feat: play integrity #79

Merged
ti3x merged 15 commits into main from feat-play-integrity
Feb 12, 2026

Collaborator

@noahpodgurski noahpodgurski commented Jan 16, 2026

What's new

@noahpodgurski noahpodgurski changed the title from "Draft: feat: play integrity" to "feat: play integrity" Feb 5, 2026
Comment thread src/mlpa/core/routers/play/play.py
Comment thread src/mlpa/core/routers/play/play.py Outdated
Comment thread src/mlpa/core/classes.py
# Google Play Integrity
class PlayIntegrityRequest(BaseModel):
integrity_token: str
user_id: str
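
Review bot: `integrity_token: str` and `user_id: str` in `PlayIntegrityRequest` are unconstrained, so the request model accepts an empty string for either field. Consider a length constraint such as `Field(min_length=1)` on both, so an empty value is rejected when the request is parsed instead of depending on checks further down the handler.
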
Contributor

this allows empty value, but if it is empty, lower on https://github.com/Firefox-AI/MLPA/pull/79/changes#diff-b6cf33ca99c89749f7b57bcb0e80bf6fdc324b9f25577c2cb7af154baa0a62d9R37 may bypass the validation

Collaborator Author

What do you mean? play_user_id is only non null if extract_user_from_play_integrity_jwt succeeds

Contributor

@noahpodgurski so I was wondering if it's possible for play_user_id to be empty, 'cause if not, and it can't be invalid after extract_user_from_play_integrity_jwt succeeds, then maybe we don't need if play_user_id: on line 37 of authorize.py

Contributor

@noahpodgurski went over this with more analysis, think it's fine for now to handle the "" user_id situation:

extract_user_from_play_integrity_jwt has two outcomes:

  1. Returns payload["sub"] (a string)
  2. Raises HTTPException(401)

  It never returns None or empty string silently. If sub is missing, jwtoxide rejects it (it's in
  required_spec_claims). If decoding fails for any reason, the except block raises 401.

  The only way play_user_id could be empty string is the scenario from before -- someone issues a JWT with sub: ""
  -- which would require them to know MLPA_ACCESS_TOKEN_SECRET. At that point you have bigger problems.
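
The "two outcomes" contract discussed in this thread, as an added example that is not code from this PR or from MLPA: a standard-library HS256 verifier stands in for jwtoxide, the names `SECRET`, `TokenRejected`, `sign` and `extract_user` are hypothetical, and the presence-only handling of the required `sub` claim is an assumption. It shows that a correctly signed token with `sub: ""` passes a presence-only check, and that an explicit non-empty check at the extraction point rejects it.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; stands in for MLPA_ACCESS_TOKEN_SECRET
REQUIRED_CLAIMS = ("sub",)  # assumption: "required" means present, not non-empty


class TokenRejected(Exception):
    """Hypothetical stand-in for the HTTPException(401) named in the thread."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes = SECRET) -> str:
    """Build a constructed HS256 token for the demo."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"


def extract_user(token: str, key: bytes = SECRET, strict: bool = True) -> str:
    """Return the verified token's sub claim, or raise TokenRejected."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        payload = json.loads(_unb64(body))
        if any(claim not in payload for claim in REQUIRED_CLAIMS):
            raise ValueError("missing required claim")
        sub = payload["sub"]
        # strict=True closes the gap: sub must be a non-blank string.
        if strict and not (isinstance(sub, str) and sub.strip()):
            raise ValueError("empty or non-string sub")
        return sub
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise TokenRejected(str(exc)) from exc
```
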

@ti3x ti3x merged commit c1d3dc8 into main Feb 12, 2026
1 check passed
@ti3x ti3x deleted the feat-play-integrity branch February 12, 2026 19:06