wip - permutive

Author: ChristianPavilonis

crates/common/src/permutive_proxy.rs

@@ -12,6 +12,7 @@ use crate::error::TrustedServerError;
 use crate::settings::Settings;
 
 const PERMUTIVE_API_BASE: &str = "https://api.permutive.com";
+const PERMUTIVE_SECURE_SIGNALS_BASE: &str = "https://secure-signals.permutive.app";
 
 /// Handles transparent proxying of Permutive API requests.
 ///
@@ -93,6 +94,86 @@ pub async fn handle_permutive_api_proxy(
     Ok(permutive_response)
 }
 
+/// Handles transparent proxying of Permutive Secure Signals requests.
+///
+/// This function:
+/// 1. Extracts the path after `/permutive/secure-signal/`
+/// 2. Preserves query parameters
+/// 3. Copies request headers and body
+/// 4. Forwards to `secure-signals.permutive.app`
+/// 5. Returns response transparently
+///
+/// # Example Request Flow
+///
+/// ```text
+/// Browser: GET /permutive/secure-signal/data/v1/cohorts
+///     ↓
+/// Trusted Server processes and forwards:
+///     ↓
+/// Permutive: GET https://secure-signals.permutive.app/data/v1/cohorts
+/// ```
+///
+/// # Errors
+///
+/// Returns a [`TrustedServerError`] if:
+/// - Path extraction fails
+/// - Backend communication fails
+/// - Request forwarding fails
+pub async fn handle_permutive_secure_signals_proxy(
+    _settings: &Settings,
+    mut req: Request,
+) -> Result<Response, Report<TrustedServerError>> {
+    let original_path = req.get_path();
+    let method = req.get_method();
+
+    log::info!(
+        "Proxying Permutive Secure Signals request: {} {}",
+        method,
+        original_path
+    );
+
+    // Extract the path after /permutive/secure-signal
+    let signals_path = original_path
+        .strip_prefix("/permutive/secure-signal")
+        .ok_or_else(|| TrustedServerError::PermutiveApi {
+            message: format!("Invalid Permutive Secure Signals path: {}", original_path),
+        })?;
+
+    // Build the full Permutive Secure Signals URL with query parameters
+    let permutive_url = build_secure_signals_url(signals_path, &req)?;
+
+    log::info!("Forwarding to Permutive Secure Signals: {}", permutive_url);
+
+    // Create new request to Permutive
+    let mut permutive_req = Request::new(method.clone(), &permutive_url);
+
+    // Copy relevant headers
+    copy_request_headers(&req, &mut permutive_req);
+
+    // Copy body for POST requests
+    if has_body(method) {
+        let body = req.take_body();
+        permutive_req.set_body(body);
+    }
+
+    // Get backend and forward request
+    let backend_name = ensure_backend_from_url(PERMUTIVE_SECURE_SIGNALS_BASE)?;
+
+    let permutive_response = permutive_req
+        .send(backend_name)
+        .change_context(TrustedServerError::PermutiveApi {
+            message: format!("Failed to forward request to {}", permutive_url),
+        })?;
+
+    log::info!(
+        "Permutive Secure Signals responded with status: {}",
+        permutive_response.get_status()
+    );
+
+    // Return response transparently
+    Ok(permutive_response)
+}
+
 /// Builds the full Permutive API URL including query parameters.
 fn build_permutive_url(
     api_path: &str,
@@ -111,6 +192,24 @@ fn build_permutive_url(
     Ok(url)
 }
 
