Add support for standard webpush (#33528)

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2025-01-14 10:14:00 +01:00
parent ee4edbb94f
commit 4a2813158d
12 changed files with 167 additions and 46 deletions
--- a/2
+++ b/2
@@ -94,7 +94,7 @@ gem 'twitter-text', '~> 3.1.0'
 gem 'tzinfo-data', '~> 1.2023'
 gem 'webauthn', '~> 3.0'
 gem 'webpacker', '~> 5.4'
-gem 'webpush', github: 'mastodon/webpush', ref: '52725def8baf67e0d645c9d1c6c0bdff69da0c60'
+gem 'webpush', github: 'mastodon/webpush', ref: '9631ac63045cfabddacc69fc06e919b4c13eb913'

 gem 'json-ld'
 gem 'json-ld-preloaded', '~> 3.2'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 GIT
  remote: https://github.com/mastodon/webpush.git
-  revision: 52725def8baf67e0d645c9d1c6c0bdff69da0c60
-  ref: 52725def8baf67e0d645c9d1c6c0bdff69da0c60
+  revision: 9631ac63045cfabddacc69fc06e919b4c13eb913
+  ref: 9631ac63045cfabddacc69fc06e919b4c13eb913
  specs:
    webpush (1.1.0)
      hkdf (~> 0.2)
--- a/app/controllers/api/v1/push/subscriptions_controller.rb
+++ b/app/controllers/api/v1/push/subscriptions_controller.rb
@@ -21,6 +21,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
        endpoint: subscription_params[:endpoint],
        key_p256dh: subscription_params[:keys][:p256dh],
        key_auth: subscription_params[:keys][:auth],
+        standard: subscription_params[:standard] || false,
        data: data_params,
        user_id: current_user.id,
        access_token_id: doorkeeper_token.id
@@ -55,7 +56,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
  end

  def subscription_params
-    params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh])
+    params.require(:subscription).permit(:endpoint, :standard, keys: [:auth, :p256dh])
  end

  def data_params
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@@ -66,7 +66,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
  end

  def subscription_params
-    @subscription_params ||= params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh])
+    @subscription_params ||= params.require(:subscription).permit(:standard, :endpoint, keys: [:auth, :p256dh])
  end

  def web_push_subscription_params
@@ -76,6 +76,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
      endpoint: subscription_params[:endpoint],
      key_auth: subscription_params[:keys][:auth],
      key_p256dh: subscription_params[:keys][:p256dh],
+      standard: subscription_params[:standard] || false,
      user_id: active_session.user_id,
    }
  end
--- a/app/lib/web_push_request.rb
+++ b/app/lib/web_push_request.rb
@@ -2,7 +2,8 @@

 class WebPushRequest
  SIGNATURE_ALGORITHM = 'p256ecdsa'
-  AUTH_HEADER = 'WebPush'
+  LEGACY_AUTH_HEADER = 'WebPush'
+  STANDARD_AUTH_HEADER = 'vapid'
  PAYLOAD_EXPIRATION = 24.hours
  JWT_ALGORITHM = 'ES256'
  JWT_TYPE = 'JWT'
@@ -10,6 +11,7 @@ class WebPushRequest
  attr_reader :web_push_subscription

  delegate(
+    :standard,
    :endpoint,
    :key_auth,
    :key_p256dh,
@@ -24,20 +26,36 @@ class WebPushRequest
    @audience ||= Addressable::URI.parse(endpoint).normalized_site
  end

-  def authorization_header
-    [AUTH_HEADER, encoded_json_web_token].join(' ')
+  def legacy_authorization_header
+    [LEGACY_AUTH_HEADER, encoded_json_web_token].join(' ')
  end

  def crypto_key_header
    [SIGNATURE_ALGORITHM, vapid_key.public_key_for_push_header].join('=')
  end

-  def encrypt(payload)
+  def legacy_encrypt(payload)
    Webpush::Legacy::Encryption.encrypt(payload, key_p256dh, key_auth)
  end

