review: hash phone numbers

fingerprintjs · Apr 2, 2024 · 94be980 · 94be980
1 parent adfa3d5
commit 94be980
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 11 deletions.
diff --git a/src/pages/api/event/[requestId].ts b/src/pages/api/event/[requestId].ts
@@ -1,6 +1,6 @@
 import { isEventError } from '@fingerprintjs/fingerprintjs-pro-server-api';
 import { NextApiRequest, NextApiResponse } from 'next';
-import { fingerprintJsApiClient } from '../../../server/fingerprint-api';
+import { fingerprintServerApiClient } from '../../../server/fingerprint-server-api';
 import { ourOrigins } from '../../../server/server';
 import Cors from 'cors';
 
@@ -58,7 +58,7 @@ async function tryGetFingerprintEvent(
   retryDelay: number = 3000,
 ) {
   try {
-    const eventResponse = await fingerprintJsApiClient.getEvent(requestId);
+    const eventResponse = await fingerprintServerApiClient.getEvent(requestId);
     res.status(200).json(eventResponse);
   } catch (error) {
     // Retry only Not Found (404) requests.

diff --git a/src/pages/api/sms-fraud/send-verification-sms.ts b/src/pages/api/sms-fraud/send-verification-sms.ts
@@ -7,6 +7,7 @@ import { ONE_SECOND_MS, readableMilliseconds } from '../../../shared/timeUtils';
 import { Op } from 'sequelize';
 import { pluralize } from '../../../shared/utils';
 import Twilio from 'twilio';
+import { hashString } from '../../../server/server-utils';
 
 export type SendSMSPayload = {
   requestId: string;
@@ -30,13 +31,12 @@ const ATTEMPT_TIMEOUTS_MAP: Record<number, { timeout: number }> = {
   1: { timeout: 30 * ONE_SECOND_MS },
   2: { timeout: 60 * ONE_SECOND_MS },
 };
+const MAX_ATTEMPTS = Object.keys(ATTEMPT_TIMEOUTS_MAP).length + 1;
 
 // To avoid saying "Wait 0 seconds to send another message"
 const TIMEOUT_TOLERANCE_MS = ONE_SECOND_MS;
 const millisecondsToSeconds = (milliseconds: number) => Math.floor(milliseconds / 1000);
 
-const MAX_ATTEMPTS = Object.keys(ATTEMPT_TIMEOUTS_MAP).length + 1;
-
 const generateRandomSixDigitCode = () => Math.floor(100000 + Math.random() * 900000);
 const sendSms = async (phone: string, body: string) => {
   if (phone === TEST_PHONE_NUMBER) {
@@ -165,7 +165,7 @@ export default async function sendVerificationSMS(req: NextApiRequest, res: Next
     await sendSms(phone, `Your verification code for demo.fingerprint.com/sms-fraud is ${verificationCode}.`);
     await SmsVerificationModel.create({
       visitorId: identification.visitorId,
-      phoneNumber: phone,
+      phoneNumberHash: hashString(phone),
       email,
       timestamp: new Date(),
       code: verificationCode,

diff --git a/src/pages/api/sms-fraud/submit-code.ts b/src/pages/api/sms-fraud/submit-code.ts
@@ -4,6 +4,7 @@ import { getAndValidateFingerprintResult } from '../../../server/checks';
 import { isValidPostRequest } from '../../../server/server';
 import { SmsVerificationModel } from '../../../server/sms-fraud/database';
 import { Op } from 'sequelize';
+import { hashString } from '../../../server/server-utils';
 
 export type SubmitCodePayload = {
   requestId: string;
@@ -44,7 +45,7 @@ export default async function sendVerificationSMS(req: NextApiRequest, res: Next
   const latestSmsVerificationRequest = await SmsVerificationModel.findOne({
     where: {
       visitorId: identification?.visitorId,
-      phoneNumber: phoneNumber,
+      phoneNumberHash: hashString(phoneNumber),
       timestamp: {
         [Op.gte]: new Date(new Date().setHours(0, 0, 0, 0)),
       },

diff --git a/src/server/fingerprint-api.ts → src/server/fingerprint-server-api.ts b/src/server/fingerprint-api.ts → src/server/fingerprint-server-api.ts
@@ -1,7 +1,7 @@
 import { FingerprintJsServerApiClient, AuthenticationMode } from '@fingerprintjs/fingerprintjs-pro-server-api';
 import { BACKEND_REGION, SERVER_API_KEY } from './const';
 
-export const fingerprintJsApiClient = new FingerprintJsServerApiClient({
+export const fingerprintServerApiClient = new FingerprintJsServerApiClient({
   apiKey: SERVER_API_KEY,
   region: BACKEND_REGION,
   // Temporary fix for StackBlitz, remove once Server API supports CORS

diff --git a/src/server/server-utils.ts b/src/server/server-utils.ts
@@ -0,0 +1,8 @@
+import Crypto from 'crypto';
+
+export function hashString(phoneNumber: string) {
+  const salt = process.env.HASH_SALT || '';
+  const hash = Crypto.createHash('sha256');
+  hash.update(phoneNumber + salt);
+  return hash.digest('hex');
+}
diff --git a/src/server/server.ts b/src/server/server.ts
@@ -1,6 +1,6 @@
 import { Sequelize } from 'sequelize';
 import { areVisitorIdAndRequestIdValid } from './checks';
-import { fingerprintJsApiClient } from './fingerprint-api';
+import { fingerprintServerApiClient } from './fingerprint-server-api';
 import { CheckResult, checkResultType } from './checkResult';
 import { sendForbiddenResponse } from './response';
 import { NextApiRequest, NextApiResponse } from 'next';
@@ -66,7 +66,7 @@ export async function getIdentificationEvent(requestId?: string) {
   }
 
   // Use Fingerprint Node SDK get the identification event from the Server API.
-  return fingerprintJsApiClient.getEvent(requestId);
+  return fingerprintServerApiClient.getEvent(requestId);
 }
 
 // Report suspicious user activity according to internal processes here.

diff --git a/src/server/sms-fraud/database.ts b/src/server/sms-fraud/database.ts
@@ -4,7 +4,7 @@ import { Attributes, DataTypes, InferAttributes, InferCreationAttributes, Model
 interface SmsVerificationAttributes
   extends Model<InferAttributes<SmsVerificationAttributes>, InferCreationAttributes<SmsVerificationAttributes>> {
   visitorId: string;
-  phoneNumber: string;
+  phoneNumberHash: string;
   email: string;
   timestamp: Date;
   code: number;
@@ -14,7 +14,7 @@ export const SmsVerificationModel = sequelize.define<SmsVerificationAttributes>(
   visitorId: {
     type: DataTypes.STRING,
   },
-  phoneNumber: {
+  phoneNumberHash: {
     type: DataTypes.STRING,
   },
   email: {