patelnav

Apple App Attest assertion verification on Cloudflare Workers (TypeScript)

A working, MIT-licensed reference implementation for verifying Apple App Attest attestations and assertions on Cloudflare Workers using TypeScript.

TL;DR

• Verifies fmt: apple-appattest attestation objects (from DCAppAttestService) and subsequent assertions on the server, on the Workers runtime (no Node crypto, no Firebase, no Swift).
• Two non-obvious gotchas bite everyone: Apple ships DER-encoded ECDSA signatures but WebCrypto wants IEEE P1363 raw r||s; and credentialId is SHA256 of the raw X9.62 uncompressed EC point (65 bytes: 0x04 || X || Y), NOT SHA256 of the SPKI DER.
• Deps: @peculiar/x509, @peculiar/asn1-ecc, @peculiar/asn1-schema, cbor-x. jose for issuing your session JWT afterwards.

patelnav

---
description: Guidelines and best practices for creating .mdc (Markdown Configuration) files in Cursor, including structure, metadata annotations, and formatting rules
globs: ["**/*.mdc"]
---

# Cursor MDC File Guidelines

@context {
    "type": "documentation",
    "purpose": "cursor_rules",