Add optional more aggressive salting (fixes #95)

TEMPLATE.env

@@ -76,3 +76,10 @@ SHOW_THIRD_PARTY_ICONS=True
 
 # Should Shynet block collection of IP addresses globally?
 BLOCK_ALL_IPS=False
+
+# Should Shynet include the date and site ID when hashing users?
+# This will prevent any possibility of cross-site tracking provided
+# that IP collection is also disabled, and external keys (primary
+# keys) aren't supplied. It will also prevent sessions from spanning
+# one day to another.
+AGGRESSIVE_HASH_SALTING=True

shynet/analytics/tasks.py

@@ -1,5 +1,4 @@
 import ipaddress
-import json
 import logging
 from hashlib import sha256
 
@@ -9,6 +8,7 @@ from celery import shared_task
 from django.conf import settings
 from django.core.cache import cache
 from django.db.models import Q
+from django.utils import timezone
 
 from core.models import Service
 
@@ -78,6 +78,9 @@ def ingress_request(
         association_id_hash = sha256()
         association_id_hash.update(str(ip).encode("utf-8"))
         association_id_hash.update(str(user_agent).encode("utf-8"))
+        if settings.AGGRESSIVE_HASH_SALTING:
+            association_id_hash.update(str(service.pk).encode("utf-8"))
+            association_id_hash.update(str(timezone.now().date().isoformat()).encode("utf-8"))
         session_cache_path = (
             f"session_association_{service.pk}_{association_id_hash.hexdigest()}"
         )

shynet/shynet/settings.py

@@ -324,3 +324,6 @@ SHOW_THIRD_PARTY_ICONS = os.getenv("SHOW_THIRD_PARTY_ICONS", "True") == "True"
 
 # Should Shynet never collect any IP?
 BLOCK_ALL_IPS = os.getenv("BLOCK_ALL_IPS", "False") == "True"
+
+# Include date and service ID in salt?
+AGGRESSIVE_HASH_SALTING = os.getenv("AGGRESSIVE_HASH_SALTING", "False") == True