If I change VAPID keys and the DB already has users registered with other keys, then are these users practically lost? #58

Closed
yourchoice opened this issue Nov 14, 2016 · 6 comments

@yourchoice
If I change the VAPID keys (generated by VAPID::createVapidKeys()) and the DB already has users registered with other keys, then are these users practically lost?

In this case I saw that the user can unregister, but push notifications do not work.

Maybe it is better to store the VAPID public and private keys somewhere and associate them with the registered users in the DB.

In this case, maybe the method $webPush->sendNotification() needs a new param to override the VAPID keys if they exist.

Is that true?

@Minishlink
Member

Hi, you should not change the VAPID keys ever. That's your identity for browser vendors. It's like forgetting your PGP keys. Thus, the createVapidKeys() function must be called only once in the lifetime of your project.

Now, if you do change the VAPID keys, the next time the user is on your website, the JavaScript API subscription will subscribe your user with the new VAPID public key that you provided, so that either the existing subscription is updated or a new subscription is created (I don't know which behavior but it ends up the same). It is true that until the user goes to your website, the browser's server will not know that your VAPID keys are changed, and thus the user won't receive notifications.

That being said, I reckon that there is still a possibility that people lose their keys, and that push notifications may be critical if it's the entry point of your website... For this use case, I'll implement an option or a setAuth method.

@yourchoice
Author

10x

@Minishlink
Member

Ok, so you can specify a custom auth for each notification with the last parameter of sendNotification:
sendNotification($endpoint, $payload = null, $userPublicKey = null, $userAuthToken = null, $flush = false, $options = array(), $auth = array())

@yourchoice
Author

I will try to keep the same VAPID keys. But maybe this is a good thing for the future, if new changes regarding auth appear and support for the old auth is needed.

10x

@collimarco
@Minishlink Your answer is incorrect. If you use different VAPID keys an error will be raised when you visit the website, but unfortunately the VAPID key is not replaced automatically. Some time ago I asked to improve the subscribe method to automatically replace the key, but nothing changed. You can read more here: w3c/push-api#291
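
The key mismatch described in the comment above can be detected client-side by reading `PushSubscription.options.applicationServerKey`. The following is an added example, not code from this thread or from the library discussed here; `ensureSubscription` and its return shape are hypothetical, and it assumes the page passes in `registration.pushManager` and the current base64url VAPID public key.

```javascript
// Added example: detect a push subscription bound to an old VAPID public key
// and replace it. Works with any object exposing the PushManager interface.

// Decode the base64url VAPID public key into bytes.
function urlBase64ToUint8Array(base64url) {
  const padded = base64url + '='.repeat((4 - (base64url.length % 4)) % 4);
  const binary = atob(padded.replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
}

// Compare the key a subscription was created with (ArrayBuffer or null)
// against the key the server currently signs with.
function subscriptionUsesKey(subscription, currentKey) {
  const raw = subscription.options && subscription.options.applicationServerKey;
  if (!raw) return false;
  const bound = new Uint8Array(raw);
  return bound.length === currentKey.length &&
    bound.every((byte, i) => byte === currentKey[i]);
}

// Returns { subscription, created, previousEndpoint } (hypothetical shape).
// When `created` is true the caller must store the new subscription on the
// server; `previousEndpoint`, if set, identifies the stale DB row to delete.
async function ensureSubscription(pushManager, vapidPublicKeyB64) {
  const currentKey = urlBase64ToUint8Array(vapidPublicKeyB64);
  const existing = await pushManager.getSubscription();
  if (existing && subscriptionUsesKey(existing, currentKey)) {
    return { subscription: existing, created: false, previousEndpoint: null };
  }
  let previousEndpoint = null;
  if (existing) {
    // subscribe() with a different key rejects while the old subscription
    // still exists, so remove the old one first.
    previousEndpoint = existing.endpoint;
    await existing.unsubscribe();
  }
  const subscription = await pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: currentKey,
  });
  return { subscription, created: true, previousEndpoint };
}
```

Run it on every page load after the service worker is ready, so that users subscribed under an old key are moved to the current one on their next visit.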

@Tejas-cloud
If you change VAPID keys, then:

  1. Go to the browser settings.
  2. Search for the notification settings.
  3. Check which sites are allowed to send notifications.
  4. Remove your site and add your site again.

So this time the browser will give you permission considering your new VAPID keys, and you can get notifications.
This must be done on the host browser.