+  def standard_authorization_header
+    [STANDARD_AUTH_HEADER, standard_vapid_value].join(' ')
+  end
+
+  def standard_encrypt(payload)
+    Webpush::Encryption.encrypt(payload, key_p256dh, key_auth)
+  end
+
+  def legacy
+    !standard
+  end
+
  private

+  def standard_vapid_value
+    "t=#{encoded_json_web_token},k=#{vapid_key.public_key_for_push_header}"
+  end
+
  def encoded_json_web_token
    JWT.encode(
      web_token_payload,
--- a/app/models/web/push_subscription.rb
+++ b/app/models/web/push_subscription.rb
@@ -5,10 +5,11 @@
 # Table name: web_push_subscriptions
 #
 #  id              :bigint(8)        not null, primary key
-#  endpoint        :string           not null
-#  key_p256dh      :string           not null
-#  key_auth        :string           not null
 #  data            :json
+#  endpoint        :string           not null
+#  key_auth        :string           not null
+#  key_p256dh      :string           not null
+#  standard        :boolean          default(FALSE), not null
 #  created_at      :datetime         not null
 #  updated_at      :datetime         not null
 #  access_token_id :bigint(8)
--- a/app/serializers/rest/web_push_subscription_serializer.rb
+++ b/app/serializers/rest/web_push_subscription_serializer.rb
@@ -1,7 +1,9 @@
 # frozen_string_literal: true

 class REST::WebPushSubscriptionSerializer < ActiveModel::Serializer
-  attributes :id, :endpoint, :alerts, :server_key, :policy
+  attributes :id, :endpoint, :standard, :alerts, :server_key, :policy
+
+  delegate :standard, to: :object

  def alerts
    (object.data&.dig('alerts') || {}).each_with_object({}) { |(k, v), h| h[k] = ActiveModel::Type::Boolean.new.cast(v) }
--- a/app/validators/web_push_key_validator.rb
+++ b/app/validators/web_push_key_validator.rb
@@ -3,7 +3,7 @@
 class WebPushKeyValidator < ActiveModel::Validator
  def validate(subscription)
    begin
-      Webpush::Legacy::Encryption.encrypt('validation_test', subscription.key_p256dh, subscription.key_auth)
+      Webpush::Encryption.encrypt('validation_test', subscription.key_p256dh, subscription.key_auth)
    rescue ArgumentError, OpenSSL::PKey::EC::Point::Error
      subscription.errors.add(:base, I18n.t('crypto.errors.invalid_key'))
    end
--- a/app/workers/web/push_notification_worker.rb
+++ b/app/workers/web/push_notification_worker.rb
@@ -19,7 +19,19 @@ class Web::PushNotificationWorker
    # in the meantime, so we have to double-check before proceeding
    return unless @notification.activity.present? && @subscription.pushable?(@notification)

-    payload = web_push_request.encrypt(push_notification_json)
+    if web_push_request.legacy
+      perform_legacy_request
+    else
+      perform_standard_request
+    end
+  rescue ActiveRecord::RecordNotFound
+    true
+  end
+
+  private
+
+  def perform_legacy_request
+    payload = web_push_request.legacy_encrypt(push_notification_json)

    request_pool.with(web_push_request.audience) do |http_client|
      request = Request.new(:post, web_push_request.endpoint, body: payload.fetch(:ciphertext), http_client: http_client)
@@ -31,10 +43,35 @@ class Web::PushNotificationWorker
        'Content-Encoding' => 'aesgcm',
        'Encryption' => "salt=#{Webpush.encode64(payload.fetch(:salt)).delete('=')}",
        'Crypto-Key' => "dh=#{Webpush.encode64(payload.fetch(:server_public_key)).delete('=')};#{web_push_request.crypto_key_header}",
-        'Authorization' => web_push_request.authorization_header,
+        'Authorization' => web_push_request.legacy_authorization_header,
        'Unsubscribe-URL' => subscription_url
      )

+      send(request)
+    end
+  end
+
+  def perform_standard_request
+    payload = web_push_request.standard_encrypt(push_notification_json)
+
+    request_pool.with(web_push_request.audience) do |http_client|
+      request = Request.new(:post, web_push_request.endpoint, body: payload, http_client: http_client)
+
+      request.add_headers(
+        'Content-Type' => 'application/octet-stream',
+        'Ttl' => TTL.to_s,
+        'Urgency' => URGENCY,
+        'Content-Encoding' => 'aes128gcm',
+        'Authorization' => web_push_request.standard_authorization_header,
+        'Unsubscribe-URL' => subscription_url,
+        'Content-Length' => payload.length.to_s
+      )
+
+      send(request)
+    end
+  end
+
+  def send(request)
    request.perform do |response|
      # If the server responds with an error in the 4xx range
      # that isn't about rate-limiting or timeouts, we can
@@ -48,11 +85,6 @@ class Web::PushNotificationWorker
      end
    end
  end
-  rescue ActiveRecord::RecordNotFound
-    true
-  end
-
-  private

  def web_push_request
    @web_push_request || WebPushRequest.new(@subscription)
--- a/db/migrate/20250108111200_add_standard_to_push_subscription.rb
+++ b/db/migrate/20250108111200_add_standard_to_push_subscription.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddStandardToPushSubscription < ActiveRecord::Migration[8.0]
+  def change
+    add_column :web_push_subscriptions, :standard, :boolean, null: false, default: false
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,9 +10,9 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.2].define(version: 2024_12_16_224825) do
+ActiveRecord::Schema[8.0].define(version: 2025_01_08_111200) do
  # These are extensions that must be enabled in order to support this database
-  enable_extension "plpgsql"
+  enable_extension "pg_catalog.plpgsql"

  create_table "account_aliases", force: :cascade do |t|
    t.bigint "account_id", null: false
@@ -1202,6 +1202,7 @@ ActiveRecord::Schema[7.2].define(version: 2024_12_16_224825) do
    t.datetime "updated_at", precision: nil, null: false
    t.bigint "access_token_id"
    t.bigint "user_id"
+    t.boolean "standard", default: false, null: false
    t.index ["access_token_id"], name: "index_web_push_subscriptions_on_access_token_id", where: "(access_token_id IS NOT NULL)"
    t.index ["user_id"], name: "index_web_push_subscriptions_on_user_id"
  end
--- a/spec/workers/web/push_notification_worker_spec.rb
+++ b/spec/workers/web/push_notification_worker_spec.rb
@@ -5,21 +5,36 @@ require 'rails_helper'
 RSpec.describe Web::PushNotificationWorker do
  subject { described_class.new }

