DEV Community: Shadai Scott The latest articles on DEV Community by Shadai Scott (@shadai_scott). https://dev.to/shadai_scott https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3832988%2Fc7b257ee-a2a3-47c6-ab88-22dd69192a6f.png DEV Community: Shadai Scott https://dev.to/shadai_scott en Detecting Account Takeover Attempts with Fingerprint Shadai Scott Mon, 23 Mar 2026 16:50:00 +0000 https://dev.to/shadai_scott/detecting-account-takeover-attempts-with-fingerprint-4600 https://dev.to/shadai_scott/detecting-account-takeover-attempts-with-fingerprint-4600 <p>When a hacker executes an account takeover (ATO), their main goal is to gain control of an account and exploit it for profit. For SaaS platforms this is dangerous for three reasons:</p> <ul> <li><p>High-Value Targets and Rich Data: SaaS platforms act as central repositories for sensitive customer data, financial records, and intellectual property.</p></li> <li><p>Difficulty in Detection: Once attackers are inside a SaaS platform, their actions often look like normal employee behaviour. They download files, share documents or even send messages. </p></li> <li><p>Monetization Opportunities: Stolen SaaS accounts are valuable for stealing money, accessing financial apps, selling access on the black market, and launching further scams.</p></li> </ul> <p>Traditional defenses like IP blocking fall short because attackers rotate IPs constantly. This guide shows you how to use Fingerprint's device intelligence to identify suspicious login attempts at the device level before access is granted.</p> <p><strong>Prerequisites</strong></p> <ul> <li><p><a href="https://fingerprint.com/" rel="noopener noreferrer">Fingerprint account</a> (free tier works)</p></li> <li><p>A basic login form in any frontend framework</p></li> </ul> <p><strong>How Fingerprint Identifies Suspicious Logins</strong></p> <p>Fingerprint generates a stable visitor ID by creating a unique signature based on a device's inherent hardware and software configurations, rather than relying on stored data like cookies. This identifier is persistent because it relies on the machine's actual characteristics. This makes it difficult to change, allowing it to bypass incognito mode, cookie deletion, and VPN-based IP masking. </p> <p>For every identification request, a confidence score and suspect score is computed internally. The confidence score indicates the probability of a false-positive identification. It is a floating-point number whose value ranges from 0 to 1. The higher the value, the more confident Fingerprint is about not misidentifying this browser as another.</p> <p>You can use the confidence score to request additional verification. For example, request OTP for browsers whose confidence score is below 0.95.</p> <p>Suspect Score is a single value representing how many Smart Signals indicative of suspicious or fraudulent activity were triggered for a particular Event (identified by an event_id). Each triggered Smart Signal is represented by a positive integer called a weight. Weights are additive, meaning that the more Smart Signals return a positive value, the higher the final score.</p> <p>Suspect Score can be used to flag and review possible suspicious activity. It can be used to quickly integrate Smart Signals into your fraud protection workflow without the need to explore fraud correlations of individual Smart Signals.</p> <p><strong>Installing the Fingerprint Javascript Agent</strong></p> <p>The Fingerprint JavaScript agent is a high-performance JavaScript function that collects multiple device and browser signals and sends them to the Fingerprint API for visitor identification and device intelligence analysis.</p> <p>There are several options on how the FingerPrint Javascript Agent can be installed. These are: </p> <ul> <li>Import the agent directly from a CDN (fastest for a quick test).</li> <li>Install the agent loader using NPM (includes TypeScript support).</li> <li>Use a frontend SDK for your specific framework like React, Vue, Svelte, or Angular (recommended, includes built-in caching strategies and framework-specific APIs).</li> </ul> <p>In this guide we will use the Vue SDK framework as an example. </p> <p><em>Installation Guide</em></p> <ul> <li>Get API Key from your dashboard and add to your .env file. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">VITE_FINGERPRINT_API_KEY</span><span class="p">=</span><span class="s">your_public_api_key_here</span> </code></pre> </div> <ul> <li>Install the fingerprint dependency into the root of your project. This can be installed via npm or yarn. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @fingerprintjs/fingerprintjs-pro-vue-v3 yarn add @fingerprintjs/fingerprintjs-pro-vue-v3 </code></pre> </div> <ul> <li>Register the plugin in your Vue.js application. This snippet can be found on Fingerprint under the Vue Integration. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/main.