What clock attack? You validate the timestamp on the server and reject if the timestamp is too far off. The same request being repeatable within say 30s isn’t a problem in 99% of cases.
I'm referring to threat models where the attacker might be able to manipulate time on the server, either directly or through NTP servers, etc. Personally it's not something I would worry about but I've heard it discussed and was wondering how big a concern it is.