@adobe/alloy 2.25.0 → 2.26.0-beta.1

package/libEs5/components/ActivityCollector/utils/trimQueryFromUrl.js

@@ -12,6 +12,11 @@ the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTA
 OF ANY KIND, either express or implied. See the License for the specific language
 governing permissions and limitations under the License.
 */
+/**
+ * Trims the query from the URL.
+ * @param {string} url
+ * @returns {string}
+ */
 var _default = url => {
   const questionMarkIndex = url.indexOf("?");
   const hashIndex = url.indexOf("#");

package/libEs5/components/Identity/createComponent.js

@@ -25,7 +25,8 @@ var _default = ({
   consent,
   appendIdentityToUrl,
   logger,
-  getIdentityOptionsValidator
+  getIdentityOptionsValidator,
+  decodeKndctrCookie
 }) => {
   let namespaces;
   let edge = {};
@@ -55,7 +56,12 @@ var _default = ({
           // https://jira.corp.adobe.com/browse/EXEG-1234
           setLegacyEcid(newNamespaces[_ecidNamespace.default]);
         }
-        namespaces = newNamespaces;
+        if (newNamespaces && Object.keys(newNamespaces).length > 0) {
+          namespaces = {
+            ...namespaces,
+            ...newNamespaces
+          };
+        }
         // For sendBeacon requests, getEdge() will return {}, so we are using assign here
         // so that sendBeacon requests don't override the edge info from before.
         edge = {
@@ -73,7 +79,18 @@ var _default = ({
             namespaces: requestedNamespaces
           } = options;
           return consent.awaitConsent().then(() => {
-            return namespaces ? undefined : getIdentity(options);
+            if (namespaces) {
+              return undefined;
+            }
+            const ecidFromCookie = decodeKndctrCookie();
+            if (ecidFromCookie) {
+              if (!namespaces) {
+                namespaces = {};
+              }
+              namespaces[_ecidNamespace.default] = ecidFromCookie;
+              return undefined;
+            }
+            return getIdentity(options);
           }).then(() => {
             return {
               identity: requestedNamespaces.reduce((acc, namespace) => {
@@ -89,7 +106,18 @@ var _default = ({
         optionsValidator: _appendIdentityToUrlOptionsValidator.default,
         run: options => {
           return consent.withConsent().then(() => {
-            return namespaces ? undefined : getIdentity(options);
+            if (namespaces) {
+              return undefined;
+            }
+            const ecidFromCookie = decodeKndctrCookie();
+            if (ecidFromCookie) {
+              if (!namespaces) {
+                namespaces = {};
+              }
+              namespaces[_ecidNamespace.default] = ecidFromCookie;
+              return undefined;
+            }
+            return getIdentity(options);
           }).then(() => {
             return {
               url: appendIdentityToUrl(namespaces[_ecidNamespace.default], options.url)

package/libEs5/components/Identity/createDecodeKndctrCookie.js

@@ -0,0 +1,267 @@
+"use strict";
+
+exports.default = exports.decodeVarint = void 0;
+var _index = require("../../utils/index.js");
+/*
+Copyright 2024 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+/* eslint-disable no-bitwise */
+
+// #region decode protobuf
+
+/** Decoding bytes is not something commonly done in vanilla JavaScript work, and as such
+ * this file will strive to explain each step of decoding a protobuf in detail.
+ * It leans heavily on the protobuf documentation https://protobuf.dev/programming-guides/encoding/,
+ * often quoting directly from it without citation.
+ */
+
+/**
+ * The kndctr cookie protobuf format
+ * From https://git.corp.adobe.com/pages/experience-edge/konductor/#/api/identifying-visitors?id=device-identifiers
+ * and https://git.corp.adobe.com/experience-edge/konductor/blob/master/feature-identity/src/main/kotlin/com/adobe/edge/features/identity/data/StoredIdentity.kt#L16
+
+ * syntax = "proto3";
+ * 
+ * // Device-level identity for Experience Edge
+ * message Identity {
+ *   // The Experience Cloud ID value
+ *   string ecid = 1;
+ * 
+ *   IdentityMetadata metadata = 10;
+ * 
+ *   // Used only in the 3rd party domain context.
+ *   // It stores the UNIX timestamp and some metadata about the last identity sync triggered by Experience Edge.
+ *   int64 last_sync = 20;
+ *   int64 sync_hash = 21;
+ *   int32 id_sync_container_id = 22;
+ * 
+ *   // UNIX timestamp when the Identity was last returned in a `state:store` instruction.
+ *   // The Identity is written at most once every 24h with a large TTL, to ensure it does not expire.
+ *   int64 write_time = 30;
+ * }
+ * 
+ * message IdentityMetadata {
+ *   // UNIX timestamp when this identity was minted.
+ *   int64 created_at = 1;
+ * 
+ *   // Whether or not the identity is random (new) or based on an existing seed.
+ *   bool is_new = 2;
+ * 
+ *   // Type of device for which the identity was generated.
+ *   // 0 = UNKNOWN, 1 = BROWSER, 2 = MOBILE
+ *   int32 device_type = 3;
+ * 
+ *   // The Experience Edge region in which the identity was minted.
+ *   string region = 5;
+ * 
+ *   // More details on the source of the ECID identity.
+ *   // Invariant: when `is_new` = true, the source must be set to `RANDOM`.
+ *   // 0 = RANDOM, 1 = THIRD_PARTY_ID, 2 = FIRST_PARTY_ID, 3 = RECEIVED_IN_REQUEST
+ *   int32 source = 6;
+ * }
+ */
+
+const ECID_FIELD_NUMBER = 1;
+
+/**
+ * Decodes a varint from a buffer starting at the given offset.
+ *
+ * Variable-width integers, or varints, are at the core of the wire format. They
+ * allow encoding unsigned 64-bit integers using anywhere between one and ten
+ * bytes, with small values using fewer bytes.
+ *
+ * Each byte in the varint has a continuation bit that indicates if the byte
+ * that follows it is part of the varint. This is the most significant bit (MSB)
+ * of the byte (sometimes also called the sign bit). The lower 7 bits are a
+ * payload; the resulting integer is built by appending together the 7-bit
+ * payloads of its constituent bytes.
+ *
+ * 10010110 00000001        // Original inputs.
+ *  0010110  0000001        // Drop continuation bits.
+ *  0000001  0010110        // Convert to big-endian.
+ *    00000010010110        // Concatenate.
+ *  128 + 16 + 4 + 2 = 150  // Interpret as an unsigned 64-bit integer.
+ *
+ * @example decodeVarint(new Uint8Array([0b0, 0b1]), 0) // { value: 1, length: 2 }
+ * @example decodeVarint(new Uint8Array([0b10010110, 0b00000001], 0) // { value: 150, length: 2 })
+ * @param {Uint8Array} buffer
+ * @param {number} offset
+ * @returns {{ value: number, length: number }} The value of the varint and the
+ * number of bytes it takes up.
+ */
+const decodeVarint = (buffer, offset) => {
+  let value = 0;
+  let length = 0;
+  let byte;
+  do {
+    if (offset < 0 || offset + length >= buffer.length) {
+      throw new Error("Invalid varint: buffer ended unexpectedly");
+    }
+    byte = buffer[offset + length];
+    // Drop the continuation bit (the most significant bit), convert it from
+    // little endian to big endian, and add it to the accumulator `value`.
+    value |= (byte & 0b01111111) << 7 * length;
+    // Increase the length of the varint by one byte.
+    length += 1;
+    // A varint can be at most 10 bytes long for a 64-bit integer.
+    if (length > 10) {
+      throw new Error("Invalid varint: too long");
+    }
+  } while (byte & 0b10000000);
+  return {
+    value,
+    length
+  };
+};
+
+/**
+ * | ID | Name   | Used for                                                 |
+ * |----|--------|----------------------------------------------------------|
+ * | 0  | varint | int32, int64, uint32, uint64, sint32, sint64, bool, enum |
+ * | 1  | I64    | fixed64, sfixed64, double                                |
+ * | 2  | LEN    | string, bytes                                            |
+ * | 3  | SGROUP | group start (deprecated)                                 |
+ * | 4  | EGROUP | group end (deprecated)                                   |
+ * | 5  | I32    | fixed32, sfixed32, float                                 |
+ */
+exports.decodeVarint = decodeVarint;
+const WIRE_TYPES = Object.freeze({
+  VARINT: 0,
+  I64: 1,
+  LEN: 2,
+  SGROUP: 3,
+  EGROUP: 4,
+  I32: 5
+});
+
+/**
+ * Given a protobuf as a Uint8Array and based on the protobuf definition for the
+ * kndctr cookie provided at https://git.corp.adobe.com/pages/experience-edge/konductor/#/api/identifying-visitors?id=device-identifiers,
+ * this function should return the ECID as a string.
+ * The decoding of the protobuf is hand-crafted in order to save on size
+ * compared to the full protobuf.js library.
+ * @param {Uint8Array} buffer
+ * @returns {string}
+ */
+const decodeKndctrProtobuf = buffer => {
+  let offset = 0;
+  let ecid = null;
+  while (offset < buffer.length && !ecid) {
+    // A protobuf message is a series of records. Each record is a tag, the length,
+    // and the value.
+    // A record always starts with the tag. The “tag” of a record is encoded as
+    // a varint formed from the field number and the wire type via the formula
+    // `(field_number << 3) | wire_type`. In other words, after decoding the
+    // varint representing a field, the low 3 bits tell us the wire type, and the rest of the integer tells us the field number.
+    // So the first step is to decode the varint
+    const {
+      value: tag,
+      length: tagLength
+    } = decodeVarint(buffer, offset);
+    offset += tagLength;
+    // Next, we get the wire type and the field number.
+    // You take the last three bits to get the wire type and then right-shift by
+    // three to get the field number.
+    const wireType = tag & 0b111;
+    const fieldNumber = tag >> 3;
+    // We only care about the ECID field, so we will skip any other fields until
+    // we find it.
+    if (fieldNumber === ECID_FIELD_NUMBER) {
+      // The wire type for the ECID field is 2, which means it is a length-delimited field.
+      if (wireType === WIRE_TYPES.LEN) {
+        // The next varint will tell us the length of the ECID.
+        const fieldValueLength = decodeVarint(buffer, offset);
+        offset += fieldValueLength.length;
+        // The ECID is a UTF-8 encoded string, so we will decode it as such.
+        ecid = new TextDecoder().decode(buffer.slice(offset, offset + fieldValueLength.value));
+        offset += fieldValueLength.value;
+        return ecid;
+      }
+    } else {
+      // If we don't care about the field, we skip it.
+      // The wire type tells us how to skip the field.
+      switch (wireType) {
+        case WIRE_TYPES.VARINT:
+          // Skip the varint
+          offset += decodeVarint(buffer, offset).length;
+          break;
+        case WIRE_TYPES.I64:
+          // Skip the 64-bit integer
+          offset += 8;
+          break;
+        case WIRE_TYPES.LEN:
+          {
+            // Find the value that represents the length of the vield
+            const fieldValueLength = decodeVarint(buffer, offset);
+            offset += fieldValueLength.length + fieldValueLength.value;
+            break;
+          }
+        case WIRE_TYPES.SGROUP:
+          // Skip the start group
+          break;
+        case WIRE_TYPES.EGROUP:
+          // Skip the end group
+          break;
+        case WIRE_TYPES.I32:
+          // Skip the 32-bit integer
+          offset += 4;
+          break;
+        default:
+          throw new Error("Malformed kndctr cookie. Unknown wire type: " + wireType);
+      }
+    }
+  }
+
+  // No ECID was found. Maybe the cookie is malformed, maybe the format was changed.
+  throw new Error("No ECID found in cookie.");
+};
+
+/**
+ * takes a base64 string of bytes and returns a Uint8Array
+ * @param {string} base64
+ * @returns {Uint8Array}
+ */
+const base64ToBytes = base64 => {
+  const binString = atob(base64);
+  return Uint8Array.from(binString, m => m.codePointAt(0));
+};
+// #endregion
+
+// #region decode cookie
+var _default = ({
+  orgId,
+  cookieJar,
+  logger
+}) => {
+  const kndctrCookieName = (0, _index.getNamespacedCookieName)(orgId, "identity");
+  /**
+   * Returns the ECID from the kndctr cookie.
+   * @returns {string|null}
+   */
+  return () => {
+    const cookie = cookieJar.get(kndctrCookieName);
+    if (!cookie) {
+      return null;
+    }
+    try {
+      const decodedCookie = decodeURIComponent(cookie).replace(/_/g, "/").replace(/-/g, "+");
+      // cookie is a base64 encoded byte representation of a Identity protobuf message
+      // and we need to get it to a Uint8Array in order to decode it
+
+      const cookieBytes = base64ToBytes(decodedCookie);
+      return decodeKndctrProtobuf(cookieBytes);
+    } catch (error) {
+      logger.warn("Unable to decode ECID from " + kndctrCookieName + " cookie", error);
+      return null;
+    }
+  };
+}; // #endregion
+exports.default = _default;

