OpenRisk

A sophisticated, real-time risk assessment and fraud detection system for web applications. OpenRisk leverages behavioral analysis, device fingerprinting, and advanced signal processing to identify suspicious patterns and prevent malicious activities.

🏗️ Architecture Overview

OpenRisk consists of three main components working together to provide comprehensive risk assessment:

graph TB
    subgraph "Client Side"
        A[openrisk-client] --> B["Signal Collection (Server Controlled)"]
        A --> C[Behavior Analysis]
        A --> D["Event Emission (Raw Data Only)"]
    end
    
    subgraph "Server Side"
        E[openrisk-server] --> F[Session Management]
        E --> G[Risk Assessment]
        E --> H["Scoring Engine (Full Control)"]
    end
    
    subgraph "Development Tools"
        I[openrisk-devtools] --> J[Debug Interface]
        I --> K[Monitoring]
    end
    
    A -->|Real-time Events| E
    I -->|Debug Data| A
    I -->|Monitoring| E
    
    subgraph "Example Application"
        L[examples] --> M[Demo Implementation]
    end

Loading

🚀 Quick Start

Installation

# Clone the repository
git clone https://github.com/ari-rocha/openrisk.git
cd openrisk

# Install dependencies
bun install

# Build the client
cd openrisk-client && bun run build

# Start the server
cd ../openrisk-server && bun run index.ts

Basic Usage

import { OpenRiskClient } from 'openrisk-client';

// Initialize the client
const client = new OpenRiskClient({
  endpoint: 'https://your-server.com/ingest',
  apiKey: 'your-api-key'
  // Note: All signal collection is controlled server-side
  // Client cannot disable or modify signals for security
});

// Start monitoring
client.start();

// Client sends events to server for risk assessment
// Risk decisions are made server-side only

📦 Packages

OpenRisk ships as separate npm packages for browser clients, React/Next.js, server handlers, and devtools:

• openrisk-client: Browser SDK (OpenRiskClient)
• openrisk-react: React/Next.js helpers (OpenRiskProvider, useOpenRiskClient)
• openrisk-server: Server handler utilities (createOpenRiskHandler)
• openrisk-devtools: Debug overlay (import for side effects)

React / Next.js

import { OpenRiskProvider } from "openrisk-react";

export default function App() {
  return (
    <>
      <OpenRiskProvider
        options={{ projectKey: "pk_test", endpoint: "/ingest", debug: true }}
      />
      {/* your app */}
    </>
  );
}

Server Handler

import { createOpenRiskHandler } from "openrisk-server";

export default {
  fetch: createOpenRiskHandler(),
};

Server Setup

# Start the OpenRisk server
cd openrisk-server
bun start

# Server runs on port 4000 by default
# Endpoint: http://localhost:4000/ingest

📊 Signal Collection System

OpenRisk collects comprehensive behavioral and technical signals to build accurate risk profiles:

mindmap
  root((Signal Collection))
    Device Fingerprinting
      Canvas fingerprint
      WebGL fingerprint
      Audio fingerprint
      User agent details
      Screen resolution
      Timezone information
    Behavioral Analysis
      Mouse movements
      Keyboard cadence
      Click patterns
      Scroll depth
      Interaction timing
    Environmental Signals
      IP geolocation
      Network information
      Browser capabilities
      Plugin detection
    Session Patterns
      Page navigation
      Tab switching
      Visibility changes
      Time on page
      Bounce behavior

Loading

🔧 Core Components

openrisk-client

The browser-based client library that:

• Collects Signals: Gathers 15+ different types of behavioral and technical signals
• Real-time Processing: Analyzes user interactions as they happen
• Memory Session Management: Tracks user sessions with configurable TTL
• Configurable Thresholds: Customizable risk scoring based on your needs

Key Features:

• Server-controlled signal collection (client cannot disable/modify)
• Device fingerprinting resistance to spoofing
• Behavioral pattern detection
• Cross-tab monitoring
• Canvas and WebGL fingerprinting
• Scroll depth analysis
• First interaction detection
• All risk decisions made server-side

openrisk-server

The server-side risk assessment engine:

• Session Storage: Memory-based session management with auto-cleanup
• Risk Scoring: Advanced algorithms to calculate risk scores
• Event Ingestion: High-throughput event processing
• Configurable Logic: Flexible assessment rules

Key Features:

• Automatic session cleanup
• Multi-factor risk assessment
• Real-time decision making
• RESTful API endpoints

openrisk-devtools

Development and debugging tools:

