CCCT1397 - integrity error checks

[pm-dimagi]

Product Description

https://dimagi.atlassian.net/browse/CCCT-1397
To show the proper dialogs based out of integrity error checks send by the server based on these subcodes

Screen_Recording_20250708_170002_CommCare.Debug.mp4

Screen_Recording_20250708_170227_CommCare.Debug.mp4

UNLICENSED_APP_ERROR
APP_INTEGRITY_ERROR
INTEGRITY_REQUEST_ERROR
these error will redirect to the play store to find the exact matched apps
DEVICE_INTEGRITY_ERROR will redirect to the message fragment as device is not comply the checks

Technical Summary

Feature Flag

Safety Assurance

Safety story

Automated test coverage

QA Plan

Labels and Review

• Do we need to enhance the manual QA test coverage ? If yes, the "QA Note" label is set correctly
• Does the PR introduce any major changes worth communicating ? If yes, the "Release Note" label is set and a "Release Note" is specified in PR description.
• Risk label is set correctly
• The set of people pinged as reviewers is appropriate for the level of risk of the change

[coderabbitai]

📝 Walkthrough

Walkthrough

This set of changes updates the integrity token handling and error management within the application. The IntegrityTokenCallback interface and related methods are modified to pass the full StandardIntegrityToken object, not just the token string, through the callback chain. Error handling is expanded to recognize a new INTEGRITY_ERROR code, with logic for processing sub-error codes and displaying appropriate dialogs to the user. The PersonalIdPhoneFragment is updated to handle and propagate the new token object and to manage integrity-related errors with specific user feedback.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant PersonalIdPhoneFragment
    participant IntegrityTokenViewModel
    participant StandardIntegrityManager
    participant API

    User->>PersonalIdPhoneFragment: Initiate integrity token request
    PersonalIdPhoneFragment->>IntegrityTokenViewModel: requestIntegrityToken()
    IntegrityTokenViewModel->>StandardIntegrityManager: Request Token
    StandardIntegrityManager-->>IntegrityTokenViewModel: Return StandardIntegrityToken
    IntegrityTokenViewModel-->>PersonalIdPhoneFragment: onTokenReceived(token, hash, StandardIntegrityToken)
    PersonalIdPhoneFragment->>API: makeStartConfigurationCall(token, hash, body, StandardIntegrityToken)
    API-->>PersonalIdPhoneFragment: Response (may include INTEGRITY_ERROR)
    alt INTEGRITY_ERROR
        PersonalIdPhoneFragment->>PersonalIdPhoneFragment: handleIntegritySubError(StandardIntegrityToken, subError)
        PersonalIdPhoneFragment->>StandardIntegrityToken: showDialog(activity, code)
    end

Loading

Possibly related PRs

• Personal ID Sign Up: Adds Integrity token to 'start_configuration' #3127: Introduces integrity token integration into the start_configuration API call and token provisioning flow, which is directly extended in this PR.
• Integrity token issue solved #3138: Modifies the PersonalIdPhoneFragment to adjust parameter order for makeStartConfigurationCall, related to the same method updated in this PR.

Suggested reviewers

• shubham1g5
• OrangeAndGreen

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0bd2b8c and ef887fa.

📒 Files selected for processing (4)

• app/src/org/commcare/android/integrity/IntegrityTokenViewModel.kt (3 hunks)
• app/src/org/commcare/connect/network/base/BaseApiCallback.kt (1 hunks)
• app/src/org/commcare/connect/network/base/BaseApiHandler.kt (1 hunks)
• app/src/org/commcare/fragments/personalId/PersonalIdPhoneFragment.java (5 hunks)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: shubham1g5
PR: dimagi/commcare-android#0
File: :0-0
Timestamp: 2025-05-08T11:08:18.530Z
Learning: PR #3048 "Phase 4 Connect PR" introduces a substantial feature called "Connect" to the CommCare Android app, which includes messaging, job management, delivery tracking, payment processing, authentication flows, and learning modules. It follows a modern architecture using Navigation Components with three navigation graphs, segregated business logic in Manager classes, and proper database persistence.

Learnt from: OrangeAndGreen
PR: dimagi/commcare-android#3121
File: app/src/org/commcare/activities/CommCareSetupActivity.java:360-364
Timestamp: 2025-05-22T14:28:35.959Z
Learning: In CommCareSetupActivity.java, the call to installFragment.showConnectErrorMessage() after fragment transactions is intentionally unguarded with null checks. This follows the app's design pattern where critical error paths prefer immediate crashes over silent failures, making potential issues immediately visible during development rather than hiding them with defensive programming.

Learnt from: Jignesh-dimagi
PR: dimagi/commcare-android#0
File: :0-0
Timestamp: 2025-05-08T13:40:19.645Z
Learning: PR #3048 introduces a comprehensive messaging system in the Connect feature, implementing secure encryption using AES-GCM for message content, proper channel management with consent flows, and a well-designed UI separation between sent and received messages with real-time notification integration.