package/libEs5/components/Identity/index.js

@@ -22,6 +22,7 @@ var _createIdentityRequest = require("./getIdentity/createIdentityRequest.js");
 var _createIdentityRequestPayload = require("./getIdentity/createIdentityRequestPayload.js");
 var _injectAppendIdentityToUrl = require("./appendIdentityToUrl/injectAppendIdentityToUrl.js");
 var _createGetIdentityOptionsValidator = require("./getIdentity/createGetIdentityOptionsValidator.js");
+var _createDecodeKndctrCookie = require("./createDecodeKndctrCookie.js");
 /*
 Copyright 2019 Adobe. All rights reserved.
 This file is licensed to you under the Apache License, Version 2.0 (the "License");
@@ -121,6 +122,11 @@ const createIdentity = ({
     thirdPartyCookiesEnabled,
     areThirdPartyCookiesSupportedByDefault
   });
+  const decodeKndctrCookie = (0, _createDecodeKndctrCookie.default)({
+    orgId,
+    cookieJar: loggingCookieJar,
+    logger
+  });
   return (0, _createComponent.default)({
     addEcidQueryToPayload,
     addQueryStringIdentityToPayload,
@@ -133,7 +139,8 @@ const createIdentity = ({
     appendIdentityToUrl,
     logger,
     config,
-    getIdentityOptionsValidator
+    getIdentityOptionsValidator,
+    decodeKndctrCookie
   });
 };
 createIdentity.namespace = "Identity";

package/libEs5/components/Identity/injectAddQueryStringIdentityToPayload.js

@@ -41,7 +41,8 @@ var _default = ({
   }
   const properties = queryStringValue.split("|").reduce((memo, keyValue) => {
     const [key, value] = keyValue.split("=");
-    memo[key] = value;
+    memo[key] = (0, _decodeUriComponentSafely.default)(value);
+    memo[key] = memo[key].replace(/[^a-zA-Z0-9@_-]/g, ""); // sanitization
     return memo;
   }, {});
   // We are using MCMID and MCORGID to be compatible with Visitor.

package/libEs5/components/Personalization/handlers/createProcessRedirect.js

@@ -1,6 +1,7 @@
 "use strict";
 
 exports.default = void 0;
+var _index = require("../flicker/index.js");
 /*
 Copyright 2023 Adobe. All rights reserved.
 This file is licensed to you under the Apache License, Version 2.0 (the "License");
@@ -12,6 +13,8 @@ the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTA
 OF ANY KIND, either express or implied. See the License for the specific language
 governing permissions and limitations under the License.
 */
+
+const REDIRECT_HIDING_ELEMENT = "BODY";
 var _default = ({
   logger,
   executeRedirect,
@@ -25,6 +28,7 @@ var _default = ({
     return {};
   }
   const render = () => {
+    (0, _index.hideElements)(REDIRECT_HIDING_ELEMENT);
     return collect({
       decisionsMeta: [item.getProposition().getNotification()],
       documentMayUnload: true
@@ -43,6 +47,9 @@ var _default = ({
       // for display notifications from this request, they will never run because this promise will
       // not resolve. This is intentional because we don't want to run bottom of page events if
       // there is a redirect.
+    }).catch(error => {
+      (0, _index.showElements)(REDIRECT_HIDING_ELEMENT);
+      throw error;
     });
   };
   return {

package/libEs5/constants/libraryVersion.js

@@ -14,4 +14,4 @@ governing permissions and limitations under the License.
 */
 // The __VERSION__ keyword will be replace at alloy build time with the package.json version.
 // see babel-plugin-version
-var _default = exports.default = "2.25.0";
+var _default = exports.default = "2.26.0-beta.1";

package/libEs5/utils/parseUrl.js

@@ -1,7 +1,6 @@
 "use strict";
 
