Fix click_id API validation error (#3668)

Summary:
## Description

After WooC 3.5.10 added ParamBuilder integration for improved fbc/fbp coverage, the plugin started receiving API validation errors from Facebook's Conversions API:

**Error:** `Server Side Api Parameter Error: Unexpected key "click_id" on param "$['data'][0]['user_data']"`

This fix addresses the root causes:

**Problem 1: Broken conditional logic in `get_click_id()`**
The original code had `else if ( ! $fbc )` after checking for cookies. Since `$fbc` was initialized as an empty string `''`, this condition always evaluated to true when the cookie was empty, preventing subsequent checks from executing. The priority order was broken.

**Problem 2: Empty/null values sent to API**
When ParamBuilder or other sources returned null or empty values, these were still being sent to Facebook's API because:
- Empty strings pass `isset()` checks (returns true for `''`)
- The transformation code only conditionally removed the keys
- `array_filter()` only filters the top-level array, not nested `user_data`

**Changes Made:**

1. **Updated FBC/FBP priority order** (in `Event.php`):
   - **FBC Priority:** Cookie → ParamBuilder → Request parameter (`fbclid`) → Session
   - **FBP Priority:** Cookie → ParamBuilder → Session
   - Uses `empty()` checks instead of if-elseif-else to allow fallthrough to each source

2. **Simplified transformation checks** (in `Request.php`):
   - Use `! empty()` directly instead of `isset() && ! empty()` (redundant since `empty()` handles undefined keys)
   - Only copy to `fbc`/`fbp` when non-empty values exist

3. **Unconditional cleanup:**
   - Always unset `click_id` and `browser_id` keys after processing to ensure they're never sent to the API

4. **Return null for empty values:**
   - Changed both `get_click_id()` and `get_browser_id()` to return `null` instead of empty string when no value found

This ensures that `click_id` and `browser_id` (internal parameter names) are never sent to Facebook's API, only their transformed equivalents (`fbc` and `fbp`) when valid values exist.

### Type of change

- [x] Fix (non-breaking change which fixes an issue)

## Checklist

- [x] I have commented my code, particularly in hard-to-understand areas, if any.
- [x] I have confirmed that my changes do not introduce any new PHPCS warnings or errors.
- [x] I have checked plugin debug logs that my changes do not introduce any new PHP warnings or FATAL errors.
- [x] I followed general Pull Request best practices. Meta employees to follow this [wiki]([url](https://fburl.com/wiki/2cgfduwc)).
- [ ] I have added tests (if necessary) and all the new and existing unit tests pass locally with my changes.
- [x] I have completed dogfooding and QA testing, or I have conducted thorough due diligence to ensure that it does not break existing functionality.
- [ ] I have updated or requested update to plugin documentations (if necessary). Meta employees to follow this [wiki]([url](https://fburl.com/wiki/nhx73tgs)).

## Changelog entry

Fixed API validation error where click_id parameter was being sent to Facebook Conversions API instead of being properly transformed to fbc.

Pull Request resolved: #3668

Test Plan:
Manually tested the following scenarios to verify the new FBC/FBP priority order:
1. **Cookie exists** - Uses cookie value (highest priority for both FBC and FBP)
2. **No cookie, ParamBuilder returns value** - Uses ParamBuilder value (2nd priority)
3. **No cookie, no ParamBuilder, fbclid in URL** - Creates fbc from query parameter (3rd priority, FBC only)
4. **Session fallback** - Uses session value when all above unavailable (lowest priority)
5. **Empty/null from all sources** - Returns null, does not send empty click_id/browser_id to API

Verified using browser dev tools and API payload inspection that `click_id` and `browser_id` are never present in the final payload sent to Facebook's Conversions API. Only their transformed equivalents (`fbc` and `fbp`) are sent when valid values exist.

Ran `arc lint` to confirm no PHPCS violations introduced.

## Screenshots

N/A - This is a backend API integration fix with no UI changes.