Learnt from: pm-dimagi
PR: dimagi/commcare-android#3113
File: app/src/org/commcare/utils/OTPVerificationCallback.java:1-9
Timestamp: 2025-05-16T15:00:47.041Z
Learning: Public interfaces, classes, and methods in the CommCare Android codebase should include proper JavaDoc comments that describe their purpose, parameters, return values, and exceptions where applicable.

Learnt from: shubham1g5
PR: dimagi/commcare-android#2949
File: app/src/org/commcare/fragments/connectId/ConnectIdPasswordVerificationFragment.java:173-247
Timestamp: 2025-03-10T08:16:29.416Z
Learning: In the ConnectIdPasswordVerificationFragment, password comparisons should use MessageDigest.isEqual() rather than equals() to prevent timing attacks, and empty password validation should be implemented before verification attempts.

app/src/org/commcare/connect/network/base/BaseApiCallback.kt (1)

Learnt from: OrangeAndGreen
PR: dimagi/commcare-android#3108
File: app/src/org/commcare/connect/network/PersonalIdApiHandler.java:51-56
Timestamp: 2025-06-13T15:53:12.951Z
Learning: For `PersonalIdApiHandler`, the team’s convention is to propagate `JSONException` as an unchecked `RuntimeException` so the app crashes, signalling a contract/implementation bug rather than attempting a graceful retry.

app/src/org/commcare/connect/network/base/BaseApiHandler.kt (1)

Learnt from: OrangeAndGreen
PR: dimagi/commcare-android#3108
File: app/src/org/commcare/connect/network/PersonalIdApiHandler.java:51-56
Timestamp: 2025-06-13T15:53:12.951Z
Learning: For `PersonalIdApiHandler`, the team’s convention is to propagate `JSONException` as an unchecked `RuntimeException` so the app crashes, signalling a contract/implementation bug rather than attempting a graceful retry.

app/src/org/commcare/fragments/personalId/PersonalIdPhoneFragment.java (8)

Learnt from: shubham1g5
PR: dimagi/commcare-android#0
File: :0-0
Timestamp: 2025-05-08T11:08:18.530Z
Learning: PR #3048 "Phase 4 Connect PR" introduces a substantial feature called "Connect" to the CommCare Android app, which includes messaging, job management, delivery tracking, payment processing, authentication flows, and learning modules. It follows a modern architecture using Navigation Components with three navigation graphs, segregated business logic in Manager classes, and proper database persistence.

Learnt from: shubham1g5
PR: dimagi/commcare-android#2949
File: app/src/org/commcare/fragments/connectId/ConnectIdPasswordVerificationFragment.java:173-247
Timestamp: 2025-03-10T08:16:29.416Z
Learning: In the ConnectIdPasswordVerificationFragment, password comparisons should use MessageDigest.isEqual() rather than equals() to prevent timing attacks, and empty password validation should be implemented before verification attempts.

Learnt from: OrangeAndGreen
PR: dimagi/commcare-android#3108
File: app/src/org/commcare/fragments/connect/ConnectUnlockFragment.java:62-64
Timestamp: 2025-06-04T19:17:21.213Z
Learning: In ConnectUnlockFragment.java, the user prefers to let getArguments() potentially throw NullPointerException rather than adding null checks, as the arguments are required for proper navigation flow and their absence indicates a programming error that should fail fast.

Learnt from: shubham1g5
PR: dimagi/commcare-android#3042
File: app/src/org/commcare/fragments/BreadcrumbBarViewModel.java:50-55
Timestamp: 2025-04-21T15:02:17.492Z
Learning: ViewModels should not store View or Activity references as this can cause memory leaks. Unlike Fragments with setRetainInstance(true), ViewModels don't have automatic view detachment mechanisms. When migrating from Fragments to ViewModels, view references should be replaced with data-only state in the ViewModel.

Learnt from: OrangeAndGreen
PR: dimagi/commcare-android#3121
File: app/src/org/commcare/fragments/SelectInstallModeFragment.java:201-205
Timestamp: 2025-05-22T14:26:41.341Z
Learning: In SelectInstallModeFragment.java, the showConnectErrorMessage method intentionally omits null checks because it's called at a specific point in the startup flow where UI is guaranteed to be loaded. It's designed to crash if activity or view is null to make potential issues immediately visible rather than hiding them with defensive programming.

Learnt from: pm-dimagi
PR: dimagi/commcare-android#2847
File: app/src/org/commcare/connect/network/connectId/ApiService.java:8-63
Timestamp: 2025-01-28T09:38:59.882Z
Learning: The ConnectID API service methods should use Map<String, String> for request bodies and ResponseBody for responses, as per team preference.

