diff --git a/docs/plans/app-check-enforcement.md b/docs/plans/app-check-enforcement.md new file mode 100644 index 0000000..c461d15 --- /dev/null +++ b/docs/plans/app-check-enforcement.md @@ -0,0 +1,42 @@ +# Plan — App Check enforcement audit and hardening + +- **Status:** Proposed +- **Effort:** Small +- **Firebase services:** App Check (Play Integrity, DeviceCheck / App Attest), Cloud Functions, Firestore, Storage, RTDB + +## Overview + +App Check is already configured client-side for Android release. This plan audits and enforces App Check on every Firebase service the app uses so that API keys leaked from a release binary cannot be used to call the backend from an unmodified environment. + +## Checklist + +1. **Android debug provider** — add `AndroidDebugProvider` with a debug token committed to developer machines only, not the repo. +2. **iOS** — activate `AppleProvider` (`DeviceCheck` / `AppAttest`) once iOS builds are wired up. Block until then. +3. **Firebase Console enforcement:** + - Cloud Functions (callable + HTTPS) → enforce. + - Firestore → enforce. + - Cloud Storage → enforce. + - Realtime Database (if/when presence plan ships) → enforce. +4. **Cloud Functions code:** for each callable, `context.app` must be set; reject with `failed-precondition` if absent (on top of platform enforcement, for defence-in-depth). +5. **Monitoring:** add a Cloud Monitoring alert on App Check denial rate spikes. + +## Files affected + +- `lib/main.dart` — expand provider selection per platform. +- `functions/src/index.ts` — guard helper for `context.app` presence. +- New `functions/src/_appCheck.ts` — wrap callables. + +## Rollout + +- Enable in **monitor mode** first for 7 days to measure legitimate-traffic denial rate. +- Switch to **enforce** if denial rate < 1 %. +- Keep a break-glass env var to temporarily disable the explicit `context.app` check in case of provider outage. + +## Risks + +- Older device OS versions where Play Integrity is flaky → collect denial telemetry and whitelist a device fallback if needed. +- Internal CI/integration tests calling Functions — use App Check debug tokens, never disable enforcement. + +## Testing + +- Integration test that calls a Function without App Check header → expect denial when enforce is on. diff --git a/lib/claim.dart b/lib/claim.dart index 952c5d2..f14cf7e 100644 --- a/lib/claim.dart +++ b/lib/claim.dart @@ -125,11 +125,14 @@ class _ClaimState extends State with TickerProviderStateMixin { postboxes[entry.key as String] = Map.from(entry.value as Map); } + // Cloud Functions serialise JS numbers as either int or double; + // assigning a double to a typed int field throws, so normalise via num. + int asInt(dynamic v) => (v as num?)?.toInt() ?? 0; setState(() { - _count = counts['total'] ?? 0; - _maxPoints = points['max'] ?? 0; - _minPoints = points['min'] ?? 0; - _claimedToday = counts['claimedToday'] ?? 0; + _count = asInt(counts['total']); + _maxPoints = asInt(points['max']); + _minPoints = asInt(points['min']); + _claimedToday = asInt(counts['claimedToday']); _postboxes = postboxes; currentStage = _count > 0 ? ClaimStage.results : ClaimStage.empty; }); diff --git a/lib/nearby.dart b/lib/nearby.dart index 4f743cb..a047335 100644 --- a/lib/nearby.dart +++ b/lib/nearby.dart @@ -113,23 +113,26 @@ class _NearbyState extends State { final claimedCompass = data['claimedCompass'] != null ? Map.from(data['claimedCompass'] as Map) : {}; + // Cloud Functions serialise JS numbers as either int or double; assigning + // a double to a typed int field throws, so normalise every count via num. + int asInt(dynamic v) => (v as num?)?.toInt() ?? 0; setState(() { - _count = counts['total'] ?? 0; - _maxPoints = pts['max'] ?? 0; - _minPoints = pts['min'] ?? 0; + _count = asInt(counts['total']); + _maxPoints = asInt(pts['max']); + _minPoints = asInt(pts['min']); currentStage = NearbyStage.results; for (final dir in const [ 'N', 'NNE', 'NE', 'ENE', 'E', 'ESE', 'SE', 'SSE', 'S', 'SSW', 'SW', 'WSW', 'W', 'WNW', 'NW', 'NNW', ]) { - _compassCounts[dir] = compass[dir] ?? 