Skip to content

Add app/device attestation for gated info-server requests#6076

Open
paullinator wants to merge 4 commits into
developfrom
paul/appAttestation
Open

Add app/device attestation for gated info-server requests#6076
paullinator wants to merge 4 commits into
developfrom
paul/appAttestation

Conversation

@paullinator

Copy link
Copy Markdown
Member

Summary

  • Adds iOS App Attest and Android Keystore native modules plus a JS attestation engine that obtains tokens from the info server.
  • Attaches x-attestation-token to Simplex jwtSign and Banxa createHmac requests so gated signing can require hardware attestation.
  • Documents the client flow in docs/APP_ATTESTATION.md and adds an optional INFO_SERVER env override for local testing.

Test plan

  • Cold-start app and confirm attestation handshake succeeds (token obtained without blocking UI)
  • Buy/sell via Simplex with attestation required on the info-server provider config; confirm quotes still work
  • Buy/sell via Banxa with attestation required; confirm HMAC creation still works
  • Break attestation (e.g. wrong package / rotated keys) and confirm gated providers disappear or fail closed
  • Restore attestation and confirm providers return

Made with Cursor

Introduce a background attestation engine (src/util/attestation.ts) that
runs the platform attestation handshake (Apple App Attest / Android
Keystore attestation) at app boot and caches a short-lived token,
self-rescheduling to refresh it two minutes before expiry.
getAttestationToken() returns the cached token immediately, or waits up to
three seconds for the initial handshake before returning undefined.

fetchInfo (util/network.ts) carries no attestation logic; the
attestation-gated plugins (Simplex/Banxa jwtSign and createHmac) call
getAttestationToken() and attach the x-attestation-token header themselves
only when a token is available, otherwise letting the info server decide.

Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.

Autofix Details

Bugbot Autofix prepared fixes for both issues found in the latest run.

  • ✅ Fixed: Hung handshake blocks later attempts
    • The shared handshake lock now expires after the caller timeout and stale attempts cannot clear a newer lock.
  • ✅ Fixed: Unvalidated expires breaks token cache
    • Attestation responses now require expires to be a finite number before caching the token.

Create PR

Or push these changes by commenting:

@cursor push 836aed9d72
Preview (836aed9d72)
diff --git a/src/util/attestation.ts b/src/util/attestation.ts
--- a/src/util/attestation.ts
+++ b/src/util/attestation.ts
@@ -29,7 +29,7 @@
 const REFRESH_LEAD_MS = 2 * 60 * 1000
 // Small skew so a token that is about to expire is treated as unusable.
 const CLOCK_SKEW_MS = 5 * 1000
-// Max time getAttestationToken() blocks waiting on the initial handshake.
+// Max time a caller waits and one handshake attempt holds the shared lock.
 const GET_TOKEN_TIMEOUT_MS = 3 * 1000
 
 let cachedToken: CachedToken | undefined
@@ -89,6 +89,9 @@
   if (typeof token !== 'string') {
     throw new Error('attest response missing token')
   }
+  if (typeof expires !== 'number' || !Number.isFinite(expires)) {
+    throw new Error('attest response missing expires')
+  }
   cachedToken = { token, expires }
 }
 
@@ -115,7 +118,7 @@
  */
 const runHandshake = (): void => {
   if (inFlight != null) return
-  inFlight = performHandshake()
+  const handshake: Promise<void> = performHandshake()
     .then(() => {
       if (cachedToken != null) scheduleRefresh(cachedToken.expires)
     })
@@ -123,8 +126,13 @@
       console.warn('[attestation] handshake failed:', String(error))
     })
     .finally(() => {
-      inFlight = undefined
+      if (inFlight === handshake) inFlight = undefined
     })
+  inFlight = handshake
+  // A stuck native call may continue, but it must not block later attempts.
+  setTimeout(() => {
+    if (inFlight === handshake) inFlight = undefined
+  }, GET_TOKEN_TIMEOUT_MS)
 }
 
 /**

You can send follow-ups to the cloud agent here.

Comment thread src/util/attestation.ts
Comment thread src/util/attestation.ts
paullinator and others added 3 commits July 16, 2026 07:53
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Watchdog allows overlapping handshakes
    • Kept the handshake lock after the watchdog until the uncancellable native promise settles and added regression coverage proving no second native attestation starts.

