fix: docs

Author: izadoesdev

apps/api/src/index.ts

@@ -1,5 +1,3 @@
-const UNAUTHORIZED_RE = /unauthorized/i;
-const FORBIDDEN_RE = /forbidden/i;
 import './polyfills/compression';
 import { auth } from '@databuddy/auth';
 import { appRouter, createTRPCContext } from '@databuddy/rpc';
@@ -57,54 +55,6 @@ const app = new Elysia()
 		const errorMessage = error instanceof Error ? error.message : String(error);
 		logger.error(errorMessage, { error });
 
-		if (
-			error instanceof Error &&
-			(UNAUTHORIZED_RE.test(error.message) || error.message === 'Unauthorized')
-		) {
-			return new Response(
-				JSON.stringify({
-					success: false,
-					error: 'Authentication required',
-					code: 'AUTH_REQUIRED',
-				}),
-				{
-					status: 401,
-					headers: { 'Content-Type': 'application/json' },
-				}
-			);
-		}
-
-		if (
-			error instanceof Error &&
-			(FORBIDDEN_RE.test(error.message) || error.message === 'Forbidden')
-		) {
-			return new Response(
-				JSON.stringify({
-					success: false,
-					error: 'Insufficient permissions',
-					code: 'FORBIDDEN',
-				}),
-				{
-					status: 403,
-					headers: { 'Content-Type': 'application/json' },
-				}
-			);
-		}
-
-		if (error instanceof Error && error.message === 'Website not found') {
-			return new Response(
-				JSON.stringify({
-					success: false,
-					error: 'Website not found',
-					code: 'NOT_FOUND',
-				}),
-				{
-					status: 404,
-					headers: { 'Content-Type': 'application/json' },
-				}
-			);
-		}
-
 		return new Response(
 			JSON.stringify({
 				success: false,

apps/api/src/middleware/website-auth.ts

@@ -13,71 +13,29 @@ function json(status: number, body: unknown) {
 export function websiteAuth() {
 	return new Elysia()
 		.onRequest(async ({ request }) => {
-			const url = new URL(request.url);
-			const websiteId = url.searchParams.get('website_id');
-
-			const apiKeySecret = request.headers.get('x-api-key');
-			const apiKey = apiKeySecret
-				? await getApiKeyFromHeader(request.headers)
-				: null;
-
-			const session = await auth.api.getSession({ headers: request.headers });
-			const hasSession = Boolean(session?.user);
-
-			// No website_id: require either session or valid API key
-			if (!websiteId) {
-				if (hasSession || apiKey) {
-					return;
-				}
-				return json(401, {
-					success: false,
-					error: 'Authentication required',
-					code: 'AUTH_REQUIRED',
-				});
-			}
-
-			const website = await getCachedWebsite(websiteId);
-			if (!website) {
-				return json(404, {
-					success: false,
-					error: 'Website not found',
-					code: 'NOT_FOUND',
-				});
-			}
-
-			if (website.isPublic) {
+			if (isPreflight(request)) {
 				return;
 			}
 
-			// Private website: allow if session exists OR key has read:data for website
-			if (hasSession) {
-				return;
+			const debug = shouldDebug();
+			const rid = Math.random().toString(36).slice(2, 8);
+			if (debug) {
+				console.time(`websiteAuth:${rid}`);
 			}
 
-			if (!apiKeySecret) {
-				return json(401, {
-					success: false,
-					error: 'Authentication required',
-					code: 'AUTH_REQUIRED',
-				});
-			}
+			const url = new URL(request.url);
+			const websiteId = url.searchParams.get('website_id');
+			const { sessionUser, apiKey, apiKeyPresent } =
+				await getAuthContext(request);
 
-			if (!apiKey) {
-				return json(401, {
-					success: false,
-					error: 'Invalid or expired API key',
-					code: 'AUTH_REQUIRED',
-				});
-			}
+			const outcome = websiteId
+				? await checkWebsiteAuth(websiteId, sessionUser, apiKey, apiKeyPresent)
+				: checkNoWebsiteAuth(sessionUser, apiKey);
 
