diff options
| author | Owen Jacobson <owen@grimoire.ca> | 2025-10-24 19:10:29 -0400 |
|---|---|---|
| committer | Owen Jacobson <owen@grimoire.ca> | 2025-11-06 18:59:15 -0500 |
| commit | 1f44cd930cdff94bb8cf04f645a5b035507438d9 (patch) | |
| tree | 0f572a68498c156df4b3a8b0d669c3786c38888d /docs/api/basics.md | |
| parent | e2a851f68aacd74a248e925ab334c3cf9eabba18 (diff) | |
Add an endpoint for creating push subscriptions.
The semantics of this endpoint are somewhat complex, and are incompletely captured in the associated docs change. For posterity, the intended workflow is:
1. Obtain Pilcrow's current VAPID key by connecting (it's in the events, either from boot or from the event stream).
2. Use the browser push APIs to create a push subscription, using that VAPID key.
3. Send Pilcrow the push subscription endpoint and keys, plus the VAPID key the client used to create it so that the server can detect race conditions with key rotation.
4. Wait for messages to arrive.
This commit does not introduce any actual messages, just subscription management endpoints.
When the server's VAPID key is rotated, all existing subscriptions are discarded. Without the VAPID key, the server cannot service those subscriptions. We can't exactly notify the broker to stop processing messages on those subscriptions, so this is an incomplete solution to what to do if the key is being rotated due to a compromise, but it's better than nothing.
The shape of the API endpoint is heavily informed by the [JSON payload][web-push-json] provided by browser Web Push implementations, to ease client development in a browser-based context. The idea is that a client can take that JSON and send it to the server verbatim, without needing to transform it in any way, to submit the subscription to the server for use.
[web-push-json]: https://developer.mozilla.org/en-US/docs/Web/API/PushSubscription/toJSON
Push subscriptions are operationally associated with a specific _user agent_, and have no inherent relationship with a Pilcrow login or token (session). Taken as-is, a subscription created by user A could be reused by user B if they share a user agent, even if user A logs out before user B logs in. Pilcrow therefore _logically_ associates push subscriptions with specific tokens, and abandons those subscriptions when the token is invalidated by
* logging out,
* expiry, or
* changing passwords.
(There are no other token invalidation workflows at this time.)
Stored subscriptions are also abandoned when the server's VAPID key changes.
Diffstat (limited to 'docs/api/basics.md')
| -rw-r--r-- | docs/api/basics.md | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/docs/api/basics.md b/docs/api/basics.md index ab39570..180880e 100644 --- a/docs/api/basics.md +++ b/docs/api/basics.md @@ -49,3 +49,5 @@ In addition to the documented status codes for each endpoint, any endpoint may r ## Errors When the server returns an error (any response whose status code is 400 or greater), the response body is freeform text (specifically, `text/plain`), which may be shown to the user, logged, or otherwise handled. Programmatic action should rely on the documented status codes, and not on the response body. + +A small number of endpoints deliver errors in other formats. These exceptions are documented with the endpoints they're relevant to. |