: 'POST',
+        url: '/api/users',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: Cypress.env('authorization'),
+        },
+        body: userPost,
+      }).then(response => {
+        //userId = response.body.id;
+        expect(response.status).to.eq(200);
+        expect(response.body).to.have.property('username', 'cypress1');
+        expect(response.body).to.have.property('role', 'User');
+      });
+    });
+  });
+});
--- a/cypress/e2e/login.cy.ts
+++ b/cypress/e2e/login.cy.ts
@ -1,22 +1,36 @@
 describe('Login tests', () => {
+  beforeEach(() => {
+    cy.visit('/login');
+  });
+
  it(
    'logs user in with correct credentials and logs user out',
    {
      defaultCommandTimeout: 10000,
    },
    () => {
-      cy.visit('/login');
-      cy.getDataTest('input-username').find('input').click();
-      cy.getDataTest('input-username').find('input').type(Cypress.env('umami_user'), { delay: 50 });
-      cy.getDataTest('input-password').find('input').click();
+      cy.getDataTest('input-username').find('input').as('inputUsername').click();
+      cy.get('@inputUsername').type(Cypress.env('umami_user'), { delay: 0 });
+      cy.get('@inputUsername').click();
      cy.getDataTest('input-password')
        .find('input')
-        .type(Cypress.env('umami_password'), { delay: 50 });
+        .type(Cypress.env('umami_password'), { delay: 0 });
      cy.getDataTest('button-submit').click();
      cy.url().should('eq', Cypress.config().baseUrl + '/dashboard');
-      cy.getDataTest('button-profile').click();
-      cy.getDataTest('item-logout').click();
-      cy.url().should('eq', Cypress.config().baseUrl + '/login');
+      cy.logout();
    },
  );
+
+  it('login with blank inputs or incorrect credentials', () => {
+    cy.getDataTest('button-submit').click();
+    cy.contains(/Required/i).should('be.visible');
+
+    cy.getDataTest('input-username').find('input').as('inputUsername');
+    cy.get('@inputUsername').click();
+    cy.get('@inputUsername').type(Cypress.env('umami_user'), { delay: 0 });
+    cy.get('@inputUsername').click();
+    cy.getDataTest('input-password').find('input').type('wrongpassword', { delay: 0 });
+    cy.getDataTest('button-submit').click();
+    cy.contains(/Incorrect username and\/or password./i).should('be.visible');
+  });
 });
--- a/cypress/e2e/user.cy.ts
+++ b/cypress/e2e/user.cy.ts
@ -0,0 +1,65 @@
+describe('Website tests', () => {
+  Cypress.session.clearAllSavedSessions();
+
+  beforeEach(() => {
+    cy.login(Cypress.env('umami_user'), Cypress.env('umami_password'));
+    cy.visit('/settings/users');
+  });
+
+  it('Add a User', () => {
+    // add user
+    cy.contains(/Create user/i).should('be.visible');
+    cy.getDataTest('button-create-user').click();
+    cy.getDataTest('input-username').find('input').as('inputName').click();
+    cy.get('@inputName').type('Test-user', { delay: 0 });
+    cy.getDataTest('input-password').find('input').as('inputPassword').click();
+    cy.get('@inputPassword').type('testPasswordCypress', { delay: 0 });
+    cy.getDataTest('dropdown-role').click();
+    cy.getDataTest('dropdown-item-user').click();
+    cy.getDataTest('button-submit').click();
+    cy.get('td[label="Username"]').should('contain.text', 'Test-user');
+    cy.get('td[label="Role"]').should('contain.text', 'User');
+  });
+
+  it('Edit a User role and password', () => {
+    // edit user
+    cy.get('table tbody tr')
+      .contains('td', /Test-user/i)
+      .parent()
+      .within(() => {
+        cy.getDataTest('link-button-edit').click(); // Clicks the button inside the row
+      });
+    cy.getDataTest('input-password').find('input').as('inputPassword').click();
+    cy.get('@inputPassword').type('newPassword', { delay: 0 });
+    cy.getDataTest('dropdown-role').click();
+    cy.getDataTest('dropdown-item-viewOnly').click();
+    cy.getDataTest('button-submit').click();
+
+    cy.visit('/settings/users');
+    cy.get('table tbody tr')
+      .contains('td', /Test-user/i)
+      .parent()
+      .should('contain.text', 'View only');
+
+    cy.logout();
+    cy.url().should('eq', Cypress.config().baseUrl + '/login');
+    cy.getDataTest('input-username').find('input').as('inputUsername').click();
+    cy.get('@inputUsername').type('Test-user', { delay: 0 });
+    cy.get('@inputUsername').click();
+    cy.getDataTest('input-password').find('input').type('newPassword', { delay: 0 });
+    cy.getDataTest('button-submit').click();
+    cy.url().should('eq', Cypress.config().baseUrl + '/dashboard');
+  });
+
+  it('Delete a website', () => {
+    // delete user
+    cy.get('table tbody tr')
+      .contains('td', /Test-user/i)
+      .parent()
+      .within(() => {
+        cy.getDataTest('button-delete').click(); // Clicks the button inside the row
+      });
+    cy.contains(/Are you sure you want to delete Test-user?/i).should('be.visible');
+    cy.getDataTest('button-confirm').click();
+  });
+});
--- a/cypress/e2e/website.cy.ts
+++ b/cypress/e2e/website.cy.ts
@ -10,10 +10,10 @@ describe('Website tests', () => {
    cy.visit('/settings/websites');
    cy.getDataTest('button-website-add').click();
    cy.contains(/Add website/i).should('be.visible');
-    cy.getDataTest('input-name').find('input').click();
-    cy.getDataTest('input-name').find('input').type('Add test', { delay: 50 });
+    cy.getDataTest('input-name').find('input').as('inputUsername').click();
+    cy.getDataTest('input-name').find('input').type('Add test', { delay: 0 });
    cy.getDataTest('input-domain').find('input').click();
-    cy.getDataTest('input-domain').find('input').type('addtest.com', { delay: 50 });
+    cy.getDataTest('input-domain').find('input').type('addtest.com', { delay: 0 });
    cy.getDataTest('button-submit').click();
    cy.get('td[label="Name"]').should('contain.text', 'Add test');
    cy.get('td[label="Domain"]').should('contain.text', 'addtest.com');
@ -41,10 +41,10 @@ describe('Website tests', () => {
    cy.contains(/Details/i).should('be.visible');
    cy.getDataTest('input-name').find('input').click();
    cy.getDataTest('input-name').find('input').clear();
-    cy.getDataTest('input-name').find('input').type('Updated website', { delay: 50 });
+    cy.getDataTest('input-name').find('input').type('Updated website', { delay: 0 });
    cy.getDataTest('input-domain').find('input').click();
    cy.getDataTest('input-domain').find('input').clear();
-    cy.getDataTest('input-domain').find('input').type('updatedwebsite.com', { delay: 50 });
+    cy.getDataTest('input-domain').find('input').type('updatedwebsite.com', { delay: 0 });
    cy.getDataTest('button-submit').click({ force: true });
    cy.getDataTest('input-name').find('input').should('have.value', 'Updated website');
    cy.getDataTest('input-domain').find('input').should('have.value', 'updatedwebsite.com');
--- a/cypress/fixtures/users.json
+++ b/cypress/fixtures/users.json
@ -0,0 +1,17 @@
+{
+  "userGet": {
+    "name": "cypress",
+    "email": "password",
+    "role": "User"
+  },
+  "userPost": {
+    "username": "cypress1",
+    "password": "password",
+    "role": "User"
+  },
+  "userDelete": {
+    "name": "Charlie",
+    "email": "charlie@example.com",
+    "age": 35
+  }
+}
--- a/cypress/support/e2e.ts
+++ b/cypress/support/e2e.ts
@ -5,6 +5,12 @@ Cypress.Commands.add('getDataTest', (value: string) => {
  return cy.get(`[data-test=${value}]`);
 });