-  let(:p256dh) { 'BN4GvZtEZiZuqFxSKVZfSfluwKBD7UxHNBmWkfiZfCtgDE8Bwh-_MtLXbBxTBAWH9r7IPKL0lhdcaqtL1dfxU5E=' }
-  let(:auth) { 'Q2BoAjC09xH3ywDLNJr-dA==' }
  let(:endpoint) { 'https://updates.push.services.mozilla.com/push/v1/subscription-id' }
  let(:user) { Fabricate(:user) }
  let(:notification) { Fabricate(:notification) }
-  let(:subscription) { Fabricate(:web_push_subscription, user_id: user.id, key_p256dh: p256dh, key_auth: auth, endpoint: endpoint, data: { alerts: { notification.type => true } }) }
  let(:vapid_public_key) { 'BB37UCyc8LLX4PNQSe-04vSFvpUWGrENubUaslVFM_l5TxcGVMY0C3RXPeUJAQHKYlcOM2P4vTYmkoo0VZGZTM4=' }
  let(:vapid_private_key) { 'OPrw1Sum3gRoL4-DXfSCC266r-qfFSRZrnj8MgIhRHg=' }
  let(:vapid_key) { Webpush::VapidKey.from_keys(vapid_public_key, vapid_private_key) }
  let(:contact_email) { 'sender@example.com' }
-  let(:ciphertext) { "+\xB8\xDBT}\x13\xB6\xDD.\xF9\xB0\xA7\xC8\xD2\x80\xFD\x99#\xF7\xAC\x83\xA4\xDB,\x1F\xB5\xB9w\x85>\xF7\xADr" }
-  let(:salt) { "X\x97\x953\xE4X\xF8_w\xE7T\x95\xC51q\xFE" }
-  let(:server_public_key) { "\x04\b-RK9w\xDD$\x16lFz\xF9=\xB4~\xC6\x12k\xF3\xF40t\xA9\xC1\fR\xC3\x81\x80\xAC\f\x7F\xE4\xCC\x8E\xC2\x88 n\x8BB\xF1\x9C\x14\a\xFA\x8D\xC9\x80\xA1\xDDyU\\&c\x01\x88#\x118Ua" }
-  let(:shared_secret) { "\t\xA7&\x85\t\xC5m\b\xA8\xA7\xF8B{1\xADk\xE1y'm\xEDE\xEC\xDD\xEDj\xB3$s\xA9\xDA\xF0" }
-  let(:payload) { { ciphertext: ciphertext, salt: salt, server_public_key: server_public_key, shared_secret: shared_secret } }
+
+  # Legacy values
+  let(:p256dh) { 'BN4GvZtEZiZuqFxSKVZfSfluwKBD7UxHNBmWkfiZfCtgDE8Bwh-_MtLXbBxTBAWH9r7IPKL0lhdcaqtL1dfxU5E=' }
+  let(:auth) { 'Q2BoAjC09xH3ywDLNJr-dA==' }
+  let(:legacy_subscription) { Fabricate(:web_push_subscription, user_id: user.id, key_p256dh: p256dh, key_auth: auth, endpoint: endpoint, data: { alerts: { notification.type => true } }) }
+  let(:legacy_payload) do
+    {
+      ciphertext: "+\xB8\xDBT}\x13\xB6\xDD.\xF9\xB0\xA7\xC8\xD2\x80\xFD\x99#\xF7\xAC\x83\xA4\xDB,\x1F\xB5\xB9w\x85>\xF7\xADr",
+      salt: "X\x97\x953\xE4X\xF8_w\xE7T\x95\xC51q\xFE",
+      server_public_key: "\x04\b-RK9w\xDD$\x16lFz\xF9=\xB4~\xC6\x12k\xF3\xF40t\xA9\xC1\fR\xC3\x81\x80\xAC\f\x7F\xE4\xCC\x8E\xC2\x88 n\x8BB\xF1\x9C\x14\a\xFA\x8D\xC9\x80\xA1\xDDyU\\&c\x01\x88#\x118Ua",
+      shared_secret: "\t\xA7&\x85\t\xC5m\b\xA8\xA7\xF8B{1\xADk\xE1y'm\xEDE\xEC\xDD\xEDj\xB3$s\xA9\xDA\xF0",
+    }
+  end
+
+  # Standard values, from RFC8291
+  let(:std_p256dh) { 'BCVxsr7N_eNgVRqvHtD0zTZsEc6-VV-JvLexhqUzORcxaOzi6-AYWXvTBHm4bjyPjs7Vd8pZGH6SRpkNtoIAiw4' }
+  let(:std_auth) { 'BTBZMqHH6r4Tts7J_aSIgg' }
+  let(:std_as_public) { 'BP4z9KsN6nGRTbVYI_c7VJSPQTBtkgcy27mlmlMoZIIgDll6e3vCYLocInmYWAmS6TlzAC8wEqKK6PBru3jl7A8' }
+  let(:std_as_private) { 'yfWPiYE-n46HLnH0KqZOF1fJJU3MYrct3AELtAQ-oRw' }
+  let(:std_salt) { 'DGv6ra1nlYgDCS1FRnbzlw' }
+  let(:std_subscription) { Fabricate(:web_push_subscription, user_id: user.id, key_p256dh: std_p256dh, key_auth: std_auth, endpoint: endpoint, standard: true, data: { alerts: { notification.type => true } }) }
+  let(:std_input) { 'When I grow up, I want to be a watermelon' }
+  let(:std_ciphertext) { 'DGv6ra1nlYgDCS1FRnbzlwAAEABBBP4z9KsN6nGRTbVYI_c7VJSPQTBtkgcy27mlmlMoZIIgDll6e3vCYLocInmYWAmS6TlzAC8wEqKK6PBru3jl7A_yl95bQpu6cVPTpK4Mqgkf1CXztLVBSt2Ks3oZwbuwXPXLWyouBWLVWGNWQexSgSxsj_Qulcy4a-fN' }