-			const canRead = await hasWebsiteScope(apiKey, websiteId, 'read:data');
-			if (!canRead) {
-				return json(403, {
-					success: false,
-					error: 'Insufficient permissions',
-					code: 'FORBIDDEN',
-				});
+			if (debug) {
+				console.timeEnd(`websiteAuth:${rid}`);
 			}
+			return outcome;
 		})
 		.derive(async ({ request }) => {
 			const url = new URL(request.url);
@@ -95,3 +53,80 @@ export function websiteAuth() {
 			} as const;
 		});
 }
+
+function isPreflight(request: Request): boolean {
+	return request.method === 'OPTIONS' || request.method === 'HEAD';
+}
+
+function shouldDebug(): boolean {
+	return process.env.NODE_ENV === 'development';
+}
+
+async function getAuthContext(request: Request) {
+	const apiKeyPresent = request.headers.get('x-api-key') != null;
+	const apiKey = apiKeyPresent
+		? await getApiKeyFromHeader(request.headers)
+		: null;
+	const session = await auth.api.getSession({ headers: request.headers });
+	const sessionUser = session?.user ?? null;
+	return { sessionUser, apiKey, apiKeyPresent } as const;
+}
+
+function checkNoWebsiteAuth(
+	sessionUser: unknown,
+	apiKey: unknown
+): Response | null {
+	if (sessionUser || apiKey) {
+		return null;
+	}
+	return json(401, {
+		success: false,
+		error: 'Authentication required',
+		code: 'AUTH_REQUIRED',
+	});
+}
+
+async function checkWebsiteAuth(
+	websiteId: string,
+	sessionUser: unknown,
+	apiKey: Parameters<typeof hasWebsiteScope>[0] | null,
+	apiKeyPresent: boolean
+): Promise<Response | null> {
+	const website = await getCachedWebsite(websiteId);
+	if (!website) {
+		return json(404, {
+			success: false,
+			error: 'Website not found',
+			code: 'NOT_FOUND',
+		});
+	}
+	if (website.isPublic) {
+		return null;
+	}
+	if (sessionUser) {
+		return null;
+	}
+	if (!apiKeyPresent) {
+		return json(401, {
+			success: false,
+			error: 'Authentication required',
+			code: 'AUTH_REQUIRED',
+		});
+	}
+	if (!apiKey) {
+		return json(401, {
+			success: false,
+			error: 'Invalid or expired API key',
+			code: 'AUTH_REQUIRED',
+		});
+	}
+	const ok = await hasWebsiteScope(apiKey, websiteId, 'read:data');
+	if (!ok) {
+		return json(403, {
+			success: false,
+			error: 'Insufficient permissions',
+			code: 'FORBIDDEN',
+		});
+	}
+	return null;
+}

apps/docs/content/docs/Integrations/framer.mdx

@@ -7,18 +7,27 @@ description: Add privacy-first analytics to your Framer site
 
 Databuddy enables you to gather privacy-first analytics on user behavior, capture custom events, track performance metrics, and more within your Framer site - all while maintaining GDPR compliance without cookies.
 
+> TL;DR: Paste the inline loader below into Framer → Site Settings → General → Custom Code (Start of <head> tag). Replace `YOUR_CLIENT_ID` with your client ID. Publish, then check the dashboard.
+
 ## How to Add Databuddy to Framer
 
 ### 1. Get Your Tracking Script
 
 Navigate to your [Databuddy dashboard](https://app.databuddy.cc) and copy your tracking code snippet:
 
 ```html
-<script
-  src="https://cdn.databuddy.cc/databuddy.js"
-  data-site-id="YOUR_SITE_ID"
-  async
-></script>
+<script>
+  (function () {
+    var script = document.createElement("script");
+    script.async = true;
+    script.src = "https://cdn.databuddy.cc/databuddy.js";
+    script.setAttribute("data-client-id", "YOUR_CLIENT_ID");
+    script.setAttribute("data-track-screen-views", "true");
+    script.setAttribute("data-track-attributes", "true");
+    script.setAttribute("data-track-errors", "true");
+    document.head.appendChild(script);
+  })();
+</script>
 ```
 
 ### 2. Add the Script to Your Framer Project
@@ -46,9 +55,7 @@ Track custom interactions in your Framer components using data attributes:
 
 ```html
 <!-- Track button clicks -->
-<button data-track="cta_clicked" data-button-type="primary">
-  Get Started
-</button>
+<button data-track="cta_clicked" data-button-type="primary">Get Started</button>
 
 <!-- Track form submissions -->
 <form data-track="newsletter_signup" data-form-location="header">
@@ -61,13 +68,19 @@ Track custom interactions in your Framer components using data attributes:
 Enable performance tracking by updating your script configuration:
 
 ```html
-<script
-  src="https://cdn.databuddy.cc/databuddy.js"
-  data-site-id="YOUR_SITE_ID"
-  data-track-performance="true"
-  data-track-web-vitals="true"
-  async
-></script>
+<script>
+  (function () {
+    var script = document.createElement("script");
+    script.async = true;
+    script.src = "https://cdn.databuddy.cc/databuddy.js";
+    script.setAttribute("data-client-id", "YOUR_CLIENT_ID");
+    script.setAttribute("data-track-screen-views", "true");
+    script.setAttribute("data-track-performance", "true");
+    script.setAttribute("data-track-web-vitals", "true");
+    script.setAttribute("data-track-errors", "true");
+    document.head.appendChild(script);
+  })();
+</script>
 ```
 
 ## Benefits for Framer Sites
@@ -98,4 +111,4 @@ If analytics data isn't showing:
 3. Ensure you're viewing the correct date range
 4. Try visiting your site in an incognito window
 
-Need help? Contact our support team at [[email protected]](mailto:[email protected]). 
+Need help? Contact our support team at [[email protected]](mailto:[email protected]).