authorLibravatar Vyr Cossont <VyrCossont@users.noreply.github.com>2025-01-23 16:47:30 -0800
committerLibravatar GitHub <noreply@github.com>2025-01-23 16:47:30 -0800
commit5b765d734ee70f0a8a0790444d60969a727567f8 (patch)
treef76e05a6e5b22df17160be595c40e964bdbe5f22 /vendor/github.com/SherClockHolmes/webpush-go/vapid.go
parent[feature] Serve bot accounts over AP as Service instead of Person (#3672) (diff)
[feature] Push notifications (#3587)
* Update push subscription API model to be Mastodon 4.0 compatible * Add webpush-go dependency # Conflicts: # go.sum * Single-row table for storing instance's VAPID key pair * Generate VAPID key pair during startup * Add VAPID public key to instance info API * Return VAPID public key when registering an app * Store Web Push subscriptions in DB * Add Web Push sender (similar to email sender) * Add no-op push senders to most processor tests * Test Web Push notifications from workers * Delete Web Push subscriptions when account is deleted * Implement push subscription API * Linter fixes * Update Swagger * Fix enum to int migration * Fix GetVAPIDKeyPair * Create web push subscriptions table with indexes * Log Web Push server error messages * Send instance URL as Web Push JWT subject * Accept any 2xx code as a success * Fix malformed VAPID sub claim * Use packed notification flags * Remove unused date columns * Add notification type for update notifications Not used yet * Make GetVAPIDKeyPair idempotent and remove PutVAPIDKeyPair * Post-rebase fixes * go mod tidy * Special-case 400 errors other than 408/429 Most client errors should remove the subscription. * Improve titles, trim body to reasonable length * Disallow cleartext HTTP for Web Push servers * Fix lint * Remove redundant index on unique column Also removes redundant unique and notnull tags on ID column since these are implied by pk * Make realsender.go more readable * Use Tobi's style for wrapping errors * Restore treating all 5xx codes as temporary problems * Always load target account settings * Stub `policy` and `standard` * webpush.Sender: take type converter as ctor param * Move webpush.MockSender and noopSender into testrig
Diffstat (limited to 'vendor/github.com/SherClockHolmes/webpush-go/vapid.go')
-rw-r--r--vendor/github.com/SherClockHolmes/webpush-go/vapid.go117
1 files changed, 117 insertions, 0 deletions
diff --git a/vendor/github.com/SherClockHolmes/webpush-go/vapid.go b/vendor/github.com/SherClockHolmes/webpush-go/vapid.go
new file mode 100644
index 000000000..fe2c580a6
--- /dev/null
+++ b/vendor/github.com/SherClockHolmes/webpush-go/vapid.go
@@ -0,0 +1,117 @@
+package webpush
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ "encoding/base64"
+ "fmt"
+ "math/big"
+ "net/url"
+ "time"
+
+ "github.com/golang-jwt/jwt"
+)
+
+// GenerateVAPIDKeys will create a private and public VAPID key pair
+func GenerateVAPIDKeys() (privateKey, publicKey string, err error) {
+ // Get the private key from the P256 curve
+ curve := elliptic.P256()
+
+ private, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
+ if err != nil {
+ return
+ }
+
+ public := elliptic.Marshal(curve, x, y)
+
+ // Convert to base64
+ publicKey = base64.RawURLEncoding.EncodeToString(public)
+ privateKey = base64.RawURLEncoding.EncodeToString(private)
+
+ return
+}
+
+// Generates the ECDSA public and private keys for the JWT encryption
+func generateVAPIDHeaderKeys(privateKey []byte) *ecdsa.PrivateKey {
+ // Public key
+ curve := elliptic.P256()
+ px, py := curve.ScalarMult(
+ curve.Params().Gx,
+ curve.Params().Gy,
+ privateKey,
+ )
+
+ pubKey := ecdsa.PublicKey{
+ Curve: curve,
+ X: px,
+ Y: py,
+ }
+
+ // Private key
+ d := &big.Int{}
+ d.SetBytes(privateKey)
+
+ return &ecdsa.PrivateKey{
+ PublicKey: pubKey,
+ D: d,
+ }
+}
+
+// getVAPIDAuthorizationHeader
+func getVAPIDAuthorizationHeader(
+ endpoint,
+ subscriber,
+ vapidPublicKey,
+ vapidPrivateKey string,
+ expiration time.Time,
+) (string, error) {
+ // Create the JWT token
+ subURL, err := url.Parse(endpoint)
+ if err != nil {
+ return "", err
+ }
+
+ token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.MapClaims{
+ "aud": fmt.Sprintf("%s://%s", subURL.Scheme, subURL.Host),
+ "exp": expiration.Unix(),
+ "sub": fmt.Sprintf("mailto:%s", subscriber),
+ })
+
+ // Decode the VAPID private key
+ decodedVapidPrivateKey, err := decodeVapidKey(vapidPrivateKey)
+ if err != nil {
+ return "", err
+ }
+
+ privKey := generateVAPIDHeaderKeys(decodedVapidPrivateKey)
+
+ // Sign token with private key
+ jwtString, err := token.SignedString(privKey)
+ if err != nil {
+ return "", err
+ }
+
+ // Decode the VAPID public key
+ pubKey, err := decodeVapidKey(vapidPublicKey)
+ if err != nil {
+ return "", err
+ }
+
+ return fmt.Sprintf(
+ "vapid t=%s, k=%s",
+ jwtString,
+ base64.RawURLEncoding.EncodeToString(pubKey),
+ ), nil
+}
+
+// Need to decode the vapid private key in multiple base64 formats
+// Solution from: https://github.com/SherClockHolmes/webpush-go/issues/29
+func decodeVapidKey(key string) ([]byte, error) {
+ bytes, err := base64.URLEncoding.DecodeString(key)
+ if err == nil {
+ return bytes, nil
+ }
+
+ return base64.RawURLEncoding.DecodeString(key)
+}