forked from jmug/stoatchat
feat(pushd): Guard against malformed vapid web pushes.
This commit is contained in:
@@ -55,11 +55,24 @@ impl AsyncConsumer for VapidOutboundConsumer {
|
|||||||
|
|
||||||
let config = revolt_config::config().await;
|
let config = revolt_config::config().await;
|
||||||
|
|
||||||
|
// A VAPID web push payload must carry the subscription endpoint and the
|
||||||
|
// p256dh public key in `extras`. Dropped malformed requests instead
|
||||||
|
// of panicking.
|
||||||
|
let (Some(endpoint), Some(p256dh)) =
|
||||||
|
(payload.extras.get("endpoint"), payload.extras.get("p256dh"))
|
||||||
|
else {
|
||||||
|
log::warn!(
|
||||||
|
"Dropping VAPID push for session {}: payload missing endpoint/p256dh in extras.",
|
||||||
|
payload.session_id
|
||||||
|
);
|
||||||
|
return;
|
||||||
|
};
|
||||||
|
|
||||||
let subscription = SubscriptionInfo {
|
let subscription = SubscriptionInfo {
|
||||||
endpoint: payload.extras.get("endpoint").unwrap().clone(),
|
endpoint: endpoint.clone(),
|
||||||
keys: SubscriptionKeys {
|
keys: SubscriptionKeys {
|
||||||
auth: payload.token,
|
auth: payload.token,
|
||||||
p256dh: payload.extras.get("p256dh").unwrap().clone(),
|
p256dh: p256dh.clone(),
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user