Holid Bid Adapter: respect auction timeout, ORTB merges, usersync robustness (prebid#14530)

* Holid: respect auction timeout, safer ortb merges, improve usersync

* Holid Bid Adapter: add unit tests

* chore: re-run CI

Author: holidio

modules/holidBidAdapter.js

@@ -11,12 +11,91 @@ import { registerBidder } from '../src/adapters/bidderFactory.js';
 
 const BIDDER_CODE = 'holid';
 const GVLID = 1177;
+
 const ENDPOINT = 'https://helloworld.holid.io/openrtb2/auction';
 const COOKIE_SYNC_ENDPOINT = 'https://null.holid.io/sync.html';
+
 const TIME_TO_LIVE = 300;
-const TMAX = 500;
+
+// Keep win URLs in-memory (per page-load)
 const wurlMap = {};
 
+/**
+ * Resolve tmax for the outgoing ORTB request.
+ * Goal: respect publisher's Prebid timeout (bidderRequest.timeout) and allow an optional per-bid override,
+ * without hard-forcing an arbitrary 500ms.
+ *
+ * Rules:
+ * - If bid.params.tmax is a positive number, use it, but never exceed bidderRequest.timeout when available.
+ * - Else if bidderRequest.timeout is a positive number, use it.
+ * - Else omit tmax entirely (PBS will apply its own default / config).
+ */
+function resolveTmax(bid, bidderRequest) {
+  const auctionTimeout = Number(bidderRequest?.timeout);
+  const paramTmax = Number(bid?.params?.tmax);
+
+  const hasAuctionTimeout = Number.isFinite(auctionTimeout) && auctionTimeout > 0;
+  const hasParamTmax = Number.isFinite(paramTmax) && paramTmax > 0;
+
+  if (hasParamTmax && hasAuctionTimeout) {
+    return Math.min(paramTmax, auctionTimeout);
+  }
+  if (hasParamTmax) {
+    return paramTmax;
+  }
+  if (hasAuctionTimeout) {
+    return auctionTimeout;
+  }
+  return undefined;
+}
+
+/**
+ * Merge stored request ID into request.ext.prebid.storedrequest.id (without clobbering other ext fields).
+ * Keeps behavior consistent with the existing adapter expectation of bid.params.adUnitID.
+ */
+function mergeStoredRequest(ortbRequest, bid) {
+  const storedId = getBidIdParameter('adUnitID', bid.params);
+  if (storedId) {
+    deepSetValue(ortbRequest, 'ext.prebid.storedrequest.id', storedId);
+  }
+}
+
+/**
+ * Merge schain into request.source.ext.schain (without overwriting request.source / request.ext).
+ */
+function mergeSchain(ortbRequest, bid) {
+  const schain = deepAccess(bid, 'ortb2.source.ext.schain');
+  if (schain) {
+    deepSetValue(ortbRequest, 'source.ext.schain', schain);
+  }
+}
+
+/**
+ * Build a sync URL for our sync endpoint.
+ */
+function buildSyncUrl({ bidders, gdprConsent, uspConsent, type }) {
+  const queryParams = [];
+
+  queryParams.push('bidders=' + bidders);
+
+  if (gdprConsent) {
+    queryParams.push('gdpr=' + (gdprConsent.gdprApplies ? 1 : 0));
+    queryParams.push(
+      'gdpr_consent=' + encodeURIComponent(gdprConsent.consentString || '')
+    );
+  } else {
+    queryParams.push('gdpr=0');
+  }
+
+  if (typeof uspConsent !== 'undefined') {
+    queryParams.push('us_privacy=' + encodeURIComponent(uspConsent));
+  }
+
+  queryParams.push('type=' + encodeURIComponent(type));
+
+  return COOKIE_SYNC_ENDPOINT + '?' + queryParams.join('&');
+}
+
 export const spec = {
   code: BIDDER_CODE,
   gvlid: GVLID,
@@ -30,19 +109,23 @@ export const spec = {
   // Build request payload including GDPR, GPP, and US Privacy data if available
   buildRequests: function (validBidRequests, bidderRequest) {
     return validBidRequests.map((bid) => {
+      // Start from ortb2 (publisher modules may have populated site/user/device/ext/etc)
       const requestData = {
         ...bid.ortb2,
-        source: {
-          ext: {
-            schain: bid?.ortb2?.source?.ext?.schain
-          }
-        },
         id: bidderRequest.bidderRequestId,
         imp: [getImp(bid)],
-        tmax: TMAX,
-        ...buildStoredRequest(bid),
       };
 
+      // Merge (don’t overwrite) schain + storedrequest
+      mergeSchain(requestData, bid);
+      mergeStoredRequest(requestData, bid);
+
+      // Resolve and set tmax (don’t hard-force)
+      const tmax = resolveTmax(bid, bidderRequest);
+      if (tmax) {
+        requestData.tmax = tmax;
+      }
+
       // GDPR
       if (bidderRequest && bidderRequest.gdprConsent) {
         deepSetValue(
@@ -67,7 +150,11 @@ export const spec = {
 
       // US Privacy
       if (bidderRequest && bidderRequest.usPrivacy) {
-        deepSetValue(requestData, 'regs.ext.us_privacy', bidderRequest.usPrivacy);
+        deepSetValue(
+          requestData,
+          'regs.ext.us_privacy',
+          bidderRequest.usPrivacy
+        );
       }
 
