Investigate App Attest / Play Integrity for headless auth

Headless auth endpoints accept passwords directly. CORS restricts browser access, but native apps bypass CORS entirely. Currently any app can call these endpoints—we can't distinguish our genuine Divine app from a malicious clone.

App Attest (iOS) and Play Integrity (Android) let us verify requests come from legitimate app installations before accepting credentials.

This spans both backend and mobile:
- **Backend**: Verify attestation tokens with Apple/Google, store key IDs, check assertions on login/register
- **Mobile**: Generate attestations via platform APIs and include in requests

**References:**
- [draft-ietf-oauth-first-party-apps](https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/) §5.2 recommends attestation
- [Apple App Attest](https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity)
- [Play Integrity](https://developer.android.com/google/play/integrity)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Investigate App Attest / Play Integrity for headless auth #8

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Investigate App Attest / Play Integrity for headless auth #8

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions