Class: GlobalsController

Inherits:

ApplicationController

• Object
• ActionController::Base
• ApplicationController
• GlobalsController

Defined in:

app/controllers/globals_controller.rb

Overview

Handles global bootstrap endpoint (/globals/set) and consent/visit_event endpoints.
rubocop:disable Metrics/ClassLength

Constant Summary

AVAILABLE_LOCALE_STRINGS =

rubocop:enable Metrics/AbcSize

I18n.available_locales.map(&:to_s).freeze

Constants included from Controllers::AnalyticsEvents

Controllers::AnalyticsEvents::MAX_QUEUED_EVENTS, Controllers::AnalyticsEvents::SESSION_KEY

Constants included from Controllers::ErrorRendering

Controllers::ErrorRendering::NON_CONTENT_PATH_PREFIXES

Constants included from Www::SeoHelper

Www::SeoHelper::AWARDS, Www::SeoHelper::CA_ADDRESS, Www::SeoHelper::CA_BUSINESS_HOURS, Www::SeoHelper::CA_CONTACT_POINT, Www::SeoHelper::CA_CURRENCIES, Www::SeoHelper::CA_DESCRIPTION, Www::SeoHelper::CA_FOUNDING_DATE, Www::SeoHelper::CA_GLOBAL_LOCATION_NUMBER, Www::SeoHelper::CA_LEGAL_NAME, Www::SeoHelper::CA_LOCAL_BUSINESS, Www::SeoHelper::CA_ONLINE_STORE, Www::SeoHelper::CA_RETURN_POLICY, Www::SeoHelper::CA_SALES_DEPARTMENT, Www::SeoHelper::CA_SERVICE_AREA, Www::SeoHelper::CA_URL, Www::SeoHelper::CA_VAT_ID, Www::SeoHelper::CA_WAREHOUSE_DEPARTMENT, Www::SeoHelper::CA_WAREHOUSE_HOURS, Www::SeoHelper::COMPANY_EMAIL, Www::SeoHelper::COMPANY_LOGO, Www::SeoHelper::COMPANY_NAME, Www::SeoHelper::COMPANY_SLOGAN, Www::SeoHelper::EXPERTISE, Www::SeoHelper::FAX_NUMBER, Www::SeoHelper::GS1_COMPANY_PREFIX, Www::SeoHelper::ISO6523_CODE, Www::SeoHelper::PAYMENT_METHODS, Www::SeoHelper::PHONE_NUMBER, Www::SeoHelper::PRIMARY_NAICS, Www::SeoHelper::REFUND_TYPE, Www::SeoHelper::RETURN_FEES, Www::SeoHelper::RETURN_METHOD, Www::SeoHelper::RETURN_POLICY_CATEGORY, Www::SeoHelper::SECONDARY_NAICS, Www::SeoHelper::SOCIAL_PROFILES, Www::SeoHelper::US_ADDRESS, Www::SeoHelper::US_BUSINESS_HOURS, Www::SeoHelper::US_CONTACT_POINT, Www::SeoHelper::US_CURRENCIES, Www::SeoHelper::US_DESCRIPTION, Www::SeoHelper::US_FOUNDING_DATE, Www::SeoHelper::US_GLOBAL_LOCATION_NUMBER, Www::SeoHelper::US_IMAGE, Www::SeoHelper::US_LEGAL_NAME, Www::SeoHelper::US_LOCAL_BUSINESS, Www::SeoHelper::US_ONLINE_STORE, Www::SeoHelper::US_RETURN_POLICY, Www::SeoHelper::US_SALES_DEPARTMENT, Www::SeoHelper::US_SERVICE_AREA, Www::SeoHelper::US_TAX_ID, Www::SeoHelper::US_URL, Www::SeoHelper::US_WAREHOUSE_DEPARTMENT, Www::SeoHelper::US_WAREHOUSE_HOURS

Constants included from IconHelper

IconHelper::CUSTOM_ICON_MAP, IconHelper::CUSTOM_SVG_DIR, IconHelper::DEFAULT_FAMILY

Instance Method Summary

• #set ⇒ Object

  rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity.

• #update_consent ⇒ Object

  POST /globals/consent Called when user CHANGES consent preferences (via cookie banner) Updates Party's consent_preferences and records a VisitEvent for audit rubocop:disable Metrics/AbcSize, Metrics/MethodLength.

