Fix #2167, don't login until absolutely necessary, and allow submissi…

…on POST /event with a non-signed non-cookie deviceId

server/src/server.js

@@ -426,7 +426,10 @@ app.post("/event", function (req, res) {
   if (typeof bodyObj !== "object") {
     throw new Error(`Got unexpected req.body type: ${typeof bodyObj}`);
   }
-  hashUserId(req.deviceId).then((userUuid) => {
+  // We allow clients to signal events with a deviceId even if they haven't logged in yet,
+  // by putting deviceId into the request body:
+  let deviceId = req.deviceId || bodyObj.deviceId;
+  hashUserId(deviceId).then((userUuid) => {
     let userAnalytics = ua(config.gaId, userUuid.toString(), {strictCidFormat: false});
     if (config.debugGoogleAnalytics) {
       userAnalytics = userAnalytics.debug();

webextension/background/analytics.js

@@ -1,4 +1,4 @@
-/* globals main */
+/* globals main, auth */
 
 window.analytics = (function () {
   let exports = {};
@@ -16,6 +16,7 @@ window.analytics = (function () {
     };
     // FIXME: add cdX and other details from req.js
     req.send(JSON.stringify({
+      deviceId: auth.getDeviceId(),
       event: eventCategory,
       action,
       label

webextension/background/auth.js

@@ -12,7 +12,6 @@ window.auth = (function () {
   chrome.storage.local.get(["registrationInfo"], (result) => {
     if (result.registrationInfo) {
       registrationInfo = result.registrationInfo;
-      login();
     } else {
       registrationInfo = generateRegistrationInfo();
       chrome.storage.local.set({
@@ -21,10 +20,13 @@ window.auth = (function () {
         console.info("Device authentication saved");
       });
       console.info("Generating new device authentication ID", registrationInfo);
-      register();
     }
   });
 
+  exports.getDeviceId = function () {
+    return registrationInfo && registrationInfo.deviceId;
+  };
+
   function generateRegistrationInfo() {
     let info = {
       deviceId: "anon" + makeUuid() + "",