autopush-rs
Document the requirement of the JWT `sub` claim in VAPID signatures for web push
Sorry if this is the wrong place for this, but I figured not many people write web-push libraries so I should point this out. Currently, autopush requires a `sub` claim to be present in the JWT used for VAPID signatures, which is a greater requirement than is documented in the RFC (see section 2.1). This is a problem since not submitting a `sub` claim will yield a 401 error, which the docs explain by pointing users to the RFC, which in turn gives an inaccurate explanation.
I consider this worthy of at least documentation, since all other web push services I've tested have allowed omission of the `sub` claim, which makes Firefox's error rather difficult to debug.
(The test showing the requirement for `sub` for reference): https://github.com/mozilla-services/autopush-rs/blob/fa9109dc155676c1dd2231347d1513d93502d790/autoendpoint/src/extractors/subscription.rs#L535
Ah, thanks for this.
Yeah, it's complicated because most of the Push providers require VAPID, and then the `sub` is also very much required.
You're right that we should note that we deviate from the RFC in that while the VAPID is optional, we do require the `sub` to be present.
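
A preflight check a web-push library could run before sending, added here as an example and not part of the issue thread or autopush's own code: it decodes the VAPID JWT claims and reports `aud`/`exp` problems per RFC 8292 plus the missing `sub` that the thread says autopush answers with a 401. The names `decode_claims`, `preflight` and `sample_token`, and the `https://push.example` audience, are assumptions made for illustration.

```python
import base64
import json
import time

MAX_EXP_AHEAD = 24 * 60 * 60  # RFC 8292: "exp" no more than 24 hours ahead


def decode_claims(jwt):
    """Decode the JWT payload only; the signature is not verified here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore b64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(jwt, require_sub=True, now=None):
    """Return a list of problems; an empty list means the claims look sendable."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    problems = []
    if not claims.get("aud"):
        problems.append("missing 'aud' (required by RFC 8292)")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("missing or non-numeric 'exp' (required by RFC 8292)")
    elif exp <= now:
        problems.append("'exp' is already in the past")
    elif exp > now + MAX_EXP_AHEAD:
        problems.append("'exp' is more than 24 hours ahead")
    # Assumption taken from the issue above: autopush rejects a token with no 'sub'.
    if require_sub and not claims.get("sub"):
        problems.append("missing 'sub' (optional in RFC 8292, required by autopush)")
    return problems


def sample_token(claims):
    """Constructed test token: real header and payload, placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "ES256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    token = sample_token({"aud": "https://push.example", "exp": int(time.time()) + 3600})
    for problem in preflight(token):
        print(problem)
```

Passing `require_sub=False` gives the RFC-only view, which is how the same token can pass against other push services and still fail against autopush.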