add VAPID (not working yet)

Author: Minishlink

README.md

@@ -70,24 +70,39 @@ There are several good examples and tutorials on the web:
 * Google's [introduction to push notifications](https://developers.google.com/web/fundamentals/getting-started/push-notifications/) (as of 03-20-2016, it doesn't mention notifications with payload)
 * you may want to take a look at my own implementation: [sw.js](https://github.com/Minishlink/physbook/blob/2ed8b9a8a217446c9747e9191a50d6312651125d/web/service-worker.js) and [app.js](https://github.com/Minishlink/physbook/blob/d6855ca8f485556ab2ee5c047688fbf745367045/app/Resources/public/js/app.js)
 
-### GCM servers notes (Chrome)
-For compatibility reasons, this library detects if the server is a GCM server and appropriately sends the notification.
+### Authentication
+Browsers need to verify your identity. At the moment, some browsers don't force you but you'll have to do it in the future, so why not now?
+GCM (Chrome, Opera, Samsung Mobile) do force you to authenticate using an API key that you can find either on your Google Developer Console or Firebase Console.
+A standard called VAPID can authenticate you for all browsers. You'll need to create and provide a public and private key for your server.
 
-You will need to specify your GCM api key when instantiating WebPush:
+You can specify your authentication details when instantiating WebPush:
 ```php
 <?php
 
 use Minishlink\WebPush\WebPush;
 
 $endpoint = 'https://android.googleapis.com/gcm/send/abcdef...'; // Chrome
-$apiKeys = array(
+
+$auth = array(
     'GCM' => 'MY_GCM_API_KEY',
+    'VAPID' => array(
+        'subject' => 'mailto:[email protected]', // can be a mailto: or your website address
+        'publicKey' => '88 chars', // uncompressed public key P-256
+        'privateKey' => '44 chars', // in fact the secret multiplier of the private key
+    ),
 );
 
-$webPush = new WebPush($apiKeys);
+$webPush = new WebPush($auth);
 $webPush->sendNotification($endpoint, null, null, null, true);
 ```
 
+In order to generate the public and private keys, enter the following in your Linux bash:
+```
+$ openssl ecparam -genkey -name prime256v1 -out private_key.pem
+$ openssl ec -in private_key.pem -pubout -outform DER|tail -c 65|base64 >> public_key.txt
+$ openssl ec -in private_key.pem -outform DER|tail -c +8|head -c 32|base64 >> private_key.txt
+```
+
 ### Notification options
 Each notification can have a specific Time To Live, urgency, and topic.
 You can change the default options with `setDefaultOptions()` or in the constructor:

composer.json

@@ -18,7 +18,8 @@
     "mdanter/ecc": "^0.4.0",
     "lib-openssl": "*",
     "spomky-labs/base64url": "^1.0",
-    "spomky-labs/php-aes-gcm": "^1.0"
+    "spomky-labs/php-aes-gcm": "^1.0",
+    "spomky-labs/jose": "^6.0"
   },
   "require-dev": {
     "phpunit/phpunit": "4.8.*"

phpunit.dist.xml

@@ -23,5 +23,8 @@
         <env name="GCM_USER_PUBLIC_KEY" value="" />
         <env name="GCM_USER_AUTH_TOKEN" value="" />
         <env name="GCM_API_KEY" value="" />
+
+        <env name="VAPID_PUBLIC_KEY" value="" />
+        <env name="VAPID_PRIVATE_KEY" value="" />
     </php>
 </phpunit>

