feat!: enforce VAPID subject validation

Added stricter validation for the VAPID 'subject' field to require a valid mailto: email or https: URL.

Author: Rotzbua

src/VAPID.php

@@ -46,12 +46,35 @@ class VAPID
      */
     public static function validate(array $vapid): array
     {
-        if (!isset($vapid['subject'])) {
+        // The subject is optional according to the RFC but no browser vendor accept VAPID without it.
+        // https://www.rfc-editor.org/rfc/rfc8292#section-2.1
+        if (!isset($vapid['subject']) || !is_string($vapid['subject'])) {
+            throw new \ErrorException('[VAPID] You must provide a subject as string that is either a mailto: or a URL.');
+        }
+        $subject = $vapid['subject'];
+        if (str_starts_with($subject, 'mailto:')) {
+            $email = substr($subject, 7);
+            if (false === filter_var($email, FILTER_VALIDATE_EMAIL)) {
+                throw new \ErrorException('[VAPID] subject: mailto email is not valid.');
+            }
+        } elseif (str_starts_with($subject, 'https:')) {
+            if (false === filter_var($subject, FILTER_VALIDATE_URL)) {
+                throw new \ErrorException('[VAPID] subject: url is not valid.');
+            }
+        } else {
             throw new \ErrorException('[VAPID] You must provide a subject that is either a mailto: or a URL.');
         }
 
         if (isset($vapid['pemFile'])) {
-            $vapid['pem'] = file_get_contents($vapid['pemFile']);
+            $filename = $vapid['pemFile'];
+            if (!file_exists($filename)) {
+                throw new \ErrorException('Error loading PEM file: does not exist.');
+            }
+            if (!is_readable($filename)) {
+                throw new \ErrorException('Error loading PEM file: not readable.');
+            }
+
+            $vapid['pem'] = file_get_contents($filename);
 
             if (!$vapid['pem']) {
                 throw new \ErrorException('[VAPID] Error loading PEM file.');
@@ -93,7 +116,7 @@ public static function validate(array $vapid): array
         }
 
         return [
-            'subject' => $vapid['subject'],
+            'subject' => $subject,
             'publicKey' => $publicKey,
             'privateKey' => $privateKey,
         ];

tests/PushServiceTest.php

@@ -26,7 +26,7 @@ final class PushServiceTest extends PHPUnit\Framework\TestCase
     private static int    $portNumber = 9012;
     private static string $testServiceUrl;
     public static array   $vapidKeys  = [
-        'subject' => 'http://test.com',
+        'subject' => 'https://test.com',
         'publicKey' => 'BA6jvk34k6YjElHQ6S0oZwmrsqHdCNajxcod6KJnI77Dagikfb--O_kYXcR2eflRz6l3PcI2r8fPCH3BElLQHDk',
         'privateKey' => '-3CdhFOqjzixgAbUSa0Zv9zi-dwDVmWO7672aBxSFPQ',
     ];

tests/VAPIDTest.php

@@ -13,6 +13,7 @@
 use Minishlink\WebPush\VAPID;
 use PHPUnit\Framework\Attributes\CoversClass;
 use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\TestWith;
 
