[FIX] support both single and multiple GCP nonces in attestation#74

Merged: Scratch-net merged 2 commits into main from gcp-multi-nonce (Apr 14, 2026)
Conversation

@Scratch-net Scratch-net commented Apr 14, 2026

Summary by CodeRabbit

  • Bug Fixes
    • Improved GCP attestation validation to handle multiple nonce formats with enhanced error reporting for better reliability.

coderabbitai Bot commented Apr 14, 2026

Warning

Rate limit exceeded

@Scratch-net has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 39 minutes and 43 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 90e0d19 and 05b3b9e.

📒 Files selected for processing (1)
  • src/server/utils/gcp-attestation.ts
📝 Walkthrough

The pull request updates gcp-attestation.ts to handle eat_nonce as either a single string or an array of strings. The validation function now normalizes arrays to their first element, validates the normalized value, and uses it consistently throughout error handling and regex parsing.

Changes

Cohort / File(s): GCP Attestation Nonce Handling (src/server/utils/gcp-attestation.ts)
Summary: Updated JwtPayload.eat_nonce type to accept string | string[]. Modified validateGcpAttestationAndExtractKey() to normalize array values to the first element, validate the normalized nonce, and use it for all subsequent operations including regex parsing and error messages.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A nonce arrived in curious dress,
One form or many—oh what a mess!
Our rabbit hops quick to the first in line,
Validates it clean, so neat and fine,
Now logic flows smooth—no more distress! 🐰

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and accurately summarizes the main change: supporting both single and multiple GCP nonces in attestation, which aligns with the updated JwtPayload interface and validateGcpAttestationAndExtractKey() function modifications.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

@Scratch-net Scratch-net requested a review from adiwajshing April 14, 2026 11:55
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/server/utils/gcp-attestation.ts`:
- Around line 363-365: Replace the positional assumption when reading
payload.eat_nonce: instead of taking payload.eat_nonce[0], if payload.eat_nonce
is an array iterate through its elements and pick the first entry that matches
the expected public-key nonce pattern (the same pattern used later to validate
tee_[kt]_public_key:0x...); assign that matching value to eatNonce and handle
the case where no match is found (e.g., throw/log an error or treat as invalid
token) so downstream validation that uses eatNonce works reliably regardless of
array ordering.
📥 Commits

Reviewing files that changed from the base of the PR and between 2969333 and 90e0d19.

📒 Files selected for processing (1)
  • src/server/utils/gcp-attestation.ts

Comment thread src/server/utils/gcp-attestation.ts Outdated
@Scratch-net Scratch-net merged commit 23a0579 into main Apr 14, 2026
2 checks passed
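
Added example (not part of this PR or the project's code): reading payload.eat_nonce by position next to selecting the entry that matches the public-key nonce pattern, as the review comment above suggests. The hex-only suffix after 0x, the KeyNonce type and both function names are assumptions made for illustration.

```typescript
// Added illustration; not taken from src/server/utils/gcp-attestation.ts.
type EatNonce = string | string[];

// ASSUMPTION: the page elides what follows "0x"; hex digits are assumed here.
const ASSUMED_KEY_NONCE = /^tee_([kt])_public_key:0x([0-9a-fA-F]+)$/;

// Hypothetical result shape for this example.
interface KeyNonce {
  tee: "k" | "t";
  publicKeyHex: string;
}

// Positional read: an array collapses to element 0, whatever that element is.
function firstElementNonce(eatNonce: EatNonce): string | undefined {
  return Array.isArray(eatNonce) ? eatNonce[0] : eatNonce;
}

// Order-independent read: scan every entry, accept the first one that matches
// the public-key pattern, and fail closed when none does.
function selectKeyNonce(eatNonce: unknown): KeyNonce {
  const candidates: unknown[] = Array.isArray(eatNonce) ? eatNonce : [eatNonce];
  for (const candidate of candidates) {
    // A JWT claim is untrusted JSON, so entries may not be strings at all.
    if (typeof candidate !== "string") continue;
    const m = ASSUMED_KEY_NONCE.exec(candidate);
    if (m) {
      return { tee: m[1] as "k" | "t", publicKeyHex: m[2]!.toLowerCase() };
    }
  }
  // Report only the count, not the claim contents.
  throw new Error(
    `eat_nonce has no public-key entry (${candidates.length} candidate(s) checked)`
  );
}

// Constructed sample: the public-key nonce is not the first array element.
const SAMPLE_REORDERED: string[] = [
  "constructed-session-nonce-123",
  "tee_k_public_key:0xA1B2C3",
];
```

With SAMPLE_REORDERED, firstElementNonce returns the unrelated first entry, which then fails the pattern check, while selectKeyNonce still finds the key entry.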