Create PR

Or push these changes by commenting:

@cursor push fdfed897e3
Preview (fdfed897e3)
diff --git a/src/__tests__/util/attestation.test.ts b/src/__tests__/util/attestation.test.ts
--- a/src/__tests__/util/attestation.test.ts
+++ b/src/__tests__/util/attestation.test.ts
@@ -140,7 +140,7 @@
     await expect(tokenPromise).resolves.toBe('jwt-token')
   })
 
-  it('releases a hung handshake after the watchdog so a later attempt can succeed (Task 2.2)', async () => {
+  it('keeps a hung handshake locked after the watchdog', async () => {
     mockGetAttestation.mockImplementation(
       async () => await new Promise(() => {}) // never settles
     )
@@ -156,25 +156,19 @@
     await Promise.resolve()
     await Promise.resolve()
 
-    // Watchdog fires and clears the lock.
+    // The watchdog reports the hung handshake without clearing its lock.
     await jest.advanceTimersByTimeAsync(
       attestationTimingForTests.HANDSHAKE_WATCHDOG_MS
     )
 
-    // A subsequent attempt can start after the lock is released.
-    const expires = Date.now() + 10 * 60 * 1000
-    mockGetAttestation.mockResolvedValue({
-      keyId: 'key2',
-      attestation: 'att2',
-      bundleId: 'co.edgesecure.app'
-    })
-    mockSuccessfulHandshake(expires)
-
+    // A subsequent request waits on the existing handshake rather than
+    // starting overlapping native attestation work.
     const tokenPromise = getAttestationToken()
-    await Promise.resolve()
-    await Promise.resolve()
-    await Promise.resolve()
-    await expect(tokenPromise).resolves.toBe('jwt-token')
+    await jest.advanceTimersByTimeAsync(
+      attestationTimingForTests.GET_TOKEN_TIMEOUT_MS
+    )
+    await expect(tokenPromise).resolves.toBeUndefined()
+    expect(mockGetAttestation).toHaveBeenCalledTimes(1)
   })
 
   it('suppresses retries during the failure backoff window (Task 2.3)', async () => {

diff --git a/src/util/attestation.ts b/src/util/attestation.ts
--- a/src/util/attestation.ts
+++ b/src/util/attestation.ts
@@ -46,10 +46,8 @@
 const CLOCK_SKEW_MS = 5 * 1000
 // Max time getAttestationToken() blocks waiting on the initial handshake.
 const GET_TOKEN_TIMEOUT_MS = 3 * 1000
-// Watchdog: a handshake that has not settled after this long is considered
-// hung; release the lock so a later attempt can start. Sized well above a
-// slow-but-legitimate handshake so concurrent handshakes never overlap in
-// normal operation (Apple rate-limits attestation).
+// Watchdog: log when a handshake has not settled after this long. The lock
+// remains held since native attestation cannot be cancelled safely.
 const HANDSHAKE_WATCHDOG_MS = 90 * 1000
 // After a failed handshake, don't retry (and don't make gated callers wait)
 // for this long. Keeps a persistently-failing device from adding 3s of
@@ -258,12 +256,11 @@
       if (inFlight === handshake) inFlight = undefined
     })
   inFlight = handshake
-  // A hung native call must not block all future attempts. Only clear the
-  // lock if this same handshake still holds it.
+  // Do not release the lock here: the native call may still be running, and
+  // overlapping attempts can corrupt shared attestation key state.
   setTimeout(() => {
     if (inFlight === handshake) {
-      console.warn('[attestation] handshake watchdog fired; releasing lock')
-      inFlight = undefined
+      console.warn('[attestation] handshake watchdog fired; still in progress')
     }
   }, HANDSHAKE_WATCHDOG_MS)
 }

You can send follow-ups to the cloud agent here.

Reviewed by Cursor Bugbot for commit 03eb1ba. Configure here.

Comment thread src/util/attestation.ts
console.warn('[attestation] handshake watchdog fired; releasing lock')
inFlight = undefined
}
}, HANDSHAKE_WATCHDOG_MS)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Watchdog allows overlapping handshakes

High Severity

The 90s handshake watchdog clears inFlight without cancelling the underlying performHandshake promise. A new handshake can start while the hung one is still running native attestation, so two enrollments may run concurrently and race on the shared Android keystore alias or iOS attestation state.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 03eb1ba. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant