Re: [naviserver-devel] nswebpush & "invalid JWT provided"

2023-08-09 Thread Gustaf Neumann

Many thanks, David, for figuring this out!

The change is incorporated in the nswebpush module on Bitbucket.
Against my own rules, I've updated the just released tar file for the modules

    naviserver-4.99.27-modules.tar.gz

to include this change.

all the best!

-g

On 09.08.23 12:19, David Osborne wrote:

Thanks Gustaf - replies inline...

On Wed, 9 Aug 2023 at 10:38, Gustaf Neumann wrote:

Hi David,

We do not have nswebpush somewhere in production. Can you tell
more precisely, what "suddenly" means?

About lunchtime on 2nd Aug!

Does this mean, that you have not changed anything in your
environment, but google started to refuse it?

Yes exactly...

We've worked out what was angering Google - it was a version of this 
code in our case:

https://bitbucket.org/naviserver/nswebpush/src/1e412c76626b29a4573b595a069a8ea10feece8a/webpush-procs.tcl#lines-607

Construction of the json from the claim dict was treating "exp" as a 
string rather than numeric.
Just as an illustration, this quick hack makes the "make test" run 
cleanly in the nswebpush codebase:


    proc dictToJson {dict} {
        #
        # Serializes a Tcl dict to compact JSON.  No testing for
        # nested dicts or arrays, these will be simply added as a
        # string.  The JSON is in compact form, meaning no whitespaces
        # and newlines between keys/values.

        set pairs {}
        dict for {key value} $dict {
            regsub -all \" $key "\\\"" key
            regsub -all \" $value "\\\"" value
            if { $key eq "exp"} {
                lappend pairs [subst {"$key":$value}]
            } else {
                lappend pairs [subst {"$key":"$value"}]
            }
        }
        return "{[join $pairs ,]}"
    }




___
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel


--
Univ.Prof. Dr. Gustaf Neumann
Head of the Institute of Information Systems and New Media
of Vienna University of Economics and Business
Program Director of MSc "Information Systems"


Re: [naviserver-devel] nswebpush & "invalid JWT provided"

2023-08-09 Thread David Osborne
Thanks Gustaf - replies inline...

On Wed, 9 Aug 2023 at 10:38, Gustaf Neumann wrote:

> Hi David,
>
> We do not have nswebpush somewhere in production. Can you tell more
> precisely, what "suddenly" means?
>
About lunchtime on 2nd Aug!

> Does this mean, that you have not changed anything in your environment,
> but google started to refuse it?
>
Yes exactly...

We've worked out what was angering Google - it was a version of this code
in our case:
https://bitbucket.org/naviserver/nswebpush/src/1e412c76626b29a4573b595a069a8ea10feece8a/webpush-procs.tcl#lines-607

Construction of the json from the claim dict was treating "exp" as a string
rather than numeric.
Just as an illustration, this quick hack makes the "make test" run cleanly
in the nswebpush codebase:

    proc dictToJson {dict} {
        #
        # Serializes a Tcl dict to compact JSON.  No testing for
        # nested dicts or arrays, these will be simply added as a
        # string.  The JSON is in compact form, meaning no whitespaces
        # and newlines between keys/values.

        set pairs {}
        dict for {key value} $dict {
            regsub -all \" $key "\\\"" key
            regsub -all \" $value "\\\"" value
            if { $key eq "exp"} {
                lappend pairs [subst {"$key":$value}]
            } else {
                lappend pairs [subst {"$key":"$value"}]
            }
        }
        return "{[join $pairs ,]}"
    }


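An added example, not part of the thread or of the nswebpush code base: a check that decodes a token's payload and reports NumericDate claims serialized as JSON strings, the defect described in the message above (RFC 7519 defines "exp", "nbf" and "iat" as JSON numbers). It goes beyond the thread by covering all three claims; the function names and the sample claim values are constructed for illustration.

```python
import base64
import json

# Registered claims that RFC 7519 defines as NumericDate (a JSON number).
NUMERIC_DATE_CLAIMS = ("exp", "nbf", "iat")

def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def numeric_date_problems(token: str) -> list:
    """List NumericDate claims in the payload that are not JSON numbers.

    The signature is NOT verified: this is a serialization check for
    tokens you issue yourself, not an authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS: expected 3 dot-separated segments"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as err:  # bad base64url, bad UTF-8 or bad JSON
        return [f"payload does not decode to JSON: {err}"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    for name in NUMERIC_DATE_CLAIMS:
        value = claims.get(name, 0)  # absent claims are not checked here
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name}: expected number, got {type(value).__name__}")
    return problems

def make_token(payload_json: str) -> str:
    """Constructed sample token: dummy signature, never valid anywhere."""
    header = b64url(b'{"typ":"JWT","alg":"ES256"}')
    return ".".join([header, b64url(payload_json.encode()), b64url(b"sig")])

# Constructed payloads mirroring the two branches of the dictToJson hack.
CLAIMS = '{"aud":"https://push.example.org","exp":%s,"sub":"mailto:ops@example.org"}'
BAD = make_token(CLAIMS % '"1691582400"')   # exp quoted: a JSON string
GOOD = make_token(CLAIMS % "1691582400")    # exp bare: a JSON number

if __name__ == "__main__":
    print("string exp:", numeric_date_problems(BAD))
    print("numeric exp:", numeric_date_problems(GOOD))
```

Running the same check over tokens in a module's test suite catches this kind of serialization drift before a push service starts enforcing the claim type.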


Re: [naviserver-devel] nswebpush & "invalid JWT provided"

2023-08-09 Thread Georg Lehner

Hello,

Google changed from JWT to OAuth for the FCM HTTP v1 API

https://firebase.google.com/docs/cloud-messaging/auth-server?hl=en

Have you upgraded from legacy to v1?

Best Regards,

  Georg

On 8/9/23 11:37, Gustaf Neumann wrote:


Hi David,

We do not have nswebpush somewhere in production. Can you tell more 
precisely, what "suddenly" means?
Does this mean, that you have not changed anything in your 
environment, but google started to refuse it?


The implementation in nswebpush uses for JWT the algorithm ES256 
(based on elliptic curves), which seems not supported by google cloud 
endpoints, whereas [2] uses ES256, there is as well support in 
firebase/php-jwt [3]. Not sure, where to start to look for helping you.


-g

[1] https://cloud.google.com/endpoints/docs/frameworks/python/troubleshoot-jwt?hl=en
[2] https://cloud.google.com/iap/docs/signed-headers-howto?hl=en#securing_iap_headers
[3] https://github.com/firebase/php-jwt/blob/main/src/JWT.php

On 08.08.23 17:32, David Osborne wrote:

Hi there,

We have a chat implementation based on the Naviserver nswebpush 
module which recently stopped working with Google endpoints (eg. 
https://fcm.googleapis.com/fcm/send...).

Suddenly it's complaining about invalid JWTs.

We went back to reference the nswebpush code.
https://bitbucket.org/naviserver/nswebpush/src/main/
We installed it on a clean Debian Bullseye server with 
latest Naviserver from bitbucket.


When we ran the "make test" we also get a 403 from Google... more 
specifically, the reply was:
Webpush failed with reply status 403 time 0:88018 headers d8 body 
{invalid JWT provided } https {sslversion TLSv1.3 cipher 
TLS_AES_256_GCM_SHA384}


Is anyone else experiencing this or can make any suggestions as to 
what has changed?


--

*David*






[naviserver-devel] NaviServer 4.99.27 available

2023-08-09 Thread Gustaf Neumann

Dear all,

I am glad to announce that the release of NaviServer 4.99.27 is 
available at SourceForge [1].  This release is a pure bug-fix and 
maintenance release, which fixes a bug annoying for some OpenACS users.

See below for a summary of the changes.

Furthermore, the online documentation at sourceforge

https://naviserver.sourceforge.io/n/toc.html

is now more mobile-friendly and contains a simple version switcher for the
stable release branch (4.99) and the main branch, which will be released 
as 5.0.


All the best!

-gustaf neumann

[1] https://sourceforge.net/projects/naviserver/files/naviserver/4.99.27/

=======================================
NaviServer 4.99.27, released 2023-08-09
=======================================

 46 files changed, 739 insertions(+), 172 deletions(-)

New Features:
-------------
 - None

Bug Fixes:
----------

 - Bug fix: fixed potential crash when fallbackCharset is not defined
   in the configuration file (using outdated configuration)

 - Bug fix for fastpath in connection with "ns_serverrootproc"

   Earlier versions of NaviServer initialized for fastpath the
   interpreter with the connection conditionally, and rather late.
   When "ns_serverrootproc" is configured, the interpreter with its
   linkage to the connection is needed very early in the request.  Now
   it is ensured, that the interpreter is registered for the
   connection when the callback is issued.

   NaviServer 5 will have more changes in this respect.

   Many thanks to Georg Lehner for reporting this bug and testing.

 - Fixed various spelling errors in source code and documentation

 - Documentation:
     * fixed documentation bugs
     * modernized examples

 - Ease debugging, how values for "ns_conn location" are determined

Configuration Files:
--------------------

 - Added sample section for charset mapping to sample-config.tcl

Modules:
--------

The following list contains just bug fixes, new features will
be documented with NaviServer 5.0.

 - nsdbpg:
     * Fixed potential crash in Tcl, when Database contains UTF-8
       characters invalid to Tcl 8.6. Crash was observed in
       "string tolower $var".
     * Fixed potential crash, when bind variables are passed via
       explicit "-bind" option, but variable binding was missing

 - nsoracle:
     * Reduced verbosity: For debug messages of the driver
       implementation, use again "Debug" severity to avoid too much
       verbosity, when looking for slow queries ("Debug(sql)" severity
       of nsdb).



Re: [naviserver-devel] nswebpush & "invalid JWT provided"

2023-08-09 Thread Gustaf Neumann

Hi David,

We do not have nswebpush somewhere in production. Can you tell more 
precisely, what "suddenly" means?
Does this mean, that you have not changed anything in your environment, 
but google started to refuse it?


The implementation in nswebpush uses for JWT the algorithm ES256 (based 
on elliptic curves), which seems not supported by google cloud 
endpoints, whereas [2] uses ES256, there is as well support in 
firebase/php-jwt [3]. Not sure, where to start to look for helping you.


-g

[1] https://cloud.google.com/endpoints/docs/frameworks/python/troubleshoot-jwt?hl=en
[2] https://cloud.google.com/iap/docs/signed-headers-howto?hl=en#securing_iap_headers
[3] https://github.com/firebase/php-jwt/blob/main/src/JWT.php

On 08.08.23 17:32, David Osborne wrote:

Hi there,

We have a chat implementation based on the Naviserver nswebpush module 
which recently stopped working with Google endpoints (eg. 
https://fcm.googleapis.com/fcm/send...).

Suddenly it's complaining about invalid JWTs.

We went back to reference the nswebpush code.
https://bitbucket.org/naviserver/nswebpush/src/main/
We installed it on a clean Debian Bullseye server with 
latest Naviserver from bitbucket.


When we ran the "make test" we also get a 403 from Google... more 
specifically, the reply was:
Webpush failed with reply status 403 time 0:88018 headers d8 body 
{invalid JWT provided } https {sslversion TLSv1.3 cipher 
TLS_AES_256_GCM_SHA384}


Is anyone else experiencing this or can make any suggestions as to 
what has changed?


--

*David*