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createApp</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">App</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./App.vue</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">fpjsPlugin</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@fingerprintjs/fingerprintjs-pro-vue-v3</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">createApp</span><span class="p">(</span><span class="nx">App</span><span class="p">);</span> <span class="nx">app</span> <span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">fpjsPlugin</span><span class="p">,</span> <span class="p">{</span> <span class="na">loadOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">apiKey</span><span class="p">:</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_FINGERPRINT_API_KEY</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">mount</span><span class="p">(</span><span class="dl">'</span><span class="s1">#app</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <ul> <li>Use the <code>useVisitorData</code> hook in your components to identify visitors. This is a sample of how it can be implemented. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nt">script</span> <span class="na">setup</span> <span class="na">lang</span><span class="p">=</span><span class="s">"ts"</span><span class="p">&gt;</span> import <span class="si">{</span> <span class="nx">ref</span> <span class="si">}</span> from 'vue'; import <span class="si">{</span> <span class="nx">useVisitorData</span> <span class="si">}</span> from '@fingerprintjs/fingerprintjs-pro-vue-v3'; import <span class="si">{</span> <span class="nx">useRouter</span> <span class="si">}</span> from 'vue-router'; const email = ref(''); const password = ref(''); const isLoading = ref(false); const error = ref(''); const fpResult = ref<span class="p">&lt;</span><span class="nt">null</span> <span class="err">|</span> <span class="si">{</span> <span class="nx">visitorId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">requestId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">confidence</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">suspectScore</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="si">}</span><span class="p">&gt;</span>(null); const router = useRouter(); const <span class="si">{</span> <span class="nx">getData</span> <span class="si">}</span> = useVisitorData( <span class="si">{</span> <span class="nx">extendedResult</span><span class="p">:</span> <span class="kc">true</span> <span class="si">}</span>, <span class="si">{</span> <span class="nx">immediate</span><span class="p">:</span> <span class="kc">false</span> <span class="si">}</span> ); function getRiskLevel(confidence: number, suspectScore: number) <span class="si">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">suspectScore</span> <span class="o">&gt;=</span> <span class="mi">2</span> <span class="o">||</span> <span class="nx">confidence</span> <span class="o">&lt;</span> <span class="mf">0.85</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">suspectScore</span> <span class="o">===</span> <span class="mi">1</span> <span class="o">||</span> <span class="nx">confidence</span> <span class="o">&lt;</span> <span class="mf">0.95</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">;</span> <span class="si">}</span> async function handleLogin() <span class="si">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nx">value</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nx">isLoading</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">error</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Always get a fresh result on login — never use cached data for security checks</span> <span class="kd">const</span> <span class="nx">fpData</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getData</span><span class="p">({</span> <span class="na">ignoreCache</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fpData</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Fingerprint identification failed</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">visitorId</span><span class="p">,</span> <span class="nx">requestId</span><span class="p">,</span> <span class="nx">confidence</span><span class="p">,</span> <span class="nx">suspectScore</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">fpData</span> <span class="k">as</span> <span class="kr">any</span><span class="p">;</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">visitorId</span><span class="p">,</span> <span class="nx">requestId</span><span class="p">,</span> <span class="na">confidence</span><span class="p">:</span> <span class="nx">confidence</span><span class="p">?.</span><span class="nx">score</span> <span class="o">??</span> <span class="mi">0</span><span class="p">,</span> <span class="na">suspectScore</span><span class="p">:</span> <span class="nx">suspectScore</span> <span class="o">??</span> <span class="mi">0</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// Send credentials + Fingerprint data to your backend</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">password</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="nx">visitorId</span><span class="p">,</span> <span class="nx">requestId</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="nx">error</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">message</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Login failed</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">requiresOtp</span><span class="p">)</span> <span class="p">{</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">/verify-otp</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">error</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Something went wrong. Please try again.