src/VAPID.php

@@ -0,0 +1,107 @@
+<?php
+
+/*
+ * This file is part of the WebPush library.
+ *
+ * (c) Louis Lagrange <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Minishlink\WebPush;
+
+use Base64Url\Base64Url;
+use Jose\Factory\JWKFactory;
+use Jose\Factory\JWSFactory;
+use Jose\Object\JWK;
+use Mdanter\Ecc\Curves\NistCurve;
+use Mdanter\Ecc\EccFactory;
+use Mdanter\Ecc\Serializer\PrivateKey\DerPrivateKeySerializer;
+use Mdanter\Ecc\Serializer\PrivateKey\PemPrivateKeySerializer;
+
+class VAPID
+{
+    /**
+     * @param array $vapid
+     *
+     * @return array
+     *
+     * @throws \ErrorException
+     */
+    public static function validate(array $vapid)
+    {
+        if (!array_key_exists('subject', $vapid)) {
+            throw new \ErrorException('[VAPID] You must provide a subject that is either a mailto: or a URL.');
+        }
+
+        if (!array_key_exists('publicKey', $vapid)) {
+            throw new \ErrorException('[VAPID] You must provide a public key.');
+        }
+
+        $publicKey = Base64Url::decode($vapid['publicKey']);
+
+        if (Utils::safe_strlen($publicKey) !== 65) {
+            throw new \ErrorException('[VAPID] Public key should be 65 bytes long when decoded.');
+        }
+
+        if (!array_key_exists('privateKey', $vapid)) {
+            throw new \ErrorException('[VAPID] You must provide a private key.');
+        }
+
+        $privateKey = Base64Url::decode($vapid['privateKey']);
+
+        if (Utils::safe_strlen($privateKey) !== 32) {
+            throw new \ErrorException('[VAPID] Private key should be 32 bytes long when decoded.');
+        }
+
+        return array(
+            'subject' => $vapid['subject'],
+            'publicKey' => $publicKey,
+            'privateKey' => $privateKey,
+        );
+    }
+
+    /**
+     * This method takes the required VAPID parameters and returns the required
+     * header to be added to a Web Push Protocol Request.
+     *
+     * @param string $audience   This must be the origin of the push service
+     * @param string $subject    This should be a URL or a 'mailto:' email address
+     * @param string $publicKey  The decoded VAPID public key
+     * @param string $privateKey The decoded VAPID private key
+     * @param int    $expiration The expiration of the VAPID JWT. (UNIX timestamp)
+     *
+     * @return array Returns an array with the 'Authorization' and 'Crypto-Key' values to be used as headers
+     */
+    public static function getVapidHeaders($audience, $subject, $publicKey, $privateKey, $expiration = null)
+    {
+        $expirationLimit = time() + 86400;
+        if (!isset($expiration) || $expiration > $expirationLimit) {
+            $expiration = $expirationLimit;
+        }
+
+        $header = array(
+            'typ' => 'JWT',
+            'alg' => 'ES256',
+        );
+
+        $jwtPayload = array(
+            'aud' => $audience,
+            'exp' => $expiration,
+            'sub' => $subject,
+        );
+
+        $generator = EccFactory::getNistCurves()->generator256();
+        $privateKeyObject = $generator->getPrivateKeyFrom(gmp_init(bin2hex($privateKey), 16));
+        $pemSerialize = new PemPrivateKeySerializer(new DerPrivateKeySerializer());
+        $pem = $pemSerialize->serialize($privateKeyObject);
+        $jwk = JWKFactory::createFromKey($pem, null);
+        $jws = JWSFactory::createJWSToCompactJSON($jwtPayload, $jwk, $header);
+
+        return array(
+          'Authorization' => 'WebPush '.$jws,
+          'Crypto-Key' => 'p256ecdsa='.Base64Url::encode($publicKey),
+        );
+    }
+}

src/WebPush.php

@@ -37,45 +37,52 @@ class WebPush
     /** @var bool Automatic padding of payloads, if disabled, trade security for bandwidth */
     private $automaticPadding = true;
 
-    /** @var boolean */
+    /** @var bool */
     private $nativePayloadEncryptionSupport;
 
     /**
      * WebPush constructor.
      *
-     * @param array $auth Some servers needs authentication.
-     * @param array $defaultOptions TTL, urgency, topic
-     * @param int|null $timeout Timeout of POST request
+     * @param array               $auth           Some servers needs authentication
+     * @param array               $defaultOptions TTL, urgency, topic
+     * @param int|null            $timeout        Timeout of POST request
      * @param AbstractClient|null $client
      */
     public function __construct(array $auth = array(), $defaultOptions = array(), $timeout = 30, AbstractClient $client = null)
     {
         $this->auth = $auth;
+
+        if (array_key_exists('VAPID', $auth)) {
+            $auth['VAPID'] = VAPID::validate($auth['VAPID']);
+        }
+
         $this->setDefaultOptions($defaultOptions);
 
         $client = isset($client) ? $client : new MultiCurl();
         $client->setTimeout($timeout);
         $this->browser = new Browser($client);
-        
+
         $this->nativePayloadEncryptionSupport = version_compare(phpversion(), '7.1', '>=');
     }
 
