Use config_for for VAPID key storage (#34845)

.rubocop_todo.yml

@@ -40,7 +40,6 @@ Style/FetchEnvVar:
     - 'config/initializers/cache_buster.rb'
     - 'config/initializers/devise.rb'
     - 'config/initializers/paperclip.rb'
-    - 'config/initializers/vapid.rb'
     - 'lib/tasks/repo.rake'
 
 # This cop supports safe autocorrection (--autocorrect).

app/lib/web_push_request.rb

@@ -79,8 +79,8 @@ class WebPushRequest
 
   def vapid_key
     @vapid_key ||= Webpush::VapidKey.from_keys(
-      Rails.configuration.x.vapid_public_key,
-      Rails.configuration.x.vapid_private_key
+      Rails.configuration.x.vapid.public_key,
+      Rails.configuration.x.vapid.private_key
     )
   end
 

app/serializers/rest/application_serializer.rb

@@ -18,6 +18,6 @@ class REST::ApplicationSerializer < ActiveModel::Serializer
   end
 
   def vapid_key
-    Rails.configuration.x.vapid_public_key
+    Rails.configuration.x.vapid.public_key
   end
 end

app/serializers/rest/instance_serializer.rb

@@ -65,7 +65,7 @@ class REST::InstanceSerializer < ActiveModel::Serializer
       },
 
       vapid: {
-        public_key: Rails.configuration.x.vapid_public_key,
+        public_key: Rails.configuration.x.vapid.public_key,
       },
 
       accounts: {

app/serializers/rest/web_push_subscription_serializer.rb

@@ -10,7 +10,7 @@ class REST::WebPushSubscriptionSerializer < ActiveModel::Serializer
   end
 
   def server_key
-    Rails.configuration.x.vapid_public_key
+    Rails.configuration.x.vapid.public_key
   end
 
   def policy

app/views/shared/_web_app.html.haml

@@ -3,7 +3,7 @@
   - if user_signed_in?
     %meta{ name: 'initialPath', content: request.path }
 
-  %meta{ name: 'applicationServerKey', content: Rails.configuration.x.vapid_public_key }
+  %meta{ name: 'applicationServerKey', content: Rails.configuration.x.vapid.public_key }
 
   = render_initial_state
   = vite_typescript_tag 'application.ts', crossorigin: 'anonymous'

config/application.rb

@@ -106,6 +106,7 @@ module Mastodon
     config.x.captcha = config_for(:captcha)
     config.x.mastodon = config_for(:mastodon)
     config.x.translation = config_for(:translation)
+    config.x.vapid = config_for(:vapid)
 
     if ENV.fetch('QUERY_LOG_TAGS_ENABLED', 'false') == 'true'
       config.active_record.query_log_tags_enabled = ENV.fetch('QUERY_LOG_TAGS_ENABLED', 'false') == 'true'

config/environments/development.rb

@@ -40,10 +40,10 @@ Rails.application.configure do
   # Override default file logging in favor of STDOUT logging in dev environment
   config.logger = ActiveSupport::TaggedLogging.logger($stdout, formatter: config.log_formatter)
 
-  # Generate random VAPID keys
+  # Generate random VAPID keys when needed
   Webpush.generate_key.tap do |vapid_key|
-    config.x.vapid_private_key = vapid_key.private_key
-    config.x.vapid_public_key = vapid_key.public_key
+    config.x.vapid.private_key ||= vapid_key.private_key
+    config.x.vapid.public_key ||= vapid_key.public_key
   end
 
   # Don't care if the mailer can't send.

config/environments/test.rb

@@ -48,10 +48,11 @@ Rails.application.configure do
   # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
 
-  # Generate random VAPID keys
-  vapid_key = Webpush.generate_key
-  config.x.vapid_private_key = vapid_key.private_key
-  config.x.vapid_public_key = vapid_key.public_key
+  # Generate random VAPID keys when needed
+  Webpush.generate_key.tap do |vapid_key|
+    config.x.vapid.private_key ||= vapid_key.private_key
+    config.x.vapid.public_key ||= vapid_key.public_key
+  end
 
