posthog-js
Autocapture tracks the response URL from OpenId redirect, including Auth Code
I am assessing Posthog for use in my organisation, and in playing with the AutoCapture functionality have found an issue which may be a security issue when using AutoCapture.
When authenticating using an OpenId/Oauth2 Auth Code flow you are redirected back to the application with a URL like: myapp.com/callback-oidc?code=SOME_SECRET_VALUE
By default this entire URL is tracked as a PageView event.
While Auth Codes are typically very short lived, it would be a bad practice to leak them into an analytics tool, and also makes the URL unique which hurts the ability to aggregate page views later. Perhaps there is a bigger piece around shifting query-params into event properties, which would fix both issues and allow the existing blacklist option to remove auth codes?
Apologies if this is already a solved problem, I couldn't find anything related in Issues, and am finding the docs a little light on manipulating captured events. A cursory read of the source makes me think there's no capability to filter (beyond the blacklist option) or mutate events, built into this library?
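One way to scrub the authorization code out of the URL before it is attached to an event, as an added example that is not part of the original issue or of posthog-js: the `$current_url` and `$referrer` property names, and the parameters listed beyond `code`, are assumptions.

```javascript
// Added example: redact OAuth/OIDC parameters from a URL before it reaches
// an analytics event. Not code from the issue author or from posthog-js.

// Query parameters that carry secrets or per-login values. `code` is the
// authorization code from the issue; the other names are assumptions about
// what commonly appears on OAuth/OIDC callback URLs.
const SENSITIVE_QUERY_PARAMS = new Set(["code", "state", "id_token", "access_token"]);

// Return `urlString` with sensitive query parameters replaced by "REDACTED",
// so the page view still groups under one URL without carrying the secret.
// The fragment is dropped too, since implicit-flow tokens are delivered there.
// Relative URLs are handled by parsing against a placeholder base.
function redactAuthParams(urlString) {
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(urlString);
  let url;
  try {
    url = new URL(urlString, isAbsolute ? undefined : "http://placeholder.invalid");
  } catch (_err) {
    return urlString; // unparseable input is left untouched
  }
  for (const name of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_QUERY_PARAMS.has(name.toLowerCase())) {
      url.searchParams.set(name, "REDACTED");
    }
  }
  url.hash = "";
  return isAbsolute ? url.toString() : url.pathname + url.search;
}

// Apply the redaction to the URL-bearing properties of a captured event.
// `$current_url` and `$referrer` are assumed to be the property names the
// library attaches to page views; other properties pass through unchanged.
function sanitizeEventProperties(properties) {
  const out = { ...properties };
  for (const key of ["$current_url", "$referrer"]) {
    if (typeof out[key] === "string") out[key] = redactAuthParams(out[key]);
  }
  return out;
}

// Constructed sample event mirroring the callback URL from the issue.
const sampleEvent = {
  $current_url: "https://myapp.com/callback-oidc?code=SOME_SECRET_VALUE&state=abc123",
  $referrer: "https://idp.example/authorize",
  $pathname: "/callback-oidc",
};
console.log(sanitizeEventProperties(sampleEvent).$current_url);
// → https://myapp.com/callback-oidc?code=REDACTED&state=REDACTED
```

A function like `sanitizeEventProperties` would be registered with whatever property-sanitizing hook the library offers; the URL-level `redactAuthParams` is usable on its own regardless of that.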