From 7a04e470418511d176c01b51ade139dc6fe29b7f Mon Sep 17 00:00:00 2001
From: toto <antitbone@jefaismonrhum.sdv.fr>
Date: Fri, 10 Apr 2026 01:05:04 +0200
Subject: [PATCH] fix(sql+api): fix view column mismatches and ClickHouse 24.8
 JOIN issue

- view_form_bruteforce_detected: add post_count, distinct_paths, first_seen, last_seen
- view_host_ip_ja4_rotation: add host, distinct_ja4, ja4_list, window_start
- Replace uniqExact/groupUniqArray with count()/groupArray (no nested-agg error)
- api.py campaigns/graph: move a.src_ip < b.src_ip from JOIN ON to WHERE
  (ClickHouse 24.8 forbids cross-table inequality in JOIN ON condition)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 services/dashboard/backend/routes/api.py |  2 +-
 shared/clickhouse/11_views.sql           | 31 ++++++++++++------------
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/services/dashboard/backend/routes/api.py b/services/dashboard/backend/routes/api.py
index c07f8bd..b928ca9 100644
--- a/services/dashboard/backend/routes/api.py
+++ b/services/dashboard/backend/routes/api.py
@@ -972,8 +972,8 @@ async def campaigns_graph() -> dict[str, Any]:
             f"FROM {_DB}.ml_detected_anomalies a "
             f"INNER JOIN {_DB}.ml_detected_anomalies b "
             "ON a.ja4 = b.ja4 AND a.campaign_id = b.campaign_id "
-            "AND a.src_ip < b.src_ip "
             "WHERE a.campaign_id >= 0 "
+            "AND a.src_ip < b.src_ip "
             "AND a.detected_at >= now() - INTERVAL 7 DAY "
             "AND b.detected_at >= now() - INTERVAL 7 DAY "
             "LIMIT 2000"
diff --git a/shared/clickhouse/11_views.sql b/shared/clickhouse/11_views.sql
index d708c48..15e7a0d 100644
--- a/shared/clickhouse/11_views.sql
+++ b/shared/clickhouse/11_views.sql
@@ -28,14 +28,13 @@ CREATE OR REPLACE VIEW ja4_processing.view_form_bruteforce_detected AS
 SELECT
     src_ip,
     host,
-    argMax(ja4, ja4_hits)                    AS ja4,
-    sum(ja4_hits)                            AS hits,
-    sum(ja4_posts)                           AS post_count,
-    -- Alias de compatibilité pour les anciens appels
-    sum(ja4_posts)                           AS query_params_count,
-    uniqExact(ja4)                           AS distinct_paths,
-    min(w_min)                               AS first_seen,
-    max(w_max)                               AS last_seen
+    argMax(ja4, ja4_hits)  AS ja4,
+    sum(ja4_hits)          AS hits,
+    sum(ja4_posts)         AS post_count,
+    sum(ja4_posts)         AS query_params_count,
+    count()                AS distinct_paths,
+    min(w_min)             AS first_seen,
+    max(w_max)             AS last_seen
 FROM (
     SELECT
         src_ip, host, ja4,
@@ -64,14 +63,14 @@ HAVING post_count >= 10;
 CREATE OR REPLACE VIEW ja4_processing.view_host_ip_ja4_rotation AS
 SELECT
     src_ip,
-    argMax(host, ja4_hits)                    AS host,
-    uniqExact(ja4)                            AS distinct_ja4,
-    uniqExact(ja4)                            AS distinct_ja4_count,
-    groupUniqArray(ja4)                       AS ja4_list,
-    sum(ja4_hits)                             AS total_hits,
-    max(w_max)                                AS window_start,
-    min(w_min)                                AS first_seen,
-    max(w_max)                                AS last_seen
+    argMax(host, ja4_hits)   AS host,
+    count()                  AS distinct_ja4,
+    count()                  AS distinct_ja4_count,
+    groupArray(ja4)          AS ja4_list,
+    sum(ja4_hits)            AS total_hits,
+    max(w_max)               AS window_start,
+    min(w_min)               AS first_seen,
+    max(w_max)               AS last_seen
 FROM (
     SELECT
         src_ip, host, ja4,