</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nx">isLoading</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="si">}</span> <span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">template</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"min-h-screen bg-gray-50 flex items-center justify-center px-4"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"w-full max-w-md"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Card</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"bg-white border border-gray-200 rounded-2xl p-8 shadow-sm"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Logo</span> <span class="err">/</span> <span class="na">Header</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"flex items-center gap-3 mb-8"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"w-9 h-9 rounded-lg bg-indigo-600 flex items-center justify-center shrink-0"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">svg</span> <span class="na">class</span><span class="p">=</span><span class="s">"w-5 h-5 text-white"</span> <span class="na">viewBox</span><span class="p">=</span><span class="s">"0 0 24 24"</span> <span class="na">fill</span><span class="p">=</span><span class="s">"none"</span> <span class="na">xmlns</span><span class="p">=</span><span class="s">"http://www.w3.org/2000/svg"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">path</span> <span class="na">d</span><span class="p">=</span><span class="s">"M12 2L4 6v6c0 5.25 3.5 10.15 8 11.35C16.5 22.15 20 17.25 20 12V6L12 2z"</span> <span class="na">fill</span><span class="p">=</span><span class="s">"currentColor"</span> <span class="na">opacity</span><span class="p">=</span><span class="s">"0.9"</span><span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">path</span> <span class="na">d</span><span class="p">=</span><span class="s">"M9 12l2 2 4-4"</span> <span class="na">stroke</span><span class="p">=</span><span class="s">"white"</span> <span class="na">stroke-width</span><span class="p">=</span><span class="s">"1.5"</span> <span class="na">stroke-linecap</span><span class="p">=</span><span class="s">"round"</span> <span class="na">stroke-linejoin</span><span class="p">=</span><span class="s">"round"</span><span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">svg</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-sm font-medium text-gray-900 leading-tight"</span><span class="p">&gt;</span>Secure sign in<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-xs text-gray-400 leading-tight mt-0.5"</span><span class="p">&gt;</span>Protected by Fingerprint<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Form</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="err">@</span><span class="na">submit</span><span class="err">.</span><span class="na">prevent</span><span class="p">=</span><span class="s">"handleLogin"</span> <span class="na">class</span><span class="p">=</span><span class="s">"space-y-5"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Email</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"space-y-1.5"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">for</span><span class="p">=</span><span class="s">"email"</span> <span class="na">class</span><span class="p">=</span><span class="s">"block text-sm text-gray-500"</span><span class="p">&gt;</span> Email address <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">id</span><span class="p">=</span><span class="s">"email"</span> <span class="na">v-model</span><span class="p">=</span><span class="s">"email"</span> <span class="na">type</span><span class="p">=</span><span class="s">"email"</span> <span class="na">autocomplete</span><span class="p">=</span><span class="s">"email"</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"you@example.com"</span> <span class="na">required</span> <span class="na">class</span><span class="p">=</span><span class="s">"w-full h-10 px-3 text-sm bg-gray-50 border border-gray-200 rounded-lg text-gray-900 placeholder-gray-300 outline-none transition focus:border-indigo-400 focus:ring-2 focus:ring-indigo-100"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Password</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"space-y-1.5"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">for</span><span class="p">=</span><span class="s">"password"</span> <span class="na">class</span><span class="p">=</span><span class="s">"block text-sm text-gray-500"</span><span class="p">&gt;</span> Password <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">id</span><span class="p">=</span><span class="s">"password"</span> <span class="na">v-model</span><span class="p">=</span><span class="s">"password"</span> <span class="na">type</span><span class="p">=</span><span class="s">"password"</span> <span class="na">autocomplete</span><span class="p">=</span><span class="s">"current-password"</span> <span class="na">placeholder</span><span class="p">=</span><span class="s">"••••••••"</span> <span class="na">required</span> <span class="na">class</span><span class="p">=</span><span class="s">"w-full h-10 px-3 text-sm bg-gray-50 border border-gray-200 rounded-lg text-gray-900 placeholder-gray-300 outline-none transition focus:border-indigo-400 focus:ring-2 focus:ring-indigo-100"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Error</span> <span class="na">message</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">v-if</span><span class="p">=</span><span class="s">"error"</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-xs text-red-500 bg-red-50 border border-red-100 rounded-lg px-3 py-2"</span><span class="p">&gt;</span> <span class="si">{</span><span class="p">{</span> <span class="nx">error</span> <span class="p">}</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Submit</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">type</span><span class="p">=</span><span class="s">"submit"</span> <span class="err">:</span><span class="na">disabled</span><span class="p">=</span><span class="s">"isLoading"</span> <span class="na">class</span><span class="p">=</span><span class="s">"w-full h-10 text-sm font-medium rounded-lg transition active:scale-[0.98] disabled:opacity-50 disabled:cursor-not-allowed"</span> <span class="err">:</span><span class="na">class</span><span class="p">=</span><span class="err">"</span><span class="na">isLoading</span> <span class="err">?