fix(visitors): add unique-per-IP daily deduplication to visitor counter (#2)

- Add visitor_logs table (username, ip_hash, visit_date) with a unique
  index on (username, ip_hash, visit_date) so the same client IP is
  never counted more than once per calendar day.
- Hash the client IP with truncated SHA-256 for privacy.
- INSERT ... ON CONFLICT DO NOTHING is the single atomic write; an empty
  RETURNING array signals an already-counted visit (no increment).
- Add Drizzle migration 0001_visitor_logs.sql and update the journal.

Closes #2

Author: pphatdev

drizzle/0001_visitor_logs.sql

@@ -0,0 +1,9 @@
+CREATE TABLE IF NOT EXISTS `visitor_logs` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`username` text NOT NULL,
+	`ip_hash` text NOT NULL,
+	`visit_date` text NOT NULL,
+	`created_at` integer
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX IF NOT EXISTS `uq_visitor_log` ON `visitor_logs` (`username`,`ip_hash`,`visit_date`);

drizzle/meta/_journal.json

@@ -8,6 +8,13 @@
       "when": 1771919072157,
       "tag": "0000_supreme_bulldozer",
       "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "6",
+      "when": 1740369600000,
+      "tag": "0001_visitor_logs",
+      "breakpoints": true
     }
   ]
 }

src/controllers/badge.ts

@@ -1,6 +1,7 @@
+import crypto from 'node:crypto';
 import { Request, Response } from 'express';
 import { db } from '../db/index.js';
-import { badges } from '../db/schema.js';
+import { badges, visitorLogs } from '../db/schema.js';
 import { sql, eq } from 'drizzle-orm';
 import { GitHubClient } from '../utils/github-client.js';
 import { BadgeRenderer } from '../components/badge-renderer.js';
@@ -157,22 +158,61 @@ export class BadgeController {
         return res.send(svg);
     }
 
-    /** GET /badge/visitors — increments visit counter, never cached */
+    /** GET /badge/visitors — counts unique visitors per IP per calendar day. */
     static async getVisitors(req: Request, res: Response) {
         try {
             const username = BadgeController.requireUsername(req, res);
             if (!username) return;
 
-            const result = await db
-                .insert(badges)
-                .values({ username, visitors: 1 })
-                .onConflictDoUpdate({
-                    target: badges.username,
-                    set: { visitors: sql`${badges.visitors} + 1` },
-                })
+            // Resolve the real client IP (works behind reverse proxies)
+            const rawIp = (
+                (req.headers['x-forwarded-for'] as string | undefined)?.split(',')[0].trim() ||
+                req.socket?.remoteAddress ||
+                'unknown'
+            );
+
+            // Hash the IP for privacy — truncated SHA-256 is enough for dedup
+            const ipHash = crypto
+                .createHash('sha256')
+                .update(rawIp)
+                .digest('hex')
+                .slice(0, 16);
+
+            // Calendar date in UTC (YYYY-MM-DD)
+            const visitDate = new Date().toISOString().split('T')[0];
+
+            // Attempt to record this unique IP+date combination.
+            // If the row already exists the insert is a no-op (ON CONFLICT DO NOTHING)
+            // and `.returning()` returns an empty array — meaning we don't double-count.
+            const logInsert = await db
+                .insert(visitorLogs)
+                .values({ username, ip_hash: ipHash, visit_date: visitDate, created_at: Date.now() })
+                .onConflictDoNothing()
                 .returning();
 
-            const count = result[0]?.visitors ?? 1;
+            let count: number;
+
+            if (logInsert.length > 0) {
+                // New unique visit — atomically increment the stored total
+                const result = await db
+                    .insert(badges)
+                    .values({ username, visitors: 1 })
+                    .onConflictDoUpdate({
+                        target: badges.username,
+                        set: { visitors: sql`${badges.visitors} + 1` },
+                    })
+                    .returning();
+                count = result[0]?.visitors ?? 1;
+            } else {
+                // Same IP already counted today — serve the current total without mutating
+                const badge = await db
+                    .select({ visitors: badges.visitors })
+                    .from(badges)
+                    .where(eq(badges.username, username))
+                    .get();
+                count = badge?.visitors ?? 0;
+            }
+
             const options = BadgeController.parseOptions(req, 'visitors');
             const svg = BadgeRenderer.generateBadge(count, options);
 

src/db/schema.ts

@@ -1,4 +1,22 @@
-import { sqliteTable, text, integer } from "drizzle-orm/sqlite-core";
+import { sqliteTable, text, integer, uniqueIndex } from "drizzle-orm/sqlite-core";
+
+export const visitorLogs = sqliteTable(
+    "visitor_logs",
+    {
+        id:         integer("id").primaryKey({ autoIncrement: true }),
+        username:   text("username").notNull(),
+        ip_hash:    text("ip_hash").notNull(),
+        visit_date: text("visit_date").notNull(), // YYYY-MM-DD
+        created_at: integer("created_at"),
+    },
+    (table) => ({
+        uqVisitorLog: uniqueIndex("uq_visitor_log").on(
+            table.username,
+            table.ip_hash,
+            table.visit_date,
+        ),
+    }),
+);
 
 export const badges = sqliteTable("badges", {
   username: text("username").primaryKey(),