feat: integrate AppCheck for integrity/attestation antispam

Signed-off-by: Brandon McAnsh <git@bmcreations.dev>

Author: bmc08gt

api/build.gradle.kts

@@ -63,6 +63,9 @@ dependencies {
     implementation(Libs.okhttp)
     implementation(Libs.mixpanel)
 
+    implementation(platform(Libs.firebase_bom))
+    implementation(Libs.firebase_appcheck)
+
     implementation(Libs.androidx_paging_runtime)
 
     kapt(Libs.androidx_room_compiler)

api/src/main/java/com/getcode/model/intents/IntentType.kt

@@ -5,6 +5,7 @@ import com.getcode.ed25519.Ed25519
 import com.getcode.solana.keys.Signature
 import com.getcode.model.intents.actions.ActionType
 import com.getcode.model.intents.actions.numberActions
+import com.getcode.network.appcheck.toDeviceToken
 import com.getcode.network.repository.*
 import com.getcode.solana.keys.PublicKey
 
@@ -42,14 +43,18 @@ abstract class IntentType {
             .build()
     }
 
-    fun requestToSubmitActions(owner: Ed25519.KeyPair): TransactionService.SubmitIntentRequest {
+    fun requestToSubmitActions(owner: Ed25519.KeyPair, deviceToken: String? = null): TransactionService.SubmitIntentRequest {
         val submitActionsBuilder = TransactionService.SubmitIntentRequest.SubmitActions.newBuilder()
         submitActionsBuilder.owner = owner.publicKeyBytes.toSolanaAccount()
         submitActionsBuilder.id = id.toIntentId()
         submitActionsBuilder.metadata = metadata()
         submitActionsBuilder.addAllActions(actionGroup.actions.map { it.action() })
         submitActionsBuilder.signature = submitActionsBuilder.sign(owner)
 
+        if (deviceToken != null) {
+            submitActionsBuilder.setDeviceToken(deviceToken.toDeviceToken())
+        }
+
         return TransactionService.SubmitIntentRequest.newBuilder()
             .setSubmitActions(submitActionsBuilder)
             .build()

api/src/main/java/com/getcode/network/appcheck/AppCheck.kt

@@ -0,0 +1,43 @@
+package com.getcode.network.appcheck
+
+import com.codeinc.gen.common.v1.Model
+import com.google.firebase.Firebase
+import com.google.firebase.appcheck.AppCheckToken
+import com.google.firebase.appcheck.appCheck
+import io.reactivex.rxjava3.core.BackpressureStrategy
+import io.reactivex.rxjava3.core.Flowable
+import io.reactivex.rxjava3.core.Single
+import kotlinx.coroutines.flow.Flow
+import kotlinx.coroutines.reactive.asFlow
+
+object AppCheck {
+
+    @Deprecated("Replace with Flow variant")
+    fun limitedUseTokenSingle(): Single<AppCheckToken> {
+        return Single.create { emitter ->
+            Firebase.appCheck.limitedUseAppCheckToken
+                .addOnSuccessListener { emitter.onSuccess(it) }
+                .addOnFailureListener { emitter.onError(it) }
+        }
+    }
+
+    @Deprecated("Replace with Flow variant")
+    fun limitedUseTokenFlowable(
+        backpressureStrategy: BackpressureStrategy = BackpressureStrategy.BUFFER
+    ): Flowable<AppCheckToken> {
+        return Flowable.create({ emitter ->
+            Firebase.appCheck.limitedUseAppCheckToken
+                .addOnSuccessListener { emitter.onNext(it) }
+                .addOnFailureListener { emitter.onError(it) }
+        }, backpressureStrategy)
+    }
+
+    fun limitedUseToken(
+        backpressureStrategy: BackpressureStrategy = BackpressureStrategy.BUFFER
+    ): Flow<AppCheckToken> {
+        return limitedUseTokenFlowable(backpressureStrategy).asFlow()
+    }
+}
+
+fun AppCheckToken.toDeviceToken() = Model.DeviceToken.newBuilder().setValue(token).build()
+fun String.toDeviceToken() = Model.DeviceToken.newBuilder().setValue(this).build()

