web-push
Remove support for the GCM protocol when it's no longer needed
I'm not sure when the standard Web Push service for Chrome is going to be available, but when it is, we should remove support for the GCM proprietary protocol.
I'll put together a test for Chrome's VAPID -> web push protocol support so you can see how it'll work and see when GCM is no longer needed.
Sooooo I've put together the initial work for this BUT there is a little problem.
I can't get the VAPID JWT signing to work with the web-push library.
If you check out simple-push-demo I've got it working: https://github.com/gauntface/simple-push-demo/blob/master/src/scripts/encryption/encryption-factory.js#L438
You can see where I'm currently at here: https://github.com/gauntface/web-push/commit/f245bd839c378bfb58dec12780254d3617940951
The only thing I can think of is that the private key to PEM conversion is wrong. If you compare jwkToPem vs toPEM methods, you get quite different results, neither of which works.
Try running nodemon ./test/helpers/cli-run-server.js and copy the URL it gives you into Chrome Beta or Canary and you'll be able to see the endpoint change to FCM, which requires VAPID and uses web push protocol, but no matter what I do, I can't get a message sent. Any thoughts / ideas?
Interesting... It does work correctly with the Firefox push service (which does verify the token as far as I know). Maybe there's some difference in the VAPID implementation between GCM and Autopush?
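For reference on the VAPID JWT signing discussed above, an added example (not code from this thread or from the web-push library) that signs and verifies an RFC 8292 token in Node.js by importing the raw P-256 key as a JWK, so no PEM conversion is involved, and by requesting the raw `r || s` signature encoding that ES256 requires. The function names, the endpoint passed in and the sample key are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// JWK for a raw P-256 key: 65-byte uncompressed point (0x04 || x || y) and,
// for the private key, the 32-byte scalar d. No PEM/ASN.1 conversion involved.
function rawToJwk(publicKey, privateKey) {
  if (publicKey.length !== 65 || publicKey[0] !== 0x04) throw new Error('bad public key');
  const jwk = { kty: 'EC', crv: 'P-256',
    x: b64url(publicKey.subarray(1, 33)), y: b64url(publicKey.subarray(33, 65)) };
  if (privateKey) {
    if (privateKey.length !== 32) throw new Error('bad private key');
    jwk.d = b64url(privateKey);
  }
  return jwk;
}

// Sender side: VAPID token with aud = origin of the push endpoint (RFC 8292).
function signVapidJwt(endpoint, subject, publicKey, privateKey, nowSeconds) {
  const key = crypto.createPrivateKey({ format: 'jwk', key: rawToJwk(publicKey, privateKey) });
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'ES256' }));
  const claims = b64url(JSON.stringify({
    aud: new URL(endpoint).origin, exp: nowSeconds + 12 * 60 * 60, sub: subject }));
  // JWS ES256 needs the raw 64-byte r || s signature, not Node's default DER.
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${claims}`),
    { key, dsaEncoding: 'ieee-p1363' });
  return `${header}.${claims}.${b64url(sig)}`;
}

// Receiver side: signature, audience and expiry checks per RFC 8292.
function verifyVapidJwt(jwt, endpoint, publicKey, nowSeconds) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return false;
  const sig = Buffer.from(parts[2], 'base64url');
  if (sig.length !== 64) return false; // DER-encoded signatures fail here
  const key = crypto.createPublicKey({ format: 'jwk', key: rawToJwk(publicKey) });
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, sig);
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  return ok && claims.aud === new URL(endpoint).origin &&
    claims.exp > nowSeconds && claims.exp <= nowSeconds + 24 * 60 * 60;
}

// Constructed sample key (not a real credential): scalar of 32 0x01 bytes.
function sampleKeys() {
  const ecdh = crypto.createECDH('prime256v1');
  ecdh.setPrivateKey(Buffer.alloc(32, 1));
  return { publicKey: ecdh.getPublicKey(), privateKey: ecdh.getPrivateKey() };
}
```

Signing the same input with Node's default DER encoding produces a token that `verifyVapidJwt` rejects on the length check alone.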
@gauntface do you know if Opera and Samsung Internet Browser still require GCM?
I did a personal assessment the other day where it appeared to me that Opera updated to a version of Chromium that should support VAPID (52) for Opera 39 (8/2016). It seems like maybe Samsung more recently did as well in 10/2017? Of course, a non-trivial percentage of those browsers' users are not on those versions yet (https://caniuse.com/usage-table).
cc @torgo do you know who could confirm Samsung support?
Can someone explain to me why the GCM key is necessary in the first place — (I'm new to notification sending)
It's not really at this point. There was a time when Chromium-based browsers required it in order to send web push - in order to ensure that the sender is authorized to send push to the given recipient - that time basically ended once almost all users in the wild upgraded their Chromium-based browsers past Chromium 52. On modern browsers, sender authorization is instead ensured via the VAPID protocol, and the GCM key isn't used. I believe that once Google removed the GCM servers (due to FCM taking over their push platforms), web push probably stopped working on any older browsers in the wild that still relied on the GCM key, so that at this point it truly does nothing.
I don't know if support for old browsers using GCM key has happened (i.e. I wouldn't be surprised if the old API endpoints still work).
But I'd say that the usage should be incredibly low if not non-existent, so dropping support at this point wouldn't be a bad thing.