fix: implement UTC-day-skipped analytics client rotation

Reuse clients across todaysand yesterday hashes, and rewrite yesterday matches
to today hash instead of introducing another identity column. This keeps the
identity model simple, preserves short-lived continuity across adjacent UTC
midnights, and still rotates a client once a UTC day was skipped.

Also move page-view dedup ahead of session updates so duplicate hits do not
inflate page_view_count, duration, or exit metrics. Add the migration to merge
duplicate clients, enforce unique (site_id, hash), and update tests/docs for the
new rotation strategy

Author: l-you

ANALYTICS.md

@@ -8,9 +8,11 @@ Server-generated visitor ID computed from minimized request signals:
 - Hash algorithm: truncated HMAC-SHA-256
 - Key derivation: site-scoped, daily key derived from a server secret
 - Inputs: internal site ID, truncated IP prefix, browser family, device class
-- Daily rotation: visitor ID changes every UTC day
+- UTC-day-skipped rotation: the server checks today's and yesterday's hash
+- Adjacent-day reuse: if only yesterday matches, the same client row is rewritten to today's hash
+- New client only after a full UTC day was skipped
 - No client-side storage or cookies
-- Same visitor receives consistent ID throughout the day
+- Same visitor receives a consistent ID within the day and across an adjacent UTC midnight
 - Country is not part of the visitor ID
 - The server secret helps reduce the impact of database-only leaks by making visitor IDs harder to recompute outside the app
 
@@ -28,6 +30,7 @@ Filters non-human traffic:
 Prevents duplicate counting:
 - 10-second deduplication window per visitor per page
 - Filters double-clicks, script reloads, same-path SPA updates within 10s
+- Duplicate hits are ignored before page-view counters or session exit metrics change
 - Ensures accurate page view metrics
 
 ## Query Parameters
@@ -56,7 +59,7 @@ Tracks browsing sessions:
 ## Privacy
 
 - No client-side cookies or persistent identifiers
-- Visitor IDs rotate daily
+- Visitor IDs use UTC-day-skipped rotation
 - Visitor IDs are derived server-side from minimized signals
 - Site-scoped keying prevents reuse across sites
 - Keyed visitor IDs reduce the value of database-only leaks

PRIVACY.md

@@ -14,7 +14,7 @@ Lovely Eye is self-hosted analytics. The site owner is the data controller. This
 
 ## Visitor Identifiers
 
-We derive a daily-rotating visitor identifier on the server. It is based on a keyed hash of site ID, truncated IP prefix, browser family, and device class. It changes every UTC day and is not a persistent identifier. This keyed approach helps reduce the impact of database-only leaks because the stored analytics rows do not include enough information to recompute the identifier on their own.
+We derive a keyed visitor identifier on the server from site ID, truncated IP prefix, browser family, and device class. The hash is computed per UTC day, but the server reuses the same client across `today` and `yesterday`; if only yesterday matches, that row is rewritten to today's hash. A new client is created only after a UTC day was skipped, so the identifier is still short-lived and not persistent. This keyed approach helps reduce the impact of database-only leaks because the stored analytics rows do not include enough information to recompute the identifier on their own.
 
 ## IP Addresses Under GDPR
 

README.md

@@ -7,7 +7,7 @@ Self-hosted web analytics with a Go backend and React dashboard. Built for low-r
 
 ## Features
 
-- **Privacy-first**: no analytics cookies, daily visitor ID rotation with a keyed server-side visitor ID
+- **Privacy-first**: no analytics cookies, keyed server-side visitor identity with UTC-day-skipped rotation
 - **Bot filtering**: excludes crawlers, scrapers, monitoring bots.
 - **Lightweight**: runtime consumes around ~15MB of RAM on AMD processor.
 - **SQLite and PostgreSQL** supported.
@@ -146,7 +146,7 @@ After you started your containers:
 
 Country tracking downloads the GeoIP database on demand when at least one site enables it. If the download fails, the dashboard will show the error in site settings.
 
-Analytics visitor identity is server-generated, rotates daily in UTC, and is derived from a keyed hash of site ID, truncated IP prefix, browser family, and device class. Country tracking is kept separate from visitor identity. The dedicated analytics identity secret helps reduce the impact of database-only leaks, because visitor IDs cannot be recomputed from stored analytics data alone.
+Analytics visitor identity is server-generated and derived from a keyed hash of site ID, truncated IP prefix, browser family, and device class. The hash is computed per UTC day, but the server reuses the same client across `today` and `yesterday`; if only yesterday matches, that row is rewritten to today's hash. Country tracking stays separate from visitor identity, sessions still expire after 30 minutes of inactivity, and the dedicated analytics identity secret helps reduce the impact of database-only leaks because visitor IDs cannot be recomputed from stored analytics data alone.
 
