18

I want to identify users accessing my API even if they clear the cookies or localstorage wherever I am storing the current session information. I see that browser fingerprinting is one of the ways to achieve this up to some accuracy. I am working on an angular2 project for the frontend. I have the following questions:

  1. Are there any libraries available for angular2 which creates the browser fingerprint? (I have seen ng2-device-detector. This doesn't give much info and also no hashed fingerprint. So, do I have to hash it myself? )
  2. Have seen fingerprintjs2 this does take a lot of info but has no implementation for angular2, but I wonder how would the hashed fingerprint actually matter? For a Request in my API, I will check if the payload contained a fingerprint which already existed in any of the existing sessions? (Really payload? It will just be a POST request. The user can simply send a random long string as the hashed fingerprint and the API will treat the request as if it came from a different person.)
  3. I guess then I will have to use some API which not only generates a hashed fingerprint in the frontend but also validates after the request has reached the API, something like Google's reCaptcha. Are there any APIs like such?
  4. If there aren't any APIs as such then I guess I will have to implement such functionality in my API itself?

Please write your suggestions.

Ashish Ranjan
  • 12,760
  • 5
  • 27
  • 51

2 Answers2

6

1. It seems there isn't any library(ported or otherwise) especially for Angular2.

2. You don't need an Angular2 version of it, just inject the source file in your index.html and you can use it like this, PLUNKER

declare var Fingerprint2: any;

@Component({
  selector: 'my-app',
  template: `Hello`,
})
export class App {
  constructor() {
    new Fingerprint2().get(function(result, components){
      console.log(result); // a hash, representing your device fingerprint
      console.log(components); // an array of FP components
    });
  }
}

You have to treat this hash as any other token like JWT, exclusively or inclusively. But you do need to store it somewhere, just like any other token, that's how you will be able check it's authenticity. If a user tempers with the request and hash, JWT has a validation mechanism that makes it invalid on tampering, but I suppose fingerprinting hash can't provide that safety.

3. No, none (IMK).

4. If no.-2 works for you I suppose you'll be far better off.

Ankit Singh
  • 24,525
  • 11
  • 66
  • 89
  • 2
    Instead of 'declare var...' you should use the full typings from here: https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/fingerprintjs2 – Ludwig Jun 27 '17 at 13:05
  • Thanks, @Ankit Singh, after your answer I stopped looking for ways in which I can validate the fingerprint. My requirement was to identify an intruder(who could definitely try out with random fingerprints). Using `fingerprintjs2` will definitely be useful for identifying a normal user. – Ashish Ranjan Jul 05 '17 at 02:39
  • @Ludwig can you please explain a bit? – Sarah Mandana Jan 07 '19 at 01:32
1

Ankit pretty much answered in relation to Angular. Here is an API that provides a fingerprint so you do not need to implement it yourself:

Browser Fingerprint API

Although this solution is not an Angular component (or what-have-you), you can make an AJAX call to get the fingerprint and submit it to your server.

Full Disclosure: I am the developer of this service.

B Seven
  • 44,484
  • 66
  • 240
  • 385
  • Yes he did, I will have a look at this API but I believe this will be similar to using https://github.com/Valve/fingerprintjs2 – Ashish Ranjan Jul 05 '17 at 02:33
  • @AshishRanjan- It is a bit different from FingerprintJS. You don't need to include a JS file or call a JS function, so the integration is simpler. However, since the service is API based it is not as accurate as Fingerprint JS. – B Seven Jul 05 '17 at 03:57