FIX: Push notifications could fail with UnauthorizedRegistration

The webpush gem by default sets the expiration date of the JWT token to exactly 24 hours in the future. That’s not really needed because the token isn’t reused. And it might cause UnauthorizedRegistration if the server’s clock isn’t 100% correct, because the maximum allowed value is 24 hours.

diff --git a/app/services/push_notification_pusher.rb b/app/services/push_notification_pusher.rb
index 39155a7..a7d562f 100644
--- a/app/services/push_notification_pusher.rb
+++ b/app/services/push_notification_pusher.rb
@@ -1,6 +1,8 @@
 require_dependency 'webpush'
 
 class PushNotificationPusher
+  TOKEN_VALID_FOR_SECONDS ||= 5 * 60
+
   def self.push(user, payload)
     message = {
       title: I18n.t(
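Review bot: The new constant `TOKEN_VALID_FOR_SECONDS ||= 5 * 60` has no comment, so the reason for five minutes lives only in the commit message. A short comment above it stating that the token is not reused and that 24 hours is the maximum allowed value would keep a later reader from raising it back toward the limit. The short lifetime covers a server clock that runs fast; a clock that is more than five minutes slow would produce a token whose expiry is already in the past when it arrives, so the comment could record that trade-off too.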
@@ -82,7 +84,8 @@ class PushNotificationPusher
         vapid: {
           subject: Discourse.base_url,
           public_key: SiteSetting.vapid_public_key,
-          private_key: SiteSetting.vapid_private_key
+          private_key: SiteSetting.vapid_private_key,
+          expiration: TOKEN_VALID_FOR_SECONDS
         }
       )
     rescue Webpush::ExpiredSubscription
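Review bot: On the added `expiration: TOKEN_VALID_FOR_SECONDS` line, nothing at the call site says whether the `vapid:` hash expects a lifetime in seconds or an absolute timestamp. The constant name implies a lifetime, so a brief inline comment saying the value is added to the current time would remove the ambiguity. The diff as shown touches only `push_notification_pusher.rb`; a spec asserting that the `expiration` option is passed would stop the default from silently returning if this hash is refactored.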

GitHub sha: b0862bd1