+Cypress.Commands.add('logout', () => {
+  cy.getDataTest('button-profile').click();
+  cy.getDataTest('item-logout').click();
+  cy.url().should('eq', Cypress.config().baseUrl + '/login');
+});
+
 Cypress.Commands.add('login', (username: string, password: string) => {
  cy.session([username, password], () => {
    cy.request({
--- a/cypress/support/index.d.ts
+++ b/cypress/support/index.d.ts
@ -1,4 +1,5 @@
 /// <reference types="cypress" />
+/* global JQuery */

 declare namespace Cypress {
  interface Chainable {
@ -7,6 +8,11 @@ declare namespace Cypress {
     * @example cy.getDataTest('greeting')
     */
    getDataTest(value: string): Chainable<JQuery<HTMLElement>>;
+    /**
+     * Custom command to logout through UI.
+     * @example cy.logout()
+     */
+    logout(): Chainable<JQuery<HTMLElement>>;
    /**
     * Custom command to login user into the app.
     * @example cy.login('admin', 'password)
--- a/next.config.js
+++ b/next.config.js
@ -59,15 +59,29 @@ const trackerHeaders = [
  },
 ];

+const apiHeaders = [
+  {
+    key: 'Access-Control-Allow-Origin',
+    value: '*'
+  },
+  {
+    key: 'Access-Control-Allow-Headers',
+    value: '*'
+  },
+  {
+    key: 'Access-Control-Allow-Methods',
+    value: 'GET, DELETE, POST, PUT'
+  },
+  {
+    key: 'Access-Control-Max-Age',
+    value: corsMaxAge || '86400'
+  },
+];
+
 const headers = [
  {
    source: '/api/:path*',
-    headers: [
-      { key: 'Access-Control-Allow-Origin', value: '*' },
-      { key: 'Access-Control-Allow-Headers', value: '*' },
-      { key: 'Access-Control-Allow-Methods', value: 'GET, DELETE, POST, PUT' },
-      { key: 'Access-Control-Max-Age', value: corsMaxAge || '86400' },
-    ],
+    headers: apiHeaders
  },
  {
    source: '/:path*',
@ -89,6 +103,11 @@ if (trackerScriptURL) {
 }

 if (collectApiEndpoint) {
+  headers.push({
+    source: collectApiEndpoint,
+    headers: apiHeaders,
+  });
+
  rewrites.push({
    source: collectApiEndpoint,
    destination: '/api/send',
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "umami",
-  "version": "2.16.1",
+  "version": "2.17.0",
  "description": "A simple, fast, privacy-focused alternative to Google Analytics.",
  "author": "Umami Software, Inc. <hello@umami.is>",
  "license": "MIT",
--- a/scripts/check-db.js
+++ b/scripts/check-db.js
@ -82,9 +82,11 @@ async function checkV1Tables() {
 }

 async function applyMigration() {
-  console.log(execSync('prisma migrate deploy').toString());
+  if (!process.env.SKIP_DB_MIGRATION) {
+    console.log(execSync('prisma migrate deploy').toString());

-  success('Database is up to date.');
+    success('Database is up to date.');
+  }
 }