</span> <span class="s">'bg-indigo-400 text-white cursor-not-allowed'</span> <span class="err">:</span> <span class="s">'bg-indigo-600 hover:bg-indigo-700 text-white'</span><span class="err">"</span> <span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">v-if</span><span class="p">=</span><span class="s">"isLoading"</span> <span class="na">class</span><span class="p">=</span><span class="s">"flex items-center justify-center gap-2"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">svg</span> <span class="na">class</span><span class="p">=</span><span class="s">"w-4 h-4 animate-spin"</span> <span class="na">viewBox</span><span class="p">=</span><span class="s">"0 0 24 24"</span> <span class="na">fill</span><span class="p">=</span><span class="s">"none"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">circle</span> <span class="na">class</span><span class="p">=</span><span class="s">"opacity-25"</span> <span class="na">cx</span><span class="p">=</span><span class="s">"12"</span> <span class="na">cy</span><span class="p">=</span><span class="s">"12"</span> <span class="na">r</span><span class="p">=</span><span class="s">"10"</span> <span class="na">stroke</span><span class="p">=</span><span class="s">"currentColor"</span> <span class="na">stroke-width</span><span class="p">=</span><span class="s">"4"</span><span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">path</span> <span class="na">class</span><span class="p">=</span><span class="s">"opacity-75"</span> <span class="na">fill</span><span class="p">=</span><span class="s">"currentColor"</span> <span class="na">d</span><span class="p">=</span><span class="s">"M4 12a8 8 0 018-8v8H4z"</span><span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">svg</span><span class="p">&gt;</span> Verifying device... <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">v-else</span><span class="p">&gt;</span>Sign in<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Fingerprint</span> <span class="na">result</span> <span class="na">panel</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">v-if</span><span class="p">=</span><span class="s">"fpResult"</span> <span class="na">class</span><span class="p">=</span><span class="s">"mt-5 rounded-lg border px-4 py-3 text-xs space-y-2"</span> <span class="err">:</span><span class="na">class</span><span class="p">=</span><span class="err">"</span><span class="si">{</span> <span class="dl">'</span><span class="s1">bg-green-50 border-green-100</span><span class="dl">'</span><span class="p">:</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bg-yellow-50 border-yellow-100</span><span class="dl">'</span><span class="p">:</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bg-red-50 border-red-100</span><span class="dl">'</span><span class="p">:</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="si">}</span><span class="err">"</span> <span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Risk</span> <span class="na">badge</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"flex items-center justify-between mb-1"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"font-medium text-gray-700"</span><span class="p">&gt;</span>Fingerprint result<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-xs font-medium px-2 py-0.5 rounded-full"</span> <span class="err">:</span><span class="na">class</span><span class="p">=</span><span class="err">"</span><span class="si">{</span> <span class="dl">'</span><span class="s1">bg-green-100 text-green-700</span><span class="dl">'</span><span class="p">:</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bg-yellow-100 text-yellow-700</span><span class="dl">'</span><span class="p">:</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bg-red-100 text-red-700</span><span class="dl">'</span><span class="p">:</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="si">}</span><span class="err">"</span> <span class="p">&gt;</span> <span class="si">{</span><span class="p">{</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">clear</span><span class="dl">'</span> <span class="p">:</span> <span class="nf">getRiskLevel</span><span class="p">(</span><span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">,</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">review</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">high risk</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Signal</span> <span class="na">rows</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"divide-y divide-gray-100 border-t border-gray-100 pt-2 space-y-1.5"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"flex justify-between