feat: add support for reading Extended User IDs from the ts-eids cookie in auction requests

Author: prk-Jr

crates/trusted-server-core/src/auction/formats.rs

@@ -206,6 +206,7 @@ pub fn convert_tsjs_to_auction_request(
             id: ec_id,
             fresh_id,
             consent: Some(consent),
+            eids: None,
         },
         device,
         site: Some(SiteInfo {

crates/trusted-server-core/src/auction/orchestrator.rs

@@ -1090,6 +1090,7 @@ mod tests {
                 id: "user-123".to_string(),
                 fresh_id: "fresh-456".to_string(),
                 consent: None,
+                eids: None,
             },
             device: None,
             site: None,

crates/trusted-server-core/src/auction/types.rs

@@ -90,6 +90,13 @@ pub struct UserInfo {
     /// cookies/headers, not from stored data.
     #[serde(skip)]
     pub consent: Option<crate::consent::ConsentContext>,
+    /// Extended User IDs parsed from the [`crate::constants::COOKIE_TS_EIDS`] cookie.
+    ///
+    /// Raw (un-gated) values from the browser; consent gating via
+    /// [`crate::consent::gate_eids_by_consent`] is applied in the provider
+    /// layer before any EID reaches a bid request.
+    #[serde(skip)]
+    pub eids: Option<Vec<crate::openrtb::Eid>>,
 }
 
 /// Device information from request.

crates/trusted-server-core/src/consent/mod.rs

@@ -435,10 +435,6 @@ pub fn build_us_privacy_from_gpc(config: &ConsentConfig) -> Option<types::UsPriv
 ///
 /// Returns [`None`] if consent is missing or insufficient, stripping all EIDs
 /// from the outgoing bid request.
-///
-/// **Note:** This function is implemented and tested but not yet wired into
-/// the bid request path. It will be connected when identity provider
-/// integration populates EIDs (see `prebid.rs` where `eids: None`).
 #[must_use]
 pub fn gate_eids_by_consent<T>(
     eids: Option<Vec<T>>,

crates/trusted-server-core/src/constants.rs

@@ -1,6 +1,9 @@
 use http::header::HeaderName;
 
 pub const COOKIE_TS_EC: &str = "ts-ec";
+/// Cookie written by the Trusted Server JS SDK containing a standard-base64-encoded
+/// JSON array of Extended User IDs (`[{ source, uids }]`) from identity providers.
+pub const COOKIE_TS_EIDS: &str = "ts-eids";
 
 pub const HEADER_X_PUB_USER_ID: HeaderName = HeaderName::from_static("x-pub-user-id");
 pub const HEADER_X_TS_EC: HeaderName = HeaderName::from_static("x-ts-ec");

crates/trusted-server-core/src/cookies.rs

@@ -5,6 +5,7 @@
 
 use std::borrow::Cow;
 
+use base64::{engine::general_purpose::STANDARD, Engine as _};
 use cookie::{Cookie, CookieJar};
 use edgezero_core::body::Body as EdgeBody;
 use error_stack::{Report, ResultExt};
@@ -13,7 +14,8 @@ use http::Request;
 use http::Response;
 
 use crate::constants::{
-    COOKIE_EUCONSENT_V2, COOKIE_GPP, COOKIE_GPP_SID, COOKIE_TS_EC, COOKIE_US_PRIVACY,
+    COOKIE_EUCONSENT_V2, COOKIE_GPP, COOKIE_GPP_SID, COOKIE_TS_EC, COOKIE_TS_EIDS,
+    COOKIE_US_PRIVACY,
 };
 use crate::error::TrustedServerError;
 use crate::settings::Settings;
@@ -119,6 +121,35 @@ pub fn handle_request_cookies(
     }
 }
 
