webPush generating invalid JWT in Authorization header

[JordanJWSmith]

NOTE: Please test in a least two browsers (i.e. Chrome and Firefox). This
helps with diagnosing problems quicker.

Setup

Please provide the following details, the more info you can provide the
better.

Operating System: OS X
Node Version: v16.5.0
web-push Version: 3.4.5

Please select any browsers that you are experiencing problems with:

• [ x] Chrome
• [x ] Firefox

Please list the browsers you are have tested this, including the version
of the browser (i.e. Chrome Beta, Firefox Beta etc).

• [ x] Chrome
• [x ] Firefox

Problem

webPush is generating an invalid JWT in the Authorization header. This throws an error when connecting to the endpoint with webPush.sendNotification(). I tested the JWT object on jwt.io and it shows 'invalid signature'.

I generated a set of VAPID keys and used these to set webPush.setVapidDetails() and as the applicationServerKey during the subscribe() function. I have only used one set of VAPID keys. I also set a GCM API key with webPush.setGCMAPIKey(). The subscription object is correct with valid endpoint, p265dh and auth values.

Using webPush.generateRequestDetails() reveals the Authorization header, which contains an invalid JWT.

Chrome returns 'WebPushError: Received unexpected response code' with statusCode 403 and body ''invalid JWT provided\n'.

Firefox returns 'WebPushError: Received unexpected response code' with statusCode 401 and body '{"code": 401, "errno": 109, "error": "Unauthorized", "more_info": "http://autopush.readthedocs.io/en/latest/http.html#error-codes", "message": "Request did not validate missing authorization header: Missing Authorization Header"}'

Expected

webPush generates correct credentials and connects to the given endpoint to deliver a push notification.

Features Used

• VAPID Support
• GCM API Key
• [x ] Sending with Payload

Example / Reproduce Case

Subscription object:
{
endpoint: 'https://updates.push.services.mozilla.com/wpush/v2/gAAAAABhF878jga8_0MYNA2njtvb1o7-gZxt5wdLSN4hxXJNVe3JZ-bAA5H-Vcp5Nf6Fa7Bt9rxNMG7GGbmKF8eOLu1sak1Xxhb246zcjMp1Orr-NMPbY9ldxi36Tv2NlrMB3FUS6Hv_6x5fl5QbEkX-e68yxWGWCOvw4otUCIfC061BAZ8ovlg',
keys: {
auth: 'bm4Cscagb5dY3OWQxoN8CQ',
p256dh: 'BLy_YKVjyW7D8BkEtsyg-OYePc_F40feoO0y8qF2ddcSZOLP6fvJL-tAcwzZ5aXi2YPd783XHPUnz5nRd732bww'
}
}

webPush headers with invalid Authorization JWT (bold):
{
method: 'POST',
headers: {
TTL: 2419200,
'Content-Length': 171,
'Content-Type': 'application/octet-stream',
'Content-Encoding': 'aes128gcm',
Authorization: 'vapid t=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL2ZjbS5nb29nbGVhcGlzLmNvbSIsImV4cCI6MTYyOTE4MDkxMCwic3ViIjoibWFpbHRvOmpvcmRhbi5zbWl0aC4yMEB1Y2wuYWMudWsifQ._M1RbDubib_iy-IPWfdz6GQb0eua_zsmoyPuLWjg6p88RbMkigsfvgDiBlRSmBn9BW4xiYlgIlU5TOQiPwmjkw, k=BFuaW7LdscFd2-mN_lTvILOlijf9YzTnVcqbq4pgUVPyzOGPpOFoIS5ZyeenRvcz0jZ4ysWynvFfbgjnaDIJQK0'
},
body: <Buffer e7 3b 49 a0 00 7b 44 2d d0 ae db a5 67 5e 16 7e 00 00 10 00 41 04 ba da a2 a3 0a 5e 56 cf d5 f5 e1 72 69 d3 b3 8d fc eb fb 8a c4 8c dc 6f a3 09 51 14 ... 121 more bytes>,
endpoint: 'https://fcm.googleapis.com/fcm/send/cmvOYD_wJug:APA91bEoC0UkXyTBLJHlqWOo-3ZWhK3BWmgOROWeBumIrHpKzWR-cw4R85iqRMegMTadE6b1kKMnmnc8JqgjaiddAbzzxB11LSenVGk62oOVKuFgb-wAoSmCyDGYNUiuOVEVLZYF-gx2'

Other

Please put any remaining notes here.

[AbstractFruitFactory]

Running into this too. Any solution?

[Dxg125]

On my side it was the VAPID Key which was invalid. Double checked with https://vapidkeys.com and replaced the existing keys. It works now.

[Ross-Rawlins]

I changed my keys and I am still getting the bad JWT token issue is there something else I need to do to get it to work with ios?

[msb]

Also getting the same problem

[buffcode]

Double check your subject.

Google/Chrome seems to be forgiving, in my case is sent some.host.com as subject which worked with Chrome Desktop, but the spec requires the format https://some.host.com or mailto:user@example.com so Apple servers rejected my messages.