author | Matthew Miller <matthew@millerti.me> | 2020-06-09 09:56:13 -0700 |
---|---|---|
committer | Matthew Miller <matthew@millerti.me> | 2020-06-09 09:56:13 -0700 |
commit | c3dcf8f162d5420d391814a9cde83237ee67e6a7 (patch) | |
tree | fc9d912f68b177f6e5c51365bb97f4c4703fb4b3 | |
parent | 15874f968008f9eaae1c72dd57180bd13218bbf4 (diff) |
Add option to ignore SafetyNet timestamp
-rw-r--r-- | packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
index 2865a46..ef9183f 100644
--- a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
+++ b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
@@ -10,13 +10,14 @@ type Options = {
 attStmt: AttestationStatement;
 clientDataHash: Buffer;
 authData: Buffer;
+ verifyTimestampMS?: boolean;
 };

 /**
 * Verify an attestation response with fmt 'android-safetynet'
 */
 export default function verifyAttestationAndroidSafetyNet(options: Options): boolean {
- const { attStmt, clientDataHash, authData } = options;
+ const { attStmt, clientDataHash, authData, verifyTimestampMS = true } = options;
 const { response, ver } = attStmt;

 if (!ver) {
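Review bot: The new `verifyTimestampMS` field on `Options` has no doc comment, and the function's one-line docstring does not mention it, although setting it to false skips both timestamp checks in the next hunk. Document it on the type, for example `/** Default true. When false, the SafetyNet payload timestamp is not checked for being in the past or within the one-minute validity window. */`. With the option off, freshness presumably rests on the nonce comparison alone, which is worth stating for callers. The function body continues outside this hunk.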
@@ -40,17 +41,19 @@ export default function verifyAttestationAndroidSafetyNet(options: Options): boo
 */
 const { nonce, ctsProfileMatch, timestampMs } = PAYLOAD;

- // Make sure timestamp is in the past
- let now = Date.now();
- if (timestampMs > Date.now()) {
- throw new Error(`Payload timestamp "${timestampMs}" was later than "${now}" (SafetyNet)`);
- }
+ if (verifyTimestampMS) {
+ // Make sure timestamp is in the past
+ let now = Date.now();
+ if (timestampMs > Date.now()) {
+ throw new Error(`Payload timestamp "${timestampMs}" was later than "${now}" (SafetyNet)`);
+ }

- // Consider a SafetyNet attestation valid within a minute of it being performed
- const timestampPlusDelay = timestampMs + 60 * 1000;
- now = Date.now();
- if (timestampPlusDelay < now) {
- throw new Error(`Payload timestamp "${timestampPlusDelay}" has expired`);
+ // Consider a SafetyNet attestation valid within a minute of it being performed
+ const timestampPlusDelay = timestampMs + 60 * 1000;
+ now = Date.now();
+ if (timestampPlusDelay < now) {
+ throw new Error(`Payload timestamp "${timestampPlusDelay}" has expired`);
+ }
 }

 const nonceBase = Buffer.concat([authData, clientDataHash]); |
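Review bot: Inside the new `if (verifyTimestampMS)` block, both comparisons pass when `timestampMs` is missing from the payload: `undefined > Date.now()` is false, and `undefined + 60 * 1000` is NaN, so `timestampPlusDelay < now` is false as well. PAYLOAD is built outside this hunk, so if it comes from the attestation response without type validation, add a guard at the top of the block, `if (typeof timestampMs !== 'number' || !Number.isFinite(timestampMs)) throw new Error('Payload timestampMs was not a number (SafetyNet)');`. The first check could also compare against the captured `now` rather than calling `Date.now()` a second time, so the value printed in the error is the one that was tested. The function body starts and ends outside this hunk.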