feat: add device fingerprinting to referral anti-abuse system #362

Open
decentraland-bot wants to merge 4 commits into main from feat/400-device-fingerprint-referral

@decentraland-bot

Summary

  • Adds a lightweight device fingerprinting utility (src/shared/utils/deviceFingerprint.ts) that generates a SHA-256 hash from stable browser properties (canvas rendering, WebGL renderer, screen dimensions, timezone, hardware concurrency)
  • Updates useTrackReferral hook to compute and send the fingerprint as an x-device-fingerprint header on referral creation/update requests
  • Backward-compatible: header is omitted if fingerprint generation fails or returns empty

How It Works

The fingerprint is computed client-side from browser characteristics that remain stable across VPN/proxy changes:

  • Canvas rendering output (GPU-dependent)
  • WebGL vendor and renderer strings
  • Screen resolution, color depth, device pixel ratio
  • Timezone, language, platform
  • Hardware concurrency and device memory

These are hashed with SHA-256 into a hex string and sent as a request header. The backend (social-service-ea) will read this header and apply a REFERRAL_MAX_DEVICE_MATCHES limit per referrer, similar to the existing IP-based check.

Why

IP-only detection is easily bypassed with VPN rotation. A user switching IPs will still produce the same device fingerprint, catching abuse that the current system misses.

Changes

  • src/shared/utils/deviceFingerprint.ts — New utility
  • src/shared/utils/deviceFingerprint.spec.ts — Tests for the utility
  • src/hooks/useTrackReferral.ts — Updated to include fingerprint header
  • src/hooks/useTrackReferral.spec.ts — New comprehensive tests for the hook

Testing

  • Unit tests for fingerprint generation (success, failure, consistency)
  • Unit tests for hook (header sent, header omitted when empty, error handling)
  • CI will run full test suite

Related


🤖 Created via Slack with Claude
Requested by Braian Mellor via Slack
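
The backend check described under "How It Works", sketched as an added example (not code from this PR or from social-service-ea). It assumes REFERRAL_MAX_DEVICE_MATCHES caps how many distinct invited users may share one fingerprint per referrer; `ReferralStore`, `checkDeviceLimit`, `Verdict` and the limit value 2 are hypothetical.

```typescript
// Added example, not code from the PR. ReferralStore, checkDeviceLimit and Verdict
// are hypothetical names; the limit value is constructed (the page gives none).
const REFERRAL_MAX_DEVICE_MATCHES = 2;
const SHA256_HEX = /^[0-9a-f]{64}$/; // a hex-encoded SHA-256 digest is 64 characters

// "accepted_no_fingerprint": header absent, so the caller relies on the IP-based check.
type Verdict = "accepted" | "accepted_no_fingerprint" | "rejected_malformed" | "rejected_device_limit";

class ReferralStore {
  // referrer -> fingerprint -> invited users already counted for that device
  private seen = new Map<string, Map<string, Set<string>>>();

  checkDeviceLimit(referrer: string, invitedUser: string, header?: string): Verdict {
    // The client omits the header when fingerprint generation fails or is empty.
    if (header === undefined || header === "") return "accepted_no_fingerprint";
    // The header is client-supplied: bound its shape before using it as a key.
    const fp = header.trim().toLowerCase();
    if (!SHA256_HEX.test(fp)) return "rejected_malformed";
    let byDevice = this.seen.get(referrer);
    if (!byDevice) {
      byDevice = new Map();
      this.seen.set(referrer, byDevice);
    }
    let users = byDevice.get(fp);
    if (!users) {
      users = new Set();
      byDevice.set(fp, users);
    }
    // A repeated create/update from an already-counted user is idempotent.
    if (users.has(invitedUser)) return "accepted";
    if (users.size >= REFERRAL_MAX_DEVICE_MATCHES) return "rejected_device_limit";
    users.add(invitedUser);
    return "accepted";
  }
}

// Constructed requests: three invited users behind one device, then edge cases.
function runConstructedDemo(): Verdict[] {
  const store = new ReferralStore();
  const fp = "ab".repeat(32); // constructed 64-char hex value, not a real fingerprint
  return [
    store.checkDeviceLimit("0xReferrer", "0xUser1", fp),
    store.checkDeviceLimit("0xReferrer", "0xUser2", fp),
    store.checkDeviceLimit("0xReferrer", "0xUser3", fp),
    store.checkDeviceLimit("0xReferrer", "0xUser1", fp),
    store.checkDeviceLimit("0xReferrer", "0xUser4", "not-a-hash"),
    store.checkDeviceLimit("0xReferrer", "0xUser5", undefined),
  ];
}
```

Returning a separate verdict for a missing header lets the service count how often requests arrive without a fingerprint while the existing IP-based check still applies to them.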

- Add deviceFingerprint utility that generates a SHA-256 hash from stable
  browser properties (canvas, WebGL, screen, timezone, hardware)
- Send fingerprint as x-device-fingerprint header on referral creation
- Header is optional/backward-compatible: omitted if fingerprint is empty
- Add comprehensive tests for both the utility and the hook

Relates to decentraland/social-service-ea#400
@vercel

vercel Bot commented Mar 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auth Ready Ready Preview, Comment Mar 20, 2026 1:11pm


- Restructure tests using describe/when/and context-building pattern
- Use lowercase describe sentences with 'when' for top-level contexts
- Use 'should' prefix for it blocks describing expectations
- Build context in nested describes with beforeEach setup
- Move jest.clearAllMocks to afterEach instead of beforeEach
- Properly separate identity-available vs identity-unavailable scenarios