Merge pull request #525 from Microsoft/authCookieLaw

Do not store authId in the cookie
microsoft · Sep 28, 2017 · f071969 · f071969
2 parents c5cbccf + 8d0c8a9
commit f071969
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 15 deletions.
diff --git a/API-reference.md b/API-reference.md
@@ -182,9 +182,11 @@ You don't usually have to use this, as it happens automatically on window closin
 <a name="setAuthenticatedUserContext"></a>
 ### setAuthenticatedUserContext
 
-    setAuthenticatedUserContext(authenticatedUserId: string, accountId?: string)
+    setAuthenticatedUserContext(authenticatedUserId: string, accountId?: string, storeInCookie = false)
 
-Set the authenticated user id and the account id in this session. Use this when you have identified a specific signed-in user. Parameters must not contain spaces or ,;=|
+Set the authenticated user id and the account id. Use this when you have identified a specific signed-in user. Parameters must not contain spaces or ,;=|
+
+The method will only set the `authenticatedUserId` and `accountId` for all events in the current page view. To set them for all events within the whole session, you should either call this method on every page view or set `storeInCookie = true`. 
 
  Parameter | Description
 ---|---

diff --git a/JavaScript/JavaScriptSDK.Tests/CheckinTests/Context/User.tests.ts b/JavaScript/JavaScriptSDK.Tests/CheckinTests/Context/User.tests.ts
@@ -166,6 +166,24 @@ class UserContextTests extends TestClass {
             }
         });
 
+        this.testCase({
+            name: "setAuthenticatedUserContext: auth id and account id is set (not in the cookie)",
+            test: () => {
+                // setup
+                var authAndAccountId = ['bla@bla.com', 'contoso'];
+                var user = new Microsoft.ApplicationInsights.Context.User(this.getEmptyConfig());
+                var cookieStub = this.sandbox.stub(Microsoft.ApplicationInsights.Util, "setCookie");
+
+                // act
+                user.setAuthenticatedUserContext(authAndAccountId[0], authAndAccountId[1]);
+
+                // verify
+                Assert.equal('bla@bla.com', user.authenticatedId, "user auth id was not set");
+                Assert.equal('contoso', user.accountId, "user account id was not set");
+                Assert.equal(cookieStub.notCalled, true, "cookie was not set");
+            }
+        });
+
         this.testCase({
             name: "setAuthenticatedUserContext: auth user set in cookie without account id",
             test: () => {
@@ -175,7 +193,7 @@ class UserContextTests extends TestClass {
                 var user = new Microsoft.ApplicationInsights.Context.User(this.getEmptyConfig());
 
                 // act
-                user.setAuthenticatedUserContext(authAndAccountId[0]);
+                user.setAuthenticatedUserContext(authAndAccountId[0], null, true);
 
                 // verify
                 Assert.equal(authAndAccountId[0], user.authenticatedId, "user auth id was set");
@@ -192,7 +210,7 @@ class UserContextTests extends TestClass {
                 var user = new Microsoft.ApplicationInsights.Context.User(this.getEmptyConfig());
 
                 // act
-                user.setAuthenticatedUserContext(authAndAccountId[0], authAndAccountId[1]);
+                user.setAuthenticatedUserContext(authAndAccountId[0], authAndAccountId[1], true);
 
                 // verify
                 Assert.equal(authAndAccountId[0], user.authenticatedId, "user auth id was set");
@@ -209,7 +227,7 @@ class UserContextTests extends TestClass {
                 var user = new Microsoft.ApplicationInsights.Context.User(this.getEmptyConfig());
 
                 // act
-                user.setAuthenticatedUserContext(authAndAccountId[0]);
+                user.setAuthenticatedUserContext(authAndAccountId[0], null, true);
 
                 // verify
                 Assert.equal(authAndAccountId[0], user.authenticatedId, "user auth id was set");
@@ -291,7 +309,7 @@ class UserContextTests extends TestClass {
                 var loggingStub = this.sandbox.stub(Microsoft.ApplicationInsights._InternalLogging, "throwInternal");
 
                 // act
-                user.setAuthenticatedUserContext(authAndAccountId[0], authAndAccountId[1]);
+                user.setAuthenticatedUserContext(authAndAccountId[0], authAndAccountId[1], true);
 
                 // verify
                 Assert.equal(undefined, user.authenticatedId, "user auth id was not set");
@@ -332,7 +350,7 @@ class UserContextTests extends TestClass {
                 var loggingStub = this.sandbox.stub(Microsoft.ApplicationInsights._InternalLogging, "throwInternal");
 
