Chore: Pass signed user_hash to Intercom via Rudderstack (#63921)

* move analytics identifiers to backend * implement hash function * grab secret from env * expose and retrieve intercom secret from config * concat email with appUrl to ensure uniqueness * revert to just using email * Revert "revert to just using email" This reverts commit 8f10f9b1bc. * add docstring
2025-02-25 18:55:37 -06:00 · 2023-03-03 14:39:53 +00:00
parent fed59b1d43
commit d61bcdf4ca
15 changed files with 89 additions and 66 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -265,6 +265,9 @@ rudderstack_sdk_url =
 # Rudderstack Config url, optional, used by Rudderstack SDK to fetch source config
 rudderstack_config_url =
 # Intercom secret, optional, used to hash user_id before passing to Intercom via Rudderstack
 intercom_secret =
 # Application Insights connection string. Specify an URL string to enable this feature.
 application_insights_connection_string =
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -272,6 +272,9 @@
 # Rudderstack Config url, optional, used by Rudderstack SDK to fetch source config
 ;rudderstack_config_url =
 # Intercom secret, optional, used to hash user_id before passing to Intercom via Rudderstack
 ;intercom_secret =
 # Controls if the UI contains any links to user feedback forms
 ;feedback_links_enabled = true
--- a/packages/grafana-data/src/types/config.ts
+++ b/packages/grafana-data/src/types/config.ts
@@ -96,6 +96,16 @@ export type OAuth =
 */
 export type OAuthSettings = Partial<Record<OAuth, { name: string; icon?: IconName }>>;
 /**
 * Information needed for analytics providers
 *
 * @internal
 */
 export interface AnalyticsSettings {
  identifier: string;
  intercomIdentifier?: string;
 }
 /** Current user info included in bootData
 *
 * @internal
@@ -119,6 +129,7 @@ export interface CurrentUserDTO {
  locale: string;
  language: string;
  permissions?: Record<string, boolean>;
  analytics: AnalyticsSettings;
  /** @deprecated Use theme instead */
  lightTheme: boolean;
--- a/packages/grafana-data/src/types/index.ts
+++ b/packages/grafana-data/src/types/index.ts
@@ -38,6 +38,7 @@ export * from './geometry';
 export { isUnsignedPluginSignature } from './pluginSignature';
 export type {
  CurrentUserDTO,
  AnalyticsSettings,
  BootData,
  OAuth,
  OAuthSettings,
--- a/pkg/api/dtos/models.go
+++ b/pkg/api/dtos/models.go
@@ -48,6 +48,12 @@ type CurrentUser struct {
 	HelpFlags1                 user.HelpFlags1    `json:"helpFlags1"`
 	HasEditPermissionInFolders bool               `json:"hasEditPermissionInFolders"`
 	Permissions                UserPermissionsMap `json:"permissions,omitempty"`
 	Analytics                  AnalyticsSettings  `json:"analytics"`
 }
 type AnalyticsSettings struct {
 	Identifier         string `json:"identifier"`
 	IntercomIdentifier string `json:"intercomIdentifier,omitempty"`
 }
 type UserPermissionsMap map[string]bool
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@@ -112,6 +112,10 @@ func (hs *HTTPServer) setIndexViewData(c *contextmodel.ReqContext) (*dtos.IndexV
 			Language:                   language,
 			HelpFlags1:                 c.HelpFlags1,
 			HasEditPermissionInFolders: hasEditPerm,
 			Analytics: dtos.AnalyticsSettings{
 				Identifier:         c.SignedInUser.Analytics.Identifier,
 				IntercomIdentifier: c.SignedInUser.Analytics.IntercomIdentifier,
 			},
 		},
 		Settings:                            settings,
 		Theme:                               prefs.Theme,
--- a/pkg/services/user/model.go
+++ b/pkg/services/user/model.go
@@ -193,6 +193,11 @@ type GetSignedInUserQuery struct {
 	OrgID  int64 `xorm:"org_id"`
 }
 type AnalyticsSettings struct {
 	Identifier         string
 	IntercomIdentifier string
 }
 type SignedInUser struct {
 	UserID             int64 `xorm:"user_id"`
 	OrgID              int64 `xorm:"org_id"`
@@ -212,6 +217,7 @@ type SignedInUser struct {
 	HelpFlags1         HelpFlags1
 	LastSeenAt         time.Time
