fix(rest): return full checksum string for JS tracker compatibility

parhumm · parhumm · commit d764e44d60d2 · 2026-03-14T17:12:31.000+01:00
The REST handler was stripping the checksum and returning only the bare
numeric ID. The JS tracker stores the response as params.id and sends
it back on subsequent requests (events, consent upgrade), where
Utils::getValueWithoutChecksum() requires the full "&lt;id&gt;.&lt;hash&gt;" format.

Also applies Yoda conditions per WP coding standards, removes redundant
conditional assertion in fallback test, and strengthens REST response
test to validate checksum format.
diff --git a/src/Controllers/Rest/TrackingRestController.php b/src/Controllers/Rest/TrackingRestController.php
@@ -189,13 +189,15 @@ public function handle_tracking(\WP_REST_Request $request)
         $result = Tracker::slimtrack_ajax();
 
         // Success: pure numeric ID (rare — most paths return checksum format)
-        if (is_numeric($result) && (int) $result > 0) {
+        if (is_numeric($result) && 0 < (int) $result) {
             return rest_ensure_response((string) $result);
         }
 
         // Success: checksum-formatted string "<id>.<hash>" from Utils::getValueWithChecksum()
-        if (is_string($result) && preg_match('/^(\d+)\.[0-9a-fA-F]+$/', $result, $matches) && (int) $matches[1] > 0) {
-            return rest_ensure_response($matches[1]);
+        // Return the full checksum string so the JS tracker can send it back for
+        // subsequent requests (consent upgrade, events) where getValueWithoutChecksum() validates it.
+        if (is_string($result) && preg_match('/^(\d+)\.[0-9a-fA-F]+$/', $result, $matches) && 0 < (int) $matches[1]) {
+            return rest_ensure_response($result);
         }
 
         // If no valid tracking ID detected, return a non-200 status to trigger fallback tracking methods
diff --git a/tests/e2e/tracking-request-methods.spec.ts b/tests/e2e/tracking-request-methods.spec.ts
@@ -145,11 +145,17 @@ test.describe('Tracking Request Methods — All Transports', () => {
       const stat = await waitForStatRow(marker);
       expect(stat).toBeTruthy();
 
-      // If we captured the response, verify it contains a numeric ID
-      // REST response wraps the result in JSON — the body should contain a numeric string
+      // If we captured the response, verify it contains a valid checksum-formatted tracking ID
       if (restResponseBody) {
-        // Response should be parseable (not a 500 error page)
         expect(restResponseBody).not.toContain('Internal Server Error');
+        // REST wraps the result in JSON — parse and verify checksum format "<id>.<hash>"
+        try {
+          const parsed = JSON.parse(restResponseBody);
+          const body = typeof parsed === 'string' ? parsed : String(parsed);
+          expect(body).toMatch(/^\d+\.[0-9a-fA-F]+$/);
+        } catch {
+          // sendBeacon may produce non-JSON response — skip format check
+        }
       }
     });
   });
@@ -331,10 +337,7 @@ test.describe('Tracking Request Methods — All Transports', () => {
       expect(stat!.resource).toContain(marker);
 
       // When REST is blocked, AJAX should be used as fallback
-      // (unless server-side tracking captured it first)
-      if (ajaxFallbackUsed) {
-        expect(ajaxFallbackUsed).toBe(true);
-      }
+      expect(ajaxFallbackUsed).toBe(true);
     });
   });
 
