Auth: Implement device fingerprinting #2
Description
Context
Track and verify devices used to access identities for basic security in Phase 1. This fulfills the Phase 1 KYC requirement: "None (basic email/device verification only)".
Scope
- Device fingerprint generation (User-Agent, IP, screen resolution, timezone)
- Store device fingerprints per identity
- Detect new device logins
- API endpoint:
GET /api/v1/identity/devices - API endpoint:
DELETE /api/v1/identity/devices/{device_id} - Alert mechanism for new device (log for now, email later)
Dependencies
None - independent feature
Development Setup
Starting branch: feature/sid-integration (contains latest crypto refactoring)
Recommended workflow:
# Clone and checkout base branch
git checkout feature/sid-integration
git pull origin feature/sid-integration
# Create feature branch for this work
git checkout -b feature/device-fingerprinting
# Work on implementation
# When done, push and create PR to merge back to feature/sid-integration
git push origin feature/device-fingerprintingAcceptance Criteria
- Fingerprint generation from HTTP headers
- Unique device ID generated (hash of fingerprint)
- Store max 5 devices per identity
- New device detection triggers alert
- List devices API returns all devices with metadata
- Revoke device API removes device from identity
- Unit tests for fingerprint generation
- Integration tests for device management
- API documentation
Technical Notes
- Device fingerprint = hash(User-Agent + timezone + screen resolution)
- Store: device_id, fingerprint, first_seen, last_seen, IP
- Consider privacy implications (minimal data collection)
- Use lib-crypto for hashing (SHA3-256 recommended)
- Identity struct location: lib-identity/src/identity/core.rs