RubyGems - web-push - Versions diffs - 3.0.0 → 3.0.2 - Mend

web-push 3.0.0 → 3.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +3 -3
data/LICENSE +1 -1
data/README.md +12 -4
data/lib/web_push/encryption.rb +4 -3
data/lib/web_push/version.rb +1 -1
data/lib/web_push.rb +0 -5
data/spec/spec_helper.rb +5 -2
data/spec/web_push/encryption_spec.rb +3 -3
data/spec/web_push_spec.rb +12 -0
data/web-push.gemspec +1 -2
metadata +5 -19

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c8a683629bc333d1f987fc867dd05b4d0af39179e94cc8dc7c9742dbaddd4c45
-  data.tar.gz: 1c86dcbfcbec2791df28c45c2dff656ca8385b5a3fb75d900fb731e7472887f9
+  metadata.gz: 6a90ad96aa12a10002ba31de9ac2b082abcce714bcb3e7b54e97d702cfd12af0
+  data.tar.gz: c04841ffa17ba33182087413b2b6a266ca08f0370510392df635dc040be6f34c
 SHA512:
-  metadata.gz: 8e33057f0c869ea54dd952f5b937fe6ca01c49a7d82549a7563fd4b148a315eba627d791f5c39d844834b2418466b21f7c58ae382c310fdc339b1560be508234
-  data.tar.gz: 813fc19fb5939a5318409ac30651d31050d22e006213305e549899b109cde83ddcc3dfac17a7d1c1abc016ebc6dbb3235f17fd049eff96738be4e2832be55917
+  metadata.gz: c6d24148fb7b252602028ba38200a3b8d156ece2f5b4fafefdaeae61e8c78718fb8e9d70f58dac356d96e7a455007f0a6d5d422062321fe600ee7783b08d6dde
+  data.tar.gz: 451223df83c431f13ed1da1abb3c074c03e57674180f37bd81abc5156309a8e5582380839bbcb5ba3ec23301ae0b7165083ffa15078b788714f09e6eeea92e6f

data/.github/workflows/ci.yml CHANGED Viewed

@@ -9,11 +9,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04, ubuntu-22.04]
-        ruby-version: ['3.0', '3.1', '3.2']
+        os: [ubuntu-22.04, ubuntu-24.04]
+        ruby-version: ['3.0', '3.1', '3.2', '3.3', '3.4']
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/LICENSE CHANGED Viewed

@@ -1,5 +1,5 @@
 Copyright (c) 2016 Hiroyuki Sakuraba
-Copyright (c) 2022 Marco Colli, Pushpad (https://pushpad.xyz)
+Copyright (c) 2022-2025 Marco Colli, Pushpad (https://pushpad.xyz)
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md CHANGED Viewed

@@ -5,6 +5,8 @@
 This gem makes it possible to send push messages to web browsers from Ruby backends using the [Web Push Protocol](https://datatracker.ietf.org/doc/html/rfc8030). It supports [Message Encryption for Web Push](https://datatracker.ietf.org/doc/html/rfc8291) and [VAPID](https://datatracker.ietf.org/doc/html/rfc8292).
+**Note**: This is an open source gem for Web Push. If you want to send web push notifications from Ruby using Pushpad, you need to use another gem ([pushpad gem](https://github.com/pushpad/pushpad-ruby)).
 ## Installation
 Add this line to the Gemfile:
@@ -53,10 +55,16 @@ navigator.serviceWorker.register('/service-worker.js')
 ### Subscribing to push notifications
-The VAPID public key you generated earlier is made available to the client as a `UInt8Array`. To do this, one way would be to expose the urlsafe-decoded bytes from Ruby to JavaScript when rendering the HTML template.
+The VAPID public key that you generated earlier needs to be made available to JavaScript, which can be done in many ways, for example with a fetch request or when rendering the HTML template in Ruby:
-```javascript
-window.vapidPublicKey = new Uint8Array(<%= Base64.urlsafe_decode64(ENV['VAPID_PUBLIC_KEY']).bytes %>);
+```erb
+<script>
+// Make the VAPID public key available to the client as a Uint8Array
+window.vapidPublicKey = new Uint8Array(<%= Base64.urlsafe_decode64(ENV['VAPID_PUBLIC_KEY']).bytes %>)
+// Or you can pass it as a string if you prefer
+window.vapidPublicKey = "<%= ENV['VAPID_PUBLIC_KEY'].delete('=') %>"
+</script>
 ```
 Your JavaScript code uses the `pushManager` interface to subscribe to push notifications, passing the VAPID public key to the subscription settings.
@@ -178,7 +186,7 @@ WebPush.payload_send(
   p256dh: "BO/aG9nYXNkZmFkc2ZmZHNmYWRzZmFl...",
   auth: "aW1hcmthcmFpa3V6ZQ==",
   vapid: {
-    subject: "mailto:sender@example.com"
+    subject: "mailto:sender@example.com",
     pem: ENV['VAPID_KEYS']
   }
 )

data/lib/web_push/encryption.rb CHANGED Viewed

@@ -8,6 +8,7 @@ module WebPush
       assert_arguments(message, p256dh, auth)
       group_name = 'prime256v1'
+      hash = 'SHA256'
       salt = Random.new.bytes(16)
       server = OpenSSL::PKey::EC.generate(group_name)
@@ -25,11 +26,11 @@ module WebPush
       content_encryption_key_info = "Content-Encoding: aes128gcm\0"
       nonce_info = "Content-Encoding: nonce\0"
-      prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: info).read(32)
+      prk = OpenSSL::KDF.hkdf(shared_secret, salt: client_auth_token, info: info, hash: hash, length: 32)
-      content_encryption_key = HKDF.new(prk, salt: salt, info: content_encryption_key_info).read(16)
+      content_encryption_key = OpenSSL::KDF.hkdf(prk, salt: salt, info: content_encryption_key_info, hash: hash, length: 16)
-      nonce = HKDF.new(prk, salt: salt, info: nonce_info).read(12)
+      nonce = OpenSSL::KDF.hkdf(prk, salt: salt, info: nonce_info, hash: hash, length: 12)
       ciphertext = encrypt_payload(message, content_encryption_key, nonce)

data/lib/web_push/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module WebPush
-  VERSION = '3.0.0'.freeze
+  VERSION = '3.0.2'.freeze
 end

data/lib/web_push.rb CHANGED Viewed

@@ -2,7 +2,6 @@
 require 'openssl'
 require 'base64'
-require 'hkdf'
 require 'jwt'
 require 'uri'
 require 'net/http'
@@ -57,10 +56,6 @@ module WebPush
     end
     def decode64(str)
-      # For Ruby < 2.3, Base64.urlsafe_decode64 strict decodes and will raise errors if encoded value is not properly padded
-      # Implementation: http://ruby-doc.org/stdlib-2.3.0/libdoc/base64/rdoc/Base64.html#method-i-urlsafe_decode64
-      str = str.ljust((str.length + 3) & ~3, '=') if !str.end_with?('=') && str.length % 4 != 0
       Base64.urlsafe_decode64(str)
     end

data/spec/spec_helper.rb CHANGED Viewed

@@ -1,9 +1,12 @@
+require 'simplecov'
+SimpleCov.start do
+  add_filter '/spec/'
+end
 require 'web_push'
 require 'webmock/rspec'
-require 'simplecov'
 WebMock.disable_net_connect!(allow_localhost: true)
-SimpleCov.start
 def vapid_options
   {

data/spec/web_push/encryption_spec.rb CHANGED Viewed

@@ -65,10 +65,10 @@ describe WebPush::Encryption do
       content_encryption_key_info = "Content-Encoding: aes128gcm\0"
       nonce_info = "Content-Encoding: nonce\0"
-      prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: info).read(32)
+      prk = OpenSSL::KDF.hkdf(shared_secret, salt: client_auth_token, info: info, hash: 'SHA256', length: 32)
-      content_encryption_key = HKDF.new(prk, salt: salt, info: content_encryption_key_info).read(16)
-      nonce = HKDF.new(prk, salt: salt, info: nonce_info).read(12)
+      content_encryption_key = OpenSSL::KDF.hkdf(prk, salt: salt, info: content_encryption_key_info, hash: 'SHA256', length: 16)
+      nonce = OpenSSL::KDF.hkdf(prk, salt: salt, info: nonce_info, hash: 'SHA256', length: 12)
       decrypt_ciphertext(ciphertext, content_encryption_key, nonce)
     end

data/spec/web_push_spec.rb CHANGED Viewed

@@ -5,6 +5,18 @@ describe WebPush do
     expect(WebPush::VERSION).not_to be nil
   end
+  describe '.decode64' do
+    let(:a_padded_key) { "YWJjZGU=" }
+    it 'urlsafe decodes padded base64 string' do
+      expect(WebPush.decode64(a_padded_key)).to eq("abcde")
+    end
+    it 'urlsafe decodes unpadded base64 string' do
+      expect(WebPush.decode64(a_padded_key.delete("="))).to eq("abcde")
+    end
+  end
   shared_examples 'web push protocol standard error handling' do
     it 'raises InvalidSubscription if the API returns a 404 Error' do
       stub_request(:post, expected_endpoint)

data/web-push.gemspec CHANGED Viewed

@@ -14,8 +14,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 3.0'
-  spec.add_dependency 'hkdf', '~> 1.0'
-  spec.add_dependency 'jwt', '~> 2.0'
+  spec.add_dependency 'jwt', '~> 3.0'
   spec.add_dependency 'openssl', '~> 3.0'
   spec.add_development_dependency 'rspec', '~> 3.0'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: web-push
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.2
 platform: ruby
 authors:
 - zaru
@@ -9,36 +9,22 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-05 00:00:00.000000000 Z
+date: 2025-06-29 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: hkdf
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
@@ -139,7 +125,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Web Push library for Ruby (RFC8030)