       // User IDs
@@ -87,6 +174,7 @@ export const spec = {
   // Interpret response: group bids by unique impid and select the highest CPM bid per imp
   interpretResponse: function (serverResponse, bidRequest) {
     const bidResponsesMap = {}; // Maps impid -> highest bid object
+
     if (!serverResponse.body || !serverResponse.body.seatbid) {
       return [];
     }
@@ -98,20 +186,30 @@ export const spec = {
         // --- MINIMAL CHANGE START ---
         // Build meta object and propagate advertiser domains for hb_adomain
         const meta = deepAccess(bid, 'ext.prebid.meta', {}) || {};
+
         // Read ORTB adomain; normalize to array of clean strings
         let advertiserDomains = deepAccess(bid, 'adomain', []);
         advertiserDomains = Array.isArray(advertiserDomains)
           ? advertiserDomains
             .filter(Boolean)
-            .map(d => String(d).toLowerCase().replace(/^https?:\/\//, '').replace(/^www\./, '').trim())
+            .map((d) =>
+              String(d)
+                .toLowerCase()
+                .replace(/^https?:\/\//, '')
+                .replace(/^www\./, '')
+                .trim()
+            )
           : [];
+
         if (advertiserDomains.length > 0) {
           meta.advertiserDomains = advertiserDomains; // <-- Prebid uses this to set hb_adomain
         }
+
         const networkId = deepAccess(bid, 'ext.prebid.meta.networkId');
         if (networkId) {
           meta.networkId = networkId;
         }
+
         // Keep writing back for completeness (preserves existing behavior)
         deepSetValue(bid, 'ext.prebid.meta', meta);
         // --- MINIMAL CHANGE END ---
@@ -157,39 +255,41 @@ export const spec = {
       },
     ];
 
-    if (!serverResponse || (Array.isArray(serverResponse) && serverResponse.length === 0)) {
+    if (
+      !serverResponse ||
+      (Array.isArray(serverResponse) && serverResponse.length === 0)
+    ) {
       return syncs;
     }
 
-    const responses = Array.isArray(serverResponse)
-      ? serverResponse
-      : [serverResponse];
+    const responses = Array.isArray(serverResponse) ? serverResponse : [serverResponse];
     const bidders = getBidders(responses);
 
+    // Prefer iframe when allowed
     if (optionsType.iframeEnabled && bidders) {
-      const queryParams = [];
-      queryParams.push('bidders=' + bidders);
-
-      if (gdprConsent) {
-        queryParams.push('gdpr=' + (gdprConsent.gdprApplies ? 1 : 0));
-        queryParams.push(
-          'gdpr_consent=' +
-          encodeURIComponent(gdprConsent.consentString || '')
-        );
-      } else {
-        queryParams.push('gdpr=0');
-      }
-
-      if (typeof uspConsent !== 'undefined') {
-        queryParams.push('us_privacy=' + encodeURIComponent(uspConsent));
-      }
-
-      queryParams.push('type=iframe');
-      const strQueryParams = '?' + queryParams.join('&');
-
       syncs.push({
         type: 'iframe',
-        url: COOKIE_SYNC_ENDPOINT + strQueryParams,
+        url: buildSyncUrl({
+          bidders,
+          gdprConsent,
+          uspConsent,
+          type: 'iframe',
+        }),
+      });
+      return syncs;
+    }
+
+    // Fallback: if iframe is disabled but pixels are enabled, attempt a pixel-based sync call
+    // (Your sync endpoint must support this mode for it to be effective.)
+    if (optionsType.pixelEnabled && bidders) {
+      syncs.push({
+        type: 'image',
+        url: buildSyncUrl({
+          bidders,
+          gdprConsent,
+          uspConsent,
+          type: 'image',
+        }),
       });
     }
 
@@ -211,8 +311,8 @@ export const spec = {
 function getImp(bid) {
   const imp = buildStoredRequest(bid);
   imp.id = bid.bidId; // Ensure imp.id is unique to match the bid response correctly
-  const sizes =
-    bid.sizes && !Array.isArray(bid.sizes[0]) ? [bid.sizes] : bid.sizes;
+
+  const sizes = bid.sizes && !Array.isArray(bid.sizes[0]) ? [bid.sizes] : bid.sizes;
 
   if (deepAccess(bid, 'mediaTypes.banner')) {
     imp.banner = {
@@ -244,13 +344,26 @@ function buildStoredRequest(bid) {
 }
 
 // Helper: Extract unique bidders from responses for user syncs
+// Primary source: ext.responsetimemillis (PBS), fallback: seatbid[].seat
 function getBidders(responses) {
-  const bidders = responses
-    .map((res) => Object.keys(res.body.ext?.responsetimemillis || {}))
-    .flat();
+  const bidderSet = new Set();
+
+  responses.forEach((res) => {
+    const rtm = deepAccess(res, 'body.ext.responsetimemillis');
+    if (rtm && typeof rtm === 'object') {
+      Object.keys(rtm).forEach((k) => bidderSet.add(k));
+    }
+
+    const seatbid = deepAccess(res, 'body.seatbid', []);
+    if (Array.isArray(seatbid)) {
+      seatbid.forEach((sb) => {
+        if (sb && sb.seat) bidderSet.add(sb.seat);
+      });
+    }
+  });
 
-  if (bidders.length) {
-    return encodeURIComponent(JSON.stringify([...new Set(bidders)]));
+  if (bidderSet.size) {
+    return encodeURIComponent(JSON.stringify([...bidderSet]));
   }
 }