Description
Setting gdpr.special-features.sf1.enforce = false should allow IP masking to be disabled, regardless of what the publisher's TCF consent string signals. In practice, this configuration seems to have no effect: bidders still receive masked device.ip / device.ipv6 values whenever SF1 is not opted into in the consent string.
Steps to Reproduce
- Set gdpr.special-features.sf1.enforce = false in the application config
- Send an auction request with a valid TCFv2 consent string that does not include a SF1 opt-in.
  Example String: CQgn4eRQgn4eREYAAAENCZCAAP_AAAAAAAAAI7Nd_X__bX9n-_7_6ft0eY1f9_r37uQzDhfNs-8F3L_W_LwX32E7NF36tq4KmR4ku1bBIQNtHMnUDUmxaolVrzHsak2cpyNKJ_JkknsZe2dYGF9Pn9lD-YKZ7_5_9_f52T_9_9_-39z3_9f___dv_-__-vjf_599n_v9fV_78_Kf9______-____________8AAAAAA.II7Nd_X__bX9n-_7_6ft0eY1f9_r37uQzDhfNs-8F3L_W_LwX32E7NF36tq4KmR4ku1bBIQNtHMnUDUmxaolVrzHsak2cpyNKJ_JkknsZe2dYGF9Pn9lD-YKZ7_5_9_f52T_9_9_-39z3_9f___dv_-__-vjf_599n_v9fV_78_Kf9______-____________8A
- Observe the bid requests forwarded to bidders => device.ip / device.ipv6 are masked
Expected Behavior
With sf1.enforce = false, Prebid Server should forward the unmasked IP address to bidders regardless of the SF1 signal in the consent string.
Actual Behavior
The IP address is always masked when a valid TCFv2 consent string is present and SF1 is not opted in, regardless of the sf1.enforce = false config.
Root Cause (as far as I can tell)
There seem to be two separate IP masking layers in the codebase. The early one (in TcfDefinerService) masks the IP based solely on the raw consent string, without using the sf1.enforce config. It runs before the enforcement layer (SpecialFeaturesStrategy) and its result is irreversible, because by the time the later layer correctly honours sf1.enforce = false, the device IP has already been overwritten.
Impact
Publishers who are not requesting Special Feature 1 and rely on sf1.enforce = false to opt out of IP masking enforcement cannot achieve the intended behaviour. The config option is effectively broken for this use case. This is something that works with the Go-Version of Prebid-Server.
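A check for the precondition in the steps to reproduce, as an added example (not code from the issue or from Prebid Server): it decodes the fixed-width header of a TCF v2 core segment and reports whether a special feature is opted in. The field layout follows the IAB TCF v2 core string format; the function names are hypothetical, and the second sample string is constructed.

```python
"""Read the SpecialFeatureOptIns field of a TCF v2 consent string (added example)."""
import string

# base64url alphabet used by TC strings; each character carries 6 bits.
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"

# Start of the core segment per the IAB TCF v2 format: (field name, width in bits).
_CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12),
]


def core_header(consent: str) -> dict:
    """Decode the fixed-width fields at the start of the core segment."""
    core = consent.split(".")[0]  # later segments are not needed here
    try:
        bits = "".join(format(_ALPHABET.index(c), "06b") for c in core)
    except ValueError as exc:
        raise ValueError("not a base64url TC string") from exc
    if len(bits) < sum(width for _, width in _CORE_FIELDS):
        raise ValueError("core segment too short")
    fields, pos = {}, 0
    for name, width in _CORE_FIELDS:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    if fields["version"] != 2:
        raise ValueError("not a TCF v2 string")
    return fields


def special_feature_opted_in(consent: str, feature_id: int) -> bool:
    """True if special feature `feature_id` (1-12) is opted in; SF1 is the first bit."""
    if not 1 <= feature_id <= 12:
        raise ValueError("feature id out of range")
    opt_ins = core_header(consent)["special_feature_opt_ins"]
    return bool(opt_ins >> (12 - feature_id) & 1)


# First 28 characters of the example string in the report (covers the header).
REPORTED_PREFIX = "CQgn4eRQgn4eREYAAAENCZCAAP_A"
# Constructed variant: the same prefix with the SF1 bit (bit 140) switched on.
CONSTRUCTED_SF1 = "CQgn4eRQgn4eREYAAAENCZCIAP_A"
```

Running `special_feature_opted_in` on the string used in a reproduction confirms that the request really carries no SF1 opt-in, so masked IPs in the outgoing bid request can be attributed to the server's handling rather than to the test input.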