 exports.default = void 0;
-var _parseUri = require("parse-uri");
 var _isString = require("./isString.js");
 /*
 Copyright 2023 Adobe. All rights reserved.
@@ -44,11 +43,39 @@ const parseDomainBasic = host => {
   }
   return result;
 };
+
+/**
+ * @typedef {Object} ParseUriResult
+ * @property {string} host
+ * @property {string} path
+ * @property {string} query
+ * @property {string} anchor
+ *
+ * @param {string} url
+ * @returns {ParseUriResult}
+ */
+const parseUri = url => {
+  try {
+    const parsed = new URL(url);
+    let path = parsed.pathname;
+    if (!url.endsWith("/") && path === "/") {
+      path = "";
+    }
+    return {
+      host: parsed.hostname,
+      path,
+      query: parsed.search.replace(/^\?/, ""),
+      anchor: parsed.hash.replace(/^#/, "")
+    };
+  } catch {
+    return {};
+  }
+};
 const parseUrl = (url, parseDomain = parseDomainBasic) => {
   if (!(0, _isString.default)(url)) {
     url = "";
   }
-  const parsed = (0, _parseUri.default)(url) || {};
+  const parsed = parseUri(url) || {};
   const {
     host = "",
     path = "",

package/libEs6/components/ActivityCollector/utils/trimQueryFromUrl.js

@@ -10,6 +10,11 @@ OF ANY KIND, either express or implied. See the License for the specific languag
 governing permissions and limitations under the License.
 */
 
+/**
+ * Trims the query from the URL.
+ * @param {string} url
+ * @returns {string}
+ */
 export default url => {
   const questionMarkIndex = url.indexOf("?");
   const hashIndex = url.indexOf("#");

package/libEs6/components/Identity/createComponent.js

@@ -22,7 +22,8 @@ export default ({
   consent,
   appendIdentityToUrl,
   logger,
-  getIdentityOptionsValidator
+  getIdentityOptionsValidator,
+  decodeKndctrCookie
 }) => {
   let namespaces;
   let edge = {};
@@ -52,7 +53,12 @@ export default ({
           // https://jira.corp.adobe.com/browse/EXEG-1234
           setLegacyEcid(newNamespaces[ecidNamespace]);
         }
-        namespaces = newNamespaces;
+        if (newNamespaces && Object.keys(newNamespaces).length > 0) {
+          namespaces = {
+            ...namespaces,
+            ...newNamespaces
+          };
+        }
         // For sendBeacon requests, getEdge() will return {}, so we are using assign here
         // so that sendBeacon requests don't override the edge info from before.
         edge = {
@@ -70,7 +76,18 @@ export default ({
             namespaces: requestedNamespaces
           } = options;
           return consent.awaitConsent().then(() => {
-            return namespaces ? undefined : getIdentity(options);
+            if (namespaces) {
+              return undefined;
+            }
+            const ecidFromCookie = decodeKndctrCookie();
+            if (ecidFromCookie) {
+              if (!namespaces) {
+                namespaces = {};
+              }
+              namespaces[ecidNamespace] = ecidFromCookie;
+              return undefined;
+            }
+            return getIdentity(options);
           }).then(() => {
             return {
               identity: requestedNamespaces.reduce((acc, namespace) => {
@@ -86,7 +103,18 @@ export default ({
         optionsValidator: appendIdentityToUrlOptionsValidator,
         run: options => {
           return consent.withConsent().then(() => {
-            return namespaces ? undefined : getIdentity(options);
+            if (namespaces) {
+              return undefined;
+            }
+            const ecidFromCookie = decodeKndctrCookie();
+            if (ecidFromCookie) {
+              if (!namespaces) {
+                namespaces = {};
+              }
+              namespaces[ecidNamespace] = ecidFromCookie;
+              return undefined;
+            }
+            return getIdentity(options);
           }).then(() => {
             return {
               url: appendIdentityToUrl(namespaces[ecidNamespace], options.url)

