feat(amsg): single-user Worker exposes a VAPID public key endpoint for cross-origin front-end subscription #16
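The single-user Worker adds GET /vapid-public-key, which returns this worker's own VAPID_PUBLIC_KEY for the front end to use as applicationServerKey when creating a Web Push subscription. Each separately deployed worker has its own VAPID keys; the public key is fetched from the worker at runtime and is not compiled into the front end.

When VAPID is not configured it returns 503 VAPID_NOT_CONFIGURED. Auth and CORS follow the same path as the other endpoints: when serverToken is configured, X-Client-Token is required, and the OPTIONS preflight allow-headers include X-Client-Token.

The client adds ReiClient.getVapidPublicKey(), which GETs the endpoint, reuses _withServerToken to attach the token, and returns the public key string.

A regression test asserts that the endpoint's return value == the public key actually used to sign scheduled pushes (the two are read from two independent fields, cfg.vapid and cfg.webpush; pinning them equal guards against a future misconfiguration causing push 403s).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011i899noy7xuyaVcJwPq7R1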
Code Review
This pull request introduces a new GET /vapid-public-key endpoint to the single-user worker (amsg-server) and a corresponding getVapidPublicKey() method to the client (amsg-client). This allows the frontend to dynamically fetch the worker's VAPID public key at runtime for Web Push subscriptions. Comprehensive tests and documentation updates are also included. The review feedback highlights a potential bug in the VAPID public key handler where effectiveHeaders could incorrectly evaluate to a string instead of an object when headers is undefined, and provides a robust suggestion to resolve it.
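What changed
The single-user Cloudflare Worker (single-user-worker.js) previously had only 6 routes; it now has one more, GET /vapid-public-key.

VAPID_PUBLIC_KEY:
- 200 { success: true, publicKey: "<env.VAPID_PUBLIC_KEY as-is, base64url>" }
- 503 { success: false, error: { code: "VAPID_NOT_CONFIGURED" } }

The front end (each separately deployed worker has its own VAPID keys) fetches this public key at runtime and uses it as the applicationServerKey when creating a Web Push subscription, instead of compiling the public key into the front end.

- resolveTenant: when serverToken is configured, X-Client-Token is required (missing/wrong → 401); the OPTIONS preflight and the X-Client-Token allow-header go through the existing generic CORS logic, which automatically covers the new path.
- ReiClient.getVapidPublicKey(), which GETs the endpoint, reuses _withServerToken to attach the token, and returns the public key string.

Regression tests (red first, then green)
- k=: the endpoint reads cfg.vapid and push signing reads cfg.webpush; these are two independent fields, and a misconfiguration would make subscriptions use the wrong public key and pushes fail with 403. This test pins the two to be identical.
- serverToken: correct token → 200, missing/wrong → 401; the new route is added to the existing "all-endpoint auth guard" list.
- VAPID_NOT_CONFIGURED.
- X-Client-Token, GET echoes the origin.

server 123 / client 69 tests all green; both packages build.

Release
changeset amsg-vapid-public-key.md (@rei-standard/amsg-server + @rei-standard/amsg-client, both minor). After merging, the next prerelease line moves up one step:
- @rei-standard/amsg-server → 2.6.0-next.1
- @rei-standard/amsg-client → 2.9.0-next.1

🤖 Generated with Claude Code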
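
The endpoint contract described in this PR (token check, 503 when VAPID is unset, a preflight that allows X-Client-Token) together with front-end validation of the returned key, as an added example that is not the project's code. The function names, the request/config object shapes, the 204 preflight status, the allowed-headers list and the auth-before-config ordering are assumptions.

```javascript
// Added example; names and object shapes are hypothetical, not the project's code.
// Compare every character so timing does not show how much of a wrong token matched.
function sameToken(given, expected) {
  if (typeof given !== "string" || given.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < given.length; i++) diff |= given.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// req: { method, origin, clientToken }, cfg: { vapidPublicKey, serverToken } (assumed).
function vapidPublicKeyRoute(req, cfg) {
  const headers = req.origin ? { "Access-Control-Allow-Origin": req.origin, Vary: "Origin" } : {};
  if (req.method === "OPTIONS") {
    // Preflight carries no token; it only advertises that X-Client-Token may be sent.
    headers["Access-Control-Allow-Methods"] = "GET, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, X-Client-Token";
    return { status: 204, headers, body: null };
  }
  // Assumed ordering: authenticate first, so config state is not shown to anonymous callers.
  if (cfg.serverToken && !sameToken(req.clientToken, cfg.serverToken)) {
    return { status: 401, headers, body: { success: false } };
  }
  if (!cfg.vapidPublicKey) {
    const error = { code: "VAPID_NOT_CONFIGURED" };
    return { status: 503, headers, body: { success: false, error } };
  }
  return { status: 200, headers, body: { success: true, publicKey: cfg.vapidPublicKey } };
}

// Front-end side: decode the fetched base64url string and accept it only if it is an
// uncompressed P-256 point (65 bytes, leading 0x04), the form applicationServerKey takes.
function toApplicationServerKey(publicKey) {
  if (typeof publicKey !== "string" || !/^[A-Za-z0-9_-]+$/.test(publicKey)) {
    throw new TypeError("publicKey is not base64url");
  }
  const b64 = publicKey.replace(/-/g, "+").replace(/_/g, "/");
  const raw = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  const bytes = Uint8Array.from(raw, (c) => c.charCodeAt(0));
  if (bytes.length !== 65 || bytes[0] !== 0x04) {
    throw new RangeError("not an uncompressed P-256 public key");
  }
  return bytes;
}
```

Validating the decoded key in the front end turns a misconfigured or truncated VAPID_PUBLIC_KEY into an immediate error at subscription time rather than a later push 403.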