{"id":27624413,"url":"https://github.com/0x48piraj/fastapi-appattest","last_synced_at":"2025-10-07T20:55:06.392Z","repository":{"id":288843153,"uuid":"969283314","full_name":"0x48piraj/fastapi-appattest","owner":"0x48piraj","description":"FastAPI extension for device request verification on iOS devices using Apple’s DeviceCheck service.","archived":false,"fork":false,"pushed_at":"2025-04-20T00:50:07.000Z","size":21,"stargazers_count":2,"open_issues_count":3,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-19T01:09:04.812Z","etag":null,"topics":["apple","authorization","device-attestation","fastapi","fastapi-appattest","fastapi-extension","ios","jwt","plugin","python3","request-origin-validation","security","security-automation"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0x48piraj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-19T19:51:34.000Z","updated_at":"2025-08-24T20:17:21.000Z","dependencies_parsed_at":"2025-04-19T23:18:38.444Z","dependency_job_id":"5e9986ef-c639-4bce-94b3-3e234cf705c8","html_url":"https://github.com/0x48piraj/fastapi-appattest","commit_stats":null,"previous_names":["0x48piraj/fastapi-appattest"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/0x48piraj/fastapi-appattest","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Ffastapi-appattest","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Ffastapi-appattest/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Ffastapi-appattest/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Ffastapi-appattest/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x48piraj","download_url":"https://codeload.github.com/0x48piraj/fastapi-appattest/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Ffastapi-appattest/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278846352,"owners_count":26056090,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apple","authorization","device-attestation","fastapi","fastapi-appattest","fastapi-extension","ios","jwt","plugin","python3","request-origin-validation","security","security-automation"],"created_at":"2025-04-23T11:40:31.232Z","updated_at":"2025-10-07T20:55:06.387Z","avatar_url":"https://github.com/0x48piraj.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FastAPI-Appattest\n\nAs mobile applications increasingly rely on unauthenticated APIs for performance and user experience, the absence of robust security controls creates a soft target for exploitation. Left unprotected, these endpoints can expose sensitive logic and open vectors for abuse—ranging from data leakage to unauthorized system interaction.\n\nMobile apps commonly rely on unauthenticated APIs for tasks such as retrieving configuration data or serving publicly accessible content. While this approach reduces friction, it also introduces risk. Without proper safeguards, these endpoints become easy targets for misuse. Malicious actors can:\n\n- Generate synthetic traffic to manipulate and/or disrupt backend operations. \n- Interact with the APIs from compromised environments—such as emulators, rooted devices, or unauthorized clients—bypassing intended usage boundaries.\n\n**FastAPI-Appattest** is a lightweight FastAPI extension that integrates Apple’s App Attest, offering a secure and developer-friendly way to validate device integrity. Designed for minimal overhead and seamless integration, it adds a critical layer of trust to unauthenticated mobile API traffic—without complicating your stack.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://docs-assets.developer.apple.com/published/4af6b5e0a27bb7176fa92a73104de5e3/establishing_your_app_s_integrity-1~dark@2x.png\" alt=\"Establishing App Integrity\" /\u003e\n\u003c/p\u003e\n\n## Features\n\n- 🔐 **Apple App Attest Integration**  \n  Securely validates requests from your genuine iOS app using Apple’s App Attest — no more trusting just User-Agents or public tokens.\n\n- 🧾 **Challenge–Response Flow**  \n  Implements a secure challenge mechanism to prevent replay attacks and validate device ownership with a time-limited, per-device challenge.\n\n- ✅ **Signed Session Tokens**  \n  Issues short-lived JWT tokens to attested clients — tokens are cryptographically signed and tamper-proof.\n\n- ⏱️ **One-Time Validation per Device/Session**  \n  Attestation is performed only once per session or device; future requests just use the lightweight session token.\n\n- 🚫 **Tamper-Proof Assurance**  \n  Clients cannot spoof or forge tokens — the signature must match Apple's public key and challenge.