 (async () => {
--- a/src/app/(main)/reports/ReportDeleteButton.tsx
+++ b/src/app/(main)/reports/ReportDeleteButton.tsx
@ -39,7 +39,9 @@ export function ReportDeleteButton({
      <Modal title={formatMessage(labels.deleteReport)}>
        {(close: () => void) => (
          <ConfirmationForm
-            message={formatMessage(messages.confirmDelete, { target: <b>{reportName}</b> })}
+            message={formatMessage(messages.confirmDelete, {
+              target: <b key={messages.confirmDelete.id}>{reportName}</b>,
+            })}
            isLoading={isPending}
            error={error}
            onConfirm={handleConfirm.bind(null, close)}
--- a/src/app/(main)/settings/teams/TeamLeaveForm.tsx
+++ b/src/app/(main)/settings/teams/TeamLeaveForm.tsx
@ -34,7 +34,9 @@ export function TeamLeaveForm({
  return (
    <ConfirmationForm
      buttonLabel={formatMessage(labels.leave)}
-      message={formatMessage(messages.confirmLeave, { target: <b>{teamName}</b> })}
+      message={formatMessage(messages.confirmLeave, {
+        target: <b key={messages.confirmLeave.id}>{teamName}</b>,
+      })}
      onConfirm={handleConfirm}
      onClose={onClose}
      isLoading={isPending}
--- a/src/app/(main)/settings/users/UserAddButton.tsx
+++ b/src/app/(main)/settings/users/UserAddButton.tsx
@ -15,7 +15,7 @@ export function UserAddButton({ onSave }: { onSave?: () => void }) {

  return (
    <ModalTrigger>
-      <Button variant="primary">
+      <Button data-test="button-create-user" variant="primary">
        <Icon>
          <Icons.Plus />
        </Icon>
--- a/src/app/(main)/settings/users/UserAddForm.tsx
+++ b/src/app/(main)/settings/users/UserAddForm.tsx
@ -12,6 +12,7 @@ import {
 } from 'react-basics';
 import { useApi, useMessages } from '@/components/hooks';
 import { ROLES } from '@/lib/constants';
+import { messages } from '@/components/messages';

 export function UserAddForm({ onSave, onClose }) {
  const { post, useMutation } = useApi();
@ -44,26 +45,43 @@ export function UserAddForm({ onSave, onClose }) {
  return (
    <Form onSubmit={handleSubmit} error={error}>
      <FormRow label={formatMessage(labels.username)}>
-        <FormInput name="username" rules={{ required: formatMessage(labels.required) }}>
+        <FormInput
+          data-test="input-username"
+          name="username"
+          rules={{ required: formatMessage(labels.required) }}
+        >
          <TextField autoComplete="new-username" />
        </FormInput>
      </FormRow>
      <FormRow label={formatMessage(labels.password)}>
-        <FormInput name="password" rules={{ required: formatMessage(labels.required) }}>
+        <FormInput
+          data-test="input-password"
+          name="password"
+          rules={{
+            required: formatMessage(labels.required),
+            minLength: { value: 8, message: formatMessage(messages.minPasswordLength, { n: 8 }) },
+          }}
+        >
          <PasswordField autoComplete="new-password" />
        </FormInput>
      </FormRow>
      <FormRow label={formatMessage(labels.role)}>
        <FormInput name="role" rules={{ required: formatMessage(labels.required) }}>
-          <Dropdown renderValue={renderValue}>
-            <Item key={ROLES.viewOnly}>{formatMessage(labels.viewOnly)}</Item>
-            <Item key={ROLES.user}>{formatMessage(labels.user)}</Item>
-            <Item key={ROLES.admin}>{formatMessage(labels.admin)}</Item>
+          <Dropdown data-test="dropdown-role" renderValue={renderValue}>
+            <Item data-test="dropdown-item-viewOnly" key={ROLES.viewOnly}>
+              {formatMessage(labels.viewOnly)}
+            </Item>
+            <Item data-test="dropdown-item-user" key={ROLES.user}>
+              {formatMessage(labels.user)}
+            </Item>
+            <Item data-test="dropdown-item-admin" key={ROLES.admin}>
+              {formatMessage(labels.admin)}
+            </Item>
          </Dropdown>
        </FormInput>
      </FormRow>
      <FormButtons flex>
-        <SubmitButton variant="primary" disabled={false}>
+        <SubmitButton data-test="button-submit" variant="primary" disabled={false}>
          {formatMessage(labels.save)}
        </SubmitButton>
        <Button disabled={isPending} onClick={onClose}>
--- a/src/app/(main)/settings/users/UserDeleteButton.tsx
+++ b/src/app/(main)/settings/users/UserDeleteButton.tsx
@ -16,7 +16,7 @@ export function UserDeleteButton({

  return (
    <ModalTrigger disabled={userId === user?.id}>
-      <Button disabled={userId === user?.id} variant="quiet">
+      <Button data-test="button-delete" disabled={userId === user?.id} variant="quiet">
        <Icon>
          <Icons.Trash />
        </Icon>
--- a/src/app/(main)/settings/users/UserDeleteForm.tsx
+++ b/src/app/(main)/settings/users/UserDeleteForm.tsx
@ -19,7 +19,9 @@ export function UserDeleteForm({ userId, username, onSave, onClose }) {