0; - _claimedCompassCounts[dir] = claimedCompass[dir] ?? 0; + _compassCounts[dir] = asInt(compass[dir]); + _claimedCompassCounts[dir] = asInt(claimedCompass[dir]); } - _claimedToday = counts['claimedToday'] ?? 0; + _claimedToday = asInt(counts['claimedToday']); for (final cipher in MonarchInfo.all) { - _cipherTotals[cipher] = counts[cipher] ?? 0; - _cipherClaimed[cipher] = counts['${cipher}_claimed'] ?? 0; + _cipherTotals[cipher] = asInt(counts[cipher]); + _cipherClaimed[cipher] = asInt(counts['${cipher}_claimed']); } _lastScanned = DateTime.now(); }); diff --git a/lib/wear/wear_claim_page.dart b/lib/wear/wear_claim_page.dart index 32e1baf..b8f2445 100644 --- a/lib/wear/wear_claim_page.dart +++ b/lib/wear/wear_claim_page.dart @@ -52,8 +52,10 @@ class _WearClaimPageState extends State { }); if (!mounted) return; final counts = result.data['counts'] ?? {}; - final total = (counts['total'] as int?) ?? 0; - final claimed = (counts['claimedToday'] as int?) ?? 0; + // Cloud Functions serialise JS numbers as either int or double; `as int?` + // would throw on a double, so normalise via num. + final total = (counts['total'] as num?)?.toInt() ?? 0; + final claimed = (counts['claimedToday'] as num?)?.toInt() ?? 0; _postboxes = Map.from(result.data['postboxes'] ?? {}); setState(() { _count = total; diff --git a/lib/wear/wear_compass_page.dart b/lib/wear/wear_compass_page.dart index 8ab96c3..48174e2 100644 --- a/lib/wear/wear_compass_page.dart +++ b/lib/wear/wear_compass_page.dart @@ -75,8 +75,13 @@ class _WearCompassPageState extends State { final counts = result.data['counts'] ?? {}; final compassRaw = result.data['compass'] ?? {}; setState(() { - _totalCount = (counts['total'] as int?) ?? 0; - _compassCounts = Map.from(compassRaw); + // Cloud Functions serialise JS numbers as either int or double; + // `as int?` would throw on a double, so normalise via num. + _totalCount = (counts['total'] as num?)?.toInt() ?? 0; + _compassCounts = { + for (final e in (compassRaw as Map).entries) + e.key as String: (e.value as num).toInt(), + }; _stage = _CompassStage.results; }); // Haptic pulse to signal scan complete. @@ -206,7 +211,13 @@ class _WearCompassPageState extends State { angle: -rotation, child: CustomPaint( size: Size(size, size), - painter: FuzzyCompassPainter(sectors: sectorValues), + // Pass rotation so the painter counter-rotates the 'N' label; + // otherwise it spins with the canvas and is unreadable whenever + // the watch is not pointing north. + painter: FuzzyCompassPainter( + sectors: sectorValues, + rotation: rotation, + ), ), ), // Centre count overlay (doesn't rotate) diff --git a/lib/wear/wear_status_page.dart b/lib/wear/wear_status_page.dart index 6a2147a..093233d 100644 --- a/lib/wear/wear_status_page.dart +++ b/lib/wear/wear_status_page.dart @@ -18,10 +18,14 @@ class WearStatusPage extends StatefulWidget { class _WearStatusPageState extends State { final StreakService _streakService = StreakService(); late final Stream _streakStream = _streakService.streakStream(); + // Cache so the StreamBuilder doesn't re-subscribe (and briefly show empty + // stats) on every rebuild. Computed once in initState from the uid at mount. + late final Stream>>? _userDocStream = + _buildUserDocStream(); String? get _displayName => FirebaseAuth.instance.currentUser?.displayName; - Stream>>? _userDocStream() { + Stream>>? _buildUserDocStream() { final uid = FirebaseAuth.instance.currentUser?.uid; if (uid == null) return null; return FirebaseFirestore.instance.collection('users').doc(uid).snapshots(); @@ -71,7 +75,7 @@ class _WearStatusPageState extends State { // Lifetime points StreamBuilder>>( - stream: _userDocStream(), + stream: _userDocStream, builder: (context, snap) { final data = snap.data?.data(); final lifetimePoints =