 ## Custom Events
 

server/CONTRIBUTING.md

@@ -29,8 +29,11 @@
 
 ## Analytics identity
 
-- Visitor identity is server-generated and rotates daily in UTC
+- Visitor identity is server-generated and uses UTC-day-skipped rotation
 - Identity is derived from a keyed hash of: site ID, truncated IP prefix (`/24` for IPv4, `/64` for IPv6), browser family, and device class
+- The server checks today's and yesterday's hash; if only yesterday matches, it rewrites that client row to today's hash
+- A new client is created only after a full UTC day was skipped
+- Sessions still use 30-minute inactivity
 - Country tracking stays separate from visitor identity and is only used for reporting when enabled
 - Set `ANALYTICS_IDENTITY_SECRET` to control the identity key explicitly
 - If `ANALYTICS_IDENTITY_SECRET` is unset, the server falls back to `JWT_SECRET`

server/e2e/README.md

@@ -6,4 +6,4 @@ No source code as test dependencies. Exceptions:
 - basic types/constants for data integrity
 - generated operations: `import operations "github.com/lovely-eye/server/e2e/generated"`
 
-Analytics e2e tests should use a fixed `ANALYTICS_IDENTITY_SECRET` so visitor identity stays deterministic across test runs.
+Analytics e2e tests should use a fixed `ANALYTICS_IDENTITY_SECRET` so visitor identity stays deterministic across test runs, including the UTC-day-skipped `today`/`yesterday` client reuse path.

server/internal/README.md

@@ -14,4 +14,4 @@ Modules:
 - `./models` - Domain models with [Bun](https://github.com/uptrace/bun) annotations. Defines User, Site, Client, Session, Event, and event definition entities.
 - `./repository` - Data access layer. Provides CRUD operations for all models using [Bun ORM](https://github.com/uptrace/bun).
 - `./server` - Application bootstrap and HTTP server setup. Wires all dependencies and configures routes.
-- `./services` - Business logic layer. Contains SiteService and AnalyticsService with domain operations, including pseudonymous visitor identity and session handling.
+- `./services` - Business logic layer. Contains SiteService and AnalyticsService with domain operations, including pseudonymous visitor identity with UTC-day-skipped rotation and 30-minute session handling.

server/internal/auth/README.md

@@ -29,7 +29,7 @@ No CSRF tokens needed. See [discussion](https://www.reddit.com/r/node/comments/1
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `JWT_SECRET` | generated at startup if empty | Secret key for signing tokens. Must be at least 32 characters when set. Set it explicitly in production if sessions should survive restarts. |
-| `ANALYTICS_IDENTITY_SECRET` | falls back to `JWT_SECRET` | Optional dedicated secret for analytics visitor identity. Must be at least 32 characters when set. Helps reduce the impact of database-only leaks by making visitor IDs harder to recompute. |
+| `ANALYTICS_IDENTITY_SECRET` | falls back to `JWT_SECRET` | Optional dedicated secret for analytics visitor identity. Must be at least 32 characters when set. Analytics uses it for the daily UTC hashes behind UTC-day-skipped rotation, and it helps reduce the impact of database-only leaks by making visitor IDs harder to recompute. |
 | `JWT_ACCESS_EXPIRY_MINUTES` | `15` | Access token lifetime in minutes |
 | `JWT_REFRESH_DAYS` | `7` | Refresh token lifetime in days |
 | `SECURE_COOKIES` | `true` | Set to `true` in production (requires HTTPS) |

server/internal/models/models.go

@@ -85,15 +85,16 @@ type Country struct {
 	Name string `bun:"name,notnull,type:varchar(128)" json:"name"`
 }
 
-// Client represents a pseudonymous visitor identity within the current rotation window.
-// Stores coarse client attributes used for analytics breakdowns.
+// Client represents a pseudonymous visitor identity resolved by UTC-day-skipped
+// rotation. The stored hash is a daily UTC key; matching yesterday rewrites the
+// same row to today's hash so continuity survives adjacent UTC-day boundaries.
 type Client struct {
 	bun.BaseModel `bun:"table:clients,alias:c"`
 
-	ID         int64  `bun:"id,pk,autoincrement" json:"id"`
-	SiteID     int64  `bun:"site_id,notnull" json:"site_id"`
-	Hash       string `bun:"hash,notnull,type:varchar(64)" json:"hash"` // Truncated HMAC-SHA-256 hex over site-scoped, minimized visitor signals
-	Country    string `bun:"country,type:varchar(2)" json:"country"`
+	ID         int64            `bun:"id,pk,autoincrement" json:"id"`
+	SiteID     int64            `bun:"site_id,notnull,unique:clients_site_id_hash" json:"site_id"`
+	Hash       string           `bun:"hash,notnull,type:varchar(64),unique:clients_site_id_hash" json:"hash"` // Truncated HMAC-SHA-256 hex over site-scoped daily UTC visitor signals
+	Country    string           `bun:"country,type:varchar(2)" json:"country"`
 	Device     ClientDevice     `bun:"device,notnull,default:0" json:"device"`
 	Browser    ClientBrowser    `bun:"browser,notnull,default:0" json:"browser"`
 	OS         ClientOS         `bun:"os,notnull,default:0" json:"os"`