                 // act
-                user.setAuthenticatedUserContext(authAndAccountId[0], authAndAccountId[1]);
+                user.setAuthenticatedUserContext(authAndAccountId[0], authAndAccountId[1], true);
 
                 // verify
                 Assert.equal(authAndAccountId[0], user.authenticatedId, "user auth id was set");

diff --git a/JavaScript/JavaScriptSDK.Tests/CheckinTests/appInsights.tests.ts b/JavaScript/JavaScriptSDK.Tests/CheckinTests/appInsights.tests.ts
@@ -538,6 +538,21 @@ class AppInsightsTests extends TestClass {
             }
         });
 
+        this.testCase({
+            name: "AppInsightsTests: set authenticatedId does not set the cookie by default",
+            test: () => {
+                let appInsights = new Microsoft.ApplicationInsights.AppInsights(this.getAppInsightsSnippet());
+                let setAuthStub = this.sandbox.stub(appInsights.context.user, "setAuthenticatedUserContext");
+
+                appInsights.setAuthenticatedUserContext("10001");
+
+                Assert.equal(true, setAuthStub.calledOnce);
+                Assert.equal(false, setAuthStub.calledWithExactly("10001", null, false));
+
+                setAuthStub.reset();
+            }
+        });      
+
         this.testCase({
             name: "AppInsightsTests: trackPageView sends user-specified duration when passed",
             test: () => {

diff --git a/JavaScript/JavaScriptSDK/AppInsights.ts b/JavaScript/JavaScriptSDK/AppInsights.ts
@@ -421,15 +421,19 @@ module Microsoft.ApplicationInsights {
         }
 
         /**
-         * Sets the autheticated user id and the account id in this session.
+         * Sets the authenticated user id and the account id.
          * User auth id and account id should be of type string. They should not contain commas, semi-colons, equal signs, spaces, or vertical-bars.
+         * 
+         * By default the method will only set the authUserID and accountId for all events in this page view. To add them to all events within
+         * the whole session, you should either call this method on every page view or set `storeInCookie = true`. 
          *   
          * @param authenticatedUserId {string} - The authenticated user id. A unique and persistent string that represents each authenticated user in the service.
          * @param accountId {string} - An optional string to represent the account associated with the authenticated user.
+         * @param storeInCookie {boolean} - AuthenticateUserID will be stored in a cookie and added to all events within this session. 
          */
-        public setAuthenticatedUserContext(authenticatedUserId: string, accountId?: string) {
+        public setAuthenticatedUserContext(authenticatedUserId: string, accountId?: string, storeInCookie = false) {
             try {
-                this.context.user.setAuthenticatedUserContext(authenticatedUserId, accountId);
+                this.context.user.setAuthenticatedUserContext(authenticatedUserId, accountId, storeInCookie);
             } catch (e) {
                 _InternalLogging.throwInternal(LoggingSeverity.WARNING,
                     _InternalMessageId.SetAuthContextFailed,

diff --git a/JavaScript/JavaScriptSDK/Context/User.ts b/JavaScript/JavaScriptSDK/Context/User.ts
@@ -47,12 +47,12 @@ module Microsoft.ApplicationInsights.Context {
         public storeRegion: string;
 
         /**
-        * Sets the autheticated user id and the account id in this session.
+        * Sets the authenticated user id and the account id in this session.
         *   
         * @param authenticatedUserId {string} - The authenticated user id. A unique and persistent string that represents each authenticated user in the service.
         * @param accountId {string} - An optional string to represent the account associated with the authenticated user.
         */
-        public setAuthenticatedUserContext(authenticatedUserId: string, accountId?: string) {
+        public setAuthenticatedUserContext(authenticatedUserId: string, accountId?: string, storeInCookie = false) {
 
             // Validate inputs to ensure no cookie control characters.
             var isInvalidInput = !this.validateUserInput(authenticatedUserId) || (accountId && !this.validateUserInput(accountId));
@@ -74,9 +74,11 @@ module Microsoft.ApplicationInsights.Context {
                 authCookie = [this.authenticatedId, this.accountId].join(User.cookieSeparator);
             }
 
-            // Set the cookie. No expiration date because this is a session cookie (expires when browser closed).
-            // Encoding the cookie to handle unexpected unicode characters.
-            Util.setCookie(User.authUserCookieName, encodeURI(authCookie), this.config.cookieDomain());
+            if (storeInCookie) {
+                // Set the cookie. No expiration date because this is a session cookie (expires when browser closed).
+                // Encoding the cookie to handle unexpected unicode characters.
+                Util.setCookie(User.authUserCookieName, encodeURI(authCookie), this.config.cookieDomain());
+            }
         }
 
         /**