api/src/main/java/com/getcode/network/repository/PhoneRepository.kt

@@ -1,5 +1,6 @@
 package com.getcode.network.repository
 
+import com.codeinc.gen.common.v1.Model.DeviceToken
 import com.codeinc.gen.phone.v1.PhoneVerificationService
 import com.getcode.db.Database
 import com.getcode.db.InMemoryDao
@@ -8,13 +9,30 @@ import com.getcode.model.PrefsBool
 import com.getcode.model.PrefsString
 import com.getcode.network.core.NetworkOracle
 import com.getcode.network.api.PhoneApi
+import com.getcode.network.appcheck.AppCheck
+import com.getcode.network.appcheck.toDeviceToken
+import com.google.firebase.Firebase
+import com.google.firebase.appcheck.AppCheckToken
+import com.google.firebase.appcheck.appCheck
+import io.reactivex.rxjava3.core.BackpressureStrategy
 import io.reactivex.rxjava3.core.Flowable
 import io.reactivex.rxjava3.core.Single
 import kotlinx.coroutines.flow.MutableStateFlow
 import java.io.ByteArrayOutputStream
 import javax.inject.Inject
 import javax.inject.Singleton
 
+
+fun appCheckToken(
+    backpressureStrategy: BackpressureStrategy = BackpressureStrategy.BUFFER
+): Flowable<AppCheckToken> {
+    return Flowable.create({ emitter ->
+        Firebase.appCheck.limitedUseAppCheckToken
+            .addOnSuccessListener { emitter.onNext(it) }
+            .addOnFailureListener { emitter.onError(it) }
+    }, backpressureStrategy)
+}
+
 @Singleton
 class PhoneRepository @Inject constructor(
     private val phoneApi: PhoneApi,
@@ -37,14 +55,18 @@ class PhoneRepository @Inject constructor(
         if (isMock()) return Single.just(PhoneVerificationService.SendVerificationCodeResponse.Result.OK)
             .toFlowable()
 
-        val request =
-            PhoneVerificationService.SendVerificationCodeRequest.newBuilder()
-                .setPhoneNumber(phoneValue.toPhoneNumber())
-                .build()
+        return AppCheck.limitedUseTokenFlowable()
+            .flatMap { tokenResult ->
+                val request =
+                    PhoneVerificationService.SendVerificationCodeRequest.newBuilder()
+                        .setPhoneNumber(phoneValue.toPhoneNumber())
+                        .setDeviceToken(tokenResult.toDeviceToken())
+                        .build()
 
-        return phoneApi.sendVerificationCode(request)
-            .map { it.result }
-            .let { networkOracle.managedRequest(it) }
+                phoneApi.sendVerificationCode(request)
+                    .map { it.result }
+                    .let { networkOracle.managedRequest(it) }
+            }
     }
 
     fun checkVerificationCode(
@@ -68,7 +90,7 @@ class PhoneRepository @Inject constructor(
     ): Flowable<GetAssociatedPhoneNumberResponse> {
         if (isMock()) {
             return Flowable.just(
-                GetAssociatedPhoneNumberResponse(true, true,  false,"+12223334455")
+                GetAssociatedPhoneNumberResponse(true, true, false, "+12223334455")
             )
         }
 

api/src/main/java/com/getcode/network/repository/TransactionRepository.kt

@@ -24,6 +24,7 @@ import com.getcode.model.intents.IntentType
 import com.getcode.model.intents.IntentUpgradePrivacy
 import com.getcode.model.intents.ServerParameter
 import com.getcode.network.api.TransactionApiV2
+import com.getcode.network.appcheck.AppCheck
 import com.getcode.solana.keys.AssociatedTokenAccount
 import com.getcode.solana.keys.PublicKey
 import com.getcode.solana.organizer.AccountType
@@ -86,7 +87,11 @@ class TransactionRepository @Inject constructor(
             .delay(1, TimeUnit.SECONDS)
 
