Removed deps

Author: colecrouter

package-lock.json

@@ -1,11 +1,8 @@
 {
   "name": "web-push-browser",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Minimal library for sending notifications via the browser Push API",
   "main": "build/index.js",
-  "dependencies": {
-    "jose": "^5.8.0"
-  },
   "devDependencies": {
     "typescript": "^5.5.4"
   },

package.json

@@ -1,4 +1,4 @@
-import { SignJWT } from "jose";
+import { toBase64Url } from "../utils/base64url";
 
 /**
  * Generate and sign a JWT token.
@@ -18,11 +18,44 @@ export async function createJWT(
 	const exp = Math.floor(Date.now() / 1000) + 12 * 60 * 60; // 12 hours from now
 	const sub = `mailto:${email}`;
 
-	return await new SignJWT({
-		aud,
-		exp,
-		sub,
-	})
-		.setProtectedHeader({ alg: "ES256", typ: "JWT" })
-		.sign(privateVapidKey);
+	return await signJWT(
+		{ alg: "ES256", typ: "JWT" },
+		{
+			aud,
+			exp,
+			sub,
+		},
+		privateVapidKey,
+	);
+}
+
+async function signJWT(
+	header: object,
+	payload: object,
+	privateKey: CryptoKey,
+): Promise<string> {
+	const encoder = new TextEncoder();
+
+	// Encode header and payload
+	const encodedHeader = toBase64Url(encoder.encode(JSON.stringify(header)));
+	const encodedPayload = toBase64Url(encoder.encode(JSON.stringify(payload)));
+
+	// Create the content to be signed
+	const content = `${encodedHeader}.${encodedPayload}`;
+
+	// Sign the content
+	const signature = await crypto.subtle.sign(
+		{
+			name: "ECDSA",
+			hash: { name: "SHA-256" },
+		},
+		privateKey,
+		encoder.encode(content),
+	);
+
+	// Convert the signature to base64url
+	const encodedSignature = toBase64Url(signature);
+
+	// Combine all parts to form the JWT
+	return `${content}.${encodedSignature}`;
 }

src/crypto/jwt.ts

@@ -1,5 +1,5 @@
 import type { PushNotificationSubscription } from "../types.js";
-import { fromBase64Url } from "../utils/base64url.js";
+import { fromBase64Url, toBase64Url } from "../utils/base64url.js";
 
 type EncryptionOptions = {
 	algorithm: "aesgcm" | "aes128gcm";
@@ -100,22 +100,19 @@ export async function encryptPayload(
 	let encrypted: ArrayBuffer;
 
 	if (options.algorithm === "aes128gcm") {
-		const header = new Uint8Array([
-			...salt,
-			...new Uint8Array(4),
-			...serverPublicKeyBytes,
-		]);
-
-		const message = new Uint8Array([
-			...header,
-			...new Uint8Array(encryptedPayload),
-		]);
-
-		const recordSize = new Uint32Array([encryptedPayload.byteLength]);
-		new Uint8Array(message.buffer, 16, 4).set(
-			new Uint8Array(recordSize.buffer),
-		);
-		encrypted = message.buffer;
+		// AES128GCM header format:
+		// Salt (16 bytes) || RS (4 bytes) || IdLen (1 byte) || PublicKey (65 bytes)
+		const recordSize = 4096; // You can adjust this value
+		const idLen = 65; // Length of the public key
+
+		const header = new Uint8Array(16 + 4 + 1 + 65);
+		header.set(salt, 0); // Correctly setting the salt here
+		new DataView(header.buffer).setUint32(16, recordSize, false);
+		header[20] = idLen;
+		header.set(serverPublicKeyBytes, 21);
+
+		encrypted = new Uint8Array([...header, ...new Uint8Array(encryptedPayload)])
+			.buffer;
 	} else {
 		// For 'aesgcm', we don't include the header in the encrypted payload
 		encrypted = encryptedPayload;