Learnt from: OrangeAndGreen
PR: dimagi/commcare-android#3121
File: app/src/org/commcare/activities/CommCareSetupActivity.java:360-364
Timestamp: 2025-05-22T14:28:35.959Z
Learning: In CommCareSetupActivity.java, the call to installFragment.showConnectErrorMessage() after fragment transactions is intentionally unguarded with null checks. This follows the app's design pattern where critical error paths prefer immediate crashes over silent failures, making potential issues immediately visible during development rather than hiding them with defensive programming.

Learnt from: OrangeAndGreen
PR: dimagi/commcare-android#3108
File: app/src/org/commcare/connect/network/PersonalIdApiHandler.java:51-56
Timestamp: 2025-06-13T15:53:12.951Z
Learning: For `PersonalIdApiHandler`, the team’s convention is to propagate `JSONException` as an unchecked `RuntimeException` so the app crashes, signalling a contract/implementation bug rather than attempting a graceful retry.

🧬 Code Graph Analysis (1)

app/src/org/commcare/fragments/personalId/PersonalIdPhoneFragment.java (1)

app/src/org/commcare/android/integrity/IntegrityTokenViewModel.kt (2)

• onTokenReceived (119-122)
• onTokenReceived (120-120)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Lint Code Base

🔇 Additional comments (11)

app/src/org/commcare/connect/network/base/BaseApiHandler.kt (2)

31-32: LGTM! Clean addition of integrity error handling.

The new INTEGRITY_ERROR enum value follows the existing naming convention and integrates well with the error code structure.

---

35-37: Good inclusion of integrity error in retry logic.

Including INTEGRITY_ERROR in the retry-allowed logic is appropriate, as integrity-related failures could be transient and worth retrying.

app/src/org/commcare/connect/network/base/BaseApiCallback.kt (1)

70-77: Well-implemented integrity error handling.

The new INTEGRITY_ERROR handling follows the established pattern and correctly extracts the sub_code from the JSON response. The exception message propagation aligns with the downstream error handling in the UI layer.

app/src/org/commcare/android/integrity/IntegrityTokenViewModel.kt (3)

10-10: Necessary import for enhanced token handling.

The StandardIntegrityManager import is required for the new callback interface parameter.

---

70-71: Enhanced callback with full token response.

Passing the complete StandardIntegrityToken response object enables downstream handlers to access additional token properties beyond just the token string, which is essential for the new integrity error handling.

---

120-120: Interface update aligns with implementation changes.

The callback interface correctly includes the StandardIntegrityToken parameter, maintaining consistency with the updated requestIntegrityToken method implementation.

app/src/org/commcare/fragments/personalId/PersonalIdPhoneFragment.java (5)

28-28: Necessary import for enhanced integrity token handling.

The StandardIntegrityManager import is required for the new method signatures that handle the full integrity token response.

---

228-230: Callback signature updated to match interface changes.

The updated onTokenReceived callback correctly receives and forwards the StandardIntegrityToken object, maintaining consistency with the interface changes in IntegrityTokenViewModel.kt.

---

342-343: Method signature enhanced for integrity token access.

The updated makeStartConfigurationCall method signature correctly accepts the StandardIntegrityToken parameter, enabling access to the token object for integrity error handling.

---

383-384: Appropriate integrity error handling integration.

The new INTEGRITY_ERROR case correctly delegates to the specialized error handling method, passing both the token response and the sub-error message extracted from the throwable.

---

393-403: Java 17 confirmed – modern switch expressions are fully supported
The project’s app/build.gradle sets sourceCompatibility and targetCompatibility to Java 17, so the arrow-style switch expression in handleIntegritySubError is valid. The mapping of sub-error strings to dialog codes and the subsequent showDialog() call are correct. LGTM.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pm_ccct_1397

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[shubham1g5]

can we add video showing different resolution pathways and UX there.

[Jignesh-dimagi]

@pm-dimagi From where do you get this mapping? Here it has some mention but not able to map the server error with code type.

[pm-dimagi]

2c1f121

[Jignesh-dimagi]

@pm-dimagi We should show the device not eligible failure from message fragment?

[pm-dimagi]

2c1f121

[Jignesh-dimagi]

@pm-dimagi Same, we should show the device not eligible failure from message fragment?

[pm-dimagi]

2c1f121

[Jignesh-dimagi]

@pm-dimagi I think you have used to test the flow, please remove it.

[pm-dimagi]

2c1f121

[pm-dimagi]

@Jignesh-dimagi @shubham1g5 i am moaking more changes to this as got addition info on this code types from zandre.. making this PR to draft for a time being

[shubham1g5]

no need to send the token separately if you are seding the whole response and implementations can get token directly from the response instead.

