Re: [naviserver-devel] nswebpush & "invalid JWT provided"
Many thanks, David, for figuring this out!

The change is incorporated in the nswebpush module on Bitbucket. Against my own rules, I've updated the just released tar file for the modules naviserver-4.99.27-modules.tar.gz to include this change.

all the best!
-g

On 09.08.23 12:19, David Osborne wrote:
> Thanks Gustaf - replies inline...
>
> On Wed, 9 Aug 2023 at 10:38, Gustaf Neumann wrote:
>
> > Hi David,
> >
> > We do not have nswebpush somewhere in production. Can you tell more precisely, what "suddenly" means?
>
> About lunchtime on 2nd Aug!
>
> > Does this mean, that you have not changed anything in your environment, but google started to refuse it?
>
> Yes exactly...
>
> We've worked out what was angering Google - it was a version of this code in our case:
> https://bitbucket.org/naviserver/nswebpush/src/1e412c76626b29a4573b595a069a8ea10feece8a/webpush-procs.tcl#lines-607
>
> Construction of the json from the claim dict was treating "exp" as a string rather than numeric.
>
> Just as an illustration, this quick hack makes the "make test" run cleanly in the nswebpush codebase:
>
>     proc dictToJson {dict} {
>         #
>         # Serializes a Tcl dict to compact JSON. No testing for
>         # nested dicts or arrays, these will be simply added as a
>         # string the JSON is in compact form, meaning no whitespaces
>         # and newlines between keys/values.
>         set pairs {}
>         dict for {key value} $dict {
>             regsub -all \" $key "\\\"" key
>             regsub -all \" $value "\\\"" value
>             if { $key eq "exp"} {
>                 lappend pairs [subst {"$key":$value}]
>             } else {
>                 lappend pairs [subst {"$key":"$value"}]
>             }
>         }
>         return "{[join $pairs ,]}"
>     }

--
Univ.Prof. Dr. Gustaf Neumann
Head of the Institute of Information Systems and New Media
of Vienna University of Economics and Business
Program Director of MSc "Information Systems"

___
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
Re: [naviserver-devel] nswebpush & "invalid JWT provided"
Thanks Gustaf - replies inline...

On Wed, 9 Aug 2023 at 10:38, Gustaf Neumann wrote:

> Hi David,
>
> We do not have nswebpush somewhere in production. Can you tell more precisely, what "suddenly" means?

About lunchtime on 2nd Aug!

> Does this mean, that you have not changed anything in your environment, but google started to refuse it?

Yes exactly...

We've worked out what was angering Google - it was a version of this code in our case:
https://bitbucket.org/naviserver/nswebpush/src/1e412c76626b29a4573b595a069a8ea10feece8a/webpush-procs.tcl#lines-607

Construction of the json from the claim dict was treating "exp" as a string rather than numeric.

Just as an illustration, this quick hack makes the "make test" run cleanly in the nswebpush codebase:

    proc dictToJson {dict} {
        #
        # Serializes a Tcl dict to compact JSON. No testing for
        # nested dicts or arrays, these will be simply added as a
        # string the JSON is in compact form, meaning no whitespaces
        # and newlines between keys/values.
        set pairs {}
        dict for {key value} $dict {
            regsub -all \" $key "\\\"" key
            regsub -all \" $value "\\\"" value
            if { $key eq "exp"} {
                lappend pairs [subst {"$key":$value}]
            } else {
                lappend pairs [subst {"$key":"$value"}]
            }
        }
        return "{[join $pairs ,]}"
    }
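Added example, not part of the original messages and not nswebpush code: RFC 7519 defines "exp", "nbf" and "iat" as NumericDate values (JSON numbers), so this sketch generalizes the quick hack above to all three, validates the value before emitting it unquoted, and adds a check that decodes a token's payload and reports NumericDate claims serialized as strings. The proc names (jsonString, jwtClaimsToJson, jwtQuotedNumericClaims, b64url), the aud/sub values and the signature placeholder are constructed for illustration; it assumes plain Tcl 8.6 and ASCII claim values.

```tcl
# Added example, not nswebpush code; proc names and sample values are constructed.
set numericClaims {exp nbf iat}   ;# RFC 7519 NumericDate claims

proc jsonString {s} {
    # Escape backslash, double quote and common control characters.
    set s [string map [list \\ \\\\ \" \\\" \n \\n \r \\r \t \\t] $s]
    return "\"$s\""
}
proc jwtClaimsToJson {claims} {
    # Serialize a flat claim dict; NumericDate claims become JSON numbers.
    set pairs {}
    dict for {key value} $claims {
        if {$key in $::numericClaims} {
            # Integer seconds only; refuse anything else rather than emit it unquoted.
            if {![regexp {^(0|[1-9][0-9]*)$} $value]} {
                error "claim $key must be integer seconds, got: $value"
            }
            lappend pairs "[jsonString $key]:$value"
        } else {
            lappend pairs "[jsonString $key]:[jsonString $value]"
        }
    }
    return "{[join $pairs ,]}"
}
proc jwtQuotedNumericClaims {jwt} {
    # Decode the payload (second segment, unpadded base64url) and list the
    # NumericDate claims that were serialized as JSON strings (regexp heuristic).
    set seg [string map {- + _ /} [lindex [split $jwt .] 1]]
    append seg [string repeat = [expr {(4 - [string length $seg] % 4) % 4}]]
    set payload [binary decode base64 $seg]
    set bad {}
    foreach claim $::numericClaims {
        if {[regexp "\"$claim\"\\s*:\\s*\"" $payload]} {lappend bad $claim}
    }
    return $bad
}
proc b64url {data} {
    return [string map {+ - / _ = {}} [binary encode base64 $data]]
}

# Constructed sample: the payload as the thread describes it, then the corrected one.
set exp [expr {[clock seconds] + 3600}]
set good [jwtClaimsToJson [dict create aud https://push.example.com exp $exp sub mailto:ops@example.com]]
set faulty [string map [list ":$exp" ":\"$exp\""] $good]
set header {{"typ":"JWT","alg":"ES256"}}
foreach payload [list $faulty $good] {
    set jwt "[b64url $header].[b64url $payload].constructed-signature"
    puts "$payload -> quoted NumericDate claims: [jwtQuotedNumericClaims $jwt]"
}
```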
Re: [naviserver-devel] nswebpush & "invalid JWT provided"
Hello,

Google changed from JWT to OAuth for the FCM HTTP v1 API
https://firebase.google.com/docs/cloud-messaging/auth-server?hl=en

Have you upgraded from legacy to v1?

Best Regards,
Georg

On 8/9/23 11:37, Gustaf Neumann wrote:
> Hi David,
>
> We do not have nswebpush somewhere in production. Can you tell more precisely, what "suddenly" means?
>
> Does this mean, that you have not changed anything in your environment, but google started to refuse it?
>
> The implementation in nswebpush uses for JWT the algorithm ES256 (based on elliptic curves), which seems not supported by google cloud endpoints, whereas [2] uses ES256, there is as well support in firebase/php-jwt [3].
>
> Not sure, where to start to look for helping you.
>
> -g
>
> [1] https://cloud.google.com/endpoints/docs/frameworks/python/troubleshoot-jwt?hl=en
> [2] https://cloud.google.com/iap/docs/signed-headers-howto?hl=en#securing_iap_headers
> [3] https://github.com/firebase/php-jwt/blob/main/src/JWT.php
>
> On 08.08.23 17:32, David Osborne wrote:
> > Hi there,
> >
> > We have a chat implementation based on the Naviserver nswebpush module which recently stopped working with Google endpoints (eg. https://fcm.googleapis.com/fcm/send...).
> >
> > Suddenly it's complaining about invalid JWTs.
> >
> > We went back to reference the nswebpush code.
> > https://bitbucket.org/naviserver/nswebpush/src/main/
> >
> > We installed it on a clean Debian Bullseye server with latest Naviserver from bitbucket.
> >
> > When we ran the "make test" we also get a 403 from Google... more specifically, the reply was:
> >
> >     Webpush failed with reply status 403 time 0:88018 headers d8 body {invalid JWT provided } https {sslversion TLSv1.3 cipher TLS_AES_256_GCM_SHA384}
> >
> > Is anyone else experiencing this or can make any suggestions as to what has changed?
> >
> > --
> > *David *
[naviserver-devel] NaviServer 4.99.27 available
Dear all,

I am glad to announce that the release of NaviServer 4.99.27 is available at SourceForge [1]. This release is a pure bug-fix and maintenance release, which fixes a bug annoying for some OpenACS users. See below for a summary of the changes.

Furthermore, the online documentation at sourceforge

    https://naviserver.sourceforge.io/n/toc.html

is now more mobile-friendly and contains a simple version switcher for the stable release branch (4.99) and the main branch, which will be released as 5.0.

All the best!
-gustaf neumann

[1] https://sourceforge.net/projects/naviserver/files/naviserver/4.99.27/

=== NaviServer 4.99.27, released 2023-08-09 ===

46 files changed, 739 insertions(+), 172 deletions(-)

New Features:

- None

Bug Fixes:

- Bug fix: fixed potential crash when fallbackCharset is not defined in the configuration file (using outdated configuration)

- Bug fix for fastpath in connection with "ns_serverrootproc"

  Earlier versions of NaviServer initialized for fastpath the interpreter with the connection conditionally, and rather late. When "ns_serverrootproc" is configured, the interpreter with its linkage to the connection is needed very early in the request. Now it is ensured, that the interpreter is registered for the connection when the callback is issued. NaviServer 5 will have more changes in this respect.

  Many thanks to Georg Lehner for reporting this bug and testing.

- Fixed various spelling errors in source code and documentation

- Documentation:
  * fixed documentation bugs
  * modernized examples

- Ease debugging, how values for "ns_conn location" are determined

Configuration Files:

- Added sample section for charset mapping to sample-config.tcl

Modules:

The following list contains just bug fixes, new features will be documented with NaviServer 5.0.

- nsdbpg:
  * Fixed potential crash in Tcl, when Database contains UTF-8 characters invalid to Tcl 8.6. Crash was observed in "string tolower $var".
  * Fixed potential crash, when bind variables are passed via explicit "-bind" option, but variable binding was missing

- nsoracle:
  * Reduced verbosity: For debug messages of the driver implementation, use again "Debug" severity to avoid too much verbosity, when looking for slow queries ("Debug(sql)" severity of nsdb).
Re: [naviserver-devel] nswebpush & "invalid JWT provided"
Hi David,

We do not have nswebpush somewhere in production. Can you tell more precisely, what "suddenly" means?

Does this mean, that you have not changed anything in your environment, but google started to refuse it?

The implementation in nswebpush uses for JWT the algorithm ES256 (based on elliptic curves), which seems not supported by google cloud endpoints, whereas [2] uses ES256, there is as well support in firebase/php-jwt [3].

Not sure, where to start to look for helping you.

-g

[1] https://cloud.google.com/endpoints/docs/frameworks/python/troubleshoot-jwt?hl=en
[2] https://cloud.google.com/iap/docs/signed-headers-howto?hl=en#securing_iap_headers
[3] https://github.com/firebase/php-jwt/blob/main/src/JWT.php

On 08.08.23 17:32, David Osborne wrote:
> Hi there,
>
> We have a chat implementation based on the Naviserver nswebpush module which recently stopped working with Google endpoints (eg. https://fcm.googleapis.com/fcm/send...).
>
> Suddenly it's complaining about invalid JWTs.
>
> We went back to reference the nswebpush code.
> https://bitbucket.org/naviserver/nswebpush/src/main/
>
> We installed it on a clean Debian Bullseye server with latest Naviserver from bitbucket.
>
> When we ran the "make test" we also get a 403 from Google... more specifically, the reply was:
>
>     Webpush failed with reply status 403 time 0:88018 headers d8 body {invalid JWT provided } https {sslversion TLSv1.3 cipher TLS_AES_256_GCM_SHA384}
>
> Is anyone else experiencing this or can make any suggestions as to what has changed?
>
> --
> *David *