save cross domain identifier cookies from the server as an option (#56)

* remove code to migrate legacy cookies

we've verified that the legacy cookies are not in use anymore, hence we can get rid of this migration logic to simplify the client side code.

here's a link to the same change we made on the server (internal link) https://github.com/segmentio/xid/pull/12.

* save cross domain identifier cookies from the server as an option

Previously xid metadata was stored as client side cookies. This change allows us to set the cookies from a server as httpOnly cookies. We also store the identifier in localStorage To allow the current domain to read it from javascript. This is only set if the request completes succesfully. This behaviour is behind a flag `saveCrossDomainIdInLocalStorage` that is off by default.

This also removes some of the metadata that we don't use (such as the domain of the cookie and timestamp of the cookie)

Author: f2prateek

lib/index.js

@@ -61,6 +61,7 @@ var Segment = exports = module.exports = integration('Segment.io')
   .option('apiHost', 'api.segment.io/v1')
   .option('crossDomainIdServers', [])
   .option('deleteCrossDomainId', false)
+  .option('saveCrossDomainIdInLocalStorage', false)
   .option('retryQueue', true)
   .option('addBundledMetadata', false)
   .option('unbundledIntegrations', []);
@@ -169,16 +170,6 @@ Segment.prototype.initialize = function() {
     self.ready();
   });
 
-  // Migrate from old cross domain id cookie names
-  if (this.cookie('segment_cross_domain_id')) {
-    this.cookie('seg_xid', this.cookie('segment_cross_domain_id'));
-    this.cookie('seg_xid_fd', this.cookie('segment_cross_domain_id_from_domain'));
-    this.cookie('seg_xid_ts', this.cookie('segment_cross_domain_id_timestamp'));
-    this.cookie('segment_cross_domain_id', null);
-    this.cookie('segment_cross_domain_id_from_domain', null);
-    this.cookie('segment_cross_domain_id_timestamp', null);
-  }
-
   // Delete cross domain identifiers.
   this.deleteCrossDomainIdIfNeeded();
 
@@ -284,7 +275,7 @@ Segment.prototype.normalize = function(msg) {
   msg.writeKey = this.options.apiKey;
   ctx.userAgent = navigator.userAgent;
   if (!ctx.library) ctx.library = { name: 'analytics.js', version: this.analytics.VERSION };
-  var crossDomainId = this.cookie('seg_xid');
+  var crossDomainId = this.getCachedCrossDomainId();
   if (crossDomainId && this.isCrossDomainAnalyticsEnabled()) {
     if (!ctx.traits) {
       ctx.traits = { crossDomainId: crossDomainId };
@@ -440,69 +431,132 @@ Segment.prototype.isCrossDomainAnalyticsEnabled = function() {
  */
 Segment.prototype.retrieveCrossDomainId = function(callback) {
   if (!this.isCrossDomainAnalyticsEnabled()) {
+    // Callback is only provided in tests.
     if (callback) {
       callback('crossDomainId not enabled', null);
     }
     return;
   }
-  if (!this.cookie('seg_xid')) {
-    var self = this;
-    var writeKey = this.options.apiKey;
-
-    // Exclude the current domain from the list of servers we're querying
-    var currentTld = getTld(window.location.hostname);
-    var domains = [];
-    for (var i=0; i<this.options.crossDomainIdServers.length; i++) {
-      var domain = this.options.crossDomainIdServers[i];
-      if (getTld(domain) !== currentTld) {
-        domains.push(domain);
-      }
-    }
 
