mozilla / fxa

Monorepo for Mozilla Accounts (formerly Firefox Accounts)
https://mozilla.github.io/ecosystem-platform/
Mozilla Public License 2.0
597 stars 210 forks source link

Please verify that the VAPID header has a numeric `exp` field #13675

Closed data-sync-user closed 2 years ago

data-sync-user commented 2 years ago

I understand that the SendTab feature uses the web-push library to VAPID sign the push messages. With the roll out of the new Autopush in Rust canary, the exp field MUST be specified in Numeric format. (e.g.

{
 "sub":"mailto:xyz@example.com",
 "exp": 1234567890,
 "aud": "https://updates.push.services.mozilla.com"
 }

)

While the web-push library generates a numeric by default, it is easy to accidentally introduce a stringified numeric.

Please verify that the generated VAPID assertion that is sent as part of the VAPID Authorization header block contains a numeric value for exp.

┆Issue is synchronized with this Jira Task

data-sync-user commented 2 years ago

➤ Barry Chen commented:

JR Conlin I’ve verified that the web-push library does ensure that the expiration value is an integer.