diff --git a/Gemfile b/Gemfile index f112e5ea5fc..2abdae151fe 100644 --- a/Gemfile +++ b/Gemfile @@ -94,7 +94,7 @@ gem 'twitter-text', '~> 3.1.0' gem 'tzinfo-data', '~> 1.2023' gem 'webauthn', '~> 3.0' gem 'webpacker', '~> 5.4' -gem 'webpush', github: 'mastodon/webpush', ref: '52725def8baf67e0d645c9d1c6c0bdff69da0c60' +gem 'webpush', github: 'mastodon/webpush', ref: '9631ac63045cfabddacc69fc06e919b4c13eb913' gem 'json-ld' gem 'json-ld-preloaded', '~> 3.2' diff --git a/Gemfile.lock b/Gemfile.lock index 596ed7bf521..89739f9053d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ GIT remote: https://github.com/mastodon/webpush.git - revision: 52725def8baf67e0d645c9d1c6c0bdff69da0c60 - ref: 52725def8baf67e0d645c9d1c6c0bdff69da0c60 + revision: 9631ac63045cfabddacc69fc06e919b4c13eb913 + ref: 9631ac63045cfabddacc69fc06e919b4c13eb913 specs: webpush (1.1.0) hkdf (~> 0.2) diff --git a/app/controllers/api/v1/push/subscriptions_controller.rb b/app/controllers/api/v1/push/subscriptions_controller.rb index e1ad89ee3e0..d74b5d958fe 100644 --- a/app/controllers/api/v1/push/subscriptions_controller.rb +++ b/app/controllers/api/v1/push/subscriptions_controller.rb @@ -21,6 +21,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController endpoint: subscription_params[:endpoint], key_p256dh: subscription_params[:keys][:p256dh], key_auth: subscription_params[:keys][:auth], + standard: subscription_params[:standard] || false, data: data_params, user_id: current_user.id, access_token_id: doorkeeper_token.id @@ -55,7 +56,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController end def subscription_params - params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh]) + params.require(:subscription).permit(:endpoint, :standard, keys: [:auth, :p256dh]) end def data_params diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb index f5159614278..7eb51c68462 100644 --- a/app/controllers/api/web/push_subscriptions_controller.rb +++ b/app/controllers/api/web/push_subscriptions_controller.rb @@ -66,7 +66,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController end def subscription_params - @subscription_params ||= params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh]) + @subscription_params ||= params.require(:subscription).permit(:standard, :endpoint, keys: [:auth, :p256dh]) end def web_push_subscription_params @@ -76,6 +76,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController endpoint: subscription_params[:endpoint], key_auth: subscription_params[:keys][:auth], key_p256dh: subscription_params[:keys][:p256dh], + standard: subscription_params[:standard] || false, user_id: active_session.user_id, } end diff --git a/app/lib/web_push_request.rb b/app/lib/web_push_request.rb index 91227ed4602..85e8ab6bb51 100644 --- a/app/lib/web_push_request.rb +++ b/app/lib/web_push_request.rb @@ -2,7 +2,8 @@ class WebPushRequest SIGNATURE_ALGORITHM = 'p256ecdsa' - AUTH_HEADER = 'WebPush' + LEGACY_AUTH_HEADER = 'WebPush' + STANDARD_AUTH_HEADER = 'vapid' PAYLOAD_EXPIRATION = 24.hours JWT_ALGORITHM = 'ES256' JWT_TYPE = 'JWT' @@ -10,6 +11,7 @@ class WebPushRequest attr_reader :web_push_subscription delegate( + :standard, :endpoint, :key_auth, :key_p256dh, @@ -24,20 +26,36 @@ class WebPushRequest @audience ||= Addressable::URI.parse(endpoint).normalized_site end - def authorization_header - [AUTH_HEADER, encoded_json_web_token].join(' ') + def legacy_authorization_header + [LEGACY_AUTH_HEADER, encoded_json_web_token].join(' ') end def crypto_key_header [SIGNATURE_ALGORITHM, vapid_key.public_key_for_push_header].join('=') end - def encrypt(payload) + def legacy_encrypt(payload) Webpush::Legacy::Encryption.encrypt(payload, key_p256dh, key_auth) end + def standard_authorization_header + [STANDARD_AUTH_HEADER, standard_vapid_value].join(' ') + end + + def standard_encrypt(payload) + Webpush::Encryption.encrypt(payload, key_p256dh, key_auth) + end + + def legacy + !standard + end + private + def standard_vapid_value + "t=#{encoded_json_web_token},k=#{vapid_key.public_key_for_push_header}" + end + def encoded_json_web_token JWT.encode( web_token_payload, diff --git a/app/models/web/push_subscription.rb b/app/models/web/push_subscription.rb index 656040d2cec..12d843cd09d 100644 --- a/app/models/web/push_subscription.rb +++ b/app/models/web/push_subscription.rb @@ -5,10 +5,11 @@ # Table name: web_push_subscriptions # # id :bigint(8) not null, primary key -# endpoint :string not null -# key_p256dh :string not null -# key_auth :string not null # data :json +# endpoint :string not null +# key_auth :string not null +# key_p256dh :string not null +# standard :boolean default(FALSE), not null # created_at :datetime not null # updated_at :datetime not null # access_token_id :bigint(8) diff --git a/app/serializers/rest/web_push_subscription_serializer.rb b/app/serializers/rest/web_push_subscription_serializer.rb index 674a2d5a86e..4cb980bb933 100644 --- a/app/serializers/rest/web_push_subscription_serializer.rb +++ b/app/serializers/rest/web_push_subscription_serializer.rb @@ -1,7 +1,9 @@ # frozen_string_literal: true class REST::WebPushSubscriptionSerializer < ActiveModel::Serializer - attributes :id, :endpoint, :alerts, :server_key, :policy + attributes :id, :endpoint, :standard, :alerts, :server_key, :policy + + delegate :standard, to: :object def alerts (object.data&.dig('alerts') || {}).each_with_object({}) { |(k, v), h| h[k] = ActiveModel::Type::Boolean.new.cast(v) } diff --git a/app/validators/web_push_key_validator.rb b/app/validators/web_push_key_validator.rb index 25914d59ebc..a8ad5c9c6bb 100644 --- a/app/validators/web_push_key_validator.rb +++ b/app/validators/web_push_key_validator.rb @@ -3,7 +3,7 @@ class WebPushKeyValidator < ActiveModel::Validator def validate(subscription) begin - Webpush::Legacy::Encryption.encrypt('validation_test', subscription.key_p256dh, subscription.key_auth) + Webpush::Encryption.encrypt('validation_test', subscription.key_p256dh, subscription.key_auth) rescue ArgumentError, OpenSSL::PKey::EC::Point::Error subscription.errors.add(:base, I18n.t('crypto.errors.invalid_key')) end diff --git a/app/workers/web/push_notification_worker.rb b/app/workers/web/push_notification_worker.rb index 3629904fa7f..32279a9e74d 100644 --- a/app/workers/web/push_notification_worker.rb +++ b/app/workers/web/push_notification_worker.rb @@ -19,7 +19,19 @@ class Web::PushNotificationWorker # in the meantime, so we have to double-check before proceeding return unless @notification.activity.present? && @subscription.pushable?