Add Edge Cookie (EC) sync support for trusted-server integration#98
Add Edge Cookie (EC) sync support for trusted-server integration#98ChristianPavilonis wants to merge 1 commit intomainfrom
Conversation
Implement mocktioneer as a full EC sync partner with three new endpoints: - GET /sync/start: pixel sync redirect chain (sets mtkid, redirects to TS /sync) - GET /sync/done: callback endpoint completing the redirect chain - GET /resolve: S2S pull sync resolution (deterministic UID from ec_hash+IP) Also adds OpenRTB 2.6 user.eids support and EC identity metadata in creatives, enabling end-to-end demo of the trusted-server EC identity pipeline. Security hardening from review: - Constant-time token comparison via subtle::ConstantTimeEq (SHA-256 digest) - Hostname validation on ts_domain (rejects path/auth/port injection) - Domain allowlist via MOCKTIONEER_TS_DOMAINS env var - Hex-only ec_hash validation - Log sanitization for user-supplied values - Deterministic mtkid generation (SHA-256 of host, no randomness)
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| /// **WASM note:** `std::env::var` returns `Err` on Cloudflare Workers, | ||
| /// which means auth is silently disabled on that platform. See | ||
| /// `TS_ALLOWED_DOMAINS_ENV` for the same limitation. | ||
| #[action] |
Check failure
Code scanning / CodeQL
Cleartext logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 1 day ago
In general, the fix is to avoid writing sensitive or user-derived identifiers to logs in cleartext. Either omit them, or replace them with a sanitized/shortened/non-reversible form that’s sufficient for debugging but reduces privacy/abuse risk.
Here, the simplest, least disruptive fix is to stop logging the full uid value. The log already includes ec_hash (truncated) and ip, which should be enough for tracing. We can remove uid from the log line entirely while leaving all behavior unchanged for the HTTP response and UID computation.
Concretely, in crates/mocktioneer-core/src/routes.rs within handle_resolve, update the log::info! call around lines 796–801. Change the format string from "Pull sync resolve: ec_hash={}..., ip={}, uid={}" to "Pull sync resolve: ec_hash={}..., ip={}" and drop uid from the argument list. No new imports or helper functions are needed, and all other code (including returning uid in the JSON body) remains untouched.
| @@ -794,10 +794,9 @@ | ||
| let uid = format!("mtk-{}", &hex[..12]); | ||
|
|
||
| log::info!( | ||
| "Pull sync resolve: ec_hash={}..., ip={}, uid={}", | ||
| "Pull sync resolve: ec_hash={}..., ip={}", | ||
| ¶ms.ec_hash[..8], | ||
| params.ip, | ||
| uid | ||
| ); | ||
|
|
||
| let body = Body::json(&ResolveResponse { uid: Some(uid) }).map_err(|e| { |
1 participant
Summary
/sync/start,/sync/done,/resolve) that enable mocktioneer to act as a full EC sync partner with trusted-server — supporting pixel sync redirect chains, callback handling, and S2S pull sync resolutionuser.eidssupport and embed EC identity metadata (EdgeCookieInfo) in creative HTML comments, enabling end-to-end demo of the trusted-server EC identity pipelineexamples/register_partner.shfor one-step partner registration with trusted-serverNew Endpoints
/sync/start?ts_domain=...mtkidcookie, redirects browser to TS/sync/sync/done?ts_synced=.../resolve?ec_hash=...&ip=...mtk-{sha256(ec_hash|ip)[0:12]}Security
subtle::ConstantTimeEqon SHA-256 digests (no length leak)ts_domainvalidated as clean hostname (no/,@,:,?,#) + optional allowlist viaMOCKTIONEER_TS_DOMAINSenv varec_hashrequires exactly 64 hex characters; log output sanitized against control charsmtkidderived fromSHA-256("mtkid:" || host)— no randomness per CLAUDE.mdTesting
--ignored)cargo fmt,cargo clippycleanWASM Note
MOCKTIONEER_PULL_TOKENandMOCKTIONEER_TS_DOMAINSusestd::env::varwhich returnsErron Cloudflare Workers. Auth and domain allowlist are silently disabled on that platform. Documented in code comments.