mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2025-01-30 20:56:55 +01:00
5b765d734e
* Update push subscription API model to be Mastodon 4.0 compatible * Add webpush-go dependency # Conflicts: # go.sum * Single-row table for storing instance's VAPID key pair * Generate VAPID key pair during startup * Add VAPID public key to instance info API * Return VAPID public key when registering an app * Store Web Push subscriptions in DB * Add Web Push sender (similar to email sender) * Add no-op push senders to most processor tests * Test Web Push notifications from workers * Delete Web Push subscriptions when account is deleted * Implement push subscription API * Linter fixes * Update Swagger * Fix enum to int migration * Fix GetVAPIDKeyPair * Create web push subscriptions table with indexes * Log Web Push server error messages * Send instance URL as Web Push JWT subject * Accept any 2xx code as a success * Fix malformed VAPID sub claim * Use packed notification flags * Remove unused date columns * Add notification type for update notifications Not used yet * Make GetVAPIDKeyPair idempotent and remove PutVAPIDKeyPair * Post-rebase fixes * go mod tidy * Special-case 400 errors other than 408/429 Most client errors should remove the subscription. * Improve titles, trim body to reasonable length * Disallow cleartext HTTP for Web Push servers * Fix lint * Remove redundant index on unique column Also removes redundant unique and notnull tags on ID column since these are implied by pk * Make realsender.go more readable * Use Tobi's style for wrapping errors * Restore treating all 5xx codes as temporary problems * Always load target account settings * Stub `policy` and `standard` * webpush.Sender: take type converter as ctor param * Move webpush.MockSender and noopSender into testrig
117 lines
2.4 KiB
Go
117 lines
2.4 KiB
Go
package webpush
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"math/big"
|
|
"net/url"
|
|
"time"
|
|
|
|
"github.com/golang-jwt/jwt"
|
|
)
|
|
|
|
// GenerateVAPIDKeys will create a private and public VAPID key pair
|
|
func GenerateVAPIDKeys() (privateKey, publicKey string, err error) {
|
|
// Get the private key from the P256 curve
|
|
curve := elliptic.P256()
|
|
|
|
private, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
public := elliptic.Marshal(curve, x, y)
|
|
|
|
// Convert to base64
|
|
publicKey = base64.RawURLEncoding.EncodeToString(public)
|
|
privateKey = base64.RawURLEncoding.EncodeToString(private)
|
|
|
|
return
|
|
}
|
|
|
|
// Generates the ECDSA public and private keys for the JWT encryption
|
|
func generateVAPIDHeaderKeys(privateKey []byte) *ecdsa.PrivateKey {
|
|
// Public key
|
|
curve := elliptic.P256()
|
|
px, py := curve.ScalarMult(
|
|
curve.Params().Gx,
|
|
curve.Params().Gy,
|
|
privateKey,
|
|
)
|
|
|
|
pubKey := ecdsa.PublicKey{
|
|
Curve: curve,
|
|
X: px,
|
|
Y: py,
|
|
}
|
|
|
|
// Private key
|
|
d := &big.Int{}
|
|
d.SetBytes(privateKey)
|
|
|
|
return &ecdsa.PrivateKey{
|
|
PublicKey: pubKey,
|
|
D: d,
|
|
}
|
|
}
|
|
|
|
// getVAPIDAuthorizationHeader
|
|
func getVAPIDAuthorizationHeader(
|
|
endpoint,
|
|
subscriber,
|
|
vapidPublicKey,
|
|
vapidPrivateKey string,
|
|
expiration time.Time,
|
|
) (string, error) {
|
|
// Create the JWT token
|
|
subURL, err := url.Parse(endpoint)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.MapClaims{
|
|
"aud": fmt.Sprintf("%s://%s", subURL.Scheme, subURL.Host),
|
|
"exp": expiration.Unix(),
|
|
"sub": fmt.Sprintf("mailto:%s", subscriber),
|
|
})
|
|
|
|
// Decode the VAPID private key
|
|
decodedVapidPrivateKey, err := decodeVapidKey(vapidPrivateKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
privKey := generateVAPIDHeaderKeys(decodedVapidPrivateKey)
|
|
|
|
// Sign token with private key
|
|
jwtString, err := token.SignedString(privKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Decode the VAPID public key
|
|
pubKey, err := decodeVapidKey(vapidPublicKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return fmt.Sprintf(
|
|
"vapid t=%s, k=%s",
|
|
jwtString,
|
|
base64.RawURLEncoding.EncodeToString(pubKey),
|
|
), nil
|
|
}
|
|
|
|
// Need to decode the vapid private key in multiple base64 formats
|
|
// Solution from: https://github.com/SherClockHolmes/webpush-go/issues/29
|
|
func decodeVapidKey(key string) ([]byte, error) {
|
|
bytes, err := base64.URLEncoding.DecodeString(key)
|
|
if err == nil {
|
|
return bytes, nil
|
|
}
|
|
|
|
return base64.RawURLEncoding.DecodeString(key)
|
|
}
|