+/// Builds the full Permutive Secure Signals URL including query parameters.
+fn build_secure_signals_url(
+    signals_path: &str,
+    req: &Request,
+) -> Result<String, Report<TrustedServerError>> {
+    // Get query string if present
+    let query = req
+        .get_url()
+        .query()
+        .map(|q| format!("?{}", q))
+        .unwrap_or_default();
+
+    // Build full URL
+    let url = format!("{}{}{}", PERMUTIVE_SECURE_SIGNALS_BASE, signals_path, query);
+
+    Ok(url)
+}
+
 /// Copies relevant headers from the original request to the Permutive request.
 fn copy_request_headers(from: &Request, to: &mut Request) {
     // Headers that should be forwarded to Permutive
@@ -193,4 +292,38 @@ mod tests {
         assert!(!has_body(&Method::HEAD));
         assert!(!has_body(&Method::OPTIONS));
     }
+
+    #[test]
+    fn test_secure_signals_path_extraction() {
+        let test_cases = vec![
+            ("/permutive/secure-signal/data/v1/cohorts", "/data/v1/cohorts"),
+            ("/permutive/secure-signal/v1/track", "/v1/track"),
+            ("/permutive/secure-signal/", "/"),
+            ("/permutive/secure-signal", ""),
+        ];
+
+        for (input, expected) in test_cases {
+            let result = input.strip_prefix("/permutive/secure-signal").unwrap_or("");
+            assert_eq!(result, expected, "Failed for input: {}", input);
+        }
+    }
+
+    #[test]
+    fn test_secure_signals_url_building() {
+        let signals_path = "/data/v1/cohorts";
+        let expected = "https://secure-signals.permutive.app/data/v1/cohorts";
+
+        let url = format!("{}{}", PERMUTIVE_SECURE_SIGNALS_BASE, signals_path);
+        assert_eq!(url, expected);
+    }
+
+    #[test]
+    fn test_secure_signals_url_building_with_query() {
+        let signals_path = "/data/v1/cohorts";
+        let query = "?key=123";
+        let expected = "https://secure-signals.permutive.app/data/v1/cohorts?key=123";
+
+        let url = format!("{}{}{}", PERMUTIVE_SECURE_SIGNALS_BASE, signals_path, query);
+        assert_eq!(url, expected);
+    }
 }

crates/fastly/src/main.rs

@@ -4,7 +4,9 @@ use log_fastly::Logger;
 
 use trusted_server_common::ad::{handle_server_ad, handle_server_ad_get};
 use trusted_server_common::auth::enforce_basic_auth;
-use trusted_server_common::permutive_proxy::handle_permutive_api_proxy;
+use trusted_server_common::permutive_proxy::{
+    handle_permutive_api_proxy, handle_permutive_secure_signals_proxy,
+};
 use trusted_server_common::permutive_sdk::handle_permutive_sdk;
 use trusted_server_common::proxy::{
     handle_first_party_click, handle_first_party_proxy, handle_first_party_proxy_rebuild,
@@ -54,6 +56,11 @@ async fn route_request(settings: Settings, req: Request) -> Result<Response, Err
             handle_permutive_api_proxy(&settings, req).await
         }
 
+        // Permutive Secure Signals proxy - /permutive/secure-signal/* → secure-signals.permutive.app/*
+        (&Method::GET | &Method::POST, path) if path.starts_with("/permutive/secure-signal/") => {
+            handle_permutive_secure_signals_proxy(&settings, req).await
+        }
+
         // Serve the Permutive SDK (proxied from Permutive CDN)
         (&Method::GET, path) if path.starts_with("/static/tsjs=tsjs-permutive") => {
             handle_permutive_sdk(&settings, req).await

crates/js/lib/src/ext/permutive.ts

@@ -1,8 +1,54 @@
 import { log } from '../core/log';
 
+declare const permutive: {
+  config: {
+    advertiserApiVersion: string;
+    apiHost: string;
+    apiKey: string;
+    apiProtocol: string;
+    apiVersion: string;
+    cdnBaseUrl: string;
+    cdnProtocol: string;
+    classificationModelsApiVersion: string;
+    consentRequired: boolean;
+    cookieDomain: string;
+    cookieExpiry: string;
+    cookieName: string;
+    environment: string;
+    eventsCacheLimitBytes: number;
+    eventsTTLInDays: number | null;
+    localStorageDebouncedKeys: string[];
+    localStorageWriteDelay: number;
+    localStorageWriteMaxDelay: number;
+    loggingEnabled: boolean;
+    metricsSamplingPercentage: number;
+    permutiveDataMiscKey: string;
+    permutiveDataQueriesKey: string;
+    prebidAuctionsRandomDownsamplingThreshold: number;
+    pxidHost: string;
+    requestTimeout: number;
+    sdkErrorsApiVersion: string;
+    sdkType: string;
+    secureSignalsApiHost: string;
+    segmentSyncApiHost: string;
+    sendClientErrors: boolean;
+    stateNamespace: string;
+    tracingEnabled: boolean;
+    viewId: string;
+    watson: {
+      enabled: boolean;
+    };
+    windowKey: string;
+    workspaceId: string;
+  };
+};
 
 export function installPermutiveShim() {
-  //@ts-ignore
-  permutive.config.apiHost = window.location.host + "/permutive/api";
-}
 
+
+
+  permutive.config.apiHost = window.location.host + '/permutive/api';
+  permutive.config.apiProtocol = window.location.protocol === "https:" ? "https" : "http";
+
+  permutive.config.secureSignalsApiHost = window.location.host + '/permutive/secure-signal';
+}