pt-1"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-gray-400"</span><span class="p">&gt;</span>visitorId<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"font-mono text-gray-700 truncate max-w-[55%]"</span><span class="p">&gt;</span><span class="si">{</span><span class="p">{</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">visitorId</span> <span class="p">}</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"flex justify-between pt-1"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-gray-400"</span><span class="p">&gt;</span>requestId<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"font-mono text-gray-700 truncate max-w-[55%]"</span><span class="p">&gt;</span><span class="si">{</span><span class="p">{</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">requestId</span> <span class="p">}</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"flex justify-between pt-1"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-gray-400"</span><span class="p">&gt;</span>confidence score<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"font-mono text-gray-700"</span><span class="p">&gt;</span><span class="si">{</span><span class="p">{</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">confidence</span><span class="p">.</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="p">}</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">class</span><span class="p">=</span><span class="s">"flex justify-between pt-1"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-gray-400"</span><span class="p">&gt;</span>suspect score<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">class</span><span class="p">=</span><span class="s">"font-mono text-gray-700"</span><span class="p">&gt;</span><span class="si">{</span><span class="p">{</span> <span class="nx">fpResult</span><span class="p">.</span><span class="nx">suspectScore</span> <span class="p">}</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-gray-400 pt-1"</span><span class="p">&gt;</span> In production, <span class="p">&lt;</span><span class="nt">code</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-gray-500"</span><span class="p">&gt;</span>visitorId<span class="p">&lt;/</span><span class="nt">code</span><span class="p">&gt;</span> and <span class="p">&lt;</span><span class="nt">code</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-gray-500"</span><span class="p">&gt;</span>requestId<span class="p">&lt;/</span><span class="nt">code</span><span class="p">&gt;</span> are sent to your Firebase Cloud Function for server-side Smart Signal verification. <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="err">!--</span> <span class="na">Footer</span> <span class="na">note</span> <span class="err">--</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">class</span><span class="p">=</span><span class="s">"text-xs text-gray-300 text-center mt-6"</span><span class="p">&gt;</span> Fingerprint collects device signals on submission <span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">template</span><span class="p">&gt;</span> </code></pre> </div> <p><strong>Server-Side Verification with Smart Signals</strong></p> <p>Verification should be done server-side with Smart Signals fingerprinting primarily to ensure the security, integrity, and accuracy of fraud detection data, as client-side environments (browsers/mobile apps) are easily tampered with by malicious actors.</p> <p>After your Vue component collects the visitorId and requestId from Fingerprint, those two values need to be sent to a backend for verification. This step is not optional as Smart Signals are deliberately unavailable in the client-side response to prevent tampering. </p> <p>The flow looks like this: </p> <ul> <li><p>Vue form collects <code>vistorId</code> and <code>requestId</code> on submission. </p></li> <li><p>Both values are sent to your backend along with the user's credentials. </p></li> <li><p>Your backend calls the Fingerprint Server API using <code>requestId</code> to retrieve the full Smart Signals for that login events. </p></li> <li><p>Your backend evaluates the signals and decides whether to allow, challenge with OTP, or block. </p></li> <li><p>Your backend returns the decision to the Vue application. </p></li> </ul> <p><em>What each backend response means for your UI</em></p> <ul> <li><p><code>200 OK</code> with no <code>requiresOtp</code> flag: Login is clean, redirect to dashboard.</p></li> <li><p><code>200 OK</code> with <code>requiresOtp: true</code>: Fingerprint flagged the device as medium risk (VPN detected, low confidence score, or a single suspect signal). Route the user to an OTP screen before granting access. Pass <code>visitorId</code> along as a query param so your OTP handler can reference the same device context.</p></li> <li><p><code>401 Unauthorized</code> : The backend detected high-risk signals (bot activity, browser tampering, blocklisted IP). Show an error and do not proceed. Do not tell the user exactly why they were blocked. A vague message is intentional.</p></li> </ul> <p>Device fingerprinting is one layer in a broader account security strategy not a silver bullet. Pair it with rate limiting, multi-factor authentication, and anomaly detection to build a login flow that's genuinely difficult to compromise.