Google Tag Manager setup

[ajeety4]

Product Description

Sets up Google Tag Manager at the HQ end along with logic to send user_id and related properies to GTM.

Technical Summary

Ticket is available here

Note that earlier way of installation of GTM script via base.html was replaced with loading it through javascript. This was
done to be in consistent with other analytics tooling load mechanism and also to reuse the exisiting efficient loading technique.

Related Cloud PR - dimagi/commcare-cloud#6279 for adding the GTM ID.

Feature Flag

Safety Assurance

Safety story

This is a fairly straight forward setup code for loading gtm installtion script. Similar to what we do for other tooling which makes changes safe.
Tested on local.
Testing on staging pending.

Automated test coverage

QA Plan

None

Rollback instructions

• This PR can be reverted after deploy with no further considerations

Labels & Review

• Risk label is set correctly
• The set of people pinged as reviewers is appropriate for the level of risk of the change

[mkangia]

nit: I'd suggest saving that as gtm.userIsCommCareUser since that makes it more clear.

[ajeety4]

Addressed in ac89b8a

[mkangia]

why we are using escapejs here?

[ajeety4]

Thanks for pointing this out.
I reused this code from google.html. I believe it was added to avoid XSS attack . After looking more into it and don't think it is needed here as we are capturing domain from the url and it should not allow js mixed into it.
Removed it in ac89b8a

[mkangia]

Oh, in that case I say we should retain it.

I assume its possible for someone to put anything in the domain part in the url & HQ will look for it. No actual domain page would load but I assume this part still gets added to the page, hence the escapejs.

[Charl1996]

Just a spitball suggestion (feel free to ignore):
I agree with Manish's concern about someone manually changing the domain part of the url, so either

1. keep the escapejs filter
2. access the domain through a way we know it's right, e.g. request.couch_user.domain (maybe even request.domain?)

Option 2 seems least pretty though.

[orangejenny]

If the domain is invalid, the page should have 404ed long before this point.

[ajeety4]

If the domain is invalid, the page should have 404ed long before this point.

Yes, this was tested and it is not possible to add script from the url.

@Charl1996 Correct me if I am wrong, my understanding is that domain for request or request.couch_user is still obtained from url ? (A user may be associated with multiple domains.)

[Charl1996]

That's true, but as far as I know there's some sanity checks it goes through in middleware such that it will fail if the domain is wrong (Jenny's comment maybe hints at this). That said, I haven't looked at the code.

[mkangia]

where is this happening now? or its not needed anymore?

same for iframe that was removed later?

[ajeety4]

The loading of gtm.js now happens here hence excluded from html. This was
done to be in consistent with other analytics tooling load mechanism and also to reuse the existing efficient loading technique with logs and validations.

The iframe one was optional and is only for scenario where JavaScript is disabled.

[mkangia]

How do we confirm this does not break anything that was being tracked already?

[orangejenny]

Check in with SaaS tech about this, please.

[ajeety4]

I was able to confirm that Google Tag manager is not used at present by checking below things

• No option in Cloud PR to add GTM_ID without which above snippet is not executed.
• Checked through browser tools that gtm.js is not loaded for Prod or India.

I think it is wise to double check with SAAS though.

[mkangia]

Hi @ajeety4
I believe you were able to check with SaaS about it? Are there changes coming from your discussion?

[ajeety4]

Hey @mkangia , I checked with SAAS about this. They do not use it and suggested to check with Marketing.
I talked with Marketing and they do use Google Tag Manager, I am just waiting for more details on it, should be able to get that in next couple of days.

[ajeety4]

Update: We reached out to marketing and they do have a Google Tag manager account with a container for CommcareHQ. As expected, the container for CommcareHQ is empty and not currently being used and aligns with the current findings.

(Just for FYI - they have a container for www.dimagi.com which is currently in use)

[mkangia]

So it is safe to remove this section or not?

[ajeety4]

Yes it is. It is safe even it was being used as the change just loads the same file from the javascript instead of the html.
I think it is still wise to merge this only after the decision to use GTM is finalised.
(No use to have the code that is not actively used or planned to be used.)

[ajeety4]

Update - GTD has decided to go ahead with Google Analytics as the primary tooling so we will be leveraging Google Tag Manager along with GA.
Requesting for a final review.

[ajeety4]

Hey @mkangia , requesting for a final pass on this.

[mkangia]

is this copied from gtm?

[ajeety4]

No, this script does the job of loading the analytics script and passing the desired user info here.
This is same approach used for loading other analytics tooling script.

[mkangia]

nit: Its script is available in gtm.js?

[mkangia]

nit: what is referred to from "related code"?

[ajeety4]

Addressed in a15d0df.
"related code" is just the script code.

[mkangia]

nit: The goal is to track ...?

goal instead of purpose?

[mkangia]

👍

[mkangia]

Apologies, I didn't know you were blocked for review on this. Looks good to me.
I see you didn't take this through so I assume you tested this well for all pages or any kinds of pages this would modify.

[ajeety4]

Apologies, I didn't know you were blocked for review on this. Looks good to me. I see you didn't take this through so I assume you tested this well for all pages or any kinds of pages this would modify.

Thanks Manish.
This was tested on the staging environment and has been deployed there for quite a time now.