 	Teams              []int64
 	Analytics          AnalyticsSettings
 	// Permissions grouped by orgID and actions
 	Permissions map[int64]map[string][]string `json:"-"`
 }
--- a/pkg/services/user/userimpl/store.go
+++ b/pkg/services/user/userimpl/store.go
@@ -432,6 +432,8 @@ func (ss *sqlStore) GetSignedInUser(ctx context.Context, query *user.GetSignedIn
 		if signedInUser.ExternalAuthModule != "oauth_grafana_com" {
 			signedInUser.ExternalAuthID = ""
 		}
 		signedInUser.Analytics = buildUserAnalyticsSettings(signedInUser, ss.cfg.IntercomSecret)
 		return nil
 	})
 	return &signedInUser, err
--- a/pkg/services/user/userimpl/user.go
+++ b/pkg/services/user/userimpl/user.go
@@ -2,6 +2,9 @@ package userimpl
 import (
 	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -560,3 +563,25 @@ func (s *Service) supportBundleCollector() supportbundles.Collector {
 		Fn:                collectorFn,
 	}
 }
 func hashUserIdentifier(identifier string, secret string) string {
 	key := []byte(secret)
 	h := hmac.New(sha256.New, key)
 	h.Write([]byte(identifier))
 	return hex.EncodeToString(h.Sum(nil))
 }
 func buildUserAnalyticsSettings(signedInUser user.SignedInUser, intercomSecret string) user.AnalyticsSettings {
 	var settings user.AnalyticsSettings
 	if signedInUser.ExternalAuthID != "" {
 		settings.Identifier = signedInUser.ExternalAuthID
 	} else {
 		settings.Identifier = signedInUser.Email + "@" + setting.AppUrl
 	}
 	if intercomSecret != "" {
 		settings.IntercomIdentifier = hashUserIdentifier(settings.Identifier, intercomSecret)
 	}
 	return settings
 }
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -401,6 +401,7 @@ type Cfg struct {
 	RudderstackWriteKey                 string
 	RudderstackSDKURL                   string
 	RudderstackConfigURL                string
 	IntercomSecret                      string
 	// AzureAD
 	AzureADSkipOrgRoleSync bool
@@ -1034,6 +1035,7 @@ func (cfg *Cfg) Load(args CommandLineArgs) error {
 	cfg.RudderstackDataPlaneURL = analytics.Key("rudderstack_data_plane_url").String()
 	cfg.RudderstackSDKURL = analytics.Key("rudderstack_sdk_url").String()
 	cfg.RudderstackConfigURL = analytics.Key("rudderstack_config_url").String()
 	cfg.IntercomSecret = analytics.Key("intercom_secret").String()
 	cfg.ReportingEnabled = analytics.Key("reporting_enabled").MustBool(true)
 	cfg.ReportingDistributor = analytics.Key("reporting_distributor").MustString("grafana-labs")
--- a/public/app/core/services/context_srv.ts
+++ b/public/app/core/services/context_srv.ts
@@ -1,6 +1,6 @@
 import { extend } from 'lodash';
-import { OrgRole, rangeUtil, WithAccessControlMetadata } from '@grafana/data';
+import { AnalyticsSettings, OrgRole, rangeUtil, WithAccessControlMetadata } from '@grafana/data';
 import { featureEnabled, getBackendSrv } from '@grafana/runtime';
 import { AccessControlAction, UserPermission } from 'app/types';
 import { CurrentUserInternal } from 'app/types/config';
@@ -28,6 +28,7 @@ export class User implements Omit<CurrentUserInternal, 'lightTheme'> {
  helpFlags1: number;
  hasEditPermissionInFolders: boolean;
  permissions?: UserPermission;
  analytics: AnalyticsSettings;
  fiscalYearStartMonth: number;
  constructor() {
@@ -51,6 +52,9 @@ export class User implements Omit<CurrentUserInternal, 'lightTheme'> {
    this.language = '';
    this.weekStart = '';
    this.gravatarUrl = '';
    this.analytics = {
      identifier: '',
    };
    if (config.bootData.user) {
      extend(this, config.bootData.user);
--- a/public/app/core/services/echo/backends/analytics/GA4Backend.ts
+++ b/public/app/core/services/echo/backends/analytics/GA4Backend.ts
@@ -1,7 +1,7 @@
 import { CurrentUserDTO } from '@grafana/data';
 import { EchoBackend, EchoEventType, PageviewEchoEvent } from '@grafana/runtime';
-import { getUserIdentifier, loadScript } from '../../utils';
+import { loadScript } from '../../utils';
 declare global {
  interface Window {
