[feature] Push notifications (#3587)

* Update push subscription API model to be Mastodon 4.0 compatible * Add webpush-go dependency # Conflicts: # go.sum * Single-row table for storing instance's VAPID key pair * Generate VAPID key pair during startup * Add VAPID public key to instance info API * Return VAPID public key when registering an app * Store Web Push subscriptions in DB * Add Web Push sender (similar to email sender) * Add no-op push senders to most processor tests * Test Web Push notifications from workers * Delete Web Push subscriptions when account is deleted * Implement push subscription API * Linter fixes * Update Swagger * Fix enum to int migration * Fix GetVAPIDKeyPair * Create web push subscriptions table with indexes * Log Web Push server error messages * Send instance URL as Web Push JWT subject * Accept any 2xx code as a success * Fix malformed VAPID sub claim * Use packed notification flags * Remove unused date columns * Add notification type for update notifications Not used yet * Make GetVAPIDKeyPair idempotent and remove PutVAPIDKeyPair * Post-rebase fixes * go mod tidy * Special-case 400 errors other than 408/429 Most client errors should remove the subscription. * Improve titles, trim body to reasonable length * Disallow cleartext HTTP for Web Push servers * Fix lint * Remove redundant index on unique column Also removes redundant unique and notnull tags on ID column since these are implied by pk * Make realsender.go more readable * Use Tobi's style for wrapping errors * Restore treating all 5xx codes as temporary problems * Always load target account settings * Stub `policy` and `standard` * webpush.Sender: take type converter as ctor param * Move webpush.MockSender and noopSender into testrig
2025-06-05 21:59:39 +02:00 · 2025-01-23 16:47:30 -08:00
parent 9333bbc4d0
commit 5b765d734e
134 changed files with 21525 additions and 125 deletions
--- a/vendor/github.com/SherClockHolmes/webpush-go/vapid.go
+++ b/vendor/github.com/SherClockHolmes/webpush-go/vapid.go
@ -0,0 +1,117 @@
+package webpush
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"net/url"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+)
+
+// GenerateVAPIDKeys will create a private and public VAPID key pair
+func GenerateVAPIDKeys() (privateKey, publicKey string, err error) {
+	// Get the private key from the P256 curve
+	curve := elliptic.P256()
+
+	private, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return
+	}
+
+	public := elliptic.Marshal(curve, x, y)
+
+	// Convert to base64
+	publicKey = base64.RawURLEncoding.EncodeToString(public)
+	privateKey = base64.RawURLEncoding.EncodeToString(private)
+
+	return
+}
+
+// Generates the ECDSA public and private keys for the JWT encryption
+func generateVAPIDHeaderKeys(privateKey []byte) *ecdsa.PrivateKey {
+	// Public key
+	curve := elliptic.P256()
+	px, py := curve.ScalarMult(
+		curve.Params().Gx,
+		curve.Params().Gy,
+		privateKey,
+	)
+
+	pubKey := ecdsa.PublicKey{
+		Curve: curve,
+		X:     px,
+		Y:     py,
+	}
+
+	// Private key
+	d := &big.Int{}
+	d.SetBytes(privateKey)
+
+	return &ecdsa.PrivateKey{
+		PublicKey: pubKey,
+		D:         d,
+	}
+}
+
+// getVAPIDAuthorizationHeader
+func getVAPIDAuthorizationHeader(
+	endpoint,
+	subscriber,
+	vapidPublicKey,
+	vapidPrivateKey string,
+	expiration time.Time,
+) (string, error) {
+	// Create the JWT token
+	subURL, err := url.Parse(endpoint)
+	if err != nil {
+		return "", err
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.MapClaims{
+		"aud": fmt.Sprintf("%s://%s", subURL.Scheme, subURL.Host),
+		"exp": expiration.Unix(),
+		"sub": fmt.Sprintf("mailto:%s", subscriber),
+	})
+
+	// Decode the VAPID private key
+	decodedVapidPrivateKey, err := decodeVapidKey(vapidPrivateKey)
+	if err != nil {
+		return "", err
+	}
+
+	privKey := generateVAPIDHeaderKeys(decodedVapidPrivateKey)
+
+	// Sign token with private key
+	jwtString, err := token.SignedString(privKey)
+	if err != nil {
+		return "", err
+	}
+
+	// Decode the VAPID public key
+	pubKey, err := decodeVapidKey(vapidPublicKey)
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf(
+		"vapid t=%s, k=%s",
+		jwtString,
+		base64.RawURLEncoding.EncodeToString(pubKey),
+	), nil
+}
+
+// Need to decode the vapid private key in multiple base64 formats
+// Solution from: https://github.com/SherClockHolmes/webpush-go/issues/29
+func decodeVapidKey(key string) ([]byte, error) {
+	bytes, err := base64.URLEncoding.DecodeString(key)
+	if err == nil {
+		return bytes, nil
+	}
+
+	return base64.RawURLEncoding.DecodeString(key)
+}