Support Play Integrity API additionally to SafetyNet Attestation API.

td/generate/scheme/td_api.tl

@@ -59,9 +59,10 @@ authenticationCodeTypeMissedCall phone_number_prefix:string length:int32 = Authe
 authenticationCodeTypeFragment url:string length:int32 = AuthenticationCodeType;
 
 //@description A digit-only authentication code is delivered via Firebase Authentication to the official Android application
-//@nonce Nonce to pass to the SafetyNet Attestation API
+//@use_play_integrity True, if Play Integrity API must be used for device verification. Otherwise, SafetyNet Attestation API must be used
+//@nonce Nonce to pass to the Play Integrity API or the SafetyNet Attestation API
 //@length Length of the code
-authenticationCodeTypeFirebaseAndroid nonce:bytes length:int32 = AuthenticationCodeType;
+authenticationCodeTypeFirebaseAndroid use_play_integrity:Bool nonce:bytes length:int32 = AuthenticationCodeType;
 
 //@description A digit-only authentication code is delivered via Firebase Authentication to the official iOS application
 //@receipt Receipt of successful application token validation to compare with receipt from push notification
@@ -7513,7 +7514,7 @@ checkAuthenticationPasswordRecoveryCode recovery_code:string = Ok;
 recoverAuthenticationPassword recovery_code:string new_password:string new_hint:string = Ok;
 
 //@description Sends Firebase Authentication SMS to the phone number of the user. Works only when the current authorization state is authorizationStateWaitCode and the server returned code of the type authenticationCodeTypeFirebaseAndroid or authenticationCodeTypeFirebaseIos
-//@token SafetyNet Attestation API token for the Android application, or secret from push notification for the iOS application
+//@token Play Integrity API or SafetyNet Attestation API token for the Android application, or secret from push notification for the iOS application
 sendAuthenticationFirebaseSms token:string = Ok;
 
 //@description Reports that authentication code wasn't delivered via SMS; for official mobile apps only. Works only when the current authorization state is authorizationStateWaitCode @mobile_network_code Current mobile network code
@@ -9897,7 +9898,7 @@ setBusinessStartPage start_page:inputBusinessStartPage = Ok;
 sendPhoneNumberCode phone_number:string settings:phoneNumberAuthenticationSettings type:PhoneNumberCodeType = AuthenticationCodeInfo;
 
 //@description Sends Firebase Authentication SMS to the specified phone number. Works only when received a code of the type authenticationCodeTypeFirebaseAndroid or authenticationCodeTypeFirebaseIos
-//@token SafetyNet Attestation API token for the Android application, or secret from push notification for the iOS application
+//@token Play Integrity API or SafetyNet Attestation API token for the Android application, or secret from push notification for the iOS application
 sendPhoneNumberFirebaseSms token:string = Ok;
 
 //@description Reports that authentication code wasn't delivered via SMS to the specified phone number; for official mobile apps only @mobile_network_code Current mobile network code

td/telegram/SendCodeHelper.cpp

@@ -21,7 +21,8 @@ void SendCodeHelper::on_sent_code(telegram_api::object_ptr<telegram_api::auth_se
   next_code_timestamp_ = Time::now() + sent_code->timeout_;
 