  return (
    <ConfirmationForm
-      message={formatMessage(messages.confirmDelete, { target: <b>{username}</b> })}
+      message={formatMessage(messages.confirmDelete, {
+        target: <b key={messages.confirmDelete.id}>{username}</b>,
+      })}
      onConfirm={handleConfirm}
      onClose={onClose}
      buttonLabel={formatMessage(labels.delete)}
--- a/src/app/(main)/settings/users/UsersTable.tsx
+++ b/src/app/(main)/settings/users/UsersTable.tsx
@ -44,7 +44,7 @@ export function UsersTable({
              <>
                <UserDeleteButton userId={id} username={username} />
                <LinkButton href={`/settings/users/${id}`}>
-                  <Icon>
+                  <Icon data-test="link-button-edit">
                    <Icons.Edit />
                  </Icon>
                  <Text>{formatMessage(labels.edit)}</Text>
--- a/src/app/(main)/settings/users/[userId]/UserEditForm.tsx
+++ b/src/app/(main)/settings/users/[userId]/UserEditForm.tsx
@ -62,6 +62,7 @@ export function UserEditForm({ userId, onSave }: { userId: string; onSave?: () =
      </FormRow>
      <FormRow label={formatMessage(labels.password)}>
        <FormInput
+          data-test="input-password"
          name="password"
          rules={{
            minLength: { value: 8, message: formatMessage(messages.minPasswordLength, { n: 8 }) },
@ -73,16 +74,24 @@ export function UserEditForm({ userId, onSave }: { userId: string; onSave?: () =
      {user.id !== login.id && (
        <FormRow label={formatMessage(labels.role)}>
          <FormInput name="role" rules={{ required: formatMessage(labels.required) }}>
-            <Dropdown renderValue={renderValue}>
-              <Item key={ROLES.viewOnly}>{formatMessage(labels.viewOnly)}</Item>
-              <Item key={ROLES.user}>{formatMessage(labels.user)}</Item>
-              <Item key={ROLES.admin}>{formatMessage(labels.admin)}</Item>
+            <Dropdown data-test="dropdown-role" renderValue={renderValue}>
+              <Item data-test="dropdown-item-viewOnly" key={ROLES.viewOnly}>
+                {formatMessage(labels.viewOnly)}
+              </Item>
+              <Item data-test="dropdown-item-user" key={ROLES.user}>
+                {formatMessage(labels.user)}
+              </Item>
+              <Item data-test="dropdown-item-admin" key={ROLES.admin}>
+                {formatMessage(labels.admin)}
+              </Item>
            </Dropdown>
          </FormInput>
        </FormRow>
      )}
      <FormButtons>
-        <SubmitButton variant="primary">{formatMessage(labels.save)}</SubmitButton>
+        <SubmitButton data-test="button-submit" variant="primary">
+          {formatMessage(labels.save)}
+        </SubmitButton>
      </FormButtons>
    </Form>
  );
--- a/src/app/(main)/teams/[teamId]/settings/members/TeamMemberRemoveButton.tsx
+++ b/src/app/(main)/teams/[teamId]/settings/members/TeamMemberRemoveButton.tsx
@ -43,7 +43,9 @@ export function TeamMemberRemoveButton({
      <Modal title={formatMessage(labels.removeMember)}>
        {(close: () => void) => (
          <ConfirmationForm
-            message={formatMessage(messages.confirmRemove, { target: <b>{userName}</b> })}
+            message={formatMessage(messages.confirmRemove, {
+              target: <b key={messages.confirmRemove.id}>{userName}</b>,
+            })}
            isLoading={isPending}
            error={error}
            onConfirm={handleConfirm.bind(null, close)}
--- a/src/app/(main)/websites/[websiteId]/realtime/RealtimeLog.tsx
+++ b/src/app/(main)/websites/[websiteId]/realtime/RealtimeLog.tsx
@ -71,9 +71,10 @@ export function RealtimeLog({ data }: { data: RealtimeData }) {

    if (__type === TYPE_EVENT) {
      return formatMessage(messages.eventLog, {
-        event: <b>{eventName || formatMessage(labels.unknown)}</b>,
+        event: <b key="b">{eventName || formatMessage(labels.unknown)}</b>,
        url: (
          <a
+            key="a"
            href={`//${website?.domain}${url}`}
            className={styles.link}
            target="_blank"
@ -100,10 +101,10 @@ export function RealtimeLog({ data }: { data: RealtimeData }) {

    if (__type === TYPE_SESSION) {
      return formatMessage(messages.visitorLog, {
-        country: <b>{countryNames[country] || formatMessage(labels.unknown)}</b>,
-        browser: <b>{BROWSERS[browser]}</b>,
-        os: <b>{OS_NAMES[os] || os}</b>,
-        device: <b>{formatMessage(labels[device] || labels.unknown)}</b>,
+        country: <b key="country">{countryNames[country] || formatMessage(labels.unknown)}</b>,
+        browser: <b key="browser">{BROWSERS[browser]}</b>,
+        os: <b key="os">{OS_NAMES[os] || os}</b>,
+        device: <b key="device">{formatMessage(labels[device] || labels.unknown)}</b>,
      });
    }
  };
--- a/src/app/(main)/websites/[websiteId]/sessions/SessionsWeekly.tsx
+++ b/src/app/(main)/websites/[websiteId]/sessions/SessionsWeekly.tsx
@ -62,10 +62,10 @@ export function SessionsWeekly({ websiteId }: { websiteId: string }) {
                <div className={styles.header}>
                  {format(getDayOfWeekAsDate(index), 'EEE', { locale: dateLocale })}
                </div>
-                {day?.map((hour: number) => {
+                {day?.map((hour: number, j) => {
                  const pct = hour / max;
                  return (
-                    <div key={hour} className={classNames(styles.cell)}>
+                    <div key={j} className={classNames(styles.cell)}>
                      {hour > 0 && (
                        <TooltipPopup
                          label={`${formatMessage(labels.visitors)}: ${hour}`}
--- a/src/app/api/auth/login/route.ts
+++ b/src/app/api/auth/login/route.ts
@ -26,7 +26,7 @@ export async function POST(request: Request) {
  const user = await getUserByUsername(username, { includePassword: true });

  if (!user || !checkPassword(password, user.password)) {
-    return unauthorized();
+    return unauthorized('message.incorrect-username-password');
  }

