vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(push): persist app attest state before relay registration

Browse Source
This commit is contained in:
Nimrod Gutman
2026-03-11 21:14:35 +02:00
parent a46047ab00
commit 4093adec71
2 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/ios/Sources/Push/PushRelayClient.swift
View File

@@ -115,10 +115,6 @@ private struct PushRelayAppAttestProof {
var assertion: String var assertion: String
var clientDataHash: String var clientDataHash: String
var signedPayloadBase64: String var signedPayloadBase64: String
var includesAttestationObject: Bool {
self.attestationObject != nil
}
} }
private final class PushRelayAppAttestService { private final class PushRelayAppAttestService {
@@ -167,6 +163,10 @@ private final class PushRelayAppAttestService {
let challengeData = Data(challenge.utf8) let challengeData = Data(challenge.utf8)
let clientDataHash = Data(SHA256.hash(data: challengeData)) let clientDataHash = Data(SHA256.hash(data: challengeData))
let attestation = try await service.attestKey(keyID, clientDataHash: clientDataHash) let attestation = try await service.attestKey(keyID, clientDataHash: clientDataHash)
// Apple treats App Attest key attestation as a one-time operation. Save the
// attested marker immediately so later receipt/network failures do not cause a
// permanently broken re-attestation loop on the same key.
_ = PushRelayRegistrationStore.saveAttestedKeyID(keyID)
return attestation.base64EncodedString() return attestation.base64EncodedString()
} }
@@ -285,9 +285,6 @@ final class PushRelayClient: @unchecked Sendable {
message: Self.decodeErrorMessage(data: data)) message: Self.decodeErrorMessage(data: data))
} }
let decoded = try self.decode(PushRelayRegisterResponse.self, from: data) let decoded = try self.decode(PushRelayRegisterResponse.self, from: data)
if appAttest.includesAttestationObject {
_ = PushRelayRegistrationStore.saveAttestedKeyID(appAttest.keyId)
}
return decoded return decoded
} }

8
scripts/ios-beta-prepare.sh
View File

@@ -64,10 +64,16 @@ validate_push_relay_base_url() {
exit 1 exit 1
fi fi
if [[ ! "${value}" =~ ^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~!&*+,;:@%/-]*)?$ ]]; then if [[ ! "${value}" =~ ^https://[A-Za-z0-9.-]+(:([0-9]{1,5}))?(/[A-Za-z0-9._~!&*+,;:@%/-]*)?$ ]]; then
echo "Invalid OPENCLAW_PUSH_RELAY_BASE_URL: expected https://host[:port][/path]." >&2 echo "Invalid OPENCLAW_PUSH_RELAY_BASE_URL: expected https://host[:port][/path]." >&2
exit 1 exit 1
fi fi
local port="${BASH_REMATCH[2]:-}"
if [[ -n "${port}" ]] && (( 10#${port} > 65535 )); then
echo "Invalid OPENCLAW_PUSH_RELAY_BASE_URL: port must be between 1 and 65535." >&2
exit 1
fi
} }
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do