• #visit_event ⇒ Object

  POST /globals/visit_event Records a visit event from client-side (e.g., modal open, form interactions) Used for tracking user engagement without requiring form submission rubocop:disable Metrics/AbcSize.

Methods inherited from ApplicationController

#account_impersonated?, #add_to_flash, #append_token, #bypass_forgery_protection?, #chat_enabled?, #cloudflare_cleared?, #default_catalog, #default_url_options, #enable_turbo_frames, #find_publication, #fix_invalid_accept_header, #init_js_utils, #is_globals_call?, #layout_by_resource, #locale_store, #redirect_to, #require_employee_for_crm, #set_base_host, #set_real_ip, #set_report_errors_for, #should_render_layout?, #stamp_impersonation_context, #warmlyyours_canada_ip?, #warmlyyours_ip?, #y

Methods included from Controllers::ReturnPathHandling

#check_for_return_path, #redirect_to_return_path_or_default

Methods included from Controllers::AnalyticsEvents

#consume_queued_analytics_events, #track_event

Methods included from Controllers::DeviceDetection

#device_detector, #is_ie?

Methods included from Controllers::SubdomainDetection

#is_crm_request?, #is_www_request?, #json_request?

Methods included from Controllers::TrackingDetection

#bot_request?, #gdpr_country?, #gdpr_country_data, #prevent_bots, #set_tracking_cookie, #track_visitor?

Methods included from Controllers::AcceleratedFileSending

#send_file_accelerated, #send_upload_accelerated

Methods included from Controllers::ErrorRendering

#excp_string, #mail_to_for_error_reporting, #render_400, #render_404, #render_406, #render_410, #render_500, #render_invalid_authenticity_token, #render_ip_spoof_error, #safe_referer_or_fallback

Methods included from Controllers::TurnstileVerification

#load_turnstile_script_tag, #turnstile_lazy_widget, #turnstile_script_tag, #turnstile_widget, #validate_turnstile!

Methods included from Controllers::CloudflareCaching

edge_cached, #edge_cached_action?, #reset_cloudflare_cache, #set_cloudflare_cache, #skip_session

Methods included from Controllers::Webpackable

#preload_webpack_fonts, #webpack_css_include, #webpack_css_url, #webpack_js_include, #wpd_is_running?

Methods included from Controllers::Localizable

#cloudflare_country_locale, #determine_request_locale, #geocoder_locale, #guest_user_locale_check, #locale_optional_www_auth_path?, #param_locale, #set_locale, #set_request_locale, #skip_localization?, #warmlyyours_ip_locale

Methods included from Controllers::Authenticable

#access_denied, #authenticate_account, #authenticate_account!, #authenticate_account_from_login_token!, #authenticate_account_from_token!, #check_is_a_manager, #check_is_a_sales_manager, #check_is_an_admin, #check_is_an_employee, #check_party, #clear_mismatched_guest_user, #create_guest_user, #credentials?, #current_or_guest_user, #current_or_guest_user_id_read_only, #current_user, #devise_mapping, #fully_logged_in?, #generate_bot_id, #guest_user, #identifiable?, #init_current_user, #initialize_guest, #load_context_user, #logging_in, #resource, #resource_name, #restrict_access_for_non_employees, #scrubbed_request_path, #user_object, #warn_on_session_guest_id_leak

Methods included from ApplicationHelper

#better_number_to_currency, #check_force_logout, #check_or_cross, #check_or_times, #error_messages, #general_disclaimer_on_product_installation_and_local_codes, #gridjs_from_html_table, #gridjs_table, #is_wy_ip, #line_break, #parent_layout, #pass_or_fail, #render_error_messages_list, #render_video_card, #resolved_auth_form_turbo_frame, #return_path_or, #safe_css_color, #set_return_path_if_present, #set_section_if_present, #tab_frame_id, #to_underscore, #track_page?, #turbo_section_wrapper, #turbo_tabs_request?, #url_on_same_domain_as_request, #widget_index_daily_focus_index_path, #working_hours?, #yes_or_no, #yes_or_no_highlighted, #yes_or_no_with_check_or_cross, #youtube_video

Methods included from UppyUploaderHelper

#file_uploader, #image_uploader, #large_file_uploader_s3, #lead_sketch_uploader, #rma_image_uploader, #rma_image_uploader_s3, #uppy_uploader, #video_uploader

Methods included from Www::ImagesHelper

#image_asset_tag, #image_asset_url

Methods included from Www::SeoHelper

#add_page_schema, #canada?, #company_social_links, #ensure_context_json, #json_ld_script_tag, #local_business_schema, #online_store_id, #online_store_schema, #page_main_entity, #page_main_entity_json, #render_auto_collection_page_schema, #render_collection_page_schema, #render_local_business_schema, #render_online_store_schema, #render_page_schemas, #render_page_video_schemas, #render_webpage_schema, #render_webpage_schema_with_collections, #usa?

Methods included from UrlsHelper

#catalog_breadcrumb_links, #catalog_link, #catalog_link_for_product_line, #catalog_link_for_sku, #cms_link, #delocalized_path, #path_to_sales_product_sku, #path_to_sales_product_sku_for_product_line, #path_to_sales_product_sku_for_product_line_slug, #product_line_from_catalog_link, #protocol_neutral_url, #sanitize_external_url, #valid_external_url?

Methods included from IconHelper

#account_nav_icon, #fa_icon, #star_rating_html

Instance Method Details

#set ⇒ Object

rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity

# File 'app/controllers/globals_controller.rb', line 98

def set
  # set_locale before_action is skipped for globals (no locale in URL).
  # Honour the client-reported locale so tracking, translations, and
  # rendered partials all use the correct locale for this visitor.
  CurrentScope.locale = params[:apparent_locale] if params[:apparent_locale].present? && params[:apparent_locale].in?(AVAILABLE_LOCALE_STRINGS)

  # Sanitize JSON bodies that may contain null bytes or invalid utf-8
  if request.format.json? && request.body.present?
    begin
      raw = request.raw_post.to_s.encode('UTF-8', invalid: :replace, undef: :replace, replace: '').delete("\u0000")
      incoming = begin
        JSON.parse(raw)
      rescue StandardError
        {}
      end
      if incoming.is_a?(Hash)
        # Support legacy payload wrapper like { "body.value": "{...json...}" }
        nested = incoming['body.value'] || incoming.dig('body', 'value')
        @globals_payload = parse_json_safe(nested) if nested.is_a?(String)
      end
    rescue StandardError
      @globals_payload = {}
    end
  end
  # window.webpack_nonce = '<%# request&.content_security_policy_nonce %>'; // REQ
  # window.RMTREV = '<%# Heatwave::Application.config.x.revision rescue 'error' %>' || 'error'; // TIME SESSION
  # window.current_user = <%#= user_object rescue '{}' %>; // SESSION
  # window.$crisp = window.$crisp || [];
  # window.tracVis = <%#= track_visitor? rescue 'false' %> || false; // SESSION
  webpack_nonce = request&.content_security_policy_nonce
  rmtrev = begin
    Heatwave::Application.config.x.revision
  rescue StandardError
    'error'
  end
  current_user_object = user_object
  tracking_params = params.to_unsafe_h.slice(:landing_page, :screen_width, :screen_height, :referrer, :bot_sig, :path)
  tracking_params['globals'] = @globals_payload if defined?(@globals_payload) && @globals_payload.is_a?(Hash)
  visit_res = Tracking::Tracker.track_visit(CurrentScope.user, request: request, params: tracking_params)

  if params[:path].present? && params[:path] != 'globals'
    msg = "Globals was not initiated from root path, but called on #{params[:path]}"
    # For now make this a warning
    Rails.logger.warn msg
    ErrorReporting.warning(msg)
  end

  if (trac_vis = visit_res.track_visit?)
    if visit_res.visit
      session[:visit_id] = visit_res.visit.id
      # visit_id/visit_event_id removed from JS payload - not used client-side
    else
      Rails.logger.error "track_visit returned true but no visit object returned. #{visit_res.message}"
    end
    # If there is a source tracking phone number present, let's set the ga_phone cookie
    if cookies[:ga_phone].nil? && (tracking_number = CurrentScope.user&.source&.tracking_phone_number)
      cookies[:ga_phone] = {
         value: tracking_number,
         expires: 30.days.from_now
       }
    end
  else
    Rails.logger.debug { "[track_visit] skipped — #{visit_res.message}" }
  end
  errors = [flash[:error].presence, (@report_errors_for || []).map { |r| r.errors.full_messages }].flatten.compact
  error_queue = errors.present? ? safe_join(errors, '<br>'.html_safe) : nil
  (@report_errors_for || []).each { |record| record.errors.clear }
  warning_queue = flash[:warning].present? ? safe_join([flash[:warning]].flatten, '. ') : nil

