I have opened this two pull requests to improve / fix VAPID default values:

• #101
• #100

I think those changes will benefit anyone who is using this gem (as explained inside each pull request).

Hey @zaru, considering that this is now a stable library thats fit for production use at this point, I think it would be a good idea to bump the version to 1.0.0 after #84 gets merged to communicate that. If more people think its a usable library instead of still in development and not ready for production use, we're likely to get more users, some of whom will also help contribute to the project

It looks like a previous commit by @collimarco switched the errors we raise on 410 and 404 in https://github.com/zaru/webpush/blob/master/lib/webpush/request.rb#L29-L32

However according to https://developers.google.com/web/fundamentals/push-notifications/common-issues-and-reporting-bugs#http_status_codes, it was correct initially, with 410 meaning "Subscription No Longer Valid" and 404 meaning "Subscription Expired". RFC 8030 also explicitly says 404 means "Subscription Expired" (410 is more complicated, meaning that the push service couldn't reach the user agent, is done retrying, and won't send anything for this subscription any more)

• From chrome browser
  Webpush::ResponseError (host: fcm.googleapis.com, #<Net::HTTPForbidden 403 Forbidden readbody=true>
  body:
  exp claim MUST NOT be more than 24 hours from the time of the request
  ):

• From Firefox browser
  Webpush::ResponseError (host: updates.push.services.mozilla.com, #<Net::HTTPUnauthorized 401 Unauthorized readbody=true>
  body:
  {"code": 401, "errno": 109, "error": "Unauthorized", "more_info": "http://autopush.readthedocs.io/en/latest/http.html#error-codes", "message": "Request did not validate Invalid bearer token: Auth > 24 hours in the future"}):

@rossta I tried to send payload on chrome but I am getting below mentioned error:
NoMethodError: undefined method auth_tag=' for #<OpenSSL::Cipher:0x00000006510d28> from .rvm/gems/ruby-1.9.3-p551@test/gems/webpush-0.2.1/lib/webpush/encryption.rb:63:in encrypt_payload' from .rvm/gems/ruby-1.9.3-p551@test/gems/webpush-0.2.1/lib/webpush/encryption.rb:33:in encrypt' from .rvm/gems/ruby-1.9.3-p551@test/gems/webpush-0.2.1/lib/webpush.rb:42:in build_payload' from .rvm/gems/ruby-1.9.3-p551@test/gems/webpush-0.2.1/lib/webpush.rb:32:in payload_send' from (irb):2
I am using ruby 1.9.3 and I tried to hit Webpush.payload_send method via rails console but getting auth tag issue.

We see a few delivery errors (Webpush::ResponseError) from our logs for the Windows Push Notification Services (WNS):

host: wns2-sg2p.notify.windows.com, #<Net::HTTPNotAcceptable 406 Not Acceptable readbody=true>
body:

All the browsers that we have tested on Windows 11 (including Edge - v105) work properly. The notifications are delivered successfully and no exception is raised.

This is probably some misconfiguration in a specific server of WNS, some transient errors on WNS or some strange browser version that doesn't work properly (e.g. returning wrong push subscriptions that create an anomalous response from WNS).

In any case I open this issue in case anyone can reproduce this problem or has more information.

I've been getting some 404 responses for Firefox endpoints recently. 410 means the user unsubscribed, but I'm not sure what 404 means or how to handle it. It seems to be happening for some older subscriptions, perhaps they've expired and need to be renewed or something?

We should catch this error and raise an appropriate exception, the same way we raise InvalidSubscription exceptions for 410 responses.

I'm getting this error message randomly. The code looks simple enough, so I don't immediately see what could be causing it. The endpoint param is this format:

https://android.googleapis.com/gcm/send/eDD5G1tIe9...

But it doesn't seem to be isolated to android URLs.

want to implement support safari

Currently its necessary to open the rails console in order to generate a new key for a new environment. This makes it more difficult to script new environments since theres no rake task that can produce a new public and private key.

Maybe something like this? (first is public and second is private)

$ rake webpush:generate_key
BOuA6thueNgTtxIxt0ZoQb6nhCwzeKXPIZDrT461vm9rCaE328vKOa5wODA9w6G_R4pqK4fIlg1THXLG679JLQs=
2LjsdvOo6tUvQdQ50V0FD4bn9jAkgddllSPPWYfoHoI=

I have been testing on Chrome Android, Opera & Firefox all latest versions to this date. When I first subscribe, everything goes fine but after 2-4 notifications I get Webpush::ExpiredSubscription, even that I haven't unsubscribed and when I check my browser I still see in browser settings that I have "allowed" notifications.

This is the error I get when I test send:
host: fcm.googleapis.com, #<Net::HTTPGone 410 NotRegistered readbody=true> body: <HTML> <HEAD> <TITLE>NotRegistered</TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF" TEXT="#000000"> <H1>NotRegistered</H1> <H2>Error 410</H2> </BODY> </HTML>

I'm not sure why this is still happening and I have tested with several devices with the same result.

Does anyone have any clue about this? I appreciate any help and thanks in advance!

Just since the last few days, I've been getting a lot of temporary 401 HTML responses from just Google, however retrying a few minutes later works with no issue. the fact that its an HTML response makes me think it might be a glitch on Google's end? here's an example response:

<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 401 (Unauthorized)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/logos/errorpage/error_logo-150x54.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/logos/errorpage/error_logo-150x54-2x.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/logos/errorpage/error_logo-150x54-2x.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/logos/errorpage/error_logo-150x54-2x.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>401.</b> <ins>That’s an error.</ins>
  <p>  <ins>That’s all we know.</ins>

If you guys agree this is just some kind of temporary glitch, perhaps we shouldn't be raising an Unauthorized error at https://github.com/zaru/webpush/blob/master/lib/webpush/request.rb#L33 that would cause the receiver to think that the registration token is no longer valid?

HI there!

I've generated VAPID keys as follows

web-push generate-vapid-keys --json

and save it to a json file.

Then, on my node app, I serve the public key to auth clients:

  getPublicKey() {
    return Buffer.from(config.publicKey).toString('base64');
  }

Then on the client I use this function from firebase-sdk:

const base64ToArrayBuffer = (base64String) => {
  const padding = '='.repeat((4 - base64String.length % 4) % 4);
  const base64 = (base64String + padding)
    .replace(/\-/g, '+')
    .replace(/_/g, '/');

  const rawData = atob(base64);
  const outputArray = new Uint8Array(rawData.length);

  for (let i = 0; i < rawData.length; ++i) {
    outputArray[i] = rawData.charCodeAt(i);
  }
  return outputArray;
}

However I have this error over and over :|

Unable to subscribe to push. DOMException: Failed to execute 'subscribe' on 'PushManager': The provided applicationServerKey is not valid.

What im doing wrong?? :\

Thanks!

Safari 16 on MacOS now supports the Push API (instead of the legacy APNs protocol).

Unfortunately we see that all messages sent with this gem fail with this error:

400 Bad Request
{"reason":"BadUrgency"}

This seems a bug related to the Apple push service (since "normal", "high", etc. are valid values), however I report it here since it also affects this gem.

You can also use https://feedbackassistant.apple.com/ to report this bug (as we already did), so that they will prioritize this issue.

When i am trigerring push notifications, in case of chrome they are delievering successfully but in case of firefox they are always giving invalid base64 erro,. after this

 Webpush.payload_send(
        endpoint: device.endpoint,
        p256dh: device.p256dh,
        auth: device.auth,
        cert_store: OpenSSL::X509::Store.new.tap(&:set_default_paths),
        message: message_json(notification),

        api_key: ENV["GCM_KEY"]
      )

Please suggest some solution.

It looks like every time we send out a push, we are generating new public and private keys, and then immediately overwriting them at https://github.com/zaru/webpush/blob/master/lib/webpush/vapid_key.rb#L10-L12

From what I understand, generating keys is relatively expensive, no? If so perhaps this would use unnecessary CPU for high-volume users? I don't have much experience dealing directly with OpenSSL, but I'm guessing there's a way to recreate the OpenSSL::PKey::EC object without having to generate a throwaway set of keys first, @rossta just checking was there a reason for this I'm missing before I dig into this further?

Hey, i was able to send multiple notifications by passing an array of registration ids in single request. it's not ideal to perform so many requests i want to perform multiple notifications

Docs says

# Save these in your application server settings
vapid_key.public_key
vapid_key.private_key

can you clarify like put in application.rb or what?

Is there a business admin panel or project? something like : https://onesignal.com
Or do you have idea for develop something like that?
tnx

I successfully installed and used this gem in my local env but when pushing to heroku i get the error below:
Heroku is running Ruby 2.4.4, I tried forking the gem and using just the "decode64" vs the url_safe one but nothing doing.
See screenshots with all info.

Tested it on heroku console:

Keys:

Keys to test:
p256dh: "BHvZT7egzCyP6kABrWw4MzddvWfpnHmgis41VoAJdHxPf0L9VwUV4wrBTG0CK_PKHirthgdXQViwNNdTs_qQ8E4="
auth: "TCiIvtlR3snOu80-E-60fQ=="

Hello, thank you for such a fantastic gem that is so easy to use!

I was wondering if there are any known strategies for testing with RSpec - to write request tests that can report if a Webpush notification was in fact sent. Forgive me if this is inherently obvious to others.

Only in the last month or so, I've intermittently been getting Webpush::Unauthorized errors, with message invalid push subscription endpoint for Chrome users. It only affects 2-3 users, keeps up for about a day for every message sent to those 2-3 users, and then without me changing anything messages to those users start going through without issue. But then a different 2-3 users start having the problem for about a day.

Anybody else experiencing this? Any idea what could be going on?

How do we handle errors when payload_send() fails?

I've built my own platform for internal usage and imported all of my users from OneSignal over to my application, but when I sent any notification to any of them, I get: Webpush::Unauthorized exception & Net::HTTPForbidden 403 MismatchSenderId

Webpush::Unauthorized in PushSenderController#push_tester_sender

host: gcm-http.googleapis.com, #<Net::HTTPBadRequest 400 UnauthorizedRegistration readbody=true> body: <HTML> <HEAD> <TITLE>UnauthorizedRegistration</TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF" TEXT="#000000"> <H1>UnauthorizedRegistration</H1> <H2>Error 400</H2> </BODY> </HTML>

Anyone knows how I can solve this?

I appreciate any help and thanks in advance! 💯

From time to time we're getting this error:

vendor/bundle/ruby/2.4.0/gems/webpush-0.3.4/lib/webpush/request.rb:39:in `perform': host: fcm.googleapis.com, #<Net::HTTPBadRequest 400 InvalidTokenFormat readbody=true>
body:
<HTML>
<HEAD>
<TITLE>InvalidTokenFormat</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>InvalidTokenFormat</H1>
<H2>Error 400</H2>
</BODY>
</HTML>
 (Webpush::ResponseError)
    from vendor/bundle/ruby/2.4.0/gems/webpush-0.3.4/lib/webpush.rb:42:in `payload_send'

Any reason why this isn't handled as Webpush::InvalidSubscription by the gem?

The to_pem method is broken in all the new Ruby versions due to upstream changes in the OpenSSL library.

@zaru @rossta @mohamedhafez can someone please merge my pull request in order to fix the issue? It also improves test coverage for PEM.

Here's the pull request:
#97

Thanks

Or the more broad question is:
what is a proper way to send a push notification to many users efficiently?

I was looking into writing a webpush ruby implementation and came across your gem. Nice work!

In my research I can across another gem, ece, that abstracts the HTTP encrypted content protocol.

Would you be interested in a PR to introduce ece as a dependency to extract the encryption logic in your gem?

Right now, when a request fails, nothing happens and the only way the user would know is by inspecting the response object returned from Webpush::Request#perform. The user could parse the response to figure out why the failure happened, but I think this should be taken care of by the gem.

I've got a patch to detect when the failure is because the subscription/endpoint is no longer valid and then raise a InvalidSubscription error, and then if the request fails for any other reason a ResponseError error is raised, and the only way the method would return without raising an exception is if the request went through. If that sounds good to everyone I'll issue a pull request

The jwt gem was just updated to version 2.0.0 and that version causes webpush to no longer send push messages to Chrome.

I had to downgrade jwt to version 1.5.6 for Chrome to start working again so it would be nice to include that in the Gemfile of webpush for now. I can create a PR if you agree.

I've been unable to make the endpoint work the way it is stated on the read me. It says:

"Imagine a Ruby app endpoint that responds to the request by triggering notification through the webpush gem."

And the code itself says it should go on app.rb but so far I've had errors on server start up by placing the code inside application.rb

I also tried creating a route and executing the code inside a controller but I get the following error:

NoMethodError in DemoController#push
undefined method `gsub' for nil:NilClass

I'm using rails 4.2.6

What am I missing to make this work?

