From 71c60c807b931055bf1a290c104b17c160f0f1a2 Mon Sep 17 00:00:00 2001
From: Andrew Heard
Date: Thu, 13 Jul 2023 15:50:58 -0400
Subject: [PATCH] [App Check] Set `limited_use` request param for App Attest (#11544)
Hardcoded the `limited_use` request parameter to `true` in App Check requests for App Attest. This requests a short-lived App Check token with a TTL of 5 minutes. Note: This feature is only available in the `v1beta` API of App Check.
---
 .../AppAttestProvider/API/GACAppAttestAPIService.m | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/AppCheck/Sources/AppAttestProvider/API/GACAppAttestAPIService.m b/AppCheck/Sources/AppAttestProvider/API/GACAppAttestAPIService.m
index be31815c944..bcd8eeea5a6 100644
--- a/AppCheck/Sources/AppAttestProvider/API/GACAppAttestAPIService.m
+++ b/AppCheck/Sources/AppAttestProvider/API/GACAppAttestAPIService.m
@@ -35,6 +35,7 @@
 static NSString *const kRequestFieldAttestation = @"attestation_statement";
 static NSString *const kRequestFieldChallenge = @"challenge";
 static NSString *const kRequestFieldKeyID = @"key_id";
+static NSString *const kRequestFieldLimitedUse = @"limited_use";
 static NSString *const kExchangeAppAttestAssertionEndpoint = @"exchangeAppAttestAssertion";
 static NSString *const kExchangeAppAttestAttestationEndpoint = @"exchangeAppAttestAttestation";
@@ -44,6 +45,11 @@
 static NSString *const kJSONContentType = @"application/json";
 static NSString *const kHTTPMethodPost = @"POST";
+// TODO(andrewheard): Remove constant when limited-use token feature is implemented.
+// Value for `kRequestFieldLimitedUse` parameter. When `limited_use` is `YES`, forces a short-lived
+// token with a 5 minute TTL.
+static const BOOL kLimitedUseValue = YES;
+
 @interface GACAppAttestAPIService ()
 @property(nonatomic, readonly) id APIService;
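Review bot: The comment on `kLimitedUseValue` does not record that the field depends on the API version, although the commit message says `limited_use` exists only in the `v1beta` App Check API and nothing in this hunk ties the constant to the endpoint the service calls. If the base URL (not visible in this diff) targets a version that does not define the field, the backend might reject the request or ignore the field, and an ignored field would leave callers holding a longer-lived token than the comment promises. I would add a line such as `// Only honoured by the v1beta App Check API; confirm the service base URL before relying on the 5 minute TTL.` The comment could also state that the short TTL is a deliberate trade-off, since it shortens the window in which a captured token is usable but presumably makes every client exchange App Attest assertions more often.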
@@ -187,7 +193,8 @@ - (nullable NSData *)randomChallengeFromResponseBody:(NSData *)response error:(N
 id JSONObject = @{
 kRequestFieldArtifact : [self base64StringWithData:artifact],
 kRequestFieldChallenge : [self base64StringWithData:challenge],
- kRequestFieldAssertion : [self base64StringWithData:assertion]
+ kRequestFieldAssertion : [self base64StringWithData:assertion],
+ kRequestFieldLimitedUse : @(kLimitedUseValue)
 };
 return [self HTTPBodyWithJSONObject:JSONObject];
@@ -209,7 +216,8 @@ - (nullable NSData *)randomChallengeFromResponseBody:(NSData *)response error:(N
 id JSONObject = @{
 kRequestFieldKeyID : keyID,
 kRequestFieldAttestation : [self base64StringWithData:attestation],
- kRequestFieldChallenge : [self base64StringWithData:challenge]
+ kRequestFieldChallenge : [self base64StringWithData:challenge],
+ kRequestFieldLimitedUse : @(kLimitedUseValue)
 };
 return [self HTTPBodyWithJSONObject:JSONObject];
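Review bot: Nothing in this commit pins the new `kRequestFieldLimitedUse : @(kLimitedUseValue)` entry in the assertion request body, nor the same entry in the attestation body in the following hunk, because the diffstat lists only this one file. A later edit could drop the field or change its type, and the client would quietly go back to requesting ordinary tokens. I would add an assertion on the decoded HTTP body in the existing request tests for both exchanges, for example `XCTAssertEqualObjects(decodedBody[@"limited_use"], @YES);`, where `decodedBody` stands for whatever those tests already parse. Both dictionary literals sit in methods whose signatures lie outside the hunks, so the method names are not visible here.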