package/libEs6/components/Identity/createDecodeKndctrCookie.js

@@ -0,0 +1,263 @@
+/*
+Copyright 2024 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+/* eslint-disable no-bitwise */
+import { getNamespacedCookieName } from "../../utils/index.js";
+
+// #region decode protobuf
+
+/** Decoding bytes is not something commonly done in vanilla JavaScript work, and as such
+ * this file will strive to explain each step of decoding a protobuf in detail.
+ * It leans heavily on the protobuf documentation https://protobuf.dev/programming-guides/encoding/,
+ * often quoting directly from it without citation.
+ */
+
+/**
+ * The kndctr cookie protobuf format
+ * From https://git.corp.adobe.com/pages/experience-edge/konductor/#/api/identifying-visitors?id=device-identifiers
+ * and https://git.corp.adobe.com/experience-edge/konductor/blob/master/feature-identity/src/main/kotlin/com/adobe/edge/features/identity/data/StoredIdentity.kt#L16
+
+ * syntax = "proto3";
+ * 
+ * // Device-level identity for Experience Edge
+ * message Identity {
+ *   // The Experience Cloud ID value
+ *   string ecid = 1;
+ * 
+ *   IdentityMetadata metadata = 10;
+ * 
+ *   // Used only in the 3rd party domain context.
+ *   // It stores the UNIX timestamp and some metadata about the last identity sync triggered by Experience Edge.
+ *   int64 last_sync = 20;
+ *   int64 sync_hash = 21;
+ *   int32 id_sync_container_id = 22;
+ * 
+ *   // UNIX timestamp when the Identity was last returned in a `state:store` instruction.
+ *   // The Identity is written at most once every 24h with a large TTL, to ensure it does not expire.
+ *   int64 write_time = 30;
+ * }
+ * 
+ * message IdentityMetadata {
+ *   // UNIX timestamp when this identity was minted.
+ *   int64 created_at = 1;
+ * 
+ *   // Whether or not the identity is random (new) or based on an existing seed.
+ *   bool is_new = 2;
+ * 
+ *   // Type of device for which the identity was generated.
+ *   // 0 = UNKNOWN, 1 = BROWSER, 2 = MOBILE
+ *   int32 device_type = 3;
+ * 
+ *   // The Experience Edge region in which the identity was minted.
+ *   string region = 5;
+ * 
+ *   // More details on the source of the ECID identity.
+ *   // Invariant: when `is_new` = true, the source must be set to `RANDOM`.
+ *   // 0 = RANDOM, 1 = THIRD_PARTY_ID, 2 = FIRST_PARTY_ID, 3 = RECEIVED_IN_REQUEST
+ *   int32 source = 6;
+ * }
+ */
+
+const ECID_FIELD_NUMBER = 1;
+
+/**
+ * Decodes a varint from a buffer starting at the given offset.
+ *
+ * Variable-width integers, or varints, are at the core of the wire format. They
+ * allow encoding unsigned 64-bit integers using anywhere between one and ten
+ * bytes, with small values using fewer bytes.
+ *
+ * Each byte in the varint has a continuation bit that indicates if the byte
+ * that follows it is part of the varint. This is the most significant bit (MSB)
+ * of the byte (sometimes also called the sign bit). The lower 7 bits are a
+ * payload; the resulting integer is built by appending together the 7-bit
+ * payloads of its constituent bytes.
+ *
+ * 10010110 00000001        // Original inputs.
+ *  0010110  0000001        // Drop continuation bits.
+ *  0000001  0010110        // Convert to big-endian.
+ *    00000010010110        // Concatenate.
+ *  128 + 16 + 4 + 2 = 150  // Interpret as an unsigned 64-bit integer.
+ *
+ * @example decodeVarint(new Uint8Array([0b0, 0b1]), 0) // { value: 1, length: 2 }
+ * @example decodeVarint(new Uint8Array([0b10010110, 0b00000001], 0) // { value: 150, length: 2 })
+ * @param {Uint8Array} buffer
+ * @param {number} offset
+ * @returns {{ value: number, length: number }} The value of the varint and the
+ * number of bytes it takes up.
+ */
+export const decodeVarint = (buffer, offset) => {
+  let value = 0;
+  let length = 0;
+  let byte;
+  do {
+    if (offset < 0 || offset + length >= buffer.length) {
+      throw new Error("Invalid varint: buffer ended unexpectedly");
+    }
+    byte = buffer[offset + length];
+    // Drop the continuation bit (the most significant bit), convert it from
+    // little endian to big endian, and add it to the accumulator `value`.
+    value |= (byte & 0b01111111) << 7 * length;
+    // Increase the length of the varint by one byte.
+    length += 1;
+    // A varint can be at most 10 bytes long for a 64-bit integer.
+    if (length > 10) {
+      throw new Error("Invalid varint: too long");
+    }
+  } while (byte & 0b10000000);
+  return {
+    value,
+    length
+  };
+};
+
+/**
+ * | ID | Name   | Used for                                                 |
+ * |----|--------|----------------------------------------------------------|
+ * | 0  | varint | int32, int64, uint32, uint64, sint32, sint64, bool, enum |
+ * | 1  | I64    | fixed64, sfixed64, double                                |
+ * | 2  | LEN    | string, bytes                                            |
+ * | 3  | SGROUP | group start (deprecated)                                 |
+ * | 4  | EGROUP | group end (deprecated)                                   |
+ * | 5  | I32    | fixed32, sfixed32, float                                 |
+ */
+const WIRE_TYPES = Object.freeze({
+  VARINT: 0,
+  I64: 1,
+  LEN: 2,
+  SGROUP: 3,
+  EGROUP: 4,
+  I32: 5
+});
+
+/**
+ * Given a protobuf as a Uint8Array and based on the protobuf definition for the
+ * kndctr cookie provided at https://git.corp.adobe.com/pages/experience-edge/konductor/#/api/identifying-visitors?id=device-identifiers,
+ * this function should return the ECID as a string.
+ * The decoding of the protobuf is hand-crafted in order to save on size
+ * compared to the full protobuf.js library.
+ * @param {Uint8Array} buffer
+ * @returns {string}
+ */
+const decodeKndctrProtobuf = buffer => {
+  let offset = 0;
+  let ecid = null;
+  while (offset < buffer.length && !ecid) {
+    // A protobuf message is a series of records. Each record is a tag, the length,
+    // and the value.
+    // A record always starts with the tag. The “tag” of a record is encoded as
+    // a varint formed from the field number and the wire type via the formula
+    // `(field_number << 3) | wire_type`. In other words, after decoding the
+    // varint representing a field, the low 3 bits tell us the wire type, and the rest of the integer tells us the field number.
+    // So the first step is to decode the varint
+    const {
+      value: tag,
+      length: tagLength
+    } = decodeVarint(buffer, offset);
+    offset += tagLength;
+    // Next, we get the wire type and the field number.
+    // You take the last three bits to get the wire type and then right-shift by
+    // three to get the field number.
+    const wireType = tag & 0b111;
+    const fieldNumber = tag >> 3;
+    // We only care about the ECID field, so we will skip any other fields until
+    // we find it.
+    if (fieldNumber === ECID_FIELD_NUMBER) {
+      // The wire type for the ECID field is 2, which means it is a length-delimited field.
+      if (wireType === WIRE_TYPES.LEN) {
+        // The next varint will tell us the length of the ECID.
+        const fieldValueLength = decodeVarint(buffer, offset);
+        offset += fieldValueLength.length;
+        // The ECID is a UTF-8 encoded string, so we will decode it as such.
+        ecid = new TextDecoder().decode(buffer.slice(offset, offset + fieldValueLength.value));
+        offset += fieldValueLength.value;
+        return ecid;
+      }
+    } else {
+      // If we don't care about the field, we skip it.
+      // The wire type tells us how to skip the field.
+      switch (wireType) {
+        case WIRE_TYPES.VARINT:
+          // Skip the varint
+          offset += decodeVarint(buffer, offset).length;
+          break;
+        case WIRE_TYPES.I64:
+          // Skip the 64-bit integer
+          offset += 8;
+          break;
+        case WIRE_TYPES.LEN:
+          {
+            // Find the value that represents the length of the vield
+            const fieldValueLength = decodeVarint(buffer, offset);
+            offset += fieldValueLength.length + fieldValueLength.value;
+            break;
+          }
+        case WIRE_TYPES.SGROUP:
+          // Skip the start group
+          break;
+        case WIRE_TYPES.EGROUP:
+          // Skip the end group
+          break;
+        case WIRE_TYPES.I32:
+          // Skip the 32-bit integer
+          offset += 4;
+          break;
+        default:
+          throw new Error(`Malformed kndctr cookie. Unknown wire type: ${wireType}`);
+      }
+    }
+  }
+
+  // No ECID was found. Maybe the cookie is malformed, maybe the format was changed.
+  throw new Error("No ECID found in cookie.");
+};
+
+/**
+ * takes a base64 string of bytes and returns a Uint8Array
+ * @param {string} base64
+ * @returns {Uint8Array}
+ */
+const base64ToBytes = base64 => {
+  const binString = atob(base64);
+  return Uint8Array.from(binString, m => m.codePointAt(0));
+};
+// #endregion
+
+// #region decode cookie
+export default ({
+  orgId,
+  cookieJar,
+  logger
+}) => {
+  const kndctrCookieName = getNamespacedCookieName(orgId, "identity");
+  /**
+   * Returns the ECID from the kndctr cookie.
+   * @returns {string|null}
+   */
+  return () => {
+    const cookie = cookieJar.get(kndctrCookieName);
+    if (!cookie) {
+      return null;
+    }
+    try {
+      const decodedCookie = decodeURIComponent(cookie).replace(/_/g, "/").replace(/-/g, "+");
+      // cookie is a base64 encoded byte representation of a Identity protobuf message
+      // and we need to get it to a Uint8Array in order to decode it
+
+      const cookieBytes = base64ToBytes(decodedCookie);
+      return decodeKndctrProtobuf(cookieBytes);
+    } catch (error) {
+      logger.warn(`Unable to decode ECID from ${kndctrCookieName} cookie`, error);
+      return null;
+    }
+  };
+};
+// #endregion

package/libEs6/components/Identity/index.js

@@ -31,6 +31,7 @@ import createIdentityRequest from "./getIdentity/createIdentityRequest.js";
 import createIdentityRequestPayload from "./getIdentity/createIdentityRequestPayload.js";
 import injectAppendIdentityToUrl from "./appendIdentityToUrl/injectAppendIdentityToUrl.js";
 import createGetIdentityOptionsValidator from "./getIdentity/createGetIdentityOptionsValidator.js";
+import createGetEcidFromCookie from "./createDecodeKndctrCookie.js";
 const createIdentity = ({
   config,
   logger,
@@ -118,6 +119,11 @@ const createIdentity = ({
     thirdPartyCookiesEnabled,
     areThirdPartyCookiesSupportedByDefault
   });
+  const decodeKndctrCookie = createGetEcidFromCookie({
+    orgId,
+    cookieJar: loggingCookieJar,
+    logger
+  });
   return createComponent({
     addEcidQueryToPayload,
     addQueryStringIdentityToPayload,
@@ -130,7 +136,8 @@ const createIdentity = ({
     appendIdentityToUrl,
     logger,
     config,
-    getIdentityOptionsValidator
+    getIdentityOptionsValidator,
+    decodeKndctrCookie
   });
 };
 createIdentity.namespace = "Identity";

package/libEs6/components/Identity/injectAddQueryStringIdentityToPayload.js

@@ -39,7 +39,8 @@ export default ({
   }
   const properties = queryStringValue.split("|").reduce((memo, keyValue) => {
     const [key, value] = keyValue.split("=");
-    memo[key] = value;
+    memo[key] = decodeUriComponentSafely(value);
+    memo[key] = memo[key].replace(/[^a-zA-Z0-9@_-]/g, ""); // sanitization
     return memo;
   }, {});
   // We are using MCMID and MCORGID to be compatible with Visitor.

package/libEs6/components/Personalization/handlers/createProcessRedirect.js

@@ -9,6 +9,8 @@ the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTA
 OF ANY KIND, either express or implied. See the License for the specific language
 governing permissions and limitations under the License.
 */
+import { hideElements, showElements } from "../flicker/index.js";
+const REDIRECT_HIDING_ELEMENT = "BODY";
 export default ({
   logger,
   executeRedirect,
@@ -22,6 +24,7 @@ export default ({
     return {};
   }
   const render = () => {
+    hideElements(REDIRECT_HIDING_ELEMENT);
     return collect({
       decisionsMeta: [item.getProposition().getNotification()],
       documentMayUnload: true
@@ -40,6 +43,9 @@ export default ({
       // for display notifications from this request, they will never run because this promise will
       // not resolve. This is intentional because we don't want to run bottom of page events if
       // there is a redirect.
+    }).catch(error => {
+      showElements(REDIRECT_HIDING_ELEMENT);
+      throw error;
     });
   };
   return {

package/libEs6/constants/libraryVersion.js

@@ -13,4 +13,4 @@ governing permissions and limitations under the License.
 // The __VERSION__ keyword will be replace at alloy build time with the package.json version.
 // see babel-plugin-version
 
