mozilla-services / push-dev-dashboard

Developer dashboard for the Mozilla web push service
https://dev-dashboard.deis.dev.mozaws.net/
Mozilla Public License 2.0

fix #209: change app token to jws payload #219

Closed groovecoder closed 8 years ago

groovecoder commented 8 years ago

change validation logic to jws.verify

codecov-io commented 8 years ago

Current coverage is 92.26%

Merging #219 into master will decrease coverage by -0.08%

2 files in push were modified.
@@             master       #219   diff @@
==========================================
  Files            46         46          
  Lines          1077       1085     +8   
  Methods           0          0          
  Messages          0          0          
  Branches         37         36     -1   
==========================================
+ Hits            995       1001     +6   
- Misses           72         75     +3   
+ Partials         10          9     -1   

Powered by Codecov. Last updated by 5558e11...930fcbf

jrconlin commented 8 years ago

Looks good, other than removing a bit more hand waving about where the private key comes from in python. Might want to do the same for the js. (if we have to use shovels to find the bar, I'm totally OK with that.)

groovecoder commented 8 years ago

Updated with more explicit code samples:

from jose import jws

# from_pem()-style loaders take the PEM text, not a path, so read the key
# file first; python-jose accepts a PEM-encoded EC private key directly
with open("your_vapid_key.pem") as key_file:
    private_key_pem = key_file.read()

# Sign the app token: a JWS whose payload carries the dashboard "aud" URL
sig = jws.sign(
    {"aud": "https://developer.services.mozilla.com/42ffaf0f-3f46-4bd6-9671-e83aedfb28d4"},
    private_key_pem,
    algorithm='ES256'
)
print(sig)

and

const crypto = require('crypto');
const jws = require('jws');

// Generate a P-256 (prime256v1) key pair; getPrivateKey() returns the raw
// 32-byte private scalar as a Buffer, not a PEM-encoded key
const curve = crypto.createECDH('prime256v1');
curve.generateKeys();
const privateKey = curve.getPrivateKey();

const jwt = jws.sign({
    header: {typ: 'JWT', alg: 'ES256'},
    payload: {"aud": "https://developer.services.mozilla.com/42ffaf0f-3f46-4bd6-9671-e83aedfb28d4"},
    privateKey: privateKey
});

console.log(jwt);

groovecoder commented 8 years ago

@marco-c - this node-jws example code doesn't work because jws.sign wants the privateKey in PEM format. I notice your web-push library does a lot of work for that. Should we have your web-push library export its toPem function and change this example to use your higher-level web-push library instead of the lower-level node-jws?

jrconlin commented 8 years ago

Yeah, this is where things get crappy between languages. PEM is the older format that a lot of older languages want to use (or at least make it really, really damn easy). Javascript (and I'm pretty sure node) want to use the newer "jwk" format, which skips the weird "Base64 of a RIF tagged binary stream" approach for JSON that doesn't make baby Crockford cry.

I'm ok with having a certain level of "hand waving" around this, because moving between PEM and JWK is how you decide to go raise sheep in Vermont instead. Figure for those who have WebCrypto available, they're going to use JWK for key exchange.

groovecoder commented 8 years ago

Okay, I put back some hand-waving privateKeyInPEMFormat in the node-jws sample code. So this is good to merge ... and we'll have to just see how confused users get with the UX. :/