GPP in the setuid endpoint #2761
Conversation
guscarreon
changed the title
endpoints/setuid.go
Outdated
| if gdprQuerySignal == "1" && gdprConsent == "" { | ||
| return gdpr.RequestInfo{}, errors.New("gdpr_consent is required when gdpr=1") | ||
| } | ||
| if i, err := strconv.Atoi(gdprQuerySignal); err == nil { |
There was a problem hiding this comment.
If the GDPR signal was not present in the GPP query params, you're looking at the legacy GDPR query params. If gdprQuerySignal was not specified, we should be defaulting gdprSignal to SignalAmbiguous as you'll see in the code you deleted below. The perms object instantiated via permsBuilder in preventSyncsGDPR will properly handle the ambiguous signal.
There was a problem hiding this comment.
You're completely right. Made major corrections to this function in the next commit.
endpoints/setuid.go
Outdated
| if len(gppSID) > 0 && gppPrivacy.IsSIDInList(gppSID, gppConstants.SectionTCFEU2) { | ||
| gdprSignal = gdpr.SignalYes | ||
| signalSet = true | ||
| } |
There was a problem hiding this comment.
if the length of gppSID is greater than 0 but gppConstants.SectionTCFEU2 is not present in gppSID, should we be treating that as a SignalNo and not bother to consult the legacy query params? It looks like that is what we're doing in the cookie sync endpoint.
There was a problem hiding this comment.
Good catch. Logic was corrected
There was a problem hiding this comment.
Good catch. Logic was corrected
| expected testOutput | ||
| } | ||
| testSuite := []struct { | ||
| sDesc string |
There was a problem hiding this comment.
Is this sDesc value used anywhere in these tests? If not, could it be removed?
There was a problem hiding this comment.
Corrected in df562e9
There was a problem hiding this comment.
From looking at the requirements doc referenced in the description, it appears we aren't detecting or providing any debug information indicating mismatched data when the gdpr signal is set in the GPPSID and in the original location at regs.gdpr. This also appears to be true with respect to the consent strings. Was this intentionally omitted? I see that detected mismatches are meant to be reported as debug warnings, however, at first glance I'm not seeing support for debug mode on this endpoint so perhaps that's the reason we aren't handling it?
There was a problem hiding this comment.
Discussed offline. There's no need to add debug functionality to these endpoints. The setuid and cookie sync endpoints currently support adding warnings to the response. This PR adds the appropriate warnings for the setuid endpoint. The cookie sync warnings will be added in another PR.
| } | ||
|
|
||
| if i := gppPrivacy.IndexOfSID(gpp, gppConstants.SectionTCFEU2); i >= 0 { | ||
| gdprConsent = gpp.Sections[i].GetValue() |
There was a problem hiding this comment.
The requirements for the cookie sync and setuid endpoints state that if the gdpr consent string is provided in the GPP container and also in the query string, we just compare and warn without copying. That would mean the query string value takes precedence. I wasn't sure if that was the intention but after looking at the same requirements for the auction endpoint I see this same compare requirement but with the following note right after it: "Prebid should prefer the string originally in user.consent". We should confirm the intended behavior. and if the logic is similar for the gdpr flag.
There was a problem hiding this comment.
Discussed offline. The requirements do not appear to be up to date. It was agreed upon that we should always favor the GPP values over the legacy values.
There was a problem hiding this comment.
An edge case was identified that does not appear to be called out in the spec. If both GPP and the legacy location contain consent strings, we will always favor the GPP string, even if it is malformed. For now we will report the error found in the GPP string rather than falling back to the legacy location. This can always be added later. We can discuss with the committee.
endpoints/cookie_sync.go
Outdated
| } | ||
| return gdpr.SignalNo, strconv.Itoa(int(gdpr.SignalNo)), nil | ||
| func extractGDPRSignal(requestGDPR *int, gppSidStr string) (gdpr.Signal, string, error) { | ||
|
|
There was a problem hiding this comment.
Nitpick: Could you remove this blank line?
There was a problem hiding this comment.
Changes in this file were discarded
endpoints/setuid.go
Outdated
| @@ -154,6 +158,7 @@ func NewSetUIDEndpoint(cfg *config.Configuration, syncersByBidder map[string]use | |||
| w.Header().Add("Content-Type", httputil.Pixel1x1PNG.ContentType) | |||
| w.Header().Add("Content-Length", strconv.Itoa(len(httputil.Pixel1x1PNG.Content))) | |||
| w.WriteHeader(http.StatusOK) | |||
| // signal, consent, error := parseGDPRFromGPP(query) | |||
endpoints/setuid.go
Outdated
| if err != nil { | ||
|
|
||
| if !errortypes.IsWarning(err) && err != nil { | ||
| //if err != nil { |
| // first and the 'gdpr' and 'gdpr_consent' query params second. If found in both, throws a | ||
| // warning. Can also throw a parsing or validation error | ||
| func extractGDPRInfo(query url.Values) (reqInfo gdpr.RequestInfo, err error) { | ||
|
|
There was a problem hiding this comment.
Nitpick: Can this line be deleted?
endpoints/setuid.go
Outdated
| } | ||
|
|
||
| // If warning, or there was no GDPR data in the GPP wrapper | ||
| //if (err != nil && isWarning) || (reqInfo.Consent == "" && reqInfo.GDPRSignal == gdpr.SignalAmbiguous) { |
There was a problem hiding this comment.
Can this comment be deleted?
endpoints/setuid.go
Outdated
|
|
||
| legacySignal, legacyConsent, err := parseLegacyGDPRFields(query, reqInfo.GDPRSignal, reqInfo.Consent) | ||
| isWarning := errortypes.IsWarning(err) | ||
| // If not warning, throw error |
There was a problem hiding this comment.
I think this comment can be deleted since the flow of the code explains what it's doing nicely.
endpoints/setuid.go
Outdated
| return gdpr.SignalAmbiguous, "", errors.New("the gdpr query param must be either 0 or 1. You gave " + gdprQuerySignal) | ||
| } | ||
|
|
||
| if i, err := strconv.Atoi(gdprQuerySignal); err == nil { |
There was a problem hiding this comment.
Since there are only 2 possible values, would a case statement be more efficient? This could even be combined with the above check, so if it does not match one of the two values, the default case is the above error.
There was a problem hiding this comment.
Makes perfect sense. Modified
| @@ -20,7 +20,7 @@ func isFatal(err error) bool { | |||
| return !ok || s.Severity() == SeverityFatal | |||
| } | |||
|
|
|||
| func isWarning(err error) bool { | |||
| func IsWarning(err error) bool { | |||
There was a problem hiding this comment.
Since this is now being exported, might want to make a comment to explain that an error can only be a warning if it is a warning type from this package. There is no magic to divine that a random error is intended to only be a warning.
There was a problem hiding this comment.
Added a comment here and similar one in the definition of the Warning type. Let me know if you agree with the wording
Requires #2756
This pull request is a continuation of GPP Phase 2, more info in this document and issue #2380. Makes the
/setuidendpoint handler to prioritize the GPP string values, parsed with thego-gpplibrary, over the GDPR param values it currently takes into account.