autopush
Verify that RFC vapid keys are being properly handled
While trying to work out an issue with the Vapid python library, I noted that I am getting a 401 "Request did not validate missing authorization header" when using an RFC VAPID header. This error is generated by autopush.web.webpush.WebPushSubscriptionSchema.extract_subscription() whenever there is any VAPID error, which isn't super helpful.
Unit tests show that this should be working ok. Will need to do some work to remember the incantation to get an endpoint I can test against locally and work out what's going on.
Potentially related to https://github.com/mozilla-services/autopush/issues/1418 and https://github.com/mozilla-services/autopush/issues/1417
Returning 401 for invalid keys is wrong according to the proposed RFC 8292 Voluntary Application Server Identification (VAPID) for Web Push:
A 401 (Unauthorized) status code might be used if the authentication is absent; a 403 (Forbidden) status code might be used if authentication is invalid.
The potential problem I'm seeing is that some libraries rely on the 403 error code to automatically remove the invalid endpoints. Thus, returning 401 means those users won't get removed, which ends up in multiple failed messages to invalid endpoints hammering the push server. I don't know if it could end up with the publishers being banned but that could be possible as well. This doesn't happen with Chrome Push API though, which indeed returns 403 for those invalid endpoints.