  const { id, role, createdAt } = user;
--- a/src/app/api/batch/route.ts
+++ b/src/app/api/batch/route.ts
@ -0,0 +1,39 @@
+import { z } from 'zod';
+import * as send from '@/app/api/send/route';
+import { parseRequest } from '@/lib/request';
+import { json, serverError } from '@/lib/response';
+
+const schema = z.array(z.object({}).passthrough());
+
+export async function POST(request: Request) {
+  try {
+    const { body, error } = await parseRequest(request, schema, { skipAuth: true });
+
+    if (error) {
+      return error();
+    }
+
+    const errors = [];
+
+    let index = 0;
+    for (const data of body) {
+      const newRequest = new Request(request, { body: JSON.stringify(data) });
+      const response = await send.POST(newRequest);
+
+      if (!response.ok) {
+        errors.push({ index, response: await response.json() });
+      }
+
+      index++;
+    }
+
+    return json({
+      size: body.length,
+      processed: body.length - errors.length,
+      errors: errors.length,
+      details: errors,
+    });
+  } catch (e) {
+    return serverError(e);
+  }
+}
--- a/src/app/api/reports/journey/route.ts
+++ b/src/app/api/reports/journey/route.ts
@ -9,8 +9,8 @@ export async function POST(request: Request) {
  const schema = z.object({
    ...reportParms,
    steps: z.coerce.number().min(3).max(7),
-    startStep: z.string(),
-    endStep: z.string(),
+    startStep: z.string().optional(),
+    endStep: z.string().optional(),
  });

  const { auth, body, error } = await parseRequest(request, schema);
--- a/src/app/api/send/route.ts
+++ b/src/app/api/send/route.ts
@ -1,31 +1,34 @@
 import { z } from 'zod';
 import { isbot } from 'isbot';
-import { createToken, parseToken } from '@/lib/jwt';
+import { startOfHour, startOfMonth } from 'date-fns';
 import clickhouse from '@/lib/clickhouse';
 import { parseRequest } from '@/lib/request';
 import { badRequest, json, forbidden, serverError } from '@/lib/response';
 import { fetchSession, fetchWebsite } from '@/lib/load';
 import { getClientInfo, hasBlockedIp } from '@/lib/detect';
-import { secret, uuid, visitSalt } from '@/lib/crypto';
-import { COLLECTION_TYPE, DOMAIN_REGEX } from '@/lib/constants';
+import { createToken, parseToken } from '@/lib/jwt';
+import { secret, uuid, hash } from '@/lib/crypto';
+import { COLLECTION_TYPE } from '@/lib/constants';
+import { anyObjectParam, urlOrPathParam } from '@/lib/schema';
+import { safeDecodeURI, safeDecodeURIComponent } from '@/lib/url';
 import { createSession, saveEvent, saveSessionData } from '@/queries';
-import { urlOrPathParam } from '@/lib/schema';

 const schema = z.object({
  type: z.enum(['event', 'identify']),
  payload: z.object({
    website: z.string().uuid(),
-    data: z.object({}).passthrough().optional(),
-    hostname: z.string().regex(DOMAIN_REGEX).max(100).optional(),
+    data: anyObjectParam.optional(),
+    hostname: z.string().max(100).optional(),
    language: z.string().max(35).optional(),
    referrer: urlOrPathParam.optional(),
    screen: z.string().max(11).optional(),
    title: z.string().optional(),
-    url: urlOrPathParam,
+    url: urlOrPathParam.optional(),
    name: z.string().max(50).optional(),
    tag: z.string().max(50).optional(),
    ip: z.string().ip().optional(),
    userAgent: z.string().optional(),
+    timestamp: z.coerce.number().int().optional(),
  }),
 });

@ -55,6 +58,7 @@ export async function POST(request: Request) {
      data,
      title,
      tag,
+      timestamp,
    } = payload;

    // Cache check
@ -87,7 +91,13 @@ export async function POST(request: Request) {
      return forbidden();
    }

-    const sessionId = uuid(websiteId, ip, userAgent);
+    const createdAt = timestamp ? new Date(timestamp * 1000) : new Date();
+    const now = Math.floor(new Date().getTime() / 1000);
+
+    const sessionSalt = hash(startOfMonth(createdAt).toUTCString());
+    const visitSalt = hash(startOfHour(createdAt).toUTCString());
+
+    const sessionId = uuid(websiteId, ip, userAgent, sessionSalt);

    // Find session
    if (!clickhouse.enabled && !cache?.sessionId) {
@ -119,13 +129,12 @@ export async function POST(request: Request) {
    }

    // Visit info
-    const now = Math.floor(new Date().getTime() / 1000);
-    let visitId = cache?.visitId || uuid(sessionId, visitSalt());
+    let visitId = cache?.visitId || uuid(sessionId, visitSalt);
    let iat = cache?.iat || now;

    // Expire visit after 30 minutes
-    if (now - iat > 1800) {
-      visitId = uuid(sessionId, visitSalt());
+    if (!timestamp && now - iat > 1800) {
+      visitId = uuid(sessionId, visitSalt);
      iat = now;
    }

@ -160,12 +169,12 @@ export async function POST(request: Request) {
        websiteId,
        sessionId,
        visitId,
-        urlPath,
+        urlPath: safeDecodeURI(urlPath),
        urlQuery,
-        referrerPath,
+        referrerPath: safeDecodeURI(referrerPath),
        referrerQuery,
        referrerDomain,
-        pageTitle: title,
+        pageTitle: safeDecodeURIComponent(title),
        eventName: name,
        eventData: data,
        hostname: hostname || urlDomain,
@ -179,6 +188,7 @@ export async function POST(request: Request) {
        subdivision2,
        city,
        tag,
+        createdAt,
      });
    }