  notice_queue = flash[:info].present? ? safe_join([flash[:info]].flatten, '. ') : nil

  live_event = LiveEvent.get_live
  live_event_banner = if live_event
                        Rails.cache.fetch("live_event_banner/#{live_event.id}-#{live_event.updated_at.to_i}", expires_in: 5.minutes) do
                          render_to_string('www/live_events/_live_event_banner', formats: [:html], layout: false, locals: { live_event: live_event })
                        end
                      end
  page_csrf = {
    param: request_forgery_protection_token,
    token: form_authenticity_token
  }

  locale_to_send = I18n.locale.to_s

  ErrorReporting.warning("Globals: apparent_locale '#{params[:apparent_locale]}' is not a valid locale; using '#{locale_to_send}'") if params[:apparent_locale].present? && params[:apparent_locale] != locale_to_send

  # ==========================================================================
  # TRACKING DATA - Single source of truth for all tracking decisions
  # Consent is stored on Party for persistence across visits
  # ==========================================================================

  # Extract visitor geo from Cloudflare headers
  visitor_country = request.env['HTTP_CF_IPCOUNTRY']&.upcase
  visitor_country = 'US' if visitor_country.blank? || visitor_country == 'XX'
  visitor_region = request.env['HTTP_CF_REGION_CODE']&.upcase

  # Determine current location's consent mode
  current_location_mode = Tracking::ConsentPreferences.determine_mode(visitor_country, visitor_region)

  # Initialize or retrieve consent preferences from Party
  # This eliminates the need for a separate /globals/consent call for defaults
  party = CurrentScope.user

  # Check if user needs to re-consent (e.g., US visitor now in GDPR region)
  requires_reconsent = party.present? &&
                       party.consent_preferences.present? &&
                       Tracking::ConsentPreferences.requires_reconsent?(
                         party,
                         current_country: visitor_country,
                         current_region: visitor_region
                       )

  consent_prefs = if party.present? && party.consent_preferences.blank?
                    # First visit - set defaults based on geo
                    Tracking::ConsentPreferences.initialize_defaults(
                      party,
                      country: visitor_country,
                      region: visitor_region
                    )
                  elsif party.present?
                    party.consent_preferences
                  else
                    # No party (edge case) - return defaults without persisting
                    Tracking::ConsentPreferences.build_defaults(
                      current_location_mode,
                      visitor_country,
                      visitor_region
                    )
                  end

  # Use CURRENT location's consent mode (not stored) for compliance
  # If user is in GDPR country, they need GDPR-level consent regardless of stored prefs
  consent_mode = current_location_mode

  # Check if user has Global Privacy Control enabled
  has_gpc = request.env['HTTP_SEC_GPC'] == '1'

  # Determine effective consent based on re-consent requirement
  # If re-consent required, treat as no consent until they explicitly opt-in
  effective_analytics = if requires_reconsent
                          false # Must re-consent in stricter region
                        else
                          consent_prefs&.dig('consent_analytics') != false
                        end
  effective_marketing = if requires_reconsent
                          false # Must re-consent in stricter region
                        else
                          consent_prefs&.dig('consent_marketing') != false
                        end

  is_gdpr = Tracking::ConsentPreferences::GDPR_COUNTRIES.include?(visitor_country)

  clarity_enabled = MicrosoftClarity.enabled?
  clarity_config = { enabled: clarity_enabled }
  clarity_config[:project_id] = MicrosoftClarity.project_id if clarity_enabled

  tracking_config = {
    visitor_country: visitor_country,
    visitor_region: visitor_region,
    consent_mode: consent_mode,
    gdpr_country: is_gdpr,
    has_gpc: has_gpc,
    requires_reconsent: requires_reconsent,
    consent: {
      analytics: effective_analytics,
      marketing: effective_marketing,
      updated_at: consent_prefs&.dig('consent_updated_at')
    }.compact,
    clarity: clarity_config
  }