-    getCrossDomainIdFromServerList(domains, writeKey, function(err, res) {
-      if (err) {
-        // We optimize for no conflicting xid as much as possible. So bail out if there is an
-        // error and we cannot be sure that xid does not exist on any other domains
-        if (callback) {
-          callback(err, null);
-        }
-        return;
-      }
-      var crossDomainId = null;
-      var fromDomain = null;
-      if (res) {
-        crossDomainId = res.id;
-        fromDomain = res.domain;
-      } else {
-        crossDomainId = uuid();
-        fromDomain = window.location.hostname;
-      }
-      var currentTimeMillis = (new Date()).getTime();
-      self.cookie('seg_xid', crossDomainId);
-      // Not actively used. Saving for future conflict resolution purposes
-      self.cookie('seg_xid_fd', fromDomain);
-      self.cookie('seg_xid_ts', currentTimeMillis);
-      self.analytics.identify({
-        crossDomainId: crossDomainId
+  var cachedCrossDomainId = this.getCachedCrossDomainId();
+  if (cachedCrossDomainId) {
+    // Callback is only provided in tests.
+    if (callback) {
+      callback(null, {
+        crossDomainId: cachedCrossDomainId
       });
+    }
+    return;
+  }
+
+  var self = this;
+  var writeKey = this.options.apiKey;
+
+  // Exclude the current domain from the list of servers we're querying
+  var currentTld = getTld(window.location.hostname);
+  var domains = [];
+  for (var i = 0; i < this.options.crossDomainIdServers.length; i++) {
+    var domain = this.options.crossDomainIdServers[i];
+    if (getTld(domain) !== currentTld) {
+      domains.push(domain);
+    }
+  }
+
+  getCrossDomainIdFromServerList(domains, writeKey, function(err, res) {
+    if (err) {
+      // Callback is only provided in tests.
       if (callback) {
-        callback(null, {
-          crossDomainId: crossDomainId,
-          fromDomain: fromDomain,
-          timestamp: currentTimeMillis
-        });
+        callback(err, null);
       }
+      // We optimize for no conflicting xid as much as possible. So bail out if there is an
+      // error and we cannot be sure that xid does not exist on any other domains.
+      return;
+    }
+
+    var crossDomainId = null;
+    var fromDomain = null;
+    if (res) {
+      crossDomainId = res.id;
+      fromDomain = res.domain;
+    } else {
+      crossDomainId = uuid();
+      fromDomain = window.location.hostname;
+    }
+
+    self.saveCrossDomainId(crossDomainId);
+    self.analytics.identify({
+      crossDomainId: crossDomainId
     });
+
+    // Callback is only provided in tests.
+    if (callback) {
+      callback(null, {
+        crossDomainId: crossDomainId,
+        fromDomain: fromDomain
+      });
+    }
+  });
+};
+
+/**
+ * getCachedCrossDomainId returns the cross domain identifier stored on the client based on the `saveCrossDomainIdInLocalStorage` flag.
+ * If `saveCrossDomainIdInLocalStorage` is false, it reads it from the `seg_xid` cookie.
+ * If `saveCrossDomainIdInLocalStorage` is true, it reads it from the `seg_xid` key in localStorage.
+ * 
+ * @return {string} crossDomainId
+ */
+Segment.prototype.getCachedCrossDomainId = function() {
+  if (this.options.saveCrossDomainIdInLocalStorage) {
+    return localstorage('seg_xid');
+  }
+  return this.cookie('seg_xid');
+};
+
+/**
+ * saveCrossDomainId saves the cross domain identifier. The implementation differs based on the `saveCrossDomainIdInLocalStorage` flag.
+ * If `saveCrossDomainIdInLocalStorage` is false, it saves it as the `seg_xid` cookie.
+ * If `saveCrossDomainIdInLocalStorage` is true, it saves it to localStorage (so that it can be accessed on the current domain)
+ * and as a httpOnly cookie (so that can it can be provided to other domains).
+ *
+ * @api private
+ */
+Segment.prototype.saveCrossDomainId = function(crossDomainId) {
+  if (!this.options.saveCrossDomainIdInLocalStorage) {
+    this.cookie('seg_xid', crossDomainId);
+    return;
+  }
+
+  var self = this;
+
+  // Save the cookie by making a request to the xid server for the current domain.
+  var currentTld = getTld(window.location.hostname);
+  for (var i = 0; i < this.options.crossDomainIdServers.length; i++) {
+    var domain = this.options.crossDomainIdServers[i];
+    if (getTld(domain) === currentTld) {
+      var writeKey = this.options.apiKey;
+      var url = 'https://' + domain + '/v1/saveId?writeKey=' + writeKey + '&xid=' + crossDomainId;
+
+      httpGet(url, function(err, res) {
+        if (err) {
+          self.debug('could not save id on %O, received %O', url, [err, res]);
+          return;
+        }
+
+        localstorage('seg_xid', crossDomainId);
+      });
+      return;
+    }
   }
 };
 
 /**
  * Deletes any state persisted by cross domain analytics.
  * * seg_xid (and metadata) from cookies
+ * * seg_xid from localStorage
  * * crossDomainId from traits in localStorage
  *
- * The deletion logic is run only if deletion is enabled for this project, and
- * when either the seg_xid cookie or crossDomainId localStorage trait exists.
+ * The deletion logic is run only if deletion is enabled for this project, and only
+ * deletes the data that actually exists.
  *
  * @api private
  */
@@ -519,6 +573,11 @@ Segment.prototype.deleteCrossDomainIdIfNeeded = function() {
     this.cookie('seg_xid_ts', null);
   }
 
+  // Delete the xid from localStorage if it exists.
+  if (localstorage('seg_xid')) {
+    localstorage('seg_xid', null);
+  }
+
   // Delete the crossDomainId trait in localStorage if it exists.
   if (this.analytics.user().traits().crossDomainId) {
     // This intentionally uses an internal API, so that
@@ -609,6 +668,27 @@ function getJson(url, callback) {
   xhr.send();
 }
 
+/**
+ * get makes a get request to the given URL.
+ * @param {string} url
+ * @param {function} callback => err, response
+ */
+function httpGet(url, callback) {
+  var xhr = new XMLHttpRequest();
+  xhr.open('GET', url, true);
+  xhr.withCredentials = true;
+  xhr.onreadystatechange = function() {
+    if (xhr.readyState === XMLHttpRequest.DONE) {
+      if (xhr.status >= 200 && xhr.status < 300) {
+        callback(null, xhr.responseText);
+      } else {
+        callback(xhr.statusText || xhr.responseText || 'Unknown Error', null);
+      }
+    }
+  };
+  xhr.send();
+}
+
 /**
  * getTld
  * Get domain.com from subdomain.domain.com, etc.