@ -191,12 +201,13 @@ export async function POST(request: Request) {
        websiteId,
        sessionId,
        sessionData: data,
+        createdAt,
      });
    }

    const token = createToken({ websiteId, sessionId, visitId, iat }, secret());

-    return json({ cache: token });
+    return json({ cache: token, sessionId, visitId });
  } catch (e) {
    return serverError(e);
  }
--- a/src/app/api/users/[userId]/route.ts
+++ b/src/app/api/users/[userId]/route.ts
@ -1,9 +1,8 @@
-import { z } from 'zod';
-import { canUpdateUser, canViewUser, canDeleteUser } from '@/lib/auth';
-import { getUser, getUserByUsername, updateUser, deleteUser } from '@/queries';
-import { json, unauthorized, badRequest, ok } from '@/lib/response';
-import { hashPassword } from '@/lib/auth';
+import { canDeleteUser, canUpdateUser, canViewUser, hashPassword } from '@/lib/auth';
 import { parseRequest } from '@/lib/request';
+import { badRequest, json, ok, unauthorized } from '@/lib/response';
+import { deleteUser, getUser, getUserByUsername, updateUser } from '@/queries';
+import { z } from 'zod';

 export async function GET(request: Request, { params }: { params: Promise<{ userId: string }> }) {
  const { auth, error } = await parseRequest(request);
@ -26,7 +25,7 @@ export async function GET(request: Request, { params }: { params: Promise<{ user
 export async function POST(request: Request, { params }: { params: Promise<{ userId: string }> }) {
  const schema = z.object({
    username: z.string().max(255),
-    password: z.string().max(255),
+    password: z.string().max(255).optional(),
    role: z.string().regex(/admin|user|view-only/i),
  });

--- a/src/app/api/users/route.ts
+++ b/src/app/api/users/route.ts
@ -8,6 +8,7 @@ import { createUser, getUserByUsername } from '@/queries';

 export async function POST(request: Request) {
  const schema = z.object({
+    id: z.string().uuid().optional(),
    username: z.string().max(255),
    password: z.string(),
    role: z.string().regex(/admin|user|view-only/i),
@ -23,7 +24,7 @@ export async function POST(request: Request) {
    return unauthorized();
  }

-  const { username, password, role } = body;
+  const { id, username, password, role } = body;

  const existingUser = await getUserByUsername(username, { showDeleted: true });

@ -32,7 +33,7 @@ export async function POST(request: Request) {
  }

  const user = await createUser({
-    id: uuid(),
+    id: id || uuid(),
    username,
    password: hashPassword(password),
    role: role ?? ROLES.user,
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@ -23,7 +23,7 @@ export default function ({ children }) {
        <meta name="theme-color" content="#2f2f2f" media="(prefers-color-scheme: dark)" />
        <meta name="robots" content="noindex,nofollow" />
      </head>
-      <body>
+      <body suppressHydrationWarning>
        <Providers>{children}</Providers>
      </body>
    </html>
--- a/src/app/login/LoginForm.tsx
+++ b/src/app/login/LoginForm.tsx
@ -16,7 +16,7 @@ import Logo from '@/assets/logo.svg';
 import styles from './LoginForm.module.css';

 export function LoginForm() {
-  const { formatMessage, labels } = useMessages();
+  const { formatMessage, labels, getMessage } = useMessages();
  const router = useRouter();
  const { post, useMutation } = useApi();
  const { mutate, error, isPending } = useMutation({
@ -40,7 +40,7 @@ export function LoginForm() {
        <Logo />
      </Icon>
      <div className={styles.title}>umami</div>
-      <Form className={styles.form} onSubmit={handleSubmit} error={error}>
+      <Form className={styles.form} onSubmit={handleSubmit} error={getMessage(error)}>
        <FormRow label={formatMessage(labels.username)}>
          <FormInput
            data-test="input-username"
--- a/src/components/common/ConfirmationForm.tsx
+++ b/src/components/common/ConfirmationForm.tsx
@ -27,7 +27,12 @@ export function ConfirmationForm({
    <Form error={error}>
      <p>{message}</p>
      <FormButtons flex>
-        <LoadingButton isLoading={isLoading} onClick={onConfirm} variant={buttonVariant}>
+        <LoadingButton
+          data-test="button-confirm"
+          isLoading={isLoading}
+          onClick={onConfirm}
+          variant={buttonVariant}
+        >
          {buttonLabel || formatMessage(labels.ok)}
        </LoadingButton>
        <Button onClick={onClose}>{formatMessage(labels.cancel)}</Button>
--- a/src/components/common/TypeConfirmationForm.tsx
+++ b/src/components/common/TypeConfirmationForm.tsx
@ -35,7 +35,9 @@ export function TypeConfirmationForm({
  return (
    <Form onSubmit={onConfirm} error={error}>
      <p>
-        {formatMessage(messages.actionConfirmation, { confirmation: <b>{confirmationValue}</b> })}
+        {formatMessage(messages.actionConfirmation, {
+          confirmation: <b key={messages.actionConfirmation.id}>{confirmationValue}</b>,
+        })}
      </p>
      <FormRow label={formatMessage(labels.confirm)}>
        <FormInput name="confirm" rules={{ validate: value => value === confirmationValue }}>
--- a/src/components/metrics/ReferrersTable.tsx
+++ b/src/components/metrics/ReferrersTable.tsx
@ -69,11 +69,10 @@ export function ReferrersTable({ allowFilter, ...props }: ReferrersTableProps) {
          if (!groups[domain]) {
            groups[domain] = 0;
          }
-          groups[domain] += y;
-        } else {
-          groups._other += y;
+          groups[domain] += +y;
        }
      }
+      groups._other += +y;
    }

    return Object.keys(groups)
--- a/src/lib/constants.ts
+++ b/src/lib/constants.ts
@ -397,6 +397,14 @@ export const PAID_AD_PARAMS = [
  'epik=',
  'ttclid=',
  'scid=',
+  'aid=',
+  'pc_id=',
+  'ad_id=',
+  'rdt_cid=',
+  'ob_click_id=',
+  'utm_medium=cpc',
+  'utm_medium=paid',
+  'utm_medium=paid_social',
 ];

 export const GROUPED_DOMAINS = [
--- a/src/lib/crypto.ts
+++ b/src/lib/crypto.ts
@ -1,5 +1,4 @@
 import crypto from 'crypto';
-import { startOfHour, startOfMonth } from 'date-fns';
 import prand from 'pure-rand';
 import { v4, v5 } from 'uuid';