         val createAccounts = IntentCreateAccounts.newInstance(organizer)
-        return submit(createAccounts, organizer.tray.owner.getCluster().authority.keyPair)
+
+        return AppCheck.limitedUseTokenSingle()
+            .flatMap { tokenResult ->
+                submit(createAccounts, organizer.tray.owner.getCluster().authority.keyPair, tokenResult.token)
+            }
     }
 
     fun transfer(
@@ -236,7 +241,7 @@ class TransactionRepository @Inject constructor(
         return submit(intent, owner = organizer.tray.owner.getCluster().authority.keyPair)
     }
 
-    private fun submit(intent: IntentType, owner: KeyPair): Single<IntentType> {
+    private fun submit(intent: IntentType, owner: KeyPair, deviceToken: String? = null): Single<IntentType> {
         Timber.i("Submit ${intent.javaClass.simpleName}")
         val subject = SingleSubject.create<IntentType>()
 
@@ -319,7 +324,7 @@ class TransactionRepository @Inject constructor(
 
         // 1. Send `submitActions` request with
         // actions generated by the intent
-        serverMessageStream.onNext(intent.requestToSubmitActions(owner))
+        serverMessageStream.onNext(intent.requestToSubmitActions(owner, deviceToken))
 
         return subject
     }

app/build.gradle.kts

@@ -164,6 +164,7 @@ dependencies {
 
     implementation(platform(Libs.firebase_bom))
     implementation(Libs.firebase_analytics)
+    implementation(Libs.firebase_appcheck_playintegrity)
 
     implementation(Libs.hilt_nav_compose)
     implementation(Libs.lib_phone_number_port)

app/src/main/java/com/getcode/App.kt

@@ -6,6 +6,11 @@ import com.bugsnag.android.Bugsnag
 import com.getcode.manager.AuthManager
 import com.getcode.utils.ErrorUtils
 import com.getcode.view.main.bill.CashBillAssets
+import com.google.firebase.Firebase
+import com.google.firebase.app
+import com.google.firebase.appcheck.appCheck
+import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory
+import com.google.firebase.initialize
 import dagger.hilt.android.HiltAndroidApp
 import io.reactivex.rxjava3.plugins.RxJavaPlugins
 import timber.log.Timber
@@ -23,6 +28,11 @@ class App : Application() {
 
         CashBillAssets.load(this)
 
+        Firebase.initialize(this)
+        Firebase.appCheck.installAppCheckProviderFactory(
+            PlayIntegrityAppCheckProviderFactory.getInstance()
+        )
+
         AppCompatDelegate.setDefaultNightMode(AppCompatDelegate.MODE_NIGHT_YES)
 
         RxJavaPlugins.setErrorHandler {

buildSrc/src/main/java/Dependencies.kt

@@ -44,7 +44,7 @@ object Versions {
     const val kin_sdk: String = "1.0.1"
     const val grpc_android: String = "1.33.1"
     const val slf4j: String = "1.7.25"
-    const val firebase_bom: String = "29.1.0"
+    const val firebase_bom: String = "32.7.1"
     const val crashlytics_gradle: String = "2.8.1"
     const val play_service_auth = "20.4.0"
     const val play_service_auth_phone = "18.0.1"
@@ -175,6 +175,8 @@ object Libs {
 
     const val firebase_bom = "com.google.firebase:firebase-bom:${Versions.firebase_bom}"
     const val firebase_analytics = "com.google.firebase:firebase-analytics-ktx"
+    const val firebase_appcheck = "com.google.firebase:firebase-appcheck-ktx"
+    const val firebase_appcheck_playintegrity = "com.google.firebase:firebase-appcheck-playintegrity"
     const val firebase_crashlytics = "com.google.firebase:firebase-crashlytics-ktx"
     const val firebase_messaging = "com.google.firebase:firebase-messaging-ktx"
     const val firebase_perf = "com.google.firebase:firebase-perf-ktx"