[pm-dimagi]

924bd6c

[shubham1g5]

looks like this should not wait for the startConfiguration call but we should be able to parse the tokenResponse even before we make the startConfiguration call.

[pm-dimagi]

We get the error codes in the configuartion api only according to this doc and we cannot parse the tokenresponse at android level server can only do that

[pm-dimagi]

@shubham1g5 just need a suggestion in above commit i have passed session data in BaseApiCallback which is making it tightly coupled , instead a suggestion can we send failure code in baseApiHandler.onFailure(

[OrangeAndGreen]

Just a typo to fix

[OrangeAndGreen]

Check spelling, missing an 'n' in integrityTokeResponse

[pm-dimagi]

d58e41a

[OrangeAndGreen]

Typo on "Fialed"

[pm-dimagi]

d58e41a

[shubham1g5]

can sessionData be null here ?

[pm-dimagi]

yes earlier it can be due to credentials api which dosent need session data but now this field is removed

[pm-dimagi]

261c6e3

[shubham1g5]

agree on not using sessionData in base callback but we should instead override this in createCallback and do all error code processing there instead.

[pm-dimagi]

261c6e3

[shubham1g5]

• do we always get a subcode in integrity error from server ?
• Also the requireNonNull call should be inside the handleIntegritySubError instead.

[pm-dimagi]

If there is integrity error there will always be a subcode only in error code INTEGRITY_SERVICE_UNAVAILABLE sub code will not be available

[pm-dimagi]

261c6e3

[shubham1g5]

this should only happen when ther errors are of type listed in here and nothing else. I will reverse the if/else logic here to only make the call when the error code is of type where we can do a resolution and otherwise default to calling onConfigurationFailure

[pm-dimagi]

The logic what i take here is INTEGRITY_ERROR code will always have teh sub error which are as follows : UNLICENSED_APP_ERROR,APP_INTEGRITY_ERROR, INTEGRITY_REQUEST_ERROR, DEVICE_INTEGRITY_ERROR
for first three we have to show the dialog type 1 because there is mismatch in the package name so it would allow the user to download the app from the play store ... and in only 1 case DEVICE_INTEGRITY we have to show onConfigurationFailure thats why i have put reverse condition

[shubham1g5]

for first three we have to show the dialog type 1 because there is mismatch in the package name

What makes you say they are all due to mismatch in package name ?

Also we should add dialog type 2 and 3 as well from here - https://developer.android.com/google/play/integrity/remediation and have server send that info if it's not already.

[pm-dimagi]

eb9c91b

[pm-dimagi]

1279dfc

[Jignesh-dimagi]

@pm-dimagi Ideally, we need this function asBaseApiCallback is used by personalId configuration api call, PersonalId other api calls, and connect api calls. We might need to grab sub_code in any of these calls. Instead we need some mechanism to pass the sub_code to calling fragment/activity, which will be of great help going forward for many api calls which might be requiring sub_code

The easiest way to handle sub_code I can see is that declare
var subErrorparams = mapOf<String,Any>() in PersonalIdOrConnectApiErrorCodes

Use this in BaseApiCallback like
val integrityError= PersonalIdOrConnectApiErrorCodes.INTEGRITY_ERROR
integrityError.subErrorparams = mapOf("sub_code" to "UNLICENSED_APP_ERROR")
return onFailure(PersonalIdOrConnectApiErrorCodes.INTEGRITY_ERROR, null);

In calling Fragment, check for PersonalIdOrConnectApiErrorCodes.INTEGRITY_ERROR, and its subErrorparams.
For this case, In PersonalIdPhoneFragment fragment and onFailure method of it can have access this using failureCode.subErrorparams

This method has currently limitation if 2 calls are made simultaneously and both same error, their sub codes can mix. But I guess that possibility is very rare to come.

@shubham1g5 @OrangeAndGreen any thoughts?

[shubham1g5]

@Jignesh-dimagi I am not sure I understand, why would we check for integrity errors in a general purpose callback ?

[Jignesh-dimagi]

@shubham1g5 so that personalId configuration apis, personalId apis and connect apis can use the concept of sub_code for all future work.

[shubham1g5]

yeah that concept makes sense to me, just not sure on what code change you are suggesting to maintain that. Are you suggesting that we maintain knowledge of all possible error codes across all APIs in BaseApiCallback ?

[Jignesh-dimagi]

It's actually map object which we are returning, so yeah as and when required, we should keep adding the error codes in BaseApiCallback. This will make this code single source of truth for error code instead of defining at each ApiHandler.

[shubham1g5]

Hmm lets revisit it later if required, but I think the error codes across personal ID and Connect would be quite different to make sense to maintain them together.

[Jignesh-dimagi]

@shubham1g5 Agree and correct but we can keep adding knowledge for error_code, fragment/activity can use whichever is required on their side.

[shubham1g5]

not needed.

[pm-dimagi]

8809e72