@ -77,20 +76,8 @@ export function secret() {
  return hash(process.env.APP_SECRET || process.env.DATABASE_URL);
 }

-export function salt() {
-  const ROTATING_SALT = hash(startOfMonth(new Date()).toUTCString());
-
-  return hash(secret(), ROTATING_SALT);
-}
-
-export function visitSalt() {
-  const ROTATING_SALT = hash(startOfHour(new Date()).toUTCString());
-
-  return hash(secret(), ROTATING_SALT);
-}
-
 export function uuid(...args: any) {
  if (!args.length) return v4();

-  return v5(hash(...args, salt()), v5.DNS);
+  return v5(hash(...args, secret()), v5.DNS);
 }
--- a/src/lib/prisma.ts
+++ b/src/lib/prisma.ts
@ -192,7 +192,9 @@ async function parseFilters(
  options: QueryOptions = {},
 ) {
  const website = await fetchWebsite(websiteId);
-  const joinSession = Object.keys(filters).find(key => SESSION_COLUMNS.includes(key));
+  const joinSession = Object.keys(filters).find(key =>
+    ['referrer', ...SESSION_COLUMNS].includes(key),
+  );

  return {
    joinSession:
--- a/src/lib/request.ts
+++ b/src/lib/request.ts
@ -1,4 +1,4 @@
-import { ZodObject } from 'zod';
+import { z, ZodSchema } from 'zod';
 import { FILTER_COLUMNS } from '@/lib/constants';
 import { badRequest, unauthorized } from '@/lib/response';
 import { getAllowedUnits, getMinimumUnit } from '@/lib/date';
@ -15,7 +15,7 @@ export async function getJsonBody(request: Request) {

 export async function parseRequest(
  request: Request,
-  schema?: ZodObject<any>,
+  schema?: ZodSchema,
  options?: { skipAuth: boolean },
 ): Promise<any> {
  const url = new URL(request.url);
@ -24,12 +24,21 @@ export async function parseRequest(
  let error: () => void | undefined;
  let auth = null;

+  const getErrorMessages = (error: z.ZodError) => {
+    return Object.entries(error.format())
+      .map(([key, value]) => {
+        const messages = (value as any)._errors;
+        return messages ? `${key}: ${messages.join(', ')}` : null;
+      })
+      .filter(Boolean);
+  };
+
  if (schema) {
    const isGet = request.method === 'GET';
    const result = schema.safeParse(isGet ? query : body);

    if (!result.success) {
-      error = () => badRequest(result.error);
+      error = () => badRequest(getErrorMessages(result.error));
    } else if (isGet) {
      query = result.data;
    } else {
--- a/src/lib/schema.ts
+++ b/src/lib/schema.ts
@ -36,6 +36,8 @@ export const unitParam = z.string().refine(value => UNIT_TYPES.includes(value),

 export const roleParam = z.enum(['team-member', 'team-view-only', 'team-manager']);

+export const anyObjectParam = z.object({}).passthrough();
+
 export const urlOrPathParam = z.string().refine(
  value => {
    try {
--- a/src/queries/sql/events/saveEvent.ts
+++ b/src/queries/sql/events/saveEvent.ts
@ -29,6 +29,7 @@ export async function saveEvent(args: {
  subdivision2?: string;
  city?: string;
  tag?: string;
+  createdAt?: Date;
 }) {
  return runQuery({
    [PRISMA]: () => relationalQuery(args),
@ -49,6 +50,7 @@ async function relationalQuery(data: {
  eventName?: string;
  eventData?: any;
  tag?: string;
+  createdAt?: Date;
 }) {
  const {
    websiteId,
@ -63,6 +65,7 @@ async function relationalQuery(data: {
    eventData,
    pageTitle,
    tag,
+    createdAt,
  } = data;
  const websiteEventId = uuid();

@ -81,6 +84,7 @@ async function relationalQuery(data: {
      eventType: eventName ? EVENT_TYPE.customEvent : EVENT_TYPE.pageView,
      eventName: eventName ? eventName?.substring(0, EVENT_NAME_LENGTH) : null,
      tag,
+      createdAt,
    },
  });

@ -92,6 +96,7 @@ async function relationalQuery(data: {
      urlPath: urlPath?.substring(0, URL_LENGTH),
      eventName: eventName?.substring(0, EVENT_NAME_LENGTH),
      eventData,
+      createdAt,
    });
  }

