fix(push): persist app attest state before relay registration

2026-03-12 07:20:45 +00:00 · 2026-03-11 21:14:35 +02:00
parent a46047ab00
commit 4093adec71
2 changed files with 11 additions and 8 deletions
--- a/apps/ios/Sources/Push/PushRelayClient.swift
+++ b/apps/ios/Sources/Push/PushRelayClient.swift
@@ -115,10 +115,6 @@ private struct PushRelayAppAttestProof {
    var assertion: String
    var clientDataHash: String
    var signedPayloadBase64: String
-
-    var includesAttestationObject: Bool {
-        self.attestationObject != nil
-    }
 }

 private final class PushRelayAppAttestService {
@@ -167,6 +163,10 @@ private final class PushRelayAppAttestService {
        let challengeData = Data(challenge.utf8)
        let clientDataHash = Data(SHA256.hash(data: challengeData))
        let attestation = try await service.attestKey(keyID, clientDataHash: clientDataHash)
+        // Apple treats App Attest key attestation as a one-time operation. Save the
+        // attested marker immediately so later receipt/network failures do not cause a
+        // permanently broken re-attestation loop on the same key.
+        _ = PushRelayRegistrationStore.saveAttestedKeyID(keyID)
        return attestation.base64EncodedString()
    }

@@ -285,9 +285,6 @@ final class PushRelayClient: @unchecked Sendable {
                message: Self.decodeErrorMessage(data: data))
        }
        let decoded = try self.decode(PushRelayRegisterResponse.self, from: data)
-        if appAttest.includesAttestationObject {
-            _ = PushRelayRegistrationStore.saveAttestedKeyID(appAttest.keyId)
-        }
        return decoded
    }

--- a/scripts/ios-beta-prepare.sh
+++ b/scripts/ios-beta-prepare.sh
@@ -64,10 +64,16 @@ validate_push_relay_base_url() {
    exit 1
  fi

-  if [[ ! "${value}" =~ ^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~!&*+,;:@%/-]*)?$ ]]; then
+  if [[ ! "${value}" =~ ^https://[A-Za-z0-9.-]+(:([0-9]{1,5}))?(/[A-Za-z0-9._~!&*+,;:@%/-]*)?$ ]]; then
    echo "Invalid OPENCLAW_PUSH_RELAY_BASE_URL: expected https://host[:port][/path]." >&2
    exit 1
  fi
+
+  local port="${BASH_REMATCH[2]:-}"
+  if [[ -n "${port}" ]] && (( 10#${port} > 65535 )); then
+    echo "Invalid OPENCLAW_PUSH_RELAY_BASE_URL: port must be between 1 and 65535." >&2
+    exit 1
+  fi
 }

 while [[ $# -gt 0 ]]; do