I'm getting this 400 error when sending notifications to Chrome, but on firefox everything works as expected.

Is there some additional parameters that need to be send on chrome? My request is sent using:

    Webpush.payload_send(
      message: message,
      endpoint: endpoint_url,
      p256dh: p256dh,
      auth: auth,
      vapid: {
        public_key: vapid_keypair['public_key'],
        private_key: vapid_keypair['private_key']
      }
    )

My webpush doesn't work on AWS server and got this error: "403 forbidden, exp claim must not more than 24 hours from the time of the request". But it works fine on local console.
My code:

Webpush.payload_send(
  endpoint: s.end_point,
  message: {
    title: message_body,
    url: url.to_s
  }.to_json,
  p256dh: s.p256dh,
  auth: s.auth,
  ttl: 24 * 60 * 60,
  vapid: {
    subject: "mailto:[email protected]",
    public_key: Rails.application.secrets.WEB_PUSH_PUBLIC_KEY,
    private_key: Rails.application.secrets.WEB_PUSH_PRIVATE_KEY
  }
)

Is it because I miss something in the payload_send method for authentication or should I add exp at somewhere

If I want to fire off notifications each time a sale is made, how would I do that since the notifications involve two separate service workers? One is registered to the seller and one is registered to the buyer - As far as I can tell, to send a notification they must both be registered the same service worker.

Hello,

I have opened some issues and pull requests over a year ago for this repository.

I see that you are probably busy or focused on other projects at the moment. @zaru

Currently I use a fork of this gem with various improvements.

I was wondering if you are interested in merging the changes or maybe if you are looking for a new maintainer.

I would be really happy to contribute / maintain this project - since I actively use it. In case, let me know.

I have created a simple web push demo. So far, I can send notification to firefox without problem.

However, I can only do it once for chrome for some unknown reasons.

The way I have setup:

• by generating VAPID public and private keys to send notification to chrome (v73, mac os)
• adding api_key to webpush from backend
• adding project number (obtained from google console) which is also known as gcm_sender_id to manifest.json

Here is the dashboard from google console, in case it helps

Also, there was an issue mentioned about the gem would not work with jwt above v2? It would be great if anyone can clarify about this.

Hi

I'm making a first venture in push notifications using gcm and your timely gem.

I'm suffering from the error above, even when I send without payload.

Double and triple checked, 1) the id in manifest.json 2) the endpoint, the keys 3) the apikey.

I'm getting everything back from the service worker as I expect but I'm failing on this bit:

Webpush.payload_send( message: JSON.generate(message), endpoint: endpoint, p256dh: p256dh, auth: auth, api_key: api_key)

Any ideas of further things I could try? I'm kind of stuck.

Thanks!

Tom

Hi. I managed to setup this gem with my Rails application & I can send push notifications to both Chrome and Firefox now. (Yeah!)

However, unfortunately, push notifications to Safari (version 16.4 on Mac OS Ventura) are still (silently!) failing.

When I send a test message from the console, I get always get a success message like this...

#<Net::HTTPCreated 201 Created readbody=true>

...even when sending to Safari. However, the message then never pops up in Safari, despite having notifications enabled all over the place (in Safari settings, Mac OS settings, etc.).

What am I missing here?

Some days ago i noticed all my pushes have been rejected by server. But a week ago all was OK.

Webpush.payload_send(message:  JSON.generate(message),
                             endpoint: sub.gcm_url,
                             p256dh:   sub.key_p,
                             auth:     sub.key_a,
                             api_key:  GOOGLE_API_KEY)

returns me #<Net::HTTPBadRequest 400 UnauthorizedRegistration readbody=true>

May be google have made any changes in GCM?

Chrome 52 and Firefox 48, both currently in beta and due to be released late July / early August, are both implementing VAPID, are there any plans to update this library to support that?

First off, thanks for this library.

RFC 8188 has been out for a while, and services will soon start deprecating the "aesgcm" encoding type. The differences aren't that much (the salt is included in the data prefix, and the nonce phrases changed to reflect the new content encoding schema).

Thanks!

I have followed the instructions and i have success implemented it, (i got the push notification). But, there is a problem i faced right now when i have received my push notification.

If i didn't open/closed my previous notification, i couldn't get any new push notification until i closed my previous notification, i have tried to shorten the ttl (expiration time), but it won't closed by itself after the expiration time is expired (it didn't happen anything)

Webpush.payload_send( message: params[:message], endpoint: admin.subscription[:endpoint], p256dh: admin.subscription[:keys][:p256dh], auth: admin.subscription[:keys][:auth], ttl: 10, //10 seconds based on documentation vapid: { subject: 'mailto:[email protected]', public_key: ENV['VAPID_PUBLIC_KEY'], private_key: ENV['VAPID_PRIVATE_KEY'] } )

it looks like the google docs say just trust them for 24h? so if a user got a token he only gets web push notifications for 24h and have to revisit my page to get new tokens?

I am using webpush gem to send web push to GCM, its really easy to use, but I found that when I got some errors, I can not get the response details from Webpush. payload_send, so I am wondering if PR #10 is welcome to make it return the raw http response or raise a error when an unexpected error happened?

This is the correct code:

 if resp.is_a?(Net::HTTPNotFound) # 404
   raise InvalidSubscription.new(resp, uri.host)
 elsif resp.is_a?(Net::HTTPGone) # 410
    raise ExpiredSubscription.new(resp, uri.host)

Basically in your current code you have inverted Net::HTTPNotFound and Net::HTTPGone.

I am sure about this because I have run a push service for many years and we remove expired subscriptions when they return 410. The code 404 is very rare and you never see it in normal conditions.

I would also move Net::HTTPBadRequest (UnauthorizedRegistration) to a different exception since it is caused by an authentication error (for example wrong vapid keys):

elsif resp.is_a?(Net::HTTPUnauthorized) || # Mozilla autopush
  resp.is_a?(Net::HTTPBadRequest) && resp.message == "UnauthorizedRegistration" # Google FCM
  raise Unauthorized(resp, uri.host)

I would be happy to provide a pull request if you agree with the above changes.

Hi there. I'm trying to implement VAPID, but it works very strange: some pushes has been received, and some pushed raising an error (Webpush::InvalidSubscription: #<Net::HTTPBadRequest 400 UnauthorizedRegistration readbody=true> or Webpush::InvalidSubscription: #<Net::HTTPGone 410 NotRegistered readbody=true>). Why does FCM rejecting 50% of pushes? Thanks in advance

This line https://github.com/zaru/webpush/blob/master/lib/webpush/request.rb#L134 is producing warning when run on Ruby 2.7:
/home/wojtek/.asdf/installs/ruby/2.7.1/lib/ruby/gems/2.7.0/gems/webpush-1.0.0/lib/webpush/request.rb:134: warning: Using the last argument as keyword parameters is deprecated; maybe ** should be added to the call

I guess adding **subscription.fetch(:keys) should be enough to fix it

First of all, great gem 🥇

In my application, I ran a loop over subscribers in my controller and send a notification to them.

subscribers.each do |sub|
  begin
    Webpush.payload_send(
      endpoint: sub.endpoint,
      message: JSON.generate(data),
      p256dh: sub.p256dh_key,
      auth: sub.auth_key,
      vapid: {
        subject: 'https://my-site.com',
        public_key: 'vapid_public',
        private_key: 'vapid_private'
      }
    )
  rescue Webpush::Unauthorized
    sub.update(status: 0)
    next
  rescue OpenSSL::PKey::EC::Point::Error
    sub.update(status: 0)
    next
  end
end

I'm now suing rescue for Webpush::Unauthorized & OpenSSL::PKey::EC::Point::Error for updating sunscriber's status.

PS: I got Webpush::Unauthorized when I inserted wrong endpoint and OpenSSL::PKey::EC::Point::Error when p256dh was wrong

I'm not sure if there are other exceptions/rescue I can add or a better way to add rescue so the loop doesn't stop and can continue in case any user data is not correct.

Any help is appreciated and thanks in advance! 🍻

I have an app on heroku and when i try to do a payload_send it fails but in my local environment it works fine.

Apparently it is because the implementation of the generate_key method of the Encryption module is no longer supported. And I get the following error: /webpush/encryption.rb:15:in generate_key!': pkeys are immutable on OpenSSL 3.0 (OpenSSL::PKey::PKeyError)

In my local environment:

irb>> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 1.1.1n 15 Mar 2022"

In production on Heroku:

irb>> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 3.0.1 14 Dec 2021"