Merge pull request #149 from code-payments/chore/integrate-appcheck-for-device-token-validation

feat: integrate AppCheck for integrity/attestation antispam

Author: bmc08gt

api/build.gradle.kts

@@ -63,6 +63,11 @@ dependencies {
     implementation(Libs.okhttp)
     implementation(Libs.mixpanel)
 
+    implementation(platform(Libs.firebase_bom))
+    implementation(Libs.firebase_appcheck)
+    implementation(Libs.firebase_appcheck_debug)
+    implementation(Libs.firebase_appcheck_playintegrity)
+
     implementation(Libs.androidx_paging_runtime)
 
     kapt(Libs.androidx_room_compiler)

api/src/main/java/com/getcode/model/intents/IntentType.kt

@@ -5,6 +5,7 @@ import com.getcode.ed25519.Ed25519
 import com.getcode.solana.keys.Signature
 import com.getcode.model.intents.actions.ActionType
 import com.getcode.model.intents.actions.numberActions
+import com.getcode.network.appcheck.toDeviceToken
 import com.getcode.network.repository.*
 import com.getcode.solana.keys.PublicKey
 
@@ -42,12 +43,17 @@ abstract class IntentType {
             .build()
     }
 
-    fun requestToSubmitActions(owner: Ed25519.KeyPair): TransactionService.SubmitIntentRequest {
+    fun requestToSubmitActions(owner: Ed25519.KeyPair, deviceToken: String? = null): TransactionService.SubmitIntentRequest {
         val submitActionsBuilder = TransactionService.SubmitIntentRequest.SubmitActions.newBuilder()
         submitActionsBuilder.owner = owner.publicKeyBytes.toSolanaAccount()
         submitActionsBuilder.id = id.toIntentId()
         submitActionsBuilder.metadata = metadata()
         submitActionsBuilder.addAllActions(actionGroup.actions.map { it.action() })
+
+        if (deviceToken != null) {
+            submitActionsBuilder.setDeviceToken(deviceToken.toDeviceToken())
+        }
+
         submitActionsBuilder.signature = submitActionsBuilder.sign(owner)
 
         return TransactionService.SubmitIntentRequest.newBuilder()

api/src/main/java/com/getcode/network/appcheck/AppCheck.kt

@@ -0,0 +1,95 @@
+package com.getcode.network.appcheck
+
+import com.codeinc.gen.common.v1.Model
+import com.getcode.api.BuildConfig
+import com.google.firebase.Firebase
+import com.google.firebase.appcheck.AppCheckToken
+import com.google.firebase.appcheck.AppCheckTokenResult
+import com.google.firebase.appcheck.appCheck
+import com.google.firebase.appcheck.debug.DebugAppCheckProviderFactory
+import com.google.firebase.appcheck.debug.internal.DebugAppCheckProvider
+import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory
+import io.reactivex.rxjava3.core.BackpressureStrategy
+import io.reactivex.rxjava3.core.Flowable
+import io.reactivex.rxjava3.core.Single
+import kotlinx.coroutines.flow.Flow
+import kotlinx.coroutines.reactive.asFlow
+import timber.log.Timber
+import java.lang.Exception
+
+data class DeviceTokenResult(
+    val token: AppCheckToken?
+)
+
+object AppCheck {
+
+    fun register() {
+        if (BuildConfig.DEBUG) {
+            Firebase.appCheck.installAppCheckProviderFactory(
+                DebugAppCheckProviderFactory.getInstance()
+            )
+        } else {
+            Firebase.appCheck.installAppCheckProviderFactory(
+                PlayIntegrityAppCheckProviderFactory.getInstance()
+            )
+        }
+    }
+
+    private fun handleAppCheckError(error: Exception): Boolean {
+        val match = "code: \\d+".toRegex().find(error.message.orEmpty())
+        val errorCode = match?.value?.removePrefix("code: ")?.toInt() ?: -1
+        Timber.e("Failed to get appcheck token: errorCode=$errorCode ${error.message}")
+
+        return errorCode == 403 // bad attestation
+                || errorCode >= 500
+    }
+
+    @Deprecated("Replace with Flow variant")
+    fun limitedUseTokenSingle(): Single<DeviceTokenResult> {
+        return Single.create { emitter ->
+            Firebase.appCheck.limitedUseAppCheckToken
+                .addOnSuccessListener {
+                    Timber.d("attestation passed")
+                    emitter.onSuccess(DeviceTokenResult(it))
+                }
+                .addOnFailureListener { error ->
+                    if (!handleAppCheckError(error)) {
+                        emitter.onError(error)
+                        return@addOnFailureListener
+                    }
+
+                    emitter.onSuccess(DeviceTokenResult(null))
+                }
+        }
+    }
+
+    @Deprecated("Replace with Flow variant")
+    fun limitedUseTokenFlowable(
+        backpressureStrategy: BackpressureStrategy = BackpressureStrategy.BUFFER
+    ): Flowable<DeviceTokenResult> {
+        return Flowable.create({ emitter ->
+            Firebase.appCheck.limitedUseAppCheckToken
+                .addOnSuccessListener {
+                    Timber.d("attestation passed")
+                    emitter.onNext(DeviceTokenResult(it))
+                }
+                .addOnFailureListener { error ->
+                    if (!handleAppCheckError(error)) {
+                        emitter.onError(error)
+                        return@addOnFailureListener
+                    }
+
+                    emitter.onNext(DeviceTokenResult(null))
+                }
+        }, backpressureStrategy)
+    }
+
+    fun limitedUseToken(
+        backpressureStrategy: BackpressureStrategy = BackpressureStrategy.BUFFER
+    ): Flow<DeviceTokenResult> {
+        return limitedUseTokenFlowable(backpressureStrategy).asFlow()
+    }
+}
+
+fun AppCheckToken.toDeviceToken() = Model.DeviceToken.newBuilder().setValue(this.token).build()
+fun String.toDeviceToken() = Model.DeviceToken.newBuilder().setValue(this).build()

