
Commit 3e12e49

authored
Validate VAPID keys are URL safe Base64 (#657)
Fixes #656
1 parent e716efb commit 3e12e49


2 files changed

+18
-0
lines changed


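--- a/src/vapid-helper.js
+++ b/src/vapid-helper.js
@@ -93,6 +93,10 @@ function validatePublicKey(publicKey) {
 + 'encoded string.');
 }
 
+if (!urlBase64.validate(publicKey)) {
+throw new Error('Vapid public key must be a URL safe Base 64 (without "=")');
+}
+
 publicKey = urlBase64.decode(publicKey);
 
 if (publicKey.length !== 65) {
@@ -110,6 +114,10 @@ function validatePrivateKey(privateKey) {
 + 'encoded string.');
 }
 
+if (!urlBase64.validate(privateKey)) {
+throw new Error('Vapid private key must be a URL safe Base 64 (without "=")');
+}
+
 privateKey = urlBase64.decode(privateKey);
 
 if (privateKey.length !== 32) {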
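Review bot: The two new error messages describe only the padding case ("without \"=\"") while the guard, as far as urlBase64.validate rejects anything outside the URL-safe alphabet, also rejects the standard-base64 characters "+" and "/"; a caller who pasted a standard base64 key without padding would get a message that does not explain the failure. Suggest stating the accepted form instead, e.g. `throw new Error('Vapid public key must be URL-safe base64 (characters A-Z, a-z, 0-9, "-" and "_", no "=" padding).');` and the same wording with "private" in validatePrivateKey, which also matches the sentence style of the existing 'encoded string.' messages just above each hunk. The messages correctly avoid echoing the key value, which matters for the private key since these errors commonly end up in logs; keep that property if the wording is changed. Both guards are byte-identical apart from the key name, so a shared `validateUrlSafeKey(key, label)` helper would avoid the duplication. validatePublicKey and validatePrivateKey both start and end outside their hunks, so the preceding string/typeof checks that line 93/114 belong to are not visible here.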

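--- a/test/test-vapid-helper.js
+++ b/test/test-vapid-helper.js
@@ -12,7 +12,9 @@ const VALID_AUDIENCE = 'https://example.com';
 const VALID_SUBJECT_MAILTO = 'mailto: [email protected]';
 const VALID_SUBJECT_URL = 'https://exampe.com/contact';
 const VALID_PUBLIC_KEY = urlBase64.encode(Buffer.alloc(65));
+const VALID_UNSAFE_BASE64_PUBLIC_KEY = Buffer.alloc(65).toString('base64');
 const VALID_PRIVATE_KEY = urlBase64.encode(Buffer.alloc(32));
+const VALID_UNSAFE_BASE64_PRIVATE_KEY = Buffer.alloc(32).toString('base64');
 const VALID_CONTENT_ENCODING = webPush.supportedContentEncodings.AES_GCM;
 const VALID_EXPIRATION = Math.floor(Date.now() / 1000) + (60 * 60 * 12);
 
@@ -123,6 +125,14 @@ suite('Test Vapid Helpers', function() {
 function() {
 vapidHelper.getVapidHeaders(VALID_AUDIENCE, VALID_SUBJECT_MAILTO, VALID_PUBLIC_KEY, VALID_PRIVATE_KEY, 'invalid encoding type');
 },
+function () {
+// Public key with unsafe base64
+vapidHelper.getVapidHeaders(VALID_AUDIENCE, VALID_SUBJECT_MAILTO, VALID_UNSAFE_BASE64_PUBLIC_KEY, VALID_PRIVATE_KEY, VALID_CONTENT_ENCODING);
+},
+function () {
+// Private key with unsafe base64
+vapidHelper.getVapidHeaders(VALID_AUDIENCE, VALID_SUBJECT_MAILTO, VALID_PUBLIC_KEY, VALID_UNSAFE_BASE64_PRIVATE_KEY, VALID_CONTENT_ENCODING);
+},
 function () {
 // String with text, is not accepted as a valid expiration value
 vapidHelper.getVapidHeaders(VALID_AUDIENCE, VALID_SUBJECT_MAILTO, VALID_PUBLIC_KEY, VALID_PRIVATE_KEY, VALID_CONTENT_ENCODING, 'Not valid expiration: Must be a number, this is a string with text');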
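Review bot: The new negative fixtures only exercise the padding half of the check: `Buffer.alloc(65).toString('base64')` is all zero bytes, so its standard-base64 form is a run of "A" characters followed by "=" and never contains "+" or "/". A key that uses the standard alphabet but was stripped of padding would not be covered, which is exactly the case the validator is meant to catch in addition to "=". Add a second pair of fixtures built from a non-zero fill and with the padding removed, e.g. `const VALID_STD_ALPHABET_PUBLIC_KEY = Buffer.alloc(65, 0xff).toString('base64').replace(/=+$/, '');` (and the 32-byte private-key counterpart), and register them in the same list of throwing inputs with comments `// Public key using "/" from the standard base64 alphabet` and `// Private key using "/" from the standard base64 alphabet`. The enclosing suite and the array these functions sit in start and end outside the hunk, so whether the harness asserts a throw for each entry is inferred from the surrounding cases rather than visible here.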