     /**
      * Send a notification.
      *
-     * @param string $endpoint
-     * @param string|null $payload If you want to send an array, json_encode it.
+     * @param string      $endpoint
+     * @param string|null $payload       If you want to send an array, json_encode it
      * @param string|null $userPublicKey
      * @param string|null $userAuthToken
-     * @param bool $flush If you want to flush directly (usually when you send only one notification)
-     * @param array $options Array with several options tied to this notification. If not set, will use the default options that you can set in the WebPush object.
+     * @param bool        $flush         If you want to flush directly (usually when you send only one notification)
+     * @param array       $options       Array with several options tied to this notification. If not set, will use the default options that you can set in the WebPush object
+     *
      * @return array|bool Return an array of information if $flush is set to true and the queued requests has failed.
-     *                    Else return true.
+     *                    Else return true
+     *
      * @throws \ErrorException
      */
     public function sendNotification($endpoint, $payload = null, $userPublicKey = null, $userAuthToken = null, $flush = false, $options = array())
     {
-        if(isset($payload)) {
+        if (isset($payload)) {
             if (Utils::safe_strlen($payload) > Encryption::MAX_PAYLOAD_LENGTH) {
                 throw new \ErrorException('Size of payload must not be greater than '.Encryption::MAX_PAYLOAD_LENGTH.' octets.');
             }
@@ -109,7 +116,7 @@ public function sendNotification($endpoint, $payload = null, $userPublicKey = nu
      *
      * @return array|bool If there are no errors, return true.
      *                    If there were no notifications in the queue, return false.
-     *                    Else return an array of information for each notification sent (success, statusCode, headers, content).
+     *                    Else return an array of information for each notification sent (success, statusCode, headers, content)
      *
      * @throws \ErrorException
      */
@@ -214,6 +221,27 @@ private function prepareAndSend(array $notifications)
                     throw new \ErrorException('No GCM/FCM API Key specified.');
                 }
             }
+            // if VAPID
+            elseif (array_key_exists('VAPID', $this->auth)) {
+                $vapid = $this->auth['VAPID'];
+
+                $audience = parse_url($endpoint, PHP_URL_SCHEME).'//'.parse_url($endpoint, PHP_URL_HOST);
+
+                if (!parse_url($audience)) {
+                    throw new \ErrorException('Audience "'.$audience.'"" could not be generated.');
+                }
+
+                $vapidHeaders = VAPID::getVapidHeaders($audience, $vapid['subject'], $vapid['publicKey'], $vapid['privateKey']);
+
+                $headers['Authorization'] = 'key='.$vapidHeaders['Authorization'];
+
+                if (array_key_exists('Crypto-Key', $headers)) {
+                    // FUTURE replace ';' with ','
+                    $headers['Crypto-Key'] .= ';'.$vapidHeaders['Crypto-Key'];
+                } else {
+                    $headers['Crypto-Key'] = $vapidHeaders['Crypto-Key'];
+                }
+            }
 
             $responses[] = $this->sendRequest($endpoint, $headers, $content);
         }
@@ -260,15 +288,15 @@ public function setBrowser($browser)
     }
 
     /**
-     * @return boolean
+     * @return bool
      */
     public function isAutomaticPadding()
     {
         return $this->automaticPadding;
     }
 
     /**
-     * @param boolean $automaticPadding
+     * @param bool $automaticPadding
      *
      * @return WebPush
      */

tests/WebPushTest.php

@@ -32,7 +32,7 @@ protected function checkRequirements()
             $this->markTestSkipped('This test does not run on Travis.');
         }
     }
-    
+
     public static function setUpBeforeClass()
     {
         self::$endpoints = array(
@@ -53,7 +53,14 @@ public static function setUpBeforeClass()
 
     public function setUp()
     {
-        $this->webPush = new WebPush(array('GCM' => getenv('GCM_API_KEY')));
+        $this->webPush = new WebPush(array(
+            'GCM' => getenv('GCM_API_KEY'),
+            'VAPID' => array(
+                'subject' => 'https://github.com/Minishlink/web-push',
+                'publicKey' => getenv('VAPID_PUBLIC_KEY'),
+                'privateKey' => getenv('VAPID_PRIVATE_KEY'),
+            ),
+        ));
         $this->webPush->setAutomaticPadding(false); // disable automatic padding in tests to speed these up
     }