   if (next_code_info_.type == AuthenticationCodeInfo::Type::None &&
-      (sent_code_info_.type == AuthenticationCodeInfo::Type::FirebaseAndroid ||
+      (sent_code_info_.type == AuthenticationCodeInfo::Type::FirebaseAndroidSafetyNet ||
+       sent_code_info_.type == AuthenticationCodeInfo::Type::FirebaseAndroidPlayIntegrity ||
        sent_code_info_.type == AuthenticationCodeInfo::Type::FirebaseIos)) {
     next_code_info_ = {AuthenticationCodeInfo::Type::Sms, sent_code_info_.length, string()};
   }
@@ -112,11 +113,18 @@ telegram_api::auth_requestFirebaseSms SendCodeHelper::request_firebase_sms(const
   string ios_push_secret;
   int32 flags = 0;
 #if TD_ANDROID
-  flags |= telegram_api::auth_requestFirebaseSms::SAFETY_NET_TOKEN_MASK;
-  safety_net_token = token;
+  if (sent_code_info_.type == AuthenticationCodeInfo::Type::FirebaseAndroidSafetyNet) {
+    flags |= telegram_api::auth_requestFirebaseSms::SAFETY_NET_TOKEN_MASK;
+    safety_net_token = token;
+  } else if (sent_code_info_.type == AuthenticationCodeInfo::Type::FirebaseAndroidPlayIntegrity) {
+    flags |= telegram_api::auth_requestFirebaseSms::PLAY_INTEGRITY_TOKEN_MASK;
+    play_integrity_token = token;
+  }
 #elif TD_DARWIN
-  flags |= telegram_api::auth_requestFirebaseSms::IOS_PUSH_SECRET_MASK;
-  ios_push_secret = token;
+  if (sent_code_info_.type == AuthenticationCodeInfo::Type::FirebaseIos) {
+    flags |= telegram_api::auth_requestFirebaseSms::IOS_PUSH_SECRET_MASK;
+    ios_push_secret = token;
+  }
 #endif
   return telegram_api::auth_requestFirebaseSms(flags, phone_number_, phone_code_hash_, safety_net_token,
                                                play_integrity_token, ios_push_secret);
@@ -204,14 +212,21 @@ SendCodeHelper::AuthenticationCodeInfo SendCodeHelper::get_sent_authentication_c
     }
     case telegram_api::auth_sentCodeTypeFirebaseSms::ID: {
       auto code_type = move_tl_object_as<telegram_api::auth_sentCodeTypeFirebaseSms>(sent_code_type_ptr);
+#if TD_ANDROID
       if ((code_type->flags_ & telegram_api::auth_sentCodeTypeFirebaseSms::NONCE_MASK) != 0) {
-        return AuthenticationCodeInfo{AuthenticationCodeInfo::Type::FirebaseAndroid, code_type->length_,
+        return AuthenticationCodeInfo{AuthenticationCodeInfo::Type::FirebaseAndroidSafetyNet, code_type->length_,
                                       code_type->nonce_.as_slice().str()};
       }
+      if ((code_type->flags_ & telegram_api::auth_sentCodeTypeFirebaseSms::PLAY_INTEGRITY_NONCE_MASK) != 0) {
+        return AuthenticationCodeInfo{AuthenticationCodeInfo::Type::FirebaseAndroidPlayIntegrity, code_type->length_,
+                                      code_type->play_integrity_nonce_.as_slice().str()};
+      }
+#elif TD_DARWIN
       if ((code_type->flags_ & telegram_api::auth_sentCodeTypeFirebaseSms::RECEIPT_MASK) != 0) {
         return AuthenticationCodeInfo{AuthenticationCodeInfo::Type::FirebaseIos, code_type->length_,
                                       std::move(code_type->receipt_), code_type->push_timeout_};
       }
+#endif
       return AuthenticationCodeInfo{AuthenticationCodeInfo::Type::Sms, code_type->length_, ""};
     }
     case telegram_api::auth_sentCodeTypeSmsWord::ID: {
@@ -253,8 +268,11 @@ td_api::object_ptr<td_api::AuthenticationCodeType> SendCodeHelper::get_authentic
     case AuthenticationCodeInfo::Type::Fragment:
       return td_api::make_object<td_api::authenticationCodeTypeFragment>(authentication_code_info.pattern,
                                                                          authentication_code_info.length);
-    case AuthenticationCodeInfo::Type::FirebaseAndroid:
-      return td_api::make_object<td_api::authenticationCodeTypeFirebaseAndroid>(authentication_code_info.pattern,
+    case AuthenticationCodeInfo::Type::FirebaseAndroidSafetyNet:
+      return td_api::make_object<td_api::authenticationCodeTypeFirebaseAndroid>(false, authentication_code_info.pattern,
+                                                                                authentication_code_info.length);
+    case AuthenticationCodeInfo::Type::FirebaseAndroidPlayIntegrity:
+      return td_api::make_object<td_api::authenticationCodeTypeFirebaseAndroid>(true, authentication_code_info.pattern,
                                                                                 authentication_code_info.length);
     case AuthenticationCodeInfo::Type::FirebaseIos:
       return td_api::make_object<td_api::authenticationCodeTypeFirebaseIos>(

td/telegram/SendCodeHelper.h

@@ -69,10 +69,11 @@ class SendCodeHelper {
       FlashCall,
       MissedCall,
       Fragment,
-      FirebaseAndroid,
+      FirebaseAndroidSafetyNet,
       FirebaseIos,
       SmsWord,
-      SmsPhrase
+      SmsPhrase,
+      FirebaseAndroidPlayIntegrity
     };
     Type type = Type::None;
     int32 length = 0;