| author | Claudomator Agent <agent@claudomator> | 2026-03-17 08:04:04 +0000 |
|---|---|---|
| committer | Claudomator Agent <agent@claudomator> | 2026-03-17 08:04:04 +0000 |
| commit | b9039dbf194f66738766cb4296ba6d141d6d433e (patch) | |
| tree | d76eae28d92ec34b2870e6400fcdf558c5063942 /internal/notify/vapid.go | |
| parent | 94e45575a34e8672f8b405c54cabd8e524281fef (diff) | |
fix: validate VAPID public key on load, regenerate if swapped
The DB may contain keys generated before the swap fix, with the private
key stored as the public key. Add ValidateVAPIDPublicKey() and use it in
serve.go to detect and regenerate invalid stored keys on startup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'internal/notify/vapid.go')
| -rw-r--r-- | internal/notify/vapid.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/internal/notify/vapid.go b/internal/notify/vapid.go
index d93a090..684bf4d 100644
--- a/internal/notify/vapid.go
+++ b/internal/notify/vapid.go
@@ -1,6 +1,10 @@
 package notify
 
-import webpush "github.com/SherClockHolmes/webpush-go"
+import (
+ "encoding/base64"
+
+ webpush "github.com/SherClockHolmes/webpush-go"
+)
 
 // GenerateVAPIDKeys generates a VAPID key pair for web push notifications.
 // Returns the base64url-encoded public and private keys.
@@ -9,3 +13,13 @@ func GenerateVAPIDKeys() (publicKey, privateKey string, err error) {
 privateKey, publicKey, err = webpush.GenerateVAPIDKeys()
 return
 }
+
+// ValidateVAPIDPublicKey reports whether key is a valid VAPID public key:
+// a base64url-encoded 65-byte uncompressed P-256 point (starts with 0x04).
+func ValidateVAPIDPublicKey(key string) bool {
+ b, err := base64.RawURLEncoding.DecodeString(key)
+ if err != nil {
+ return false
+ }
+ return len(b) == 65 && b[0] == 0x04
+}
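Review bot: ValidateVAPIDPublicKey checks only the decoded length and the 0x04 prefix, so any 65-byte value with that first byte passes even when it is not a point on P-256, while its doc comment promises "a valid VAPID public key". That is enough to catch the swapped 32-byte private key this commit targets, but a corrupted stored value of the right shape would still be accepted and served to browsers. Either narrow the comment to say the check is structural only, or let the standard library verify the point by replacing the final return with `_, err = ecdh.P256().NewPublicKey(b)` and `return err == nil` (needs `crypto/ecdh`, Go 1.20+). If the swapped value was ever served to clients as the application server key, the regeneration path in serve.go (not shown here) should treat the old private key as disclosed and expect existing subscriptions to need re-subscribing under the new key.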