+/// Parse Extended User IDs from the [`COOKIE_TS_EIDS`] cookie.
+///
+/// The cookie value is a standard-base64-encoded JSON array of
+/// [`crate::openrtb::Eid`] objects written by the Trusted Server JS SDK via
+/// `btoa(JSON.stringify(eids))`.
+///
+/// Returns `None` if the cookie is absent, base64-malformed, JSON-malformed,
+/// or the decoded array is empty. Parse failures are logged at `debug` level
+/// so operators can diagnose JS SDK / server mismatches.
+#[must_use]
+pub(crate) fn parse_ts_eids_cookie(jar: Option<&CookieJar>) -> Option<Vec<crate::openrtb::Eid>> {
+    let value = jar?.get(COOKIE_TS_EIDS)?.value().to_owned();
+    let decoded = match STANDARD.decode(&value) {
+        Ok(b) => b,
+        Err(e) => {
+            log::debug!("ts-eids cookie: base64 decode failed: {e}");
+            return None;
+        }
+    };
+    match serde_json::from_slice::<Vec<crate::openrtb::Eid>>(&decoded) {
+        Ok(eids) if !eids.is_empty() => Some(eids),
+        Ok(_) => None,
+        Err(e) => {
+            log::debug!("ts-eids cookie: JSON parse failed: {e}");
+            None
+        }
+    }
+}
+
 /// Strips named cookies from a `Cookie` header value string.
 ///
 /// Parses the semicolon-separated cookie pairs, filters out any whose name
@@ -759,4 +790,73 @@ mod tests {
         let stripped = strip_cookies(header, CONSENT_COOKIE_NAMES);
         assert_eq!(stripped, "session=abc=123=def");
     }
+
+    fn make_jar_with(name: &str, value: &str) -> CookieJar {
+        parse_cookies_to_jar(&format!("{name}={value}"))
+    }
+
+    fn encode_eids(eids: &[serde_json::Value]) -> String {
+        use base64::{engine::general_purpose::STANDARD, Engine as _};
+        STANDARD.encode(serde_json::to_string(eids).expect("should serialize eids"))
+    }
+
+    #[test]
+    fn parse_ts_eids_cookie_returns_eids_for_valid_input() {
+        let encoded = encode_eids(&[serde_json::json!({
+            "source": "id5-sync.com",
+            "uids": [{"id": "abc123", "atype": 1}]
+        })]);
+        let jar = make_jar_with(COOKIE_TS_EIDS, &encoded);
+        let eids = parse_ts_eids_cookie(Some(&jar)).expect("should parse valid ts-eids cookie");
+        assert_eq!(eids.len(), 1, "should return one EID");
+        assert_eq!(eids[0].source, "id5-sync.com", "should preserve source");
+        assert_eq!(eids[0].uids[0].id, "abc123", "should preserve uid");
+    }
+
+    #[test]
+    fn parse_ts_eids_cookie_returns_none_when_cookie_absent() {
+        let jar = CookieJar::new();
+        assert!(
+            parse_ts_eids_cookie(Some(&jar)).is_none(),
+            "should return None when cookie absent"
+        );
+    }
+
+    #[test]
+    fn parse_ts_eids_cookie_returns_none_for_empty_array() {
+        let encoded = encode_eids(&[]);
+        let jar = make_jar_with(COOKIE_TS_EIDS, &encoded);
+        assert!(
+            parse_ts_eids_cookie(Some(&jar)).is_none(),
+            "should return None for empty EID array"
+        );
+    }
+
+    #[test]
+    fn parse_ts_eids_cookie_returns_none_for_corrupt_base64() {
+        let jar = make_jar_with(COOKIE_TS_EIDS, "not!!valid!!base64");
+        assert!(
+            parse_ts_eids_cookie(Some(&jar)).is_none(),
+            "should return None for corrupt base64"
+        );
+    }
+
+    #[test]
+    fn parse_ts_eids_cookie_returns_none_for_invalid_json() {
+        use base64::{engine::general_purpose::STANDARD, Engine as _};
+        let encoded = STANDARD.encode(b"this is not json");
+        let jar = make_jar_with(COOKIE_TS_EIDS, &encoded);
+        assert!(
+            parse_ts_eids_cookie(Some(&jar)).is_none(),
+            "should return None for invalid JSON"
+        );
+    }
+
+    #[test]
+    fn parse_ts_eids_cookie_returns_none_for_none_jar() {
+        assert!(
+            parse_ts_eids_cookie(None).is_none(),
+            "should return None when jar is None"
+        );
+    }
 }

