Push Notifications: Add Support for: VAPID / WebPush Subscriptions #1752

Open
AdamBien opened this issue Mar 19, 2024 · 0 comments
Labels
A-Push improvement An idea/future MSC for the spec

Comments

@AdamBien

Problem:

Missing endpoint to retrieve public key to create VAPID subscription for WebPush

Context:

The above diagram shows the flow of push notifications being sent to a handset where push notifications are submitted via the handset vendor, such as Apple’s APNS or Google’s GCM. This happens as follows:

1. The client app signs in to a homeserver.
2. The client app registers with its vendor’s Push Provider and obtains a routing token of some kind.
3. The mobile app uses the Client/Server API to add a ‘pusher’, providing the URL of a specific Push Gateway which is configured for that application. It also provides the routing token it has acquired from the Push Provider.
4. The homeserver starts sending HTTP requests to the Push Gateway using the supplied URL. The Push Gateway relays this notification to the Push Provider, passing the routing token along with any necessary private credentials the provider requires to send push notifications.
5. The Push Provider sends the notification to the device.

from: https://spec.matrix.org/v1.9/client-server-api/#push-notifications

The flow in the VAPID specification requires an endpoint to retrieve the server's public key:

4.1. Creating a Restricted Push Message Subscription

A user agent that wishes to create a restricted subscription includes
the public key of the application server when requesting the creation
of a push message subscription. This restricts use of the resulting
subscription to application servers that are able to provide a valid
JWT signed by the corresponding private key.

The user agent then adds the public key to the request to create a
push message subscription. The push message subscription request is
extended to include a body. The body of the request is a JSON object
as described in [RFC7159]. The user agent adds a "vapid" member to
this JSON object that contains a public key on the P-256 curve,
encoded in the uncompressed form [X9.62] and base64url encoded
[RFC7515]. The media type of the body is set to "application/
webpush-options+json" (see Section 6.3 for registration of this media
type).

https://www.rfc-editor.org/rfc/rfc8292.html#page-8

A public key is required by the browser to create a push subscription:
https://developer.mozilla.org/en-US/docs/Web/API/PushManager/subscribe#applicationserverkey
Matrix spec does not foresee a way to retrieve the public key from the server.

Proposal:

Introduce a public endpoint for key retrieval:

Request:
GET: /push/keys/public

Response: https://developer.mozilla.org/en-US/docs/Web/API/PushManager/subscribe#applicationserverkey
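
Added example, not part of the original issue or of the Matrix spec: a client-side check that a key fetched from a server is a well-formed VAPID key in the RFC 8292 encoding quoted above (base64url, uncompressed P-256 point) before it is handed to `PushManager.subscribe()` as `applicationServerKey`. It assumes the proposed endpoint would return the key as a base64url string; `parseVapidPublicKey`, `hexToBase64Url` and the sample value are hypothetical names and constructed data.

```javascript
// P-256 (secp256r1) field prime p and curve coefficient b.
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;

// Decode unpadded base64url (RFC 7515); any other character is rejected.
function base64UrlToBytes(text) {
  if (!/^[A-Za-z0-9_-]+$/.test(text)) throw new Error("not base64url");
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBigInt(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  return n;
}

// Returns the 65-byte key usable as applicationServerKey, or throws.
function parseVapidPublicKey(text) {
  const key = base64UrlToBytes(text.trim());
  if (key.length !== 65) throw new Error("expected 65 bytes, got " + key.length);
  if (key[0] !== 0x04) throw new Error("not an uncompressed point");
  const x = bytesToBigInt(key.subarray(1, 33));
  const y = bytesToBigInt(key.subarray(33, 65));
  if (x >= P || y >= P) throw new Error("coordinate out of range");
  // Curve equation: y^2 = x^3 - 3x + b (mod p).
  const lhs = (y * y) % P;
  const rhs = (((x * x * x - 3n * x + B) % P) + P) % P;
  if (lhs !== rhs) throw new Error("point is not on P-256");
  return key;
}

// Constructed sample: the P-256 base point G, chosen only because it is a
// well-known valid point. It is not a real server key.
const SAMPLE_HEX = "04" +
  "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296" +
  "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5";

// Helper for building test inputs from hex.
function hexToBase64Url(hex) {
  const bin = hex.match(/../g).map((h) => String.fromCharCode(parseInt(h, 16))).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

console.log(parseVapidPublicKey(hexToBase64Url(SAMPLE_HEX)).length);
```

Because a push subscription is bound to whichever key the client supplies, the key should only be fetched over an authenticated channel to the server the client already trusts; this check catches malformed values, not a substituted but valid key.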

@richvdh richvdh added A-Push improvement An idea/future MSC for the spec labels Apr 9, 2024