
Web push: dev-only VAPID fallback + restore Intel macOS in lockfile #108

Merged
HamptonMakes merged 1 commit into main from hampton/web-push-codex-fixes
May 11, 2026

@HamptonMakes
Collaborator

Follow-up to #107 — addresses two Codex findings that didn't make it into the merge.

P1 (security): VAPID fallback key is dev-only

#107 landed with ENV["COPLAN_VAPID_PRIVATE_KEY"] || "<hardcoded key>". That means any deployment that forgets to set the env var silently signs push messages with a key that's now in the public commit history — anyone who learns a subscription endpoint could forge push notifications that appear to come from the app.

Fix: fallback only applies in Rails.env.development?. In any other env, missing COPLAN_VAPID_* leaves the config nil and web_push_configured? returns false — so the meta tags, subscription endpoints, and Settings card all stay quiet rather than running with a public key.

Also rotated the dev fallback to a fresh keypair since the prior values are in commit history.

⚠️ Operators: if you've deployed main from #107 without setting COPLAN_VAPID_*, your production app is currently signing with the publicly-known key. Set your own VAPID keypair (generate with bundle exec rake coplan:web_push:generate_keys) and merge this PR to make the fallback dev-only.

P2: Restore Intel macOS in Gemfile.lock

#107 dropped arm64-darwin and x86_64-darwin (an artifact of bundle install running on this arm64-darwin-25 machine), which breaks frozen bundle install for Intel macOS contributors and CI.

Fix: bundle lock --add-platform x86_64-darwin arm64-darwin — both back in the lockfile.

Verification

  • bundle exec rspec → 814 examples, 0 failures.

Generated with Amp

- Fail closed on missing VAPID keys outside development. The checked-in
  fallback keypair only applies in Rails.env.development?; production
  with unset COPLAN_VAPID_* simply disables web push (per
  web_push_configured?) instead of silently signing with a public key.
  Rotated the dev fallback keys since the previous values are now in
  commit history.
- Restore arm64-darwin and x86_64-darwin in Gemfile.lock so Intel macOS
  contributors and CI can install with a frozen lockfile.

Generated with Amp

Amp-Thread-ID: https://ampcode.com/threads/T-019df459-b110-726a-97e2-ff15e2903435
Co-authored-by: Amp <amp@ampcode.com>
@HamptonMakes HamptonMakes marked this pull request as ready for review May 11, 2026 20:56
@HamptonMakes HamptonMakes merged commit b01617c into main May 11, 2026
5 checks passed
@HamptonMakes HamptonMakes deleted the hampton/web-push-codex-fixes branch May 11, 2026 21:04
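
The fail-closed key resolution described in this PR, as an added example that is not the project's own code. It runs without Rails: `rails_env` is a plain string, the fallback keys are constructed placeholders, and `COPLAN_VAPID_PUBLIC_KEY`, `resolve_vapid`, `present` and `vapid_private_key_unsafe` are assumed names (only `COPLAN_VAPID_PRIVATE_KEY` and `web_push_configured?` appear on the page). It goes beyond the description by also treating empty values, half a keypair, and a copied dev key outside development as "not configured".

```ruby
# Added example: fail-closed VAPID key resolution, runnable without Rails.
# DEV_FALLBACK holds constructed placeholder strings, not real keys.
DEV_FALLBACK = {
  public_key:  "DEV-ONLY-PUBLIC-PLACEHOLDER",
  private_key: "DEV-ONLY-PRIVATE-PLACEHOLDER"
}.freeze

# The pattern described for #107: any environment missing the variable
# silently signs with the checked-in key.
def vapid_private_key_unsafe(env)
  env["COPLAN_VAPID_PRIVATE_KEY"] || DEV_FALLBACK[:private_key]
end

# Treat unset and empty/whitespace-only values the same way: as missing.
def present(value)
  value = value.to_s.strip
  value.empty? ? nil : value
end

# Returns a {public_key:, private_key:} hash, or nil when web push must stay off.
# rails_env is a plain string (assumption; the app asks Rails.env.development?).
def resolve_vapid(env, rails_env)
  pub  = present(env["COPLAN_VAPID_PUBLIC_KEY"]) # name assumed from COPLAN_VAPID_*
  priv = present(env["COPLAN_VAPID_PRIVATE_KEY"])
  development = rails_env == "development"

  if pub && priv
    keys = { public_key: pub, private_key: priv }
    # A published key copied into a real deployment is as bad as the fallback.
    return nil if !development && keys.values.any? { |v| DEV_FALLBACK.value?(v) }
    return keys
  end

  # Half a keypair is a misconfiguration, never a reason to mix in fallback values.
  return nil if pub || priv

  development ? DEV_FALLBACK : nil
end

# Hypothetical stand-in for the app's web_push_configured? predicate.
def web_push_configured?(env, rails_env)
  !resolve_vapid(env, rails_env).nil?
end
```
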