mozilla-services / push-dev-dashboard

Developer dashboard for the Mozilla web push service
https://dev-dashboard.deis.dev.mozaws.net/
Mozilla Public License 2.0

The dashboard expects a base64 encoding with padding, but the padding is actually optional #187

Closed marco-c closed 8 years ago

marco-c commented 8 years ago

While validating, there was an "Incorrect padding" error, for the VAPID key at first, and then for the encrypted token. I tried the non-urlsafe base64 encoding out of curiosity, and it worked (well, at least I think, since I don't see "Incorrect padding" anymore, but I see "Error communicating with Push Messages API: Status: 201; Content: ").

marco-c commented 8 years ago

Now it was correctly validated (using the non-urlsafe encoding).

marco-c commented 8 years ago

[screenshot]

As you can see, the VAPID key is in the non-urlsafe base64 encoding.

groovecoder commented 8 years ago

I actually think I fixed the verification yesterday in a separate change: https://github.com/mozilla-services/push-dev-dashboard/pull/184

And I just now pushed a fix for the "Error communicating with Push Messages API: Status: 201; Content: " issue. Though it will still give another error right now: https://github.com/mozilla-services/push-dev-dashboard/issues/185

groovecoder commented 8 years ago

I'll leave this open to investigate after I fix #185

groovecoder commented 8 years ago

Okay, I went through https://mozilla-services.github.io/WebPushDataTestPage/ to generate the VAPID key pair. I copied the public key value in "Push Dashboard" area, which I think is a url-safe, base64-encoded version of the key? Then I signed the token value that I got from the dashboard, and I copied the signed token value from the WebPushDataTestPage, which, again, I think is a url-safe, base64-encoded version of the signed token.

@jrconlin: is that accurate?

marco-c commented 8 years ago

The public key value on https://mozilla-services.github.io/WebPushDataTestPage/ doesn't look like the urlsafe variant; it contains == at the end.

marco-c commented 8 years ago

Same as the signed token.

jrconlin commented 8 years ago

'==' is just padding. URL safe generally has '-' and '_' instead of '+' and '/'. Padding is optional and can be stripped.

marco-c commented 8 years ago

> '==' is just padding. URL safe generally has '-' and '_' instead of '+' and '/'. Padding is optional and can be stripped.

Oh, ok, all the URL safe libraries that I used removed padding, so I assumed it was always removed. So the problem on the dashboard is that it only accepts values with padding, while the URL safe base64 sometimes doesn't have it.
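The "Incorrect padding" text reported in this thread is the message Python's `base64` module raises when the trailing `=` characters are missing. The following is an added example, not code from the dashboard or from anyone in this thread: a decoder that accepts the standard or URL-safe alphabet, padded or unpadded, while still rejecting malformed input. The function name `decode_b64_lenient` and the sample bytes are assumptions made for illustration.

```python
import base64
import binascii
import re

# Either alphabet is accepted, but never a mix of both; at most two trailing '='.
_STD = re.compile(r"[A-Za-z0-9+/]*={0,2}")
_URL = re.compile(r"[A-Za-z0-9_-]*={0,2}")


def decode_b64_lenient(value: str) -> bytes:
    """Decode standard or URL-safe base64, with or without '=' padding.

    Raises ValueError for anything that is not well-formed base64.
    """
    text = value.strip()
    if _URL.fullmatch(text):
        altchars = b"-_"
    elif _STD.fullmatch(text):
        altchars = b"+/"
    else:
        raise ValueError("not base64: mixed alphabets or illegal characters")

    body = text.rstrip("=")
    # Padding is optional, but if it is supplied it must be the right amount.
    if len(text) != len(body) and len(text) % 4 != 0:
        raise ValueError("wrong amount of '=' padding")
    # A remainder of one character can never encode a whole byte.
    if len(body) % 4 == 1:
        raise ValueError("truncated base64 input")

    padded = body + "=" * (-len(body) % 4)
    try:
        return base64.b64decode(padded, altchars=altchars, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from exc


if __name__ == "__main__":
    # Constructed sample: 65 arbitrary bytes, not a real key.
    raw = b"\x04" + bytes(range(64))
    std = base64.b64encode(raw).decode()
    url = base64.urlsafe_b64encode(raw).decode()
    for form in (std, std.rstrip("="), url, url.rstrip("=")):
        print(len(form), decode_b64_lenient(form) == raw)
```

Restoring the padding before decoding, rather than switching to a non-validating decode, keeps the strict character check in place for user-supplied keys and tokens.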