Reviewed By: jarretth

Differential Revision: D84942070

Pulled By: devbodaghe

fbshipit-source-id: c5171f70e46043b1877753e019d470465f9b5f69

Author: David Evbodaghe

includes/API/Pixel/Events/Request.php

@@ -63,20 +63,22 @@ public function get_data() {
 
 			$event_data = $event->get_data();
 
-			if ( isset( $event_data['user_data']['click_id'] ) ) {
+			if ( ! empty( $event_data['user_data']['click_id'] ) ) {
 
 				$event_data['user_data']['fbc'] = $event_data['user_data']['click_id'];
-
-				unset( $event_data['user_data']['click_id'] );
 			}
 
-			if ( isset( $event_data['user_data']['browser_id'] ) ) {
+			if ( ! empty( $event_data['user_data']['browser_id'] ) ) {
 
 				$event_data['user_data']['fbp'] = $event_data['user_data']['browser_id'];
-
-				unset( $event_data['user_data']['browser_id'] );
 			}
 
+			// These are valid field names, so when they're provided they
+			// create event validation issues.
+			// unset these no matter what.
+			unset( $event_data['user_data']['click_id'] );
+			unset( $event_data['user_data']['browser_id'] );
+
 			$data['data'][] = array_filter( $event_data );
 		}
 

includes/Events/Event.php

@@ -250,6 +250,13 @@ protected function get_client_user_agent() {
 
 	/**
 	 * Gets the click ID from the cookie or the query parameter.
+	 * In order, rely on:
+	 * 1. If an _fbc cookie is set
+	 * 2. If we have stored fbc in the session
+	 * 3. The FBC result from param builder
+	 * 4. Construct our own FBC
+	 *
+	 * The resulting value is stored in the session for future requests.
 	 *
 	 * @see https://developers.facebook.com/docs/marketing-api/server-side-api/parameters/fbp-and-fbc#fbp-and-fbc-parameters
 	 *
@@ -261,43 +268,61 @@ protected function get_click_id() {
 		$fbc = '';
 		if ( ! empty( $_COOKIE['_fbc'] ) ) {
 			$fbc = wc_clean( wp_unslash( $_COOKIE['_fbc'] ) );
-		} else if ( ! $fbc ) {
+		}
+
+		if ( empty( $fbc ) && ! empty( $_SESSION['_fbc'] ) ) {
+			$fbc = $_SESSION['_fbc']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		}
+
+		if ( empty( $fbc ) ) {
 			$param_builder = \WC_Facebookcommerce_EventsTracker::get_param_builder();
 			$fbc = $param_builder->getFbc();
-		} elseif ( isset( $_REQUEST['fbclid'] ) ) {
+		}
+
+		if ( empty( $fbc ) && ! empty( $_REQUEST['fbclid'] ) ) {
 			$creation_time = time();
 			$fbclid = wc_clean( wp_unslash( $_REQUEST['fbclid'] ) ); // phpcs:ignore WordPress.Security.NonceVerification
 			$fbc = "fb.1.{$creation_time}.{$fbclid}";
-		} elseif ( isset( $_SESSION['_fbc'] ) ) {
-			$fbc = $_SESSION['_fbc']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		}
-		if ( $fbc ) {
+
+		if ( ! empty( $fbc ) ) {
 			$_SESSION['_fbc'] = $fbc;
 		}
-		return $fbc;
+		// Return null instead of empty string
+		return ! empty( $fbc ) ? $fbc : null;
 	}
 
 
 	/**
 	 * Gets the browser ID from the cookie.
+	 * In order, rely on:
+	 * 1. If an _fbp cookie is set
+	 * 2. If we have stored fbp in the session
+	 * 3. The FBP result from param builder
+	 *
+	 * The resulting value is stored in the session for future requests.
 	 *
 	 * @since 2.0.0
 	 *
 	 * @return string
 	 */
 	protected function get_browser_id() {
 		$fbp = ! empty( $_COOKIE['_fbp'] ) ? wc_clean( wp_unslash( $_COOKIE['_fbp'] ) ) : '';
-		if ( ! $fbp ) {
+
+		if ( empty( $fbp ) && ! empty( $_SESSION['_fbp'] ) ) {
+			$fbp = $_SESSION['_fbp']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		}
+
+		if ( empty( $fbp ) ) {
 			$param_builder = \WC_Facebookcommerce_EventsTracker::get_param_builder();
 			$fbp = $param_builder->getFbp();
 		}
-		if ( ! $fbp && isset( $_SESSION['_fbp'] ) ) {
-			$fbp = $_SESSION['_fbp']; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		}
-		if ( $fbp ) {
+
+		if ( ! empty( $fbp ) ) {
 			$_SESSION['_fbp'] = $fbp;
 		}
-		return $fbp;
+		// Return null instead of empty string
+		return ! empty( $fbp ) ? $fbp : null;
 	}