</p> webdev fingerprint security cybersecurity What's Device Fingerprinting? Shadai Scott Sat, 21 Mar 2026 21:46:00 +0000 https://dev.to/shadai_scott/whats-device-fingerprinting-1bmi https://dev.to/shadai_scott/whats-device-fingerprinting-1bmi <p>Imagine this. A user clears their cookies, switches to incognito mode or connects to a VPN and your webapp still recognizes them. That’s what device fingerprinting is. The official definition is that it’s a technique used to identify and track unique users by collecting specific data points from their browser, hardware, and operating system. This article explains how it works and how it fits into your security stack. </p> <p><strong>The Problem with Cookies</strong></p> <p>Cookies were the original device identifiers but there’s a downside to them. Some browsers block them by default, incognito mode bypass them entirely not to mention that some users delete them. As traditional methods lose effectiveness device fingerprinting has surged as the alternative. It doesn’t store anything on the user’s device, only read what’s there. </p> <p><strong>How a fingerprint is built</strong></p> <p>Device-fingerprinting services create fingerprints based on a combination a number of data points. These include but not limited to: </p> <ul> <li>IP address</li> <li>HTTP Request Headers</li> <li>User agent string</li> <li>Client time zone</li> <li>Information about the client device: screen resolution, touch support, operating system and language</li> <li>VPN</li> <li>Battery Information</li> <li>Mouse Movement</li> <li>Scroll Velocity</li> </ul> <p><strong>Passive vs Active Fingerprinting</strong></p> <p>Active Fingerprinting: It explicitly interrogates the browser for extra information. </p> <p>Passive Fingerprinting: The server simply gathers the information passed by the browser and the different HTTP connection layers.</p> <p><strong>What makes a fingerprint persistent</strong></p> <p>Device fingerprinting is persistent because it relies on signals that are inherent to the hardware and software configuration, not stored data. Fraudsters can attempt to manipulate their fingerprint through factory resets or OS changes but modern fingerprinting systems use machine learning similarity detection to recognize devices even as their fingerprints shift.</p> <p><strong>How it fits into a security stack</strong></p> <p>In a Zero Trust model, no device is implicitly trusted even after a successful login. Fingerprinting becomes a foundational signal for maintaining ongoing confidence in device integrity, with every request evaluated against past trusted sessions to detect anomalies. This should be a layer of your security and not a complete solution. </p> webdev security fingerprint cybersecurity Handling DodoPayments Webhooks with Firebase Cloud Functions Shadai Scott Thu, 19 Mar 2026 20:32:55 +0000 https://dev.to/shadai_scott/handling-dodopayments-webhooks-with-firebase-cloud-functions-2gla https://dev.to/shadai_scott/handling-dodopayments-webhooks-with-firebase-cloud-functions-2gla <p>This guide walks through integrating DodoPayments webhook events into a Firebase Cloud Function. Firebase is a natural choice for handling webhooks because it provides a serverless environment that scales automatically and minimizes infrastructure management. By the end of this guide you'll have a deployed Cloud Function that receives DodoPayments events, verifies their authenticity, and writes the results to Firestore. </p> <p><strong>Prerequisites</strong></p> <ul> <li>Firebase project set up with Blaze plan</li> <li>DodoPayments merchant account in test mode</li> <li>Firebase CLI installed</li> </ul> <p><strong>Setting up Firebase Function</strong></p> <p>This guide assumes your Firebase CLI is already installed and you are at the root of your project.</p> <ul> <li>Authenticate and initalize functions </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>firebase login firebase init functions </code></pre> </div> <ul> <li><p>Select an existing project or create a new one. Choose TypeScript when prompted. It's recommended for modern Nuxt projects. Opt in to install dependencies when prompted.</p></li> <li><p>In your index.ts file write a placeholder function to get your public endpoint URL:<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">onRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase-functions/v2/https</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">dodoWebhook</span> <span class="o">=</span> <span class="nf">onRequest</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">OK</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <ul> <li>Deploy it </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>functions firebase deploy <span class="nt">--only</span> functions:dodoWebhook <span class="nt">--project</span> your-project-name </code></pre> </div> <ul> <li>Copy the URL from the terminal output. You'll need it in the next step.</li> </ul> <p><strong>Registering the Endpoint in DodoPayments</strong></p> <ul> <li><p>In your DodoPayments Dashboard go to Developer -&gt; Webhook -&gt; Add Endpoint</p></li> <li><p>Paste your Firebase Function URL. </p></li> <li><p>Select the events you want to listen for. At minimum: payment.succeeded, payment.failed, subscription.active, subscription.cancelled</p></li> <li><p>Save and copy the webhook secret key that is generated.</p></li> </ul> <p><strong>Storing your Webhook Secret</strong></p> <p>Never hardcode secrets in your function. Store it using Firebase's secret manager:</p> <p><code>firebase functions:secrets:set DODO_WEBHOOK_SECRET --project your-project-name</code></p> <p>Paste your webhook secret when prompted.