@ -121,6 +126,7 @@ async function clickhouseQuery(data: {
  subdivision2?: string;
  city?: string;
  tag?: string;
+  createdAt?: Date;
 }) {
  const {
    websiteId,
@ -139,12 +145,12 @@ async function clickhouseQuery(data: {
    subdivision2,
    city,
    tag,
+    createdAt,
    ...args
  } = data;
  const { insert, getUTCString } = clickhouse;
  const { sendMessage } = kafka;
  const eventId = uuid();
-  const createdAt = getUTCString();

  const message = {
    ...args,
@ -170,7 +176,7 @@ async function clickhouseQuery(data: {
    event_type: eventName ? EVENT_TYPE.customEvent : EVENT_TYPE.pageView,
    event_name: eventName ? eventName?.substring(0, EVENT_NAME_LENGTH) : null,
    tag: tag,
-    created_at: createdAt,
+    created_at: getUTCString(createdAt),
  };

  if (kafka.enabled) {
--- a/src/queries/sql/events/saveEventData.ts
+++ b/src/queries/sql/events/saveEventData.ts
@ -15,7 +15,7 @@ export async function saveEventData(data: {
  urlPath?: string;
  eventName?: string;
  eventData: DynamicData;
-  createdAt?: string;
+  createdAt?: Date;
 }) {
  return runQuery({
    [PRISMA]: () => relationalQuery(data),
@ -27,8 +27,9 @@ async function relationalQuery(data: {
  websiteId: string;
  eventId: string;
  eventData: DynamicData;
+  createdAt?: Date;
 }): Promise<Prisma.BatchPayload> {
-  const { websiteId, eventId, eventData } = data;
+  const { websiteId, eventId, eventData, createdAt } = data;

  const jsonKeys = flattenJSON(eventData);

@ -42,6 +43,7 @@ async function relationalQuery(data: {
    numberValue: a.dataType === DATA_TYPE.number ? a.value : null,
    dateValue: a.dataType === DATA_TYPE.date ? new Date(a.value) : null,
    dataType: a.dataType,
+    createdAt,
  }));

  return prisma.client.eventData.createMany({
@ -56,7 +58,7 @@ async function clickhouseQuery(data: {
  urlPath?: string;
  eventName?: string;
  eventData: DynamicData;
-  createdAt?: string;
+  createdAt?: Date;
 }) {
  const { websiteId, sessionId, eventId, urlPath, eventName, eventData, createdAt } = data;

@ -77,7 +79,7 @@ async function clickhouseQuery(data: {
      string_value: getStringValue(value, dataType),
      number_value: dataType === DATA_TYPE.number ? value : null,
      date_value: dataType === DATA_TYPE.date ? getUTCString(value) : null,
-      created_at: createdAt,
+      created_at: getUTCString(createdAt),
    };
  });

--- a/src/queries/sql/sessions/saveSessionData.ts
+++ b/src/queries/sql/sessions/saveSessionData.ts
@ -11,6 +11,7 @@ export async function saveSessionData(data: {
  websiteId: string;
  sessionId: string;
  sessionData: DynamicData;
+  createdAt?: Date;
 }) {
  return runQuery({
    [PRISMA]: () => relationalQuery(data),
@ -22,9 +23,10 @@ export async function relationalQuery(data: {
  websiteId: string;
  sessionId: string;
  sessionData: DynamicData;
+  createdAt?: Date;
 }) {
  const { client } = prisma;
-  const { websiteId, sessionId, sessionData } = data;
+  const { websiteId, sessionId, sessionData, createdAt } = data;

  const jsonKeys = flattenJSON(sessionData);

@ -37,6 +39,7 @@ export async function relationalQuery(data: {
    numberValue: a.dataType === DATA_TYPE.number ? a.value : null,
    dateValue: a.dataType === DATA_TYPE.date ? new Date(a.value) : null,
    dataType: a.dataType,
+    createdAt,
  }));

  const existing = await client.sessionData.findMany({
@ -77,12 +80,12 @@ async function clickhouseQuery(data: {
  websiteId: string;
  sessionId: string;
  sessionData: DynamicData;
+  createdAt?: Date;
 }) {
-  const { websiteId, sessionId, sessionData } = data;
+  const { websiteId, sessionId, sessionData, createdAt } = data;

  const { insert, getUTCString } = clickhouse;
  const { sendMessage } = kafka;
-  const createdAt = getUTCString();

  const jsonKeys = flattenJSON(sessionData);

@ -95,7 +98,7 @@ async function clickhouseQuery(data: {
      string_value: getStringValue(value, dataType),
      number_value: dataType === DATA_TYPE.number ? value : null,
      date_value: dataType === DATA_TYPE.date ? getUTCString(value) : null,
-      created_at: createdAt,
+      created_at: getUTCString(createdAt),
    };
  });

--- a/src/tracker/index.js
+++ b/src/tracker/index.js
@ -1,11 +1,12 @@
 (window => {
  const {
    screen: { width, height },
-    navigator: { language },
+    navigator: { language, doNotTrack: ndnt, msDoNotTrack: msdnt },
    location,
    document,
    history,
    top,
+    doNotTrack,
  } = window;
  const { hostname, href, origin } = location;
  const { currentScript, referrer } = document;
@ -21,6 +22,7 @@
  const hostUrl = attr(_data + 'host-url');
  const tag = attr(_data + 'tag');
  const autoTrack = attr(_data + 'auto-track') !== _false;
+  const dnt = attr(_data + 'do-not-track') === _true;
  const excludeSearch = attr(_data + 'exclude-search') === _true;
  const excludeHash = attr(_data + 'exclude-hash') === _true;
  const domain = attr(_data + 'domains') || '';
@ -46,6 +48,11 @@
    tag: tag ? tag : undefined,
  });

+  const hasDoNotTrack = () => {
+    const dnt = doNotTrack || ndnt || msdnt;
+    return dnt === 1 || dnt === '1' || dnt === 'yes';
+  };
+
  /* Event handlers */

  const handlePush = (state, title, url) => {
@ -182,7 +189,8 @@
    disabled ||
    !website ||
    (localStorage && localStorage.getItem('umami.disabled')) ||
-    (domain && !domains.includes(hostname));
+    (domain && !domains.includes(hostname)) ||
+    (dnt && hasDoNotTrack());

  const send = async (payload, type = 'event') => {
    if (trackingDisabled()) return;