 #[CoversClass(VAPID::class)]
 final class VAPIDTest extends PHPUnit\Framework\TestCase
@@ -23,24 +24,24 @@ public static function vapidProvider(): array
             [
                 'http://push.com',
                 [
-                    'subject' => 'http://test.com',
+                    'subject' => 'https://test.com',
                     'publicKey' => 'BA6jvk34k6YjElHQ6S0oZwmrsqHdCNajxcod6KJnI77Dagikfb--O_kYXcR2eflRz6l3PcI2r8fPCH3BElLQHDk',
                     'privateKey' => '-3CdhFOqjzixgAbUSa0Zv9zi-dwDVmWO7672aBxSFPQ',
                 ],
                 ContentEncoding::aesgcm,
                 1475452165,
-                'WebPush eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwOi8vcHVzaC5jb20iLCJleHAiOjE0NzU0NTIxNjUsInN1YiI6Imh0dHA6Ly90ZXN0LmNvbSJ9.4F3ZKjeru4P9XM20rHPNvGBcr9zxhz8_ViyNfe11_xcuy7A9y7KfEPt6yuNikyW7eT9zYYD5mQZubDGa-5H2cA',
+                'WebPush eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwOi8vcHVzaC5jb20iLCJleHAiOjE0NzU0NTIxNjUsInN1YiI6Imh0dHBzOi8vdGVzdC5jb20ifQ.JFr6qZp7_1tXtAbkdEFjZtGYAeAyQvQPOJQu7FQcbuvA2JwHsb65YlMUOFPG2qGImaESrHdO-G7blkUP5XHOYw',
                 'p256ecdsa=BA6jvk34k6YjElHQ6S0oZwmrsqHdCNajxcod6KJnI77Dagikfb--O_kYXcR2eflRz6l3PcI2r8fPCH3BElLQHDk',
             ], [
                 'http://push.com',
                 [
-                    'subject' => 'http://test.com',
+                    'subject' => 'https://test.com',
                     'publicKey' => 'BA6jvk34k6YjElHQ6S0oZwmrsqHdCNajxcod6KJnI77Dagikfb--O_kYXcR2eflRz6l3PcI2r8fPCH3BElLQHDk',
                     'privateKey' => '-3CdhFOqjzixgAbUSa0Zv9zi-dwDVmWO7672aBxSFPQ',
                 ],
                 ContentEncoding::aes128gcm,
                 1475452165,
-                'vapid t=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwOi8vcHVzaC5jb20iLCJleHAiOjE0NzU0NTIxNjUsInN1YiI6Imh0dHA6Ly90ZXN0LmNvbSJ9.4F3ZKjeru4P9XM20rHPNvGBcr9zxhz8_ViyNfe11_xcuy7A9y7KfEPt6yuNikyW7eT9zYYD5mQZubDGa-5H2cA, k=BA6jvk34k6YjElHQ6S0oZwmrsqHdCNajxcod6KJnI77Dagikfb--O_kYXcR2eflRz6l3PcI2r8fPCH3BElLQHDk',
+                'vapid t=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwOi8vcHVzaC5jb20iLCJleHAiOjE0NzU0NTIxNjUsInN1YiI6Imh0dHBzOi8vdGVzdC5jb20ifQ.kXXd2JaK1583Le1mheFKEKSF1I4rYFKvF0HKNXO8et-w2UYSc3d0pbsbN_sP17PvcsO_zT8XJZ-gbKWlCOGksw, k=BA6jvk34k6YjElHQ6S0oZwmrsqHdCNajxcod6KJnI77Dagikfb--O_kYXcR2eflRz6l3PcI2r8fPCH3BElLQHDk',
                 null,
             ],
         ];
@@ -89,4 +90,20 @@ public function testCreateVapidKeys(): void
         $this->assertGreaterThanOrEqual(86, strlen($keys['publicKey']));
         $this->assertGreaterThanOrEqual(42, strlen($keys['privateKey']));
     }
+
+    #[TestWith([[]])]
+    #[TestWith([['subject' => '']])]
+    #[TestWith([['subject' => 'test']])]
+    #[TestWith([['subject' => 'mailto:']])]
+    #[TestWith([['subject' => 'mailto:localhost']])]
+    #[TestWith([['subject' => 'https://']])]
+    #[TestWith([['subject' => 'https://example.com', 'pemFile' => '']])]
+    #[TestWith([['subject' => 'https://example.com', 'pemFile' => 'abc.pem']])]
+    #[TestWith([['subject' => 'https://example.com', 'pem' => '']])]
+    #[TestWith([['subject' => 'https://example.com', 'publicKey' => '']])]
+    public function testValidateException(array $vapid): void
+    {
+        $this->expectException(Exception::class);
+        VAPID::validate($vapid);
+    }
 }