</p> <p><strong>Writing the Webhook Function</strong></p> <p>Install the DodoPayments SDK inside your functions folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>functions npm <span class="nb">install </span>dodopayments </code></pre> </div> <p>Replace the contents of index.ts with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">onRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase-functions/v2/https</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">initializeApp</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase-admin/app</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getFirestore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase-admin/firestore</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineSecret</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase-functions/params</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="nf">initializeApp</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">dodoWebhookSecret</span> <span class="o">=</span> <span class="nf">defineSecret</span><span class="p">(</span><span class="dl">'</span><span class="s1">DODO_WEBHOOK_SECRET</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Next is to add the signature verification helper. DodoPayments follows the Standard Webhooks spec. Verification works by concatenating the webhook-id, webhook-timestamp, and raw payload separated by periods, then computing an HMAC SHA256 of that string using your secret key and comparing it against the webhook-signature header.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyDodoSignature</span><span class="p">(</span> <span class="nx">rawBody</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">signature</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">,</span> <span class="nx">webhookId</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">,</span> <span class="nx">secret</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">signedContent</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">webhookId</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">timestamp</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">rawBody</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">secretBytes</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">secret</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">_</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">],</span> <span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">computedSignature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secretBytes</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">signedContent</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">signatures</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">signature</span><span class="p">)</span> <span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">s</span> <span class="o">=&gt;</span> <span class="nx">s</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">signatures</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">s</span> <span class="o">=&gt;</span> <span class="nx">s</span> <span class="o">===</span> <span class="nx">computedSignature</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now we move on to write the firebase function. In this function verification is done first to ensure security after which the processes are carried out. It is good to write handler functions as it makes it easier to make any changes if needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">dodoWebhook</span> <span class="o">=</span> <span class="nf">onRequest</span><span class="p">(</span> <span class="p">{</span> <span class="na">timeoutSeconds</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">memory</span><span class="p">:</span> <span class="dl">'</span><span class="s1">512MiB</span><span class="dl">'</span><span class="p">,</span> <span class="na">secrets</span><span class="p">:</span> <span class="p">[</span><span class="nx">dodoWebhookSecret</span><span class="p">],</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">405</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Method not allowed</span><span class="dl">'</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">webhook-signature</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">timestamp</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">webhook-timestamp</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">webhookId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">webhook-id</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">rawBody</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifyDodoSignature</span><span class="p">(</span> <span class="nx">rawBody</span><span class="p">,</span> <span class="nx">signature</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">webhookId</span><span class="p">,</span> <span class="nx">dodoWebhookSecret</span><span class="p">.</span><span class="nf">value</span><span class="p">()</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid webhook signature</span><span class="dl">'</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid signature</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Acknowledge immediately. DodoPayments expects a 2xx response </span> <span class="c1">// before you process. Failure to do so triggers a retry.