• Visual Interface: See what signals are being collected
• Real-time Monitoring: Watch events as they happen
• Risk Score Tracking: Monitor risk calculations
• Session Debugging: Inspect session data

🎯 Use Cases

flowchart LR
    A[E-commerce] --> B[Payment Fraud Detection]
    C[Financial Services] --> D[Account Takeover Prevention]
    E[SaaS Platforms] --> F[Automated Bot Detection]
    G[Content Sites] --> F
    H[API Services] --> I[Abuse Prevention]
    J[Gaming] --> K[Cheating Detection]

Loading

📈 Risk Assessment Flow

sequenceDiagram
    participant U as User
    participant C as OpenRisk Client
    participant S as OpenRisk Server
    participant D as Database
    
    U->>C: User Interaction
    C->>C: Collect Signals
    C->>S: Emit Events
    S->>S: Calculate Risk Score
    S->>D: Store Session Data
    S->>C: Return Risk Assessment
    S->>C: Server Risk Decision
    C->>U: Enforce Server Decision

Loading

🧪 Testing

The project includes comprehensive testing using Playwright for e2e tests and Bun for unit tests:

# Run unit tests
cd openrisk-client && bun test

# Run e2e tests
cd openrisk-client && npm run test:e2e

# Run tests with UI
cd openrisk-client && npm run test:e2e:ui

# Run tests in headed mode
cd openrisk-client && npm run test:e2e:headed

📦 Project Structure

openrisk/
├── openrisk-client/          # Browser client library
│   ├── src/                  # TypeScript source code
│   ├── tests/                # Unit tests
│   ├── e2e/                  # End-to-end tests
│   └── examples/             # Demo implementation
├── openrisk-server/          # Server-side engine
│   ├── src/                  # TypeScript source code
│   └── tests/                # Unit tests
├── openrisk-devtools/        # Development tools
│   └── src/                  # Tool source code
├── examples/                 # Full demo application
└── dist/                     # Built artifacts

🔧 Configuration

Client Configuration

const client = new OpenRiskClient({
  endpoint: 'https://api.example.com/ingest',
  apiKey: 'your-api-key'
  // Note: All signal collection is controlled server-side
  // Client cannot disable or modify signals for security
});

Server Configuration

The server currently uses a simple Bun HTTP server on port 4000 with built-in risk assessment:

// Current server implementation (openrisk-server/index.ts)
serve({
  port: 4000,
  async fetch(req) {
    // Handles POST /ingest with CORS
    // Returns risk assessment response
  }
});

// Risk assessment includes:
// - Session-based risk scoring
// - Signal normalization  
// - Memory-based session storage

🤝 Contributing

We welcome contributions! Please see our Contributing Guide for details.

Development Workflow

# Fork the repository
git clone https://github.com/your-username/openrisk.git

# Create a feature branch
git checkout -b feature/session-management

# Make your changes
# Run tests
bun test

# Commit your changes
git commit -m 'feat: implement session management'

# Push to your fork
git push origin feature/session-management

# Open a pull request

📊 Performance Metrics

OpenRisk is optimized for performance:

• Client Size: <10KB gzipped
• Memory Usage: <2MB per session
• Latency: <50ms event processing
• Throughput: 10,000+ events/second
• Browser Support: Chrome 90+, Firefox 88+, Safari 14+

🔒 Security & Privacy

OpenRisk collects device and behavioral signals for fraud detection. Here's what's actually collected:

Data Collection Categories:

Device Information:

• User agent string, platform, hardware specifications
• Screen resolution, pixel ratio, touch support
• Canvas and device fingerprinting for identification

Environmental Data:

• Timezone, locale, language preferences
• Network performance metrics and timing data

Behavioral Signals:

• Mouse movement patterns and interaction cadence
• Tab switching and visibility changes
• Navigation patterns and session metrics

Security Features:

• Server-controlled signal collection (client cannot disable)
• Local processing before data transmission
• Session-based analysis rather than persistent tracking
• Configurable risk thresholds set server-side

Privacy Considerations:

⚠️ Note: While designed for security, this system:

• Collects device fingerprinting data that could be used for tracking
• Analyzes behavioral patterns across sessions
• May be subject to data protection regulations (GDPR, CCPA)

🔧 Recommendations:

• Ensure proper user consent mechanisms
• Consider privacy impact assessments
• Implement data retention policies
• Document signal collection purposes clearly

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

• Built with Bun for optimal performance
• Tested with Playwright
• Styled with TypeScript for type safety
• Inspired by modern fraud detection patterns

---

Developed by ari-rocha

OpenRisk - Server-controlled risk assessment for web applications.