From b9039dbf194f66738766cb4296ba6d141d6d433e Mon Sep 17 00:00:00 2001
From: Claudomator Agent <agent@claudomator>
Date: Tue, 17 Mar 2026 08:04:04 +0000
Subject: fix: validate VAPID public key on load, regenerate if swapped

The DB may contain keys generated before the swap fix, with the private
key stored as the public key. Add ValidateVAPIDPublicKey() and use it in
serve.go to detect and regenerate invalid stored keys on startup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 internal/notify/vapid.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'internal/notify/vapid.go')

diff --git a/internal/notify/vapid.go b/internal/notify/vapid.go
index d93a090..684bf4d 100644
--- a/internal/notify/vapid.go
+++ b/internal/notify/vapid.go
@@ -1,6 +1,10 @@
 package notify
 
-import webpush "github.com/SherClockHolmes/webpush-go"
+import (
+	"encoding/base64"
+
+	webpush "github.com/SherClockHolmes/webpush-go"
+)
 
 // GenerateVAPIDKeys generates a VAPID key pair for web push notifications.
 // Returns the base64url-encoded public and private keys.
@@ -9,3 +13,13 @@ func GenerateVAPIDKeys() (publicKey, privateKey string, err error) {
 	privateKey, publicKey, err = webpush.GenerateVAPIDKeys()
 	return
 }
+
+// ValidateVAPIDPublicKey reports whether key is a valid VAPID public key:
+// a base64url-encoded 65-byte uncompressed P-256 point (starts with 0x04).
+func ValidateVAPIDPublicKey(key string) bool {
+	b, err := base64.RawURLEncoding.DecodeString(key)
+	if err != nil {
+		return false
+	}
+	return len(b) == 65 && b[0] == 0x04
+}
-- 
cgit v1.2.3