web-push-libs / webpush-java

Web Push library for Java
MIT License

Notification::getOrigin does not handle non-standard ports, leading to incorrect VAPID JWT aud. #153

Open hectorgrebbell opened 3 years ago

hectorgrebbell commented 3 years ago

As per the VAPID spec (https://tools.ietf.org/html/rfc8292#section-2)

An "aud" (Audience) claim in the token MUST include the Unicode serialization of the origin (Section 6.1 of [RFC6454]) of the push resource URL. This binds the token to a specific push service and ensures that the token is reusable for all push resource URLs that share the same origin.

And as per RFC 6454 (https://tools.ietf.org/html/rfc6454#section-6.1), for non-default ports these should be included.

The implementation of getOrigin does not handle this -

https://github.com/web-push-libs/webpush-java/blob/ac647d27e80e7860881c4cbc829bd39779d3a694/src/main/java/nl/martijndwars/webpush/Notification.java#L156

Meaning the VAPID aud can be incorrect.
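
The following is an added example, not code from this issue or from webpush-java, showing how the origin of a push resource URL is serialized the way RFC 6454 section 6.1 and RFC 8292 section 2 require: scheme, "://", host, and the port only when it differs from the scheme's default. The class name OriginExample, the method names and the endpoint URLs are illustrative assumptions; the behaviour follows the two RFCs quoted above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added illustration, not part of webpush-java. Class and method names are assumed.
public final class OriginExample {

    private OriginExample() {}

    /**
     * Serialize the origin of a push resource URL as RFC 6454 section 6.1 describes.
     * The result is what RFC 8292 section 2 requires in the VAPID JWT "aud" claim.
     */
    public static String origin(String endpoint) throws URISyntaxException {
        URI uri = new URI(endpoint);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            // Not a scheme/host/port triple; RFC 6454 would serialize this as "null",
            // which is never a usable audience, so reject it outright.
            throw new IllegalArgumentException("endpoint has no scheme or host: " + endpoint);
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);

        // java.net.URI returns -1 when the URL carries no explicit port.
        int port = uri.getPort();
        int defaultPort = defaultPortFor(scheme);

        StringBuilder origin = new StringBuilder(scheme).append("://").append(host);
        // RFC 6454 section 6.1: append ":" and the port only if it is not the
        // default port for the scheme. An explicit ":443" on https is therefore dropped,
        // while ":8443" on https or ":8080" on http must be kept.
        if (port != -1 && port != defaultPort) {
            origin.append(':').append(port);
        }
        return origin.toString();
    }

    /** Default ports for the schemes a push endpoint can realistically use. */
    private static int defaultPortFor(String scheme) {
        switch (scheme) {
            case "https":
                return 443;
            case "http":
                return 80;
            default:
                return -1; // unknown scheme: any explicit port is treated as non-default
        }
    }

    /**
     * Check that the "aud" claim of a VAPID token matches the origin of the endpoint
     * it is about to be sent to. A push service does this comparison on its side;
     * doing it before signing catches the non-standard-port bug described in the issue.
     */
    public static boolean audMatchesEndpoint(String aud, String endpoint) throws URISyntaxException {
        return origin(endpoint).equals(aud);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample endpoints; none of these hosts are real push services.
        String[] endpoints = {
            "https://push.example.com/subscription/abc123",
            "https://push.example.com:443/subscription/abc123",
            "https://push.example.com:8443/subscription/abc123",
            "http://localhost:8080/push/xyz",
        };
        for (String endpoint : endpoints) {
            System.out.println(endpoint + " -> aud=" + origin(endpoint));
        }
        // An audience that silently drops the port fails the check for the 8443 endpoint.
        System.out.println(audMatchesEndpoint("https://push.example.com",
                "https://push.example.com:8443/subscription/abc123"));
    }
}
```

With this serialization, endpoints on the same scheme, host and port produce the same aud, so one signed token can be reused across all of them, which is the reuse property RFC 8292 describes; an endpoint on port 8443 gets an aud that includes the port, and a token whose aud omits it would be rejected by a push service that compares the claim to its own origin.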

martijndwars commented 3 years ago

Good catch, I’ll work on a fix. Thanks!