-export default "2.25.0";
+export default "2.26.0-beta.1";

package/libEs6/utils/parseUrl.js

@@ -9,7 +9,6 @@ the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTA
 OF ANY KIND, either express or implied. See the License for the specific language
 governing permissions and limitations under the License.
 */
-import parseUri from "parse-uri";
 import isString from "./isString.js";
 const parseDomainBasic = host => {
   const result = {};
@@ -40,6 +39,34 @@ const parseDomainBasic = host => {
   }
   return result;
 };
+
+/**
+ * @typedef {Object} ParseUriResult
+ * @property {string} host
+ * @property {string} path
+ * @property {string} query
+ * @property {string} anchor
+ *
+ * @param {string} url
+ * @returns {ParseUriResult}
+ */
+const parseUri = url => {
+  try {
+    const parsed = new URL(url);
+    let path = parsed.pathname;
+    if (!url.endsWith("/") && path === "/") {
+      path = "";
+    }
+    return {
+      host: parsed.hostname,
+      path,
+      query: parsed.search.replace(/^\?/, ""),
+      anchor: parsed.hash.replace(/^#/, "")
+    };
+  } catch {
+    return {};
+  }
+};
 const parseUrl = (url, parseDomain = parseDomainBasic) => {
   if (!isString(url)) {
     url = "";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/alloy",
-  "version": "2.25.0",
+  "version": "2.26.0-beta.1",
   "description": "Adobe Experience Platform Web SDK",
   "type": "module",
   "main": "libEs5/index.js",
@@ -22,10 +22,10 @@
     "lint": "eslint --cache --fix \"*.{js,cjs,mjs,jsx}\" \"{src,test,scripts}/**/*.{js,cjs,mjs,jsx}\"",
     "format": "prettier --write \"*.{html,js,cjs,mjs,jsx}\" \"{sandbox,src,test,scripts}/**/*.{html,js,cjs,mjs,jsx}\"",
     "test": "npm run test:unit && npm run test:scripts",
-    "test:unit": "vitest run",
-    "test:unit:debug": "vitest --no-file-parallelism --browser.headless=false",
-    "test:unit:watch": "vitest",
-    "test:unit:coverage": "vitest run --coverage",
+    "test:unit": "npx playwright install chromium && vitest run",
+    "test:unit:debug": "npx playwright install chromium && vitest --no-file-parallelism --browser.headless=false",
+    "test:unit:watch": "npx playwright install chromium && vitest",
+    "test:unit:coverage": "npx playwright install chromium && vitest run --coverage",
     "test:functional": "EDGE_BASE_PATH=\"ee-pre-prd\" ALLOY_ENV=\"int\" testcafe chrome",
     "test:functional:custom": "node scripts/helpers/runFunctionalTests.js",
     "test:functional:watch": "EDGE_BASE_PATH=\"ee-pre-prd\" ALLOY_ENV=\"int\" ./scripts/watchFunctionalTests.js --browsers chrome",
@@ -41,8 +41,7 @@
     "prepare": "husky && cd sandbox && npm install",
     "prepack": "rimraf libEs5 libEs6 && babel src -d libEs5 --env-name npmEs5 && babel src -d libEs6 --env-name npmEs6",
     "checkthattestfilesexist": "./scripts/checkThatTestFilesExist.js",
-    "add-license": "./scripts/add-license.js",
-    "postinstall": "npx playwright install chromium"
+    "add-license": "./scripts/add-license.js"
   },
   "lint-staged": {
     "./*.{cjs,mjs,js,jsx}": [
@@ -65,16 +64,16 @@
   "author": "Adobe Inc.",
   "license": "Apache-2.0",
   "dependencies": {
-    "@adobe/aep-rules-engine": "^2.0.3",
+    "@adobe/aep-rules-engine": "^2.1.0",
     "@adobe/reactor-cookie": "^1.1.0",
     "@adobe/reactor-load-script": "^1.1.1",
     "@adobe/reactor-object-assign": "^2.0.0",
     "@adobe/reactor-query-string": "^2.0.0",
-    "@babel/core": "^7.26.0",
-    "@babel/eslint-parser": "^7.26.5",
-    "@babel/plugin-transform-template-literals": "^7.25.9",
-    "@babel/preset-env": "^7.26.0",
-    "@inquirer/prompts": "^7.2.3",
+    "@babel/core": "^7.26.9",
+    "@babel/eslint-parser": "^7.26.8",
+    "@babel/plugin-transform-template-literals": "^7.26.8",
+    "@babel/preset-env": "^7.26.9",
+    "@inquirer/prompts": "^7.3.2",
     "@rollup/plugin-babel": "^6.0.4",
     "@rollup/plugin-commonjs": "^28.0.2",
     "@rollup/plugin-node-resolve": "^16.0.0",
@@ -82,24 +81,23 @@
     "commander": "^13.1.0",
     "css.escape": "^1.5.1",
     "js-cookie": "3.0.5",
-    "parse-uri": "^1.0.9",
-    "rollup": "^4.31.0",
-    "rollup-plugin-license": "^3.5.3",
-    "uuid": "^11.0.5"
+    "rollup": "^4.34.8",
+    "rollup-plugin-license": "^3.6.0",
+    "uuid": "^11.1.0"
   },
   "devDependencies": {
-    "@adobe/alloy": "^2.25.0-beta.1",
+    "@adobe/alloy": "^2.26.0-beta.0",
     "@babel/cli": "^7.26.4",
-    "@babel/plugin-transform-runtime": "^7.25.9",
-    "@eslint/js": "^9.18.0",
-    "@octokit/rest": "^21.1.0",
-    "@vitest/browser": "^3.0.3",
-    "@vitest/coverage-v8": "^3.0.3",
+    "@babel/plugin-transform-runtime": "^7.26.9",
+    "@eslint/js": "^9.20.0",
+    "@octokit/rest": "^21.1.1",
+    "@vitest/browser": "^3.0.6",
+    "@vitest/coverage-v8": "^3.0.6",
     "chalk": "^5.4.1",
     "concurrently": "^9.1.2",
     "date-fns": "^4.1.0",
     "dotenv": "^16.4.7",
-    "eslint": "^9.18.0",
+    "eslint": "^9.20.1",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-prettier": "^10.0.1",
     "eslint-plugin-ban": "^2.0.0",
@@ -107,32 +105,33 @@
     "eslint-plugin-prettier": "^5.2.3",
     "eslint-plugin-testcafe": "^0.2.1",
     "glob": "^11.0.1",
-    "globals": "^15.14.0",
+    "globals": "^15.15.0",
     "handlebars": "^4.7.8",
-    "happy-dom": "^16.7.2",
+    "happy-dom": "^17.1.1",
     "husky": "^9.1.7",
-    "lint-staged": "^15.4.1",
-    "playwright": "^1.49.1",
-    "prettier": "^3.4.2",
+    "lint-staged": "^15.4.3",
+    "playwright": "^1.50.1",
+    "prettier": "^3.5.1",
     "read-cache": "^1.0.0",
     "recursive-readdir": "^2.2.3",
-    "request": "^2.88.2",
     "rimraf": "^6.0.1",
     "rollup-plugin-glob-import": "^0.5.0",
     "rollup-plugin-istanbul": "^5.0.0",
-    "semver": "^7.6.3",
+    "semver": "^7.7.1",
     "staged-git-files": "^1.3.0",
     "start-server-and-test": "^2.0.10",
-    "testcafe": "^3.7.1",
+    "testcafe": "^3.7.2",
+    "testcafe-browser-provider-saucelabs": "^3.0.0",
     "testcafe-reporter-junit": "^3.0.2",
+    "testcafe-reporter-saucelabs": "^3.6.0",
     "url-exists-nodejs": "^0.2.4",
     "url-parse": "^1.5.10",
-    "vitest": "^3.0.3"
+    "vitest": "^3.0.6"
   },
   "optionalDependencies": {
-    "@rollup/rollup-linux-x64-gnu": "^4.31.0"
+    "@rollup/rollup-linux-x64-gnu": "^4.34.8"
   },
   "overrides": {
-    "eslint": "^9.18.0"
+    "eslint": "^9.20.1"
   }
 }

package/scripts/alloyBuilder.js

@@ -11,27 +11,25 @@ OF ANY KIND, either express or implied. See the License for the specific languag
 governing permissions and limitations under the License.
 */
 
+import babel from "@babel/core";
+import { checkbox, input, select } from "@inquirer/prompts";
+import { Command, InvalidOptionArgumentError, Option } from "commander";
 import fs from "fs";
 import path from "path";
 import { rollup } from "rollup";
-import { Command, Option, InvalidOptionArgumentError } from "commander";
-import { input, checkbox, select } from "@inquirer/prompts";
-import { fileURLToPath } from "url";
-import babel from "@babel/core";
 import { buildConfig } from "../rollup.config.js";
 import entryPointGeneratorBabelPlugin from "./helpers/entryPointGeneratorBabelPlugin.js";
-
-const dirname = path.dirname(fileURLToPath(import.meta.url));
+import { getProjectRoot, safePathJoin } from "./helpers/path.js";
 
 const packageJsonContent = fs.readFileSync(
-  `${dirname}/../package.json`,
+  safePathJoin(getProjectRoot(), "package.json"),
   "utf8",
 );
 const { version } = JSON.parse(packageJsonContent);
 
-let sourceRootPath = `${dirname}/../src`;
+let sourceRootPath = safePathJoin(getProjectRoot(), "src");
 if (!fs.existsSync(sourceRootPath)) {
-  sourceRootPath = `${dirname}/../libEs6`;
+  sourceRootPath = safePathJoin(getProjectRoot(), "libEs6");
 }
 
 const arrayDifference = (arr1, arr2) => arr1.filter((x) => !arr2.includes(x));
@@ -44,11 +42,14 @@ const getComponents = (() => {
   const components = {};
   [
     {
-      filePath: `${sourceRootPath}/core/componentCreators.js`,
+      filePath: safePathJoin(sourceRootPath, "core/componentCreators.js"),
       key: "optional",
     },
     {
-      filePath: `${sourceRootPath}/core/requiredComponentCreators.js`,
+      filePath: safePathJoin(
+        sourceRootPath,
+        "core/requiredComponentCreators.js",
+      ),
       key: "required",
     },
   ].forEach(({ filePath, key }) => {
@@ -69,12 +70,12 @@ const getComponents = (() => {
   return () => components;
 })();
 
-const getDefaultPath = () => {
-  return process.cwd();
-};
-
 const getOutputFilePath = (argv) => {
-  return `${[argv.outputDir, `alloy${argv.minify ? ".min" : ""}.js`].join(path.sep)}`;
+  const outputPath = safePathJoin(
+    argv.outputDir,
+    `alloy${argv.minify ? ".min" : ""}.js`,
+  );
+  return outputPath;
 };
 
 const getFileSizeInKB = (filePath) => {
@@ -93,7 +94,7 @@ const generateInputEntryFile = ({
   }).code;
 
   const destinationDirectory = path.dirname(inputPath);
-  const outputPath = path.join(destinationDirectory, outputFile);
+  const outputPath = safePathJoin(destinationDirectory, outputFile);
 
   fs.writeFileSync(outputPath, output);
 
@@ -157,10 +158,10 @@ const getMakeBuildCommand = () => {
         "-o, --outputDir <dir>",
         "the output directory for the generated build",
       )
-        .default(getDefaultPath())
+        .default(getProjectRoot())
         .argParser((value) => {
           if (!path.isAbsolute(value)) {
-            value = `${getDefaultPath()}${path.sep}${value}`;
+            value = safePathJoin(getProjectRoot(), value);
           }
 
           try {