kunthawat/moreminimore-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e463a038c9a7decf0c481548c8c479bc18d66fb3
moreminimore-website/PDPA-COMPLIANCE.md
Kunthawat Greethong 7552b875e9 feat: Add full PDPA compliance with cookie consent and admin dashboard 
Features implemented:
- Cookie consent banner (Accept/Reject) with localStorage storage
- Conditional Umami Analytics loading (only with consent)
- Admin dashboard at /admin/consent-logs with password protection
- API endpoints for consent logging (POST/GET/DELETE)
- Updated Privacy Policy with all 14 PDPA Section 36 requirements
- Updated Terms & Conditions with 17 comprehensive sections
- Astro DB integration with consent logging schema
- Production-ready Dockerfile with SQLite support
- Start command for Easypanel deployment

Files added:
- src/components/consent/CookieBanner.astro
- src/pages/api/consent/index.ts
- src/pages/api/consent/[sessionId]/index.ts
- src/pages/admin/consent-logs.astro
- db/schema.ts
- .env.example
- PDPA-COMPLIANCE.md

Files modified:
- src/layouts/Layout.astro (CookieBanner + conditional Umami)
- src/pages/privacy-policy.astro (full PDPA compliance)
- src/pages/terms-and-conditions.astro (comprehensive update)
- astro.config.mjs (Node adapter + DB)
- Dockerfile (production build with DB)
- package.json (dependencies + start script)

Deployment notes:
- CHANGE ADMIN_PASSWORD from default 'changeme'
- Run with: npm run start
- Docker: docker build -t moreminimore:latest .
2026-03-10 12:59:17 +07:00

4.4 KiB
Raw Blame History

PDPA Compliance Guide - MoreMiniMore Website

Features Implemented

This website is now PDPA-compliant with the following features:

1. Cookie Consent System

  • Component: src/components/consent/CookieBanner.astro
  • Features:
    • Accept All / Reject All buttons (equal prominence)
    • Stores consent in localStorage
    • Slides up from bottom on first visit
    • Thai language with link to Privacy Policy
    • Dispatches 'consentGiven' event for other components

2. Conditional Analytics Loading

  • Integration: Umami Analytics
  • Behavior: Only loads when user accepts analytics cookies
  • Implementation: In src/layouts/Layout.astro

3. Consent API Endpoints

  • POST /api/consent - Log new consent
  • GET /api/consent - Retrieve consent logs (admin)
  • DELETE /api/consent/:sessionId - Right to be forgotten

4. Admin Dashboard

  • URL: /admin/consent-logs
  • Features:
    • Password-protected access
    • View last 100 consent records
    • Statistics (total, acceptance rate, etc.)
    • Delete individual records
    • Export CSV (coming soon)
  • Default Password: changeme (MUST change in production!)

5. Updated Legal Pages

  • Privacy Policy: All 14 PDPA Section 36 requirements
  • Terms & Conditions: 17 comprehensive sections
  • Both in Thai language with professional legal terminology

🔧 Configuration

Environment Variables

Create a .env file in the root directory:

# Copy from example
cp .env.example .env

# Edit with your values
nano .env

Required Variables:

# Admin password (CHANGE THIS!)
ADMIN_PASSWORD=your-secure-password-here

# Database (for production)
ASTRO_DB_REMOTE_URL=file:./data/consent.db

Optional Variables:

# Umami Analytics
UMAMI_WEBSITE_ID=xxx-xxx-xxx
UMAMI_DOMAIN=analytics.example.com

🚀 Deployment

Docker (Recommended)

# Build image
docker build -t moreminimore:latest .

# Run container
docker run -d \
  -p 80:80 \
  -e NODE_ENV=production \
  -e ASTRO_DB_REMOTE_URL=file:/app/data/consent.db \
  -e HOST=0.0.0.0 \
  -e PORT=80 \
  -e ADMIN_PASSWORD=your-secure-password \
  --name moreminimore \
  moreminimore:latest

Easypanel Auto-Deploy

The website is configured for automatic deployment via Easypanel:

  1. Push changes to Gitea main branch
  2. Easypanel auto-builds (~3 minutes)
  3. New version deployed automatically

Environment Variables in Easypanel:

  • Set all variables from .env.example
  • Use strong ADMIN_PASSWORD
  • Configure database if using remote SQLite/Turso

📊 Managing Consent Logs

Access Admin Dashboard

  1. Navigate to: https://your-domain.com/admin/consent-logs
  2. Enter admin password
  3. View consent records

Export Data

Click "Export CSV" button to download consent logs (feature in development)

Right to be Forgotten

Users can request deletion by:

  1. Contacting: contact@moreminimore.com
  2. Admin deletes record via dashboard
  3. Or via API: DELETE /api/consent/:sessionId

📝 PDPA Compliance Checklist

Before Going Live:

  • Change ADMIN_PASSWORD from default
  • Test cookie consent banner appears
  • Verify Umami loads only with consent
  • Review Privacy Policy for accuracy
  • Review Terms & Conditions for accuracy
  • Test admin dashboard access
  • Enable HTTPS (required for PDPA)
  • Set up regular backups

Ongoing Maintenance:

  • Review consent logs monthly
  • Update legal pages when laws change
  • Keep admin password secure
  • Monitor for consent withdrawals
  • Document data processing activities

🔒 Security Notes

Current Implementation:

  • Client-side password check (development)
  • Production should use server-side authentication

Recommended Improvements:

  1. Add server-side session management
  2. Implement rate limiting on admin page
  3. Add IP whitelist for admin access
  4. Use HTTPS only
  5. Regular security audits

📞 Support

For questions about PDPA compliance or this implementation:

📚 Resources

Last Updated: March 10, 2026
Version: 1.0.0

Reference in New Issue View Git Blame Copy Permalink