(@notification) - payload = web_push_request.encrypt(push_notification_json) + if web_push_request.legacy + perform_legacy_request + else + perform_standard_request + end + rescue ActiveRecord::RecordNotFound + true + end + + private + + def perform_legacy_request + payload = web_push_request.legacy_encrypt(push_notification_json) request_pool.with(web_push_request.audience) do |http_client| request = Request.new(:post, web_push_request.endpoint, body: payload.fetch(:ciphertext), http_client: http_client) @@ -31,28 +43,48 @@ class Web::PushNotificationWorker 'Content-Encoding' => 'aesgcm', 'Encryption' => "salt=#{Webpush.encode64(payload.fetch(:salt)).delete('=')}", 'Crypto-Key' => "dh=#{Webpush.encode64(payload.fetch(:server_public_key)).delete('=')};#{web_push_request.crypto_key_header}", - 'Authorization' => web_push_request.authorization_header, + 'Authorization' => web_push_request.legacy_authorization_header, 'Unsubscribe-URL' => subscription_url ) - request.perform do |response| - # If the server responds with an error in the 4xx range - # that isn't about rate-limiting or timeouts, we can - # assume that the subscription is invalid or expired - # and must be removed - - if (400..499).cover?(response.code) && ![408, 429].include?(response.code) - @subscription.destroy! - elsif !(200...300).cover?(response.code) - raise Mastodon::UnexpectedResponseError, response - end - end + send(request) end - rescue ActiveRecord::RecordNotFound - true end - private + def perform_standard_request + payload = web_push_request.standard_encrypt(push_notification_json) + + request_pool.with(web_push_request.audience) do |http_client| + request = Request.new(:post, web_push_request.endpoint, body: payload, http_client: http_client) + + request.add_headers( + 'Content-Type' => 'application/octet-stream', + 'Ttl' => TTL.to_s, + 'Urgency' => URGENCY, + 'Content-Encoding' => 'aes128gcm', + 'Authorization' => web_push_request.standard_authorization_header, + 'Unsubscribe-URL' => subscription_url, + 'Content-Length' => payload.length.to_s + ) + + send(request) + end + end + + def send(request) + request.perform do |response| + # If the server responds with an error in the 4xx range + # that isn't about rate-limiting or timeouts, we can + # assume that the subscription is invalid or expired + # and must be removed + + if (400..499).cover?(response.code) && ![408, 429].include?(response.code) + @subscription.destroy! + elsif !(200...300).cover?(response.code) + raise Mastodon::UnexpectedResponseError, response + end + end + end def web_push_request @web_push_request || WebPushRequest.new(@subscription) diff --git a/db/migrate/20250108111200_add_standard_to_push_subscription.rb b/db/migrate/20250108111200_add_standard_to_push_subscription.rb new file mode 100644 index 00000000000..eb72f9c62e4 --- /dev/null +++ b/db/migrate/20250108111200_add_standard_to_push_subscription.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class AddStandardToPushSubscription < ActiveRecord::Migration[8.0] + def change + add_column :web_push_subscriptions, :standard, :boolean, null: false, default: false + end +end diff --git a/db/schema.rb b/db/schema.rb index 49b10cb7bd1..13abd5c0cd6 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -10,9 +10,9 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema[7.2].define(version: 2024_12_16_224825) do +ActiveRecord::Schema[8.0].define(version: 2025_01_08_111200) do # These are extensions that must be enabled in order to support this database - enable_extension "plpgsql" + enable_extension "pg_catalog.plpgsql" create_table "account_aliases", force: :cascade do |t| t.bigint "account_id", null: false @@ -1202,6 +1202,7 @@ ActiveRecord::Schema[7.2].define(version: 2024_12_16_224825) do t.datetime "updated_at", precision: nil, null: false t.bigint "access_token_id" t.bigint "user_id" + t.boolean "standard", default: false, null: false t.index ["access_token_id"], name: "index_web_push_subscriptions_on_access_token_id", where: "(access_token_id IS NOT NULL)" t.index ["user_id"], name: "index_web_push_subscriptions_on_user_id" end diff --git a/spec/workers/web/push_notification_worker_spec.rb b/spec/workers/web/push_notification_worker_spec.rb index 88d88f2f3de..6ee8ae53f8e 100644 --- a/spec/workers/web/push_notification_worker_spec.rb +++ b/spec/workers/web/push_notification_worker_spec.rb @@ -5,21 +5,36 @@ require 'rails_helper' RSpec.describe Web::PushNotificationWorker do subject { described_class.new } - let(:p256dh) { 'BN4GvZtEZiZuqFxSKVZfSfluwKBD7UxHNBmWkfiZfCtgDE8Bwh-_MtLXbBxTBAWH9r7IPKL0lhdcaqtL1dfxU5E=' } - let(:auth) { 'Q2BoAjC09xH3ywDLNJr-dA==' } let(:endpoint) { 'https://updates.push.services.mozilla.com/push/v1/subscription-id' } let(:user) { Fabricate(:user) } let(:notification) { Fabricate(:notification) } - let(:subscription) { Fabricate(:web_push_subscription, user_id: user.id, key_p256dh: p256dh, key_auth: auth, endpoint: endpoint, data: { alerts: { notification.type => true } }) } let(:vapid_public_key) { 'BB37UCyc8LLX4PNQSe-04vSFvpUWGrENubUaslVFM_l5TxcGVMY0C3RXPeUJAQHKYlcOM2P4vTYmkoo0VZGZTM4=' } let(:vapid_private_key) { 'OPrw1Sum3gRoL4-DXfSCC266r-qfFSRZrnj8MgIhRHg=' } let(:vapid_key) { Webpush::VapidKey.from_keys(vapid_public_key, vapid_private_key) } let(:contact_email) { 'sender@example.com' } - let(:ciphertext) { "+\xB8\xDBT}\x13\xB6\xDD.\xF9\xB0\xA7\xC8\xD2\x80\xFD\x99#\xF7\xAC\x83\xA4\xDB,\x1F\xB5\xB9w\x85>\xF7\xADr" } - let(:salt) { "X\x97\x953\xE4X\xF8_w\xE7T\x95\xC51q\xFE" } - let(:server_public_key) { "\x04\b-RK9w\xDD$\x16lFz\xF9=\xB4~\xC6\x12k\xF3\xF40t\xA9\xC1\fR\xC3\x81\x80\xAC\f\x7F\xE4\xCC\x8E\xC2\x88 n\x8BB\xF1\x9C\x14\a\xFA\x8D\xC9\x80\xA1\xDDyU\\&c\x01\x88#\x118Ua" } - let(:shared_secret) { "\t\xA7&\x85\t\xC5m\b\xA8\xA7\xF8B{1\xADk\xE1y'm\xEDE\xEC\xDD\xEDj\xB3$s\xA9\xDA\xF0" } - let(:payload) { { ciphertext: ciphertext, salt: salt, server_public_key: server_public_key, shared_secret: shared_secret } } + + # Legacy values + let(:p256dh) { 'BN4GvZtEZiZuqFxSKVZfSfluwKBD7UxHNBmWkfiZfCtgDE8Bwh-_MtLXbBxTBAWH9r7IPKL0lhdcaqtL1dfxU5E=' } + let(:auth) { 'Q2BoAjC09xH3ywDLNJr-dA==' } + let(:legacy_subscription) { Fabricate(:web_push_subscription, user_id: user.id, key_p256dh: p256dh, key_auth: auth, endpoint: endpoint, data: { alerts: { notification.type => true } }) } + let(:legacy_payload) do + { + ciphertext: "+\xB8\xDBT}\x13\xB6\xDD.\xF9\xB0\xA7\xC8\xD2\x80\xFD\x99#\xF7\xAC\x83\xA4\xDB,\x1F\xB5\xB9w\x85>\xF7\xADr", + salt: "X\x97\x953\xE4X\xF8_w\xE7T\x95\xC51q\xFE", + server_public_key: "\x04\b-RK9w\xDD$\x16lFz\xF9=\xB4~\xC6\x12k\xF3\xF40t\xA9\xC1\fR\xC3\x81\x80\xAC\f\x7F\xE4\xCC\x8E\xC2\x88 n\x8BB\xF1\x9C\x14\a\xFA\x8D\xC9\x80\xA1\xDDyU\\&c\x01\x88#\x118Ua", + shared_secret: "\t\xA7&\x85\t\xC5m\b\xA8\xA7\xF8B{1\xADk\xE1y'm\xEDE\xEC\xDD\xEDj\xB3$s\xA9\xDA\xF0", + } + end + + # Standard values, from RFC8291 + let(:std_p256dh) { 