crates/trusted-server-core/src/integrations/adserver_mock.rs

@@ -508,6 +508,7 @@ mod tests {
                 id: "user-123".to_string(),
                 fresh_id: "fresh-456".to_string(),
                 consent: None,
+                eids: None,
             },
             device: Some(DeviceInfo {
                 user_agent: Some("Mozilla/5.0".to_string()),
@@ -686,6 +687,7 @@ mod tests {
                 id: "user-1".to_string(),
                 fresh_id: "fresh-1".to_string(),
                 consent: None,
+                eids: None,
             },
             device: None,
             site: None,

crates/trusted-server-core/src/integrations/aps.rs

@@ -719,6 +719,7 @@ mod tests {
                 id: "user-123".to_string(),
                 fresh_id: "fresh-456".to_string(),
                 consent: None,
+                eids: None,
             },
             device: Some(DeviceInfo {
                 user_agent: Some("Mozilla/5.0".to_string()),
@@ -805,6 +806,7 @@ mod tests {
                 id: "user-1".to_string(),
                 fresh_id: "fresh-1".to_string(),
                 consent: None,
+                eids: None,
             },
             device: None,
             site: None,

crates/trusted-server-core/src/integrations/prebid.rs

@@ -16,6 +16,7 @@ use crate::auction::types::{
 };
 use crate::backend::BackendConfig;
 use crate::compat;
+use crate::consent::gate_eids_by_consent;
 use crate::consent_config::ConsentForwardingMode;
 use crate::error::TrustedServerError;
 use crate::http_util::RequestInfo;
@@ -1010,9 +1011,13 @@ impl PrebidAuctionProvider {
                     .map(|ac| ConsentedProvidersSettings {
                         consented_providers: Some(ac.clone()),
                     }),
-                // EIDs will be populated by identity providers; consent gating
-                // is applied via `gate_eids_by_consent` before they are set here.
-                eids: None,
+                // Use the full consent context regardless of `consent_forwarding` mode.
+                // EID transmission rights (TCF Purpose 1 + 4) are independent of
+                // whether consent strings travel in the OpenRTB body or cookies.
+                eids: gate_eids_by_consent(
+                    request.user.eids.clone(),
+                    request.user.consent.as_ref(),
+                ),
                 ec_fresh: Some(request.user.fresh_id.clone()),
             }
             .to_ext(),
@@ -1688,6 +1693,7 @@ mod tests {
                 id: "user-123".to_string(),
                 fresh_id: "fresh-456".to_string(),
                 consent: None,
+                eids: None,
             },
             device: None,
             site: None,
@@ -3178,6 +3184,7 @@ server_url = "https://prebid.example"
                 id: "synth-123".to_string(),
                 fresh_id: "fresh-456".to_string(),
                 consent: None,
+                eids: None,
             },
             device: Some(DeviceInfo {
                 user_agent: Some("test-agent".to_string()),

crates/trusted-server-core/src/openrtb.rs

@@ -1,4 +1,4 @@
-use serde::Serialize;
+use serde::{Deserialize, Serialize};
 use serde_json::Value;
 
 use crate::auction::types::OrchestratorExt;
@@ -75,7 +75,7 @@ pub struct ConsentedProvidersSettings {
 }
 
 /// An Extended User ID entry from an identity provider.
-#[derive(Debug, Serialize)]
+#[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Eid {
     /// Identity provider domain (e.g. `"id5-sync.com"`).
     pub source: String,
@@ -84,7 +84,7 @@ pub struct Eid {
 }
 
 /// A single user identifier within an [`Eid`] entry.
-#[derive(Debug, Serialize)]
+#[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Uid {
     /// The identifier value.
     pub id: String,