  # Drain any server-queued analytics events from the session.
  # These are queued by controllers via track_event() before redirects.
  # Session storage (rather than flash) keeps payloads safe from being
  # consumed/dropped by intermediate requests between the redirect and
  # the next globals.json fetch.
  analytics_events = consume_queued_analytics_events

  # Keep a JS-readable cookie in sync so edge-cached pages can show the correct
  # cart count immediately (without waiting for this async globals.json response).
  cart_qty_val = current_user_object.is_a?(Hash) ? (current_user_object[:cartQty] || 0) : 0
  cookies[:cart_qty] = { value: cart_qty_val.to_s, expires: 1.day.from_now, path: '/' }

  # Build response, removing nil values to reduce payload
  response_data = {
    pageCsrf: page_csrf,
    webpack_nonce: webpack_nonce,
    RMTREV: rmtrev,
    current_user: current_user_object,
    tracVis: trac_vis,
    tracking: tracking_config,
    analyticsEvents: analytics_events,
    error_queue: error_queue,
    warning_queue: warning_queue,
    notice_queue: notice_queue,
    live_event_banner: live_event_banner,
    locale: locale_to_send
  }.compact

  respond_to do |format|
    format.json { render json: response_data, status: :ok }
    format.turbo_stream { head :not_found }
  end
end

#update_consent ⇒ Object

POST /globals/consent
Called when user CHANGES consent preferences (via cookie banner)
Updates Party's consent_preferences and records a VisitEvent for audit
rubocop:disable Metrics/AbcSize, Metrics/MethodLength

# File 'app/controllers/globals_controller.rb', line 10

def update_consent
  party = CurrentScope.user
  unless party
    render json: { success: false, error: 'No user session' }, status: :ok
    return
  end

  analytics = params[:analytics_consent].to_b
  marketing = params[:marketing_consent].to_b

  # Update Party's consent_preferences (persistent)
  updated_prefs = Tracking::ConsentPreferences.update_consent(
    party,
    analytics: analytics,
    marketing: marketing,
    mode: params[:consent_mode],
    country: params[:consent_country],
    region: params[:consent_region]
  )

  # Also record a VisitEvent for audit trail (ephemeral but detailed)
  visit_id = session[:visit_id]
  if visit_id && (visit = Visit.find_by(id: visit_id))
    visit.visit_events.create!(
      user_id: visit.user_id,
      name: '$consent',
      time: Time.current,
      properties: {
        mode: params[:consent_mode],
        country: params[:consent_country],
        region: params[:consent_region],
        analytics: analytics,
        marketing: marketing,
        gpc: params[:has_gpc].to_b,
        url: request.referer,
        source: 'user_action' # Distinguish from implicit defaults
      }
    )
  end

  render json: { success: true, consent: updated_prefs }, status: :ok
rescue StandardError => e
  Rails.logger.error "[GlobalsController#update_consent] Error: #{e.message}"
  ErrorReporting.error(e)
  render json: { success: false, error: e.message }, status: :ok
end

#visit_event ⇒ Object

POST /globals/visit_event
Records a visit event from client-side (e.g., modal open, form interactions)
Used for tracking user engagement without requiring form submission
rubocop:disable Metrics/AbcSize

# File 'app/controllers/globals_controller.rb', line 62

def visit_event
  visit_id = session[:visit_id]
  unless visit_id
    render json: { success: false, error: 'No visit session' }, status: :ok
    return
  end

  visit = Visit.find_by(id: visit_id)
  unless visit
    render json: { success: false, error: 'Visit not found' }, status: :ok
    return
  end

  event_name = params[:name].to_s.presence || '$custom_event'
  properties = params[:properties].to_h.merge(
    url: request.referer,
    user_agent: request.user_agent
  )

  visit.visit_events.create!(
    user_id: visit.user_id,
    name: event_name,
    time: Time.current,
    properties: properties
  )

  render json: { success: true }, status: :ok
rescue StandardError => e
  Rails.logger.error "[GlobalsController#visit_event] Error: #{e.message}"
  render json: { success: false, error: e.message }, status: :ok
end