api/src/main/java/com/getcode/network/repository/PhoneRepository.kt

@@ -2,19 +2,33 @@ package com.getcode.network.repository
 
 import com.codeinc.gen.phone.v1.PhoneVerificationService
 import com.getcode.db.Database
-import com.getcode.db.InMemoryDao
 import com.getcode.ed25519.Ed25519
-import com.getcode.model.PrefsBool
-import com.getcode.model.PrefsString
-import com.getcode.network.core.NetworkOracle
 import com.getcode.network.api.PhoneApi
+import com.getcode.network.appcheck.AppCheck
+import com.getcode.network.appcheck.toDeviceToken
+import com.getcode.network.core.NetworkOracle
+import com.google.firebase.Firebase
+import com.google.firebase.appcheck.AppCheckToken
+import com.google.firebase.appcheck.appCheck
+import io.reactivex.rxjava3.core.BackpressureStrategy
 import io.reactivex.rxjava3.core.Flowable
 import io.reactivex.rxjava3.core.Single
 import kotlinx.coroutines.flow.MutableStateFlow
 import java.io.ByteArrayOutputStream
 import javax.inject.Inject
 import javax.inject.Singleton
 
+
+fun appCheckToken(
+    backpressureStrategy: BackpressureStrategy = BackpressureStrategy.BUFFER
+): Flowable<AppCheckToken> {
+    return Flowable.create({ emitter ->
+        Firebase.appCheck.limitedUseAppCheckToken
+            .addOnSuccessListener { emitter.onNext(it) }
+            .addOnFailureListener { emitter.onError(it) }
+    }, backpressureStrategy)
+}
+
 @Singleton
 class PhoneRepository @Inject constructor(
     private val phoneApi: PhoneApi,
@@ -37,14 +51,22 @@ class PhoneRepository @Inject constructor(
         if (isMock()) return Single.just(PhoneVerificationService.SendVerificationCodeResponse.Result.OK)
             .toFlowable()
 
-        val request =
-            PhoneVerificationService.SendVerificationCodeRequest.newBuilder()
-                .setPhoneNumber(phoneValue.toPhoneNumber())
-                .build()
+        return AppCheck.limitedUseTokenFlowable()
+            .flatMap { tokenResult ->
+                val request =
+                    PhoneVerificationService.SendVerificationCodeRequest.newBuilder()
+                        .setPhoneNumber(phoneValue.toPhoneNumber())
+                        .apply {
+                            if (tokenResult.token != null) {
+                                setDeviceToken(tokenResult.token.toDeviceToken())
+                            }
+                        }.build()
 