\n\n- 🔄 **Session Expiry \u0026 Rotation**  \n  Expiring tokens reduces the attack surface, and tokens can be revoked or rotated as needed.\n\n- 🧱 **Lightweight \u0026 Modular**  \n  Drop-in FastAPI extension — no heavy frameworks, easily integrates into any app structure.\n\n- 🧠 **In-Memory Store with Redis-Ready Design**  \n  Uses an in-memory challenge store by default, with a clear path to swap in Redis for production use.\n\n- 🌐 **Built-in Public Key Caching**  \n  Efficiently fetches and caches Apple’s public keys to validate tokens without excessive network requests.\n\n- 🧪 **Example Project Included**  \n  Comes with a plug-and-play example showcasing the full attestation flow from client to protected route.\n\n- 📦 **Configurable \u0026 Developer Friendly**  \n  Environment-based configuration with sensible defaults using `pydantic-settings`.\n\n## Installation\n\n```bash\n# Install via PyPI\npip install fastapi-appattest\n```\n\n## 🔬 Demo\n\nAn end-to-end working example is included under [`example/`](https://github.com/0x48piraj/fastapi-appattest/tree/master/example) showing:\n\n- How to generate a challenge\n- How to verify the attestation token\n- How to issue + consume signed session tokens\n\n👉 **[See example/README.md for details →](https://github.com/0x48piraj/fastapi-appattest/blob/master/example/README.md)**\n\n## Development \u0026 Testing\n\nClone the repo and install dependencies with [Poetry](https://python-poetry.org):\n\n```bash\ngit clone https://github.com/0x48piraj/fastapi-appattest.git\ncd fastapi-appattest\npoetry install\n```\n\nRun the example server:\n\n```bash\ncd example/\npoetry run uvicorn main:app --reload\n```\n\n## Usage\n\nAfter installing `fastapi-appattest`, you can secure your unauthenticated mobile API endpoints in just a few steps.\n\n### 1. Import and register the attestation router\n\n```python\nfrom fastapi import FastAPI, Depends\nfrom fastapi_appattest import get_current_session, appattest_router\n\napp = FastAPI()\n\n# Mount attestation endpoints at `/device/*`\napp.include_router(appattest_router, prefix=\"/device\")\n```\n\nThis automatically sets up:\n- `GET /device/challenge?device_id=...` – generate a challenge\n- `POST /device/attest` – verify the token and issue a session token\n\n---\n\n### 2. Protect routes using attested session\n\nSecure any endpoint by requiring a valid attested session token:\n\n```python\n@app.get(\"/api/config\")\ndef get_config(session=Depends(get_current_session)):\n    return {\n        \"device\": session[\"device_id\"],\n        \"config\": {\n            \"feature_flags\": [\"app_default_config\", \"dark_mode\"],\n            \"min_supported_version\": \"1.0.0\",\n        },\n    }\n```\n\nIf the client does not present a valid token:\n- Request is **rejected**\n- No extra code needed — validation is handled by `get_current_session`\n\n### 3. Configure via environment variables (.env)\n\n```env\nAPPLE_PUBLIC_KEYS_URL=https://apple-public-keys-url\nAPP_BUNDLE_ID=com.your.app.bundleid\nCHALLENGE_EXPIRY_SECONDS=300\nJWT_SECRET=your-secret-signing-key\nJWT_EXPIRY_SECONDS=1800\n```\n\nOr set them directly via `pydantic-settings`.\n\n### Complete Client Flow (in brief)\n\n1. **Client requests a challenge:**\n\n   `GET /device/challenge?device_id=...`\n\n2. **App performs attestation on-device using the challenge**\n\n3. **App sends the attestation payload to the server:**\n\n   `POST /device/attest` with:\n\n   ```json\n   {\n     \"token\": \"\u003capple_signed_attestation_token\u003e\",\n     \"challenge\": \"\u003cchallenge_from_step_1\u003e\",\n     \"device_id\": \"\u003cunique_device_id\u003e\"\n   }\n   ```\n\n4. **Server verifies and returns a `session_token`**\n\n5. **Client includes this token in future requests:**\n\n   ```http\n   Authorization: Bearer \u003csession_token\u003e\n   ```\n\n## Show your support\n\nStar (⭐) the repository and consider following me on [GitHub](https://github.com/0x48piraj) if this project saved you time or taught you something.\n\n## Roadmap\n\n- [ ] Add IP address / user-agent binding to session tokens\n- [ ] Store active tokens in Redis with revocation support\n- [ ] Use short-lived JWTs + refresh token flow\n- [ ] Log suspicious token re-use or mismatched device claims\n- [ ] Integrate Google's Play Integrity API (???)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x48piraj%2Ffastapi-appattest","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0x48piraj%2Ffastapi-appattest","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x48piraj%2Ffastapi-appattest/lists"}