
feat: add MaxMind minFraud device tracking script #1289

Merged
mattdjenkinson merged 1 commit into main from feat/maxmind-device-tracking on May 11, 2026

Conversation


@mattdjenkinson mattdjenkinson commented May 11, 2026

Merge order (3 of 5)

Part of a cross-repo rollout enabling MaxMind device fingerprinting in the signup fraud check.

  1. auth-provider-zitadel — datum-cloud/zitadel-provider#109
  2. fraud — datum-cloud/fraud#39
  3. datum.net (this PR) — marketing-site fingerprint coverage
  4. auth-ui — datum-cloud/auth-ui#77
  5. infra — datum-cloud/infra#2412 — must merge last

Independent of the other PRs — safe to merge any time. Cookies are per-domain, so this just supplements the (required) collection on `auth.datum.net`.


Summary

  • Add MaxMind device.js snippet (account ID 1313245, production-only) to `Layout.astro` and `LayoutSimple.astro`, following the existing HelpScout/Marker.io deferred-load pattern.
  • Add `dns-prefetch` for `device.maxmind.com` so the first MaxMind request resolves quickly.

The browser-collected token is read by `auth-ui` at signup and forwarded to the existing minFraud check server-side. Cookies are per-domain — this PR is the "marketing supplementary coverage" leg of the rollout; the strictly-required collection happens on `auth.datum.net`.

Reuses the same MaxMind account (`1313245`) already used by the fraud service, so browser fingerprints correlate with backend scores without extra config.

Test plan

  • Build site locally and confirm `device.js` request fires on `Layout.astro` and `LayoutSimple.astro` pages in a production build.
  • Verify the `__mmapiwsid` cookie is set on `.datum.net` after page load.
  • Confirm dev / preview builds do not contact MaxMind (production-gated).

Add the MaxMind device.js snippet (account ID 1313245) to both site
layouts so the marketing-site browsing session contributes a device
fingerprint to the existing minFraud check that runs server-side on
signup. Token is collected per-domain by MaxMind via first-party
cookie plus their cross-site storage; this captures pre-conversion
visitors who later sign up at auth.datum.net.

Key features/changes:
- Add dns-prefetch hint for device.maxmind.com in both layouts
- Inject inline IIFE in Layout.astro and LayoutSimple.astro that
  sets window.__mmapiws.accountId and lazy-loads device.js via
  requestIdleCallback, following the existing HelpScout and
  Marker.io deferred-load pattern
- Production-gated via the existing isProduction toggle so dev and
  preview builds never hit MaxMind

Same account ID is already used server-side by the fraud service
when it submits minFraud queries, so browser fingerprints correlate
with backend scores without any additional configuration.
@mattdjenkinson mattdjenkinson merged commit 8e0c479 into main May 11, 2026
5 checks passed
@mattdjenkinson mattdjenkinson deleted the feat/maxmind-device-tracking branch May 11, 2026 09:50
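The deferred-load pattern the PR and commit message describe (production gate, `window.__mmapiws.accountId`, `requestIdleCallback` lazy-load of `device.js`), written here as an added example rather than the repository's own snippet. The dependency injection (`root`, `schedule`, `injectScript`) and the `__deviceJsScheduled` guard flag are assumptions made so the gating logic can be exercised outside a browser.

```javascript
// Added example, not the datum.net layout code: a testable version of the
// deferred MaxMind device.js loader. Browser APIs are used by default and can be
// replaced by fakes; `__deviceJsScheduled` is a hypothetical guard flag.
const DEVICE_JS_URL = "https://device.maxmind.com/js/device.js";

function createDeviceTracker({
  isProduction,
  accountId,
  root = typeof window !== "undefined" ? window : {},
  schedule = defaultSchedule,
  injectScript = defaultInjectScript,
}) {
  return function load() {
    // Production gate: dev and preview builds never contact MaxMind.
    if (!isProduction) return "skipped:not-production";
    // Idempotency: both layouts carry the snippet, so guard against a double load.
    if (root.__deviceJsScheduled) return "skipped:already-scheduled";
    root.__deviceJsScheduled = true;
    // MaxMind reads the account ID from this global before device.js runs.
    root.__mmapiws = root.__mmapiws || {};
    root.__mmapiws.accountId = String(accountId);
    // Defer the third-party request until the browser is idle.
    schedule(() => injectScript(DEVICE_JS_URL));
    return "scheduled";
  };
}

// Use requestIdleCallback when available, otherwise fall back to a zero timeout
// so the load still happens in browsers without idle-callback support.
function defaultSchedule(fn) {
  if (typeof requestIdleCallback === "function") requestIdleCallback(fn);
  else setTimeout(fn, 0);
}

function defaultInjectScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}
```

In the real layouts `isProduction` comes from the build configuration; the injected `schedule` and `injectScript` exist only so the gate and the double-load guard can be checked without a browser.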