[bug]: [JMAP] [PushSubscription/set] issues #55
Comments
For example, the MS Graph API does not create a subscription if the push server does not return a validationToken. JMAP goes a step further by requiring a validationCode to pass through APNS/GCM, and accordingly, the client activates it on the server. This should protect the JMAP server from DDoS attacks.
Thanks for the report @zvasilev. I am currently working on the anti-spam module but I'll take a look at this issue as soon as the new version is released.
One more update. In the attached file is the response from Stalwart. You can see there are a lot of subscriptions.
This has now been fixed, thanks.
Stalwart validates the URL immediately after it is created; if you are not seeing the request, please set the debug level to
The example in the RFC is creating the entry and then updating it with the verification code. If you do not create the entry first and obtain its
Stalwart does not treat this as an error because the remote push server is only contacted once. Updating the
I've updated to version 0.4.2, and now "created" returns the full JSON object: {"created":{"1d44":{"expires":"2023-11-10T12:50:39Z","id":"a","keys":null}}}. Although the JMAP RFC doesn't explicitly state it, I think it's a good idea for the HTTP request to return a callback to the request to the push proxy server from "PushSubscription/set". If the HTTP code is 200/201, then save it and return "created". In case of an error, timeout, or HTTP error code, return "notCreated". I'm still investigating why Stalwart cannot connect to my push server.
I was able to call my push server from Stalwart by just creating a new user.
That is correct, unless the server updates a field that the client did not request to change on the set request, the right response is to return
Yes, only one request is made to the endpoint in order to prevent denial of service attacks as per RFC 8620:
What happened?
Hello Mauro,
It seems that "PushSubscription/set" is not fully implemented.
When I call it for the first time:
Stalwart returns:
It should be:
Two issues here. Stalwart should call the "app push service" via the "url" property. If it doesn't respond or returns an error, an entry in Stalwart should not be created. Instead, report that push notification creation is not possible. This way, the client can communicate with the user and fall back to fetch. It will also be easier for self-hosted users to troubleshoot.
According to my reading of the RFC, Stalwart should communicate with the Push Service, then Apple APNS/Google GCM (assuming this is the correct device-id for the given app). If each service returns okay to the caller, Stalwart will know that the client will have a verificationCode, and then it makes sense to save that entry for subsequent activation.
For the test, I called "PushSubscription/set" with an update containing only the "expires" property. The returned result was:
In my opinion, if "PushSubscription/set" with an update without "verificationCode" hasn't passed, it should return an error?
How can we reproduce the problem?
I can reproduce the problem by doing the following steps:
"PushSubscription/set" create
"PushSubscription/set" update
Version
v0.3.x
What database are you using?
SQLite
What blob storage are you using?
Local
Where is your directory located?
SQLite
What operating system are you using?
Linux
Relevant log output
No response
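An added example, not Stalwart's code and not from this issue, modelling the create-then-verify flow the thread discusses: the server generates the verification code, delivers it to the push URL exactly once (no retries, so a dead endpoint cannot be flooded), and activates the subscription only when a later update echoes the matching code. `JmapPushModel` and `RecordingTransport` are assumed names; the push endpoint is simulated in-process rather than contacted over HTTP.

```python
import json
import secrets
class RecordingTransport:
    """Constructed stand-in for the push endpoint; records the JSON it was sent."""
    def __init__(self, fail: bool = False):
        self.fail, self.received = fail, []
    def __call__(self, url: str, body: str) -> int:
        if self.fail:
            raise OSError("connection refused")
        self.received.append(json.loads(body))
        return 200

class JmapPushModel:
    """Server-side state for PushSubscription/set: create, then verify via update."""
    def __init__(self, transport):
        self._transport, self._subs, self._next_id = transport, {}, 0

    def create(self, args: dict) -> dict:
        """One 'create' entry; returns the server-set properties for 'created'."""
        self._next_id += 1
        sid = f"P{self._next_id}"
        # The code is generated server-side and never echoed back to the client;
        # the client can only learn it by receiving the push at its endpoint.
        sub = {"url": args["url"], "expires": args.get("expires", ""),
               "code": secrets.token_urlsafe(24), "verified": False}
        body = json.dumps({"@type": "PushVerification", "pushSubscriptionId": sid,
                           "verificationCode": sub["code"]})
        # Exactly one delivery attempt, never retried: a dead or slow endpoint
        # cannot turn the JMAP server into a traffic amplifier against it.
        try:
            self._transport(sub["url"], body)
        except OSError:
            pass   # created anyway, but unverified until the client proves receipt
        self._subs[sid] = sub
        return {"id": sid, "expires": sub["expires"], "keys": None}
    def update(self, sid: str, patch: dict) -> tuple:
        """One 'update' entry: (True, {}) on success, (False, SetError) otherwise."""
        sub = self._subs.get(sid)
        if sub is None:
            return False, {"type": "notFound"}
        if "verificationCode" in patch:
            if not secrets.compare_digest(patch["verificationCode"], sub["code"]):
                return False, {"type": "invalidProperties", "properties": ["verificationCode"]}
            sub["verified"] = True
        if "expires" in patch:   # an expiry-only update is accepted but does not verify
            sub["expires"] = patch["expires"]
        return True, {}
    def is_active(self, sid: str) -> bool:   # events may be delivered only once verified
        return sid in self._subs and self._subs[sid]["verified"]
```

A wrong code yields a `notUpdated` SetError rather than any hint about the real value, and a subscription whose endpoint never received the push simply stays inactive.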