   # Raise exceptions when a reorder occurs in in_batches
   config.active_record.error_on_ignored_order = true

config/initializers/vapid.rb

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-Rails.application.configure do
-  # You can generate the keys using the following command (first is the private key, second is the public one)
-  # You should only generate this once per instance. If you later decide to change it, all push subscription will
-  # be invalidated, requiring the users to access the website again to resubscribe.
-  #
-  # Generate with `bundle exec rails mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web bundle exec rails mastodon:webpush:generate_vapid_key` if you use docker compose)
-  #
-  # For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
-
-  if Rails.env.production?
-    config.x.vapid_private_key = ENV['VAPID_PRIVATE_KEY']
-    config.x.vapid_public_key = ENV['VAPID_PUBLIC_KEY']
-  end
-end

config/vapid.yml

@@ -0,0 +1,17 @@
+# You can generate the private and public keys using the following task. You
+# should only generate this once per instance. If you later decide to change it,
+# all push subscriptions will be invalidated, requiring users to access the
+# website again to resubscribe.
+#
+# Generate on the CLI:
+# `bundle exec rails mastodon:webpush:generate_vapid_key`
+#
+# Generate via Docker Compose:
+# `docker-compose run --rm web bundle exec rails mastodon:webpush:generate_vapid_key`
+#
+# For more information visit
+# https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+#
+shared:
+  private_key: <%= ENV.fetch('VAPID_PRIVATE_KEY', nil) %>
+  public_key: <%= ENV.fetch('VAPID_PUBLIC_KEY', nil) %>

spec/requests/api/v1/apps/credentials_spec.rb

@@ -29,7 +29,7 @@ RSpec.describe 'Credentials' do
             redirect_uris: token.application.redirect_uris,
             # Deprecated properties as of 4.3:
             redirect_uri: token.application.redirect_uri.split.first,
-            vapid_key: Rails.configuration.x.vapid_public_key
+            vapid_key: Rails.configuration.x.vapid.public_key
           )
         )
       end
@@ -69,7 +69,7 @@ RSpec.describe 'Credentials' do
             redirect_uris: token.application.redirect_uris,
             # Deprecated properties as of 4.3:
             redirect_uri: token.application.redirect_uri.split.first,
-            vapid_key: Rails.configuration.x.vapid_public_key
+            vapid_key: Rails.configuration.x.vapid.public_key
           )
         )
       end

spec/requests/api/v1/apps_spec.rb

@@ -49,7 +49,7 @@ RSpec.describe 'Apps' do
             redirect_uris: redirect_uris,
             # Deprecated properties as of 4.3:
             redirect_uri: redirect_uri,
-            vapid_key: Rails.configuration.x.vapid_public_key
+            vapid_key: Rails.configuration.x.vapid.public_key
           )
         )
       end

spec/serializers/rest/instance_serializer_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe REST::InstanceSerializer do
   describe 'configuration' do
     it 'returns the VAPID public key' do
       expect(serialization['configuration']['vapid']).to eq({
-        'public_key' => Rails.configuration.x.vapid_public_key,
+        'public_key' => Rails.configuration.x.vapid.public_key,
       })
     end
 

spec/workers/web/push_notification_worker_spec.rb

@@ -38,13 +38,13 @@ RSpec.describe Web::PushNotificationWorker do
 
   describe 'perform' do
     around do |example|
-      original_private = Rails.configuration.x.vapid_private_key
-      original_public = Rails.configuration.x.vapid_public_key
-      Rails.configuration.x.vapid_private_key = vapid_private_key
-      Rails.configuration.x.vapid_public_key = vapid_public_key
+      original_private = Rails.configuration.x.vapid.private_key
+      original_public = Rails.configuration.x.vapid.public_key
+      Rails.configuration.x.vapid.private_key = vapid_private_key
+      Rails.configuration.x.vapid.public_key = vapid_public_key
       example.run
-      Rails.configuration.x.vapid_private_key = original_private
-      Rails.configuration.x.vapid_public_key = original_public
+      Rails.configuration.x.vapid.private_key = original_private
+      Rails.configuration.x.vapid.public_key = original_public
     end
 
     before do