1
0
Fork 0
mirror of https://github.com/imjasonh/webpush synced 2026-07-06 23:52:25 +00:00

Use SHA-256 hash for key ID to prevent collisions

Co-authored-by: imjasonh <210737+imjasonh@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2025-11-27 21:35:52 +00:00
parent ddf38bc4ba
commit d30c4b1906

View file

@ -10,8 +10,10 @@ package main
import (
"context"
"crypto/sha256"
"embed"
"encoding/base64"
"encoding/hex"
"encoding/json"
"io/fs"
"net/http"
@ -174,11 +176,14 @@ func isGone(err error) bool {
func handleVAPIDPublicKey(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
publicKeyB64 := base64.RawURLEncoding.EncodeToString(signer.PublicKey())
// Use SHA-256 hash of the public key for a collision-resistant key ID
hash := sha256.Sum256(signer.PublicKey())
keyId := hex.EncodeToString(hash[:])[:16]
json.NewEncoder(w).Encode(map[string]string{
"publicKey": publicKeyB64,
// Include a truncated key ID that clients can use to detect key rotation
// Include a key ID that clients can use to detect key rotation
// When this changes, clients know they need to resubscribe
"keyId": publicKeyB64[:16],
"keyId": keyId,
})
}