feat(amsg): single-user Worker exposes a VAPID public key endpoint for cross-origin frontend subscription #16

Merged: Tosd0 merged 1 commit into main from feat/amsg-single-user-cloudflare on Jul 2, 2026

@Tosd0 (Owner) commented Jul 2, 2026

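What changed

The single-user Cloudflare Worker (single-user-worker.js) previously had only 6 routes; it now has one more, GET /vapid-public-key:

| Scenario | Response |
| --- | --- |
| VAPID_PUBLIC_KEY configured | 200 { success: true, publicKey: "<env.VAPID_PUBLIC_KEY as-is, base64url>" } |
| Not configured | 503 { success: false, error: { code: "VAPID_NOT_CONFIGURED" } } |

The frontend (each self-deployed worker has its own VAPID) fetches this public key at runtime and uses it as the applicationServerKey when creating a Web Push subscription; the public key is no longer compiled into the frontend.

  • Auth / CORS follow the same path as the other endpoints: the new handler goes through resolveTenant first, so if serverToken is configured, X-Client-Token is required (missing/wrong → 401); the OPTIONS preflight and the X-Client-Token allowed header go through the existing generic CORS logic, which automatically covers the new path.
  • client: adds ReiClient.getVapidPublicKey(), which GETs the endpoint, reuses _withServerToken to attach the token, and returns the public key string.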

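Regression tests (red first, then green)

  • The endpoint returns the configured public key, and the test asserts it == the k= actually used to sign scheduled pushes: the endpoint reads cfg.vapid and push signing reads cfg.webpush, two independent fields; if they drift apart, subscriptions use the wrong public key and pushes get 403. This test pins the two to be identical.
  • serverToken: correct token → 200, missing/wrong → 401; the new route is added to the existing "all-endpoint auth guard" list.
  • No public key configured → 503 VAPID_NOT_CONFIGURED
  • CORS: the OPTIONS preflight's allowed headers include X-Client-Token; GET echoes the origin.
  • client: with/without token; non-success responses throw.

server 123 / client 69 tests all green; both packages build.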

Release

changeset amsg-vapid-public-key.md (@rei-standard/amsg-server + @rei-standard/amsg-client, both minor). After merging, the next prerelease line moves up one step:

  • @rei-standard/amsg-server 2.6.0-next.1
  • @rei-standard/amsg-client 2.9.0-next.1

🤖 Generated with Claude Code

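The single-user Worker adds GET /vapid-public-key, which returns this
worker's own VAPID_PUBLIC_KEY for the frontend to use as applicationServerKey
when creating a Web Push subscription. Each self-deployed worker has its own
VAPID; the public key is fetched from the worker at runtime and is not
compiled into the frontend. Returns 503 VAPID_NOT_CONFIGURED when VAPID is not
configured. Auth and CORS follow the same path as the other endpoints: if
serverToken is configured, X-Client-Token is required, and the OPTIONS
preflight's allowed headers include X-Client-Token.

client adds ReiClient.getVapidPublicKey(), which GETs the endpoint, reuses
_withServerToken to attach the token, and returns the public key string.

The regression test asserts that the endpoint's return value == the public key
actually used to sign scheduled pushes (the two come from the independent
fields cfg.vapid and cfg.webpush; pinning them identical guards against a
future misconfiguration causing push 403s).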

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011i899noy7xuyaVcJwPq7R1
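
One way a frontend could consume the endpoint described above, added here as an example and not taken from the PR or the @rei-standard packages. The function names and the injectable `fetchImpl` are hypothetical, and the worker is assumed to be served at the origin root; the 65-byte check reflects the uncompressed P-256 form VAPID public keys take.

```javascript
// Added example, not code from the PR. decodeVapidKey, fetchApplicationServerKey
// and fetchImpl are hypothetical names; the route, the X-Client-Token header and
// the response shapes are the ones the PR description lists.

// Decode the base64url string and require a 65-byte uncompressed P-256 point
// (0x04 || X || Y), so a truncated or mis-pasted key fails before subscribe().
function decodeVapidKey(b64url) {
  if (typeof b64url !== 'string' || !/^[A-Za-z0-9_-]+$/.test(b64url)) {
    throw new Error('publicKey is not base64url');
  }
  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  const raw = atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '='));
  const bytes = Uint8Array.from(raw, (c) => c.charCodeAt(0));
  if (bytes.length !== 65 || bytes[0] !== 0x04) {
    throw new Error('publicKey is not an uncompressed P-256 point');
  }
  return bytes;
}

// Fetch the key from one worker. Assumes the worker is served at the origin
// root; clientToken is only needed when the worker has serverToken configured.
async function fetchApplicationServerKey(workerUrl, clientToken, fetchImpl = fetch) {
  const headers = clientToken ? { 'X-Client-Token': clientToken } : {};
  const res = await fetchImpl(new URL('/vapid-public-key', workerUrl), { headers });
  const body = (await res.json().catch(() => null)) ?? {};
  if (res.status === 401) throw new Error('worker rejected X-Client-Token');
  if (res.status === 503 && body.error?.code === 'VAPID_NOT_CONFIGURED') {
    throw new Error('worker has no VAPID key configured');
  }
  if (!res.ok || body.success !== true) {
    throw new Error(`unexpected response ${res.status}`);
  }
  return decodeVapidKey(body.publicKey);
}

// Browser usage:
//   const applicationServerKey = await fetchApplicationServerKey(url, token);
//   await registration.pushManager.subscribe({ userVisibleOnly: true, applicationServerKey });
```

The format check only confirms the key is well-formed; it does not detect a worker whose served key differs from the one it signs pushes with, which is what the PR's regression test covers on the server side.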

@gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request introduces a new GET /vapid-public-key endpoint to the single-user worker (amsg-server) and a corresponding getVapidPublicKey() method to the client (amsg-client). This allows the frontend to dynamically fetch the worker's VAPID public key at runtime for Web Push subscriptions. Comprehensive tests and documentation updates are also included. The review feedback highlights a potential bug in the VAPID public key handler where effectiveHeaders could incorrectly evaluate to a string instead of an object when headers is undefined, and provides a robust suggestion to resolve it.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@Tosd0 Tosd0 merged commit 255682b into main Jul 2, 2026
1 check passed