-        return phoneApi.sendVerificationCode(request)
-            .map { it.result }
-            .let { networkOracle.managedRequest(it) }
+
+                phoneApi.sendVerificationCode(request)
+                    .map { it.result }
+                    .let { networkOracle.managedRequest(it) }
+            }
     }
 
     fun checkVerificationCode(
@@ -68,7 +90,7 @@ class PhoneRepository @Inject constructor(
     ): Flowable<GetAssociatedPhoneNumberResponse> {
         if (isMock()) {
             return Flowable.just(
-                GetAssociatedPhoneNumberResponse(true, true,  false,"+12223334455")
+                GetAssociatedPhoneNumberResponse(true, true, false, "+12223334455")
             )
         }
 

api/src/main/java/com/getcode/network/repository/TransactionRepository.kt

@@ -24,6 +24,7 @@ import com.getcode.model.intents.IntentType
 import com.getcode.model.intents.IntentUpgradePrivacy
 import com.getcode.model.intents.ServerParameter
 import com.getcode.network.api.TransactionApiV2
+import com.getcode.network.appcheck.AppCheck
 import com.getcode.solana.keys.AssociatedTokenAccount
 import com.getcode.solana.keys.PublicKey
 import com.getcode.solana.organizer.AccountType
@@ -86,7 +87,11 @@ class TransactionRepository @Inject constructor(
             .delay(1, TimeUnit.SECONDS)
 
         val createAccounts = IntentCreateAccounts.newInstance(organizer)
-        return submit(createAccounts, organizer.tray.owner.getCluster().authority.keyPair)
+
+        return AppCheck.limitedUseTokenSingle()
+            .flatMap { tokenResult ->
+                submit(createAccounts, organizer.tray.owner.getCluster().authority.keyPair, tokenResult.token?.token)
+            }
     }
 
     fun transfer(
@@ -236,7 +241,7 @@ class TransactionRepository @Inject constructor(
         return submit(intent, owner = organizer.tray.owner.getCluster().authority.keyPair)
     }
 
-    private fun submit(intent: IntentType, owner: KeyPair): Single<IntentType> {
+    private fun submit(intent: IntentType, owner: KeyPair, deviceToken: String? = null): Single<IntentType> {
         Timber.i("Submit ${intent.javaClass.simpleName}")
         val subject = SingleSubject.create<IntentType>()
 
@@ -319,7 +324,7 @@ class TransactionRepository @Inject constructor(
 
         // 1. Send `submitActions` request with
         // actions generated by the intent
-        serverMessageStream.onNext(intent.requestToSubmitActions(owner))
+        serverMessageStream.onNext(intent.requestToSubmitActions(owner, deviceToken))
 
         return subject
     }

app/src/main/java/com/getcode/App.kt

@@ -4,8 +4,11 @@ import android.app.Application
 import androidx.appcompat.app.AppCompatDelegate
 import com.bugsnag.android.Bugsnag
 import com.getcode.manager.AuthManager
+import com.getcode.network.appcheck.AppCheck
 import com.getcode.utils.ErrorUtils
 import com.getcode.view.main.bill.CashBillAssets
+import com.google.firebase.Firebase
+import com.google.firebase.initialize
 import dagger.hilt.android.HiltAndroidApp
 import io.reactivex.rxjava3.plugins.RxJavaPlugins
 import timber.log.Timber
@@ -23,6 +26,9 @@ class App : Application() {
 
         CashBillAssets.load(this)
 
+        Firebase.initialize(this)
+        AppCheck.register()
+
         AppCompatDelegate.setDefaultNightMode(AppCompatDelegate.MODE_NIGHT_YES)
 
         RxJavaPlugins.setErrorHandler {

buildSrc/src/main/java/Dependencies.kt

@@ -179,6 +179,9 @@ object Libs {
 
     const val firebase_bom = "com.google.firebase:firebase-bom:${Versions.firebase_bom}"
     const val firebase_analytics = "com.google.firebase:firebase-analytics"
+    const val firebase_appcheck = "com.google.firebase:firebase-appcheck"
+    const val firebase_appcheck_debug = "com.google.firebase:firebase-appcheck-debug"
+    const val firebase_appcheck_playintegrity = "com.google.firebase:firebase-appcheck-playintegrity"
     const val firebase_crashlytics = "com.google.firebase:firebase-crashlytics"
     const val firebase_messaging = "com.google.firebase:firebase-messaging"
     const val firebase_perf = "com.google.firebase:firebase-perf"