
Notification::getOrigin does not handle non-standard ports, leading to incorrect VAPID JWT aud. #153

Open
hectorgrebbell opened this issue Jan 14, 2021 · 1 comment

Comments

@hectorgrebbell

As per the VAPID spec (https://tools.ietf.org/html/rfc8292#section-2)

An "aud" (Audience) claim in the token MUST include the Unicode
serialization of the origin (Section 6.1 of [RFC6454]) of the push
resource URL. This binds the token to a specific push service and
ensures that the token is reusable for all push resource URLs that
share the same origin.

And as per RFC 6454 (https://tools.ietf.org/html/rfc6454#section-6.1), for non-default ports these should be included.

The implementation of getOrigin does not handle this -

public String getOrigin() throws MalformedURLException {

Meaning the VAPID aud can be incorrect.
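For reference, here is what an RFC 6454 section 6.1 origin serialization looks like when applied to a push resource URL. This is an added example, not code from the web-push library or from the issue reporter; the class name `OriginExample` and the sample endpoint URLs are constructed for illustration. It lowercases scheme and host as RFC 6454 section 4 requires, and appends the port only when it differs from the scheme's default, which is exactly the case the issue says the library's `getOrigin` misses.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;

// Added example (not the library's code): derive the VAPID "aud" value,
// i.e. the RFC 6454 origin, from a push resource URL.
public final class OriginExample {

    // Serializes the origin of the given URL per RFC 6454 section 6.1:
    //   scheme "://" host [ ":" port ]
    // The port is appended only when it is present and differs from the
    // default port for the scheme (443 for https, 80 for http).
    // Hosts in this example are ASCII, so the ASCII and Unicode
    // serializations (the latter is what RFC 8292 asks for) are identical.
    public static String getOrigin(String pushResourceUrl) throws MalformedURLException {
        URL url = new URL(pushResourceUrl);

        // RFC 6454 section 4: scheme and host are compared case-insensitively,
        // so normalize both to lowercase before serializing.
        String scheme = url.getProtocol().toLowerCase(Locale.ROOT);
        String host = url.getHost().toLowerCase(Locale.ROOT);

        // java.net.URL.getPort() returns -1 when the URL carries no explicit port;
        // getDefaultPort() returns the scheme's default (443 for https, 80 for http).
        int port = url.getPort();
        if (port == -1 || port == url.getDefaultPort()) {
            return scheme + "://" + host;
        }
        return scheme + "://" + host + ":" + port;
    }

    // A naive serialization that drops the port entirely, shown only to make
    // the difference visible: for a push service on a non-default port it
    // yields an "aud" the push service will reject.
    public static String getOriginWithoutPort(String pushResourceUrl) throws MalformedURLException {
        URL url = new URL(pushResourceUrl);
        return url.getProtocol().toLowerCase(Locale.ROOT) + "://" + url.getHost().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample endpoints (not real push services).
        String[] endpoints = {
            "https://push.example.com/send/abc123",        // no explicit port
            "https://PUSH.Example.com:443/send/abc123",    // explicit default port, mixed-case host
            "https://push.example.com:8443/send/abc123",   // non-default port: must appear in aud
            "http://localhost:8080/push/xyz"               // local development push service
        };
        for (String endpoint : endpoints) {
            System.out.println(endpoint);
            System.out.println("  RFC 6454 aud : " + getOrigin(endpoint));
            System.out.println("  port dropped : " + getOriginWithoutPort(endpoint));
        }
    }
}
```

Running the example prints `https://push.example.com:8443` for the third endpoint under the RFC 6454 rule but `https://push.example.com` when the port is dropped; a push service listening on 8443 compares the token's `aud` against its own origin and will treat the second value as a token issued for a different service. The first two endpoints serialize identically (`https://push.example.com`), which is why the bug is invisible against the common public push services and only shows up with self-hosted or development instances on other ports.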

@martijndwars
Member

Good catch, I’ll work on a fix. Thanks!
