FIX: Push notifications could fail with UnauthorizedRegistration

The webpush gem by default sets the expiration date of the JWT token to exactly 24 hours in the future. That's not really needed because the token isn't reused. And it might cause UnauthorizedRegistration if the server's clock isn't 100% correct, because the maximum allowed value is 24 hours.
2025-06-07 09:14:48 +08:00 · 2019-02-15 21:11:44 +01:00
parent 17f1a76570
commit b0862bd15d
1 changed files with 4 additions and 1 deletions
--- a/app/services/push_notification_pusher.rb
+++ b/app/services/push_notification_pusher.rb
@ -1,6 +1,8 @@
 require_dependency 'webpush'

 class PushNotificationPusher
+  TOKEN_VALID_FOR_SECONDS ||= 5 * 60
+
  def self.push(user, payload)
    message = {
      title: I18n.t(
@ -82,7 +84,8 @@ class PushNotificationPusher
        vapid: {
          subject: Discourse.base_url,
          public_key: SiteSetting.vapid_public_key,
-          private_key: SiteSetting.vapid_private_key
+          private_key: SiteSetting.vapid_private_key,
+          expiration: TOKEN_VALID_FOR_SECONDS
        }
      )
    rescue Webpush::ExpiredSubscription