  describe 'perform' do
    around do |example|
@@ -35,20 +50,40 @@ RSpec.describe Web::PushNotificationWorker do
    before do
      Setting.site_contact_email = contact_email

-      allow(Webpush::Legacy::Encryption).to receive(:encrypt).and_return(payload)
      allow(JWT).to receive(:encode).and_return('jwt.encoded.payload')

      stub_request(:post, endpoint).to_return(status: 201, body: '')
    end

-    it 'calls the relevant service with the correct headers' do
-      subject.perform(subscription.id, notification.id)
+    it 'Legacy push calls the relevant service with the legacy headers' do
+      allow(Webpush::Legacy::Encryption).to receive(:encrypt).and_return(legacy_payload)

-      expect(web_push_endpoint_request)
+      subject.perform(legacy_subscription.id, notification.id)
+
+      expect(legacy_web_push_endpoint_request)
        .to have_been_made
    end

-    def web_push_endpoint_request
+    # We allow subject stub to encrypt the same input than the RFC8291 example
+    # rubocop:disable RSpec/SubjectStub
+    it 'Standard push calls the relevant service with the standard headers' do
+      # Mock server keys to match RFC example
+      allow(OpenSSL::PKey::EC).to receive(:generate).and_return(std_as_keys)
+      # Mock the random salt to match RFC example
+      rand = Random.new
+      allow(Random).to receive(:new).and_return(rand)
+      allow(rand).to receive(:bytes).and_return(Webpush.decode64(std_salt))
+      # Mock input to match RFC example
+      allow(subject).to receive(:push_notification_json).and_return(std_input)
+
+      subject.perform(std_subscription.id, notification.id)
+
+      expect(standard_web_push_endpoint_request)
+        .to have_been_made
+    end
+    # rubocop:enable RSpec/SubjectStub
+
+    def legacy_web_push_endpoint_request
      a_request(
        :post,
        endpoint
@@ -66,5 +101,28 @@ RSpec.describe Web::PushNotificationWorker do
        body: "+\xB8\xDBT}\u0013\xB6\xDD.\xF9\xB0\xA7\xC8Ҁ\xFD\x99#\xF7\xAC\x83\xA4\xDB,\u001F\xB5\xB9w\x85>\xF7\xADr"
      )
    end
+
+    def standard_web_push_endpoint_request
+      a_request(
+        :post,
+        endpoint
+      ).with(
+        headers: {
+          'Content-Encoding' => 'aes128gcm',
+          'Content-Type' => 'application/octet-stream',
+          'Ttl' => '172800',
+          'Urgency' => 'normal',
+          'Authorization' => "vapid t=jwt.encoded.payload,k=#{vapid_public_key.delete('=')}",
+          'Unsubscribe-URL' => %r{/api/web/push_subscriptions/},
+        },
+        body: Webpush.decode64(std_ciphertext)
+      )
+    end
+
+    def std_as_keys
+      # VapidKey contains a method to retrieve EC keypair from
+      # B64 raw keys, the keypair is stored in curve field
+      Webpush::VapidKey.from_keys(std_as_public, std_as_private).curve
+    end
  end
 end