bug: Do not double-check VAPID aud #772
Conversation
We were currently double-checking the VAPID aud via some legacy code which may produce invalid results if the declared `vapid_aud` setting and the `endpoint_url` did not match. Closes: #770
|
|
||
| let domain = &settings.endpoint_url(); | ||
|
|
||
| if domain != &aud { |
There was a problem hiding this comment.
I gather jsonwebtoken will now do an equivalent check against our settings.vapid_aud (via validation.set_audience()) -- however I don't see us assigning this new AUTOEND__VAPID_AUD setting anywhere, which I think means it's defaulting to incorrect values (not settings.endpoint_url()).
Do we even need settings.vapid_aud -- might we always set something along the lines of validation.set_audience(&[settings.endpoint_url()]) instead?
There was a problem hiding this comment.
and prod's basically endpoint_url() for reference here
There was a problem hiding this comment.
I think the original check we did would be a little more lax with trailing /, since it compared Urls? But that doesn't matter, especially if we already have the jsonwebtoken's validation already occurring on prod (I can't remember if that's the case). Just noting it in case we see more validation errors e.g.
We were currently double-checking the VAPID aud via some legacy code which may produce invalid results if the declared
vapid_audsetting and theendpoint_urldid not match.Closes: #770