</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">OK</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="kd">type</span><span class="p">,</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">getFirestore</span><span class="p">();</span> <span class="k">switch </span><span class="p">(</span><span class="kd">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">payment.succeeded</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nf">handlePaymentSucceeded</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">db</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">payment.failed</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nf">handlePaymentFailed</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">db</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">subscription.active</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nf">handleSubscriptionActive</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">db</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">subscription.cancelled</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nf">handleSubscriptionCancelled</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">db</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="nl">default</span><span class="p">:</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Unhandled event type: </span><span class="p">${</span><span class="kd">type</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p>Add your event handlers. The customerId comes from data.customer.customer_id in the DodoPayments payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">handlePaymentSucceeded</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">db</span><span class="p">:</span> <span class="nx">FirebaseFirestore</span><span class="p">.</span><span class="nx">Firestore</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">customerId</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">customer</span><span class="p">.</span><span class="nx">customer_id</span><span class="p">;</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="dl">'</span><span class="s1">payments</span><span class="dl">'</span><span class="p">).</span><span class="nf">doc</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">payment_id</span><span class="p">).</span><span class="nf">set</span><span class="p">({</span> <span class="nx">customerId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">succeeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">total_amount</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">currency</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handlePaymentFailed</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">db</span><span class="p">:</span> <span class="nx">FirebaseFirestore</span><span class="p">.</span><span class="nx">Firestore</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">customerId</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">customer</span><span class="p">.</span><span class="nx">customer_id</span><span class="p">;</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="dl">'</span><span class="s1">payments</span><span class="dl">'</span><span class="p">).</span><span class="nf">doc</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">payment_id</span><span class="p">).</span><span class="nf">set</span><span class="p">({</span> <span class="nx">customerId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleSubscriptionActive</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">db</span><span class="p">:</span> <span class="nx">FirebaseFirestore</span><span class="p">.</span><span class="nx">Firestore</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">customerId</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">customer</span><span class="p">.</span><span class="nx">customer_id</span><span class="p">;</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="dl">'</span><span class="s1">subscriptions</span><span class="dl">'</span><span class="p">).</span><span class="nf">doc</span><span class="p">(</span><span class="nx">customerId</span><span class="p">).</span><span class="nf">set</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">,</span> <span class="na">subscriptionId</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">subscription_id</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">merge</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleSubscriptionCancelled</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">db</span><span class="p">:</span> <span class="nx">FirebaseFirestore</span><span class="p">.</span><span class="nx">Firestore</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">customerId</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">customer</span><span class="p">.</span><span class="nx">customer_id</span><span class="p">;</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="dl">'</span><span class="s1">subscriptions</span><span class="dl">'</span><span class="p">).</span><span class="nf">doc</span><span class="p">(</span><span class="nx">customerId</span><span class="p">).</span><span class="nf">set</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cancelled</span><span class="dl">'</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">merge</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Deploying to Production</strong><br> <code>firebase deploy --only functions:dodoWebhook --project your-project-name</code></p> dodopayment firebase nuxt webhook