'BCVxsr7N_eNgVRqvHtD0zTZsEc6-VV-JvLexhqUzORcxaOzi6-AYWXvTBHm4bjyPjs7Vd8pZGH6SRpkNtoIAiw4' } + let(:std_auth) { 'BTBZMqHH6r4Tts7J_aSIgg' } + let(:std_as_public) { 'BP4z9KsN6nGRTbVYI_c7VJSPQTBtkgcy27mlmlMoZIIgDll6e3vCYLocInmYWAmS6TlzAC8wEqKK6PBru3jl7A8' } + let(:std_as_private) { 'yfWPiYE-n46HLnH0KqZOF1fJJU3MYrct3AELtAQ-oRw' } + let(:std_salt) { 'DGv6ra1nlYgDCS1FRnbzlw' } + let(:std_subscription) { Fabricate(:web_push_subscription, user_id: user.id, key_p256dh: std_p256dh, key_auth: std_auth, endpoint: endpoint, standard: true, data: { alerts: { notification.type => true } }) } + let(:std_input) { 'When I grow up, I want to be a watermelon' } + let(:std_ciphertext) { 'DGv6ra1nlYgDCS1FRnbzlwAAEABBBP4z9KsN6nGRTbVYI_c7VJSPQTBtkgcy27mlmlMoZIIgDll6e3vCYLocInmYWAmS6TlzAC8wEqKK6PBru3jl7A_yl95bQpu6cVPTpK4Mqgkf1CXztLVBSt2Ks3oZwbuwXPXLWyouBWLVWGNWQexSgSxsj_Qulcy4a-fN' } describe 'perform' do around do |example| @@ -35,20 +50,40 @@ RSpec.describe Web::PushNotificationWorker do before do Setting.site_contact_email = contact_email - allow(Webpush::Legacy::Encryption).to receive(:encrypt).and_return(payload) allow(JWT).to receive(:encode).and_return('jwt.encoded.payload') stub_request(:post, endpoint).to_return(status: 201, body: '') end - it 'calls the relevant service with the correct headers' do - subject.perform(subscription.id, notification.id) + it 'Legacy push calls the relevant service with the legacy headers' do + allow(Webpush::Legacy::Encryption).to receive(:encrypt).and_return(legacy_payload) - expect(web_push_endpoint_request) + subject.perform(legacy_subscription.id, notification.id) + + expect(legacy_web_push_endpoint_request) .to have_been_made end - def web_push_endpoint_request + # We allow subject stub to encrypt the same input than the RFC8291 example + # rubocop:disable RSpec/SubjectStub + it 'Standard push calls the relevant service with the standard headers' do + # Mock server keys to match RFC example + allow(OpenSSL::PKey::EC).to receive(:generate).and_return(std_as_keys) + # Mock the random salt to match RFC example + rand = Random.new + allow(Random).to receive(:new).and_return(rand) + allow(rand).to receive(:bytes).and_return(Webpush.decode64(std_salt)) + # Mock input to match RFC example + allow(subject).to receive(:push_notification_json).and_return(std_input) + + subject.perform(std_subscription.id, notification.id) + + expect(standard_web_push_endpoint_request) + .to have_been_made + end + # rubocop:enable RSpec/SubjectStub + + def legacy_web_push_endpoint_request a_request( :post, endpoint @@ -66,5 +101,28 @@ RSpec.describe Web::PushNotificationWorker do body: "+\xB8\xDBT}\u0013\xB6\xDD.\xF9\xB0\xA7\xC8Ҁ\xFD\x99#\xF7\xAC\x83\xA4\xDB,\u001F\xB5\xB9w\x85>\xF7\xADr" ) end + + def standard_web_push_endpoint_request + a_request( + :post, + endpoint + ).with( + headers: { + 'Content-Encoding' => 'aes128gcm', + 'Content-Type' => 'application/octet-stream', + 'Ttl' => '172800', + 'Urgency' => 'normal', + 'Authorization' => "vapid t=jwt.encoded.payload,k=#{vapid_public_key.delete('=')}", + 'Unsubscribe-URL' => %r{/api/web/push_subscriptions/}, + }, + body: Webpush.decode64(std_ciphertext) + ) + end + + def std_as_keys + # VapidKey contains a method to retrieve EC keypair from + # B64 raw keys, the keypair is stored in curve field + Webpush::VapidKey.from_keys(std_as_public, std_as_private).curve + end end end