An "aud" (Audience) claim in the token MUST include the Unicode
serialization of the origin (Section 6.1 of [RFC6454]) of the push
resource URL. This binds the token to a specific push service and
ensures that the token is reusable for all push resource URLs that
share the same origin.
As per the VAPID spec (https://tools.ietf.org/html/rfc8292#section-2).
As per RFC 6454 (https://tools.ietf.org/html/rfc6454#section-6.1), non-default ports should be included.
The implementation of getOrigin does not handle this,
meaning the VAPID aud can be incorrect.
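
The port rule from RFC 6454 section 6.1 applied to a push resource URL, as an added example that is not the project's own code. The function names, the `hostOnlyOrigin` stand-in for a port-dropping implementation, and the `push.example.test` endpoints are assumptions constructed for illustration; hosts are assumed to be ASCII (an IDN host would also need conversion to its Unicode form).

```javascript
// Added example: names and endpoints are hypothetical, not from the project.

// Default port per scheme. RFC 6454 section 6.1 omits the port from the
// serialized origin only when it equals the scheme's default.
const DEFAULT_PORTS = new Map([["https:", "443"], ["http:", "80"]]);

// Stand-in for an implementation that ignores the port (assumed shape of the
// behaviour described above): scheme and host only.
function hostOnlyOrigin(endpoint) {
  const u = new URL(endpoint);
  return `${u.protocol}//${u.hostname}`;
}

// Origin serialization with the port rule: scheme "://" host [":" port].
function serializeOrigin(endpoint) {
  const u = new URL(endpoint);
  if (!DEFAULT_PORTS.has(u.protocol)) {
    throw new Error(`unsupported scheme for a push resource: ${u.protocol}`);
  }
  // u.hostname keeps the brackets around IPv6 literals, as the origin requires.
  let origin = `${u.protocol}//${u.hostname}`;
  // The URL parser already reports "" for a default port; the explicit
  // comparison keeps the rule visible and independent of that normalisation.
  if (u.port !== "" && u.port !== DEFAULT_PORTS.get(u.protocol)) {
    origin += `:${u.port}`;
  }
  return origin;
}

// Receiving-side check: does a token's aud claim match the endpoint's origin?
function audMatchesEndpoint(aud, endpoint) {
  return aud === serializeOrigin(endpoint);
}

// Constructed sample endpoints.
const samples = [
  "https://push.example.test/push/abc123",
  "https://push.example.test:443/push/abc123",
  "https://push.example.test:8443/push/abc123",
  "https://[2001:db8::1]:8443/push/abc123",
];
for (const endpoint of samples) {
  const aud = hostOnlyOrigin(endpoint);
  console.log(endpoint, "->", serializeOrigin(endpoint),
    "| host-only aud accepted:", audMatchesEndpoint(aud, endpoint));
}
```

For the two endpoints on port 8443 the host-only value fails the comparison, which is the mismatch the report describes.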