@@ -34,7 +34,7 @@ export class GA4EchoBackend implements EchoBackend<PageviewEchoEvent, GA4EchoBac
    };
    if (options.user) {
-      configOptions.user_id = getUserIdentifier(options.user);
+      configOptions.user_id = options.user.analytics.identifier;
    }
    this.googleAnalytics4SendManualPageViews = options.googleAnalytics4SendManualPageViews;
--- a/public/app/core/services/echo/backends/analytics/RudderstackBackend.ts
+++ b/public/app/core/services/echo/backends/analytics/RudderstackBackend.ts
@@ -1,4 +1,4 @@
-import type { identify, load, page, track } from 'rudder-sdk-js'; // SDK is loaded dynamically from config, so we only import types from the SDK package
+import type { apiOptions, identify, load, page, track } from 'rudder-sdk-js'; // SDK is loaded dynamically from config, so we only import types from the SDK package
 import { CurrentUserDTO } from '@grafana/data';
 import {
@@ -10,7 +10,7 @@ import {
  PageviewEchoEvent,
 } from '@grafana/runtime';
-import { getUserIdentifier, loadScript } from '../../utils';
+import { loadScript } from '../../utils';
 interface Rudderstack {
  identify: typeof identify;
@@ -70,13 +70,24 @@ export class RudderstackBackend implements EchoBackend<PageviewEchoEvent, Rudder
    window.rudderanalytics?.load?.(options.writeKey, options.dataPlaneUrl, { configUrl: options.configUrl });
    if (options.user) {
-      const identifier = getUserIdentifier(options.user);
+      const { identifier, intercomIdentifier } = options.user.analytics;
      const apiOptions: apiOptions = {};
-      window.rudderanalytics?.identify?.(identifier, {
+      if (intercomIdentifier) {
-        email: options.user.email,
+        apiOptions.Intercom = {
-        orgId: options.user.orgId,
+          user_hash: intercomIdentifier,
-        language: options.user.language,
+        };
-      });
+      }
      window.rudderanalytics?.identify?.(
        identifier,
        {
          email: options.user.email,
          orgId: options.user.orgId,
          language: options.user.language,
        },
        apiOptions
      );
    }
  }
--- a/public/app/core/services/echo/utils.test.ts
+++ b/public/app/core/services/echo/utils.test.ts
@@ -1,41 +0,0 @@
 import { CurrentUserDTO, OrgRole } from '@grafana/data';
 import { getUserIdentifier } from './utils';
 const baseUser: CurrentUserDTO = {
  isSignedIn: true,
  id: 3,
  login: 'myUsername',
  email: 'email@example.com',
  name: 'My Name',
  theme: 'dark',
  lightTheme: false, // deprecated
  orgCount: 1,
  orgId: 1,
  orgName: 'Main Org.',
  orgRole: OrgRole.Admin,
  isGrafanaAdmin: false,
  gravatarUrl: '/avatar/abc-123',
  timezone: 'browser',
  weekStart: 'browser',
  locale: 'en-AU',
  language: 'en-US',
  externalUserId: '',
 };
 const gcomUser: CurrentUserDTO = {
  ...baseUser,
  externalUserId: 'abc-123',
 };
 describe('echo getUserIdentifier', () => {
  it('should return the external user ID (gcom ID) if available', () => {
    const id = getUserIdentifier(gcomUser);
    expect(id).toBe('abc-123');
  });
  it('should fall back to the email address', () => {
    const id = getUserIdentifier(baseUser);
    expect(id).toBe('email@example.com');
  });
 });
--- a/public/app/core/services/echo/utils.ts
+++ b/public/app/core/services/echo/utils.ts
@@ -1,19 +1,5 @@
 import { CurrentUserDTO } from '@grafana/data';
 import { attachDebugger, createLogger } from '@grafana/ui';
 /**
 * Returns an opaque identifier for a user, for reporting purposes.
 * Because this is for use when reporting across multiple Grafana installations
 * It cannot simply be user.id because that's not unique across two installations.
 */
 export function getUserIdentifier(user: CurrentUserDTO) {
  if (user.externalUserId.length) {
    return user.externalUserId;
  }
  return user.email;
 }
 export function loadScript(url: string, async = false) {
  return new Promise((resolve) => {
    const script = document.createElement('script');