
Enforcing Valid Accounts #1013

Closed
bretg opened this issue Aug 27, 2019 · 5 comments

Comments

@bretg
Contributor

bretg commented Aug 27, 2019

We need to have better control over who's hitting our Prebid Server cluster, so want to have a flag which tells PBS to reject (HTTP 401) any unrecognized account.

Account ID comes from site.publisher.id or app.publisher.id in the request, which is compared to values in the accounts table

The proposed config is a new flag in the settings section:

settings:
    enforce-valid-account: true   # defaults to false

The original 'legacy' protocol used to reject unknown accounts based on the 'accounts' table lookup, but the OpenRTB interface doesn't enforce accounts. So this is really re-implementing a feature we used to have.

@bretg bretg added the Intent to implement An issue describing a plan for a major feature. These are intended for community feedback label Aug 27, 2019
@bretg bretg self-assigned this Aug 27, 2019
@hhhjort
Collaborator

hhhjort commented Aug 27, 2019

Adding a blacklist option may make for a smoother transition. It would allow removing bad actors while giving good actors time to establish a formal relationship.

@bretg bretg changed the title Enforcing accounts Enforcing Valid Accounts Sep 8, 2019
@bretg
Contributor Author

bretg commented Sep 8, 2019

@hhhjort - my understanding is that there's already a 'blacklist' option -- #1014

Based on the committee discussion last week, 'valid' and 'invalid' account features are both useful options. The 'invalid' account list is a way for a PBS host company to reject only requests from particular accounts, but they may not otherwise mind unknown accounts. The 'valid' list is a more proactive way to control traffic impact, but not every request contains the account, e.g. AMP.

Will open a separate discussion on alternate ways to obtain the account ID.

In the meantime, we plan to implement this for PBS-Java in the next sprint or two.

@bretg
Contributor Author

bretg commented Nov 8, 2019

This is done in PBS-Java. Assigning to @hhhjort for PBS-Go implementation.

@bretg bretg assigned hhhjort and unassigned bretg Nov 8, 2019
@bretg bretg added the PBS-Go label May 18, 2020
@laurb9
Contributor

laurb9 commented Aug 21, 2020

#1426 (discussed in #1395 ) adds support for per-account configuration settings, which includes the ability to disable or enable accounts individually.

@bsardo
Collaborator

bsardo commented Sep 14, 2020

As @laurb9 mentioned, we recently added additional account configuration options to PBS-Go.

Hosts can now specify account-specific configuration via account-specific json config files.

Also, we have the following global account configuration options:

  • account_required (whether a request must contain a valid account id)
  • account_defaults.disabled (whether requests missing a valid account should be allowed or blocked)
  • blacklisted_accts (a list of blocked accounts - deprecated)

Between the global and account-specific options, the host now has more control.

If the host wants to require that requests contain a valid account id, they need to set the global option account_required = true.

If the host wants to default to allowing all accounts but block specific accounts, they need to:

  • Set global option account_defaults.disabled = false
  • Create an account-specific JSON config file with disabled: true for each blocked account

  Note that the deprecated method of specifying blacklisted accounts via the global option blacklisted_accts is still supported for the time being.

If the host wants to default to disabling all accounts and only allow particular accounts, they need to:

  • Set global option account_defaults.disabled = true
  • Create an account-specific JSON config file with disabled: false for each allowed account
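The three modes described in the comment above (require an account id, allow by default with per-account blocks, block by default with per-account allows), written out as one decision function. This is an added illustration, not prebid-server's own code: the type names, the `files` map standing in for the account-specific JSON files, and the check order (missing id, then blacklisted_accts, then the per-account file, then account_defaults.disabled) are assumptions; a malformed account file is treated as "blocked" so a bad config fails closed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// GlobalConfig: the three global options from the comment above (names are illustrative, not PBS's own).
type GlobalConfig struct {
	AccountRequired  bool     // account_required
	DefaultsDisabled bool     // account_defaults.disabled
	BlacklistedAccts []string // blacklisted_accts (deprecated)
}

// AccountConfig is the per-account JSON file shape, e.g. {"disabled": true}.
type AccountConfig struct {
	Disabled bool `json:"disabled"`
}

// Evaluate returns (allowed, reason) for a request whose site/app.publisher.id
// is accountID. files stands in for the host's account-specific JSON files,
// keyed by account ID; a missing key means the account is unknown.
func Evaluate(g GlobalConfig, files map[string][]byte, accountID string) (bool, string) {
	if accountID == "" {
		if g.AccountRequired {
			return false, "no publisher id and account_required=true"
		}
		return true, "no publisher id, account_required=false"
	}
	for _, b := range g.BlacklistedAccts { // deprecated list is still honoured
		if b == accountID {
			return false, "listed in blacklisted_accts"
		}
	}
	raw, known := files[accountID]
	if !known { // unknown account: account_defaults.disabled decides
		return !g.DefaultsDisabled, "unknown account, using account_defaults.disabled"
	}
	var ac AccountConfig
	if err := json.Unmarshal(raw, &ac); err != nil { // fail closed on bad config
		return false, "malformed account config: " + err.Error()
	}
	return !ac.Disabled, "per-account config disabled=" + fmt.Sprint(ac.Disabled)
}

func main() { // constructed sample: allow-list mode, only pub-1 enabled
	files := map[string][]byte{"pub-1": []byte(`{"disabled": false}`)}
	g := GlobalConfig{AccountRequired: true, DefaultsDisabled: true}
	fmt.Println(Evaluate(g, files, "pub-7")) // false, unknown account is blocked
}
```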
