From 5ab44bd78dc54291fccd8aa9d7ea116fbca47f5d Mon Sep 17 00:00:00 2001
From: Karl
Date: Fri, 18 Jul 2025 17:07:46 +0100
Subject: [PATCH] fix key logic
---
 routes/api.py | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/routes/api.py b/routes/api.py
index d503b96..b676924 100644
--- a/routes/api.py
+++ b/routes/api.py
@@ -15,6 +15,8 @@ from ktvmanager.lib.checker import validate_account
 from typing import Tuple
 import json
 import re
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ec
 from pywebpush import webpush, WebPushException
 api_blueprint = Blueprint("api", __name__)
@@ -149,18 +151,24 @@ def login_route(username: str, password: str) -> Response:
 def vapid_public_key():
 """Provides the VAPID public key in the correct format."""
 pem_key = current_app.config["VAPID_PUBLIC_KEY"]
- # Use regex to robustly extract the base64 content from the PEM key
- match = re.search(r"-----BEGIN PUBLIC KEY-----(.*)-----END PUBLIC KEY-----", pem_key, re.DOTALL)
- if not match:
- return jsonify({"error": "Could not parse VAPID public key from config"}), 500
-
- # Join the split lines to remove all whitespace and newlines
- base64_key = "".join(match.group(1).split())
-
- # Convert to URL-safe base64 and remove padding for the PushManager API
- url_safe_key = base64_key.replace('+', '-').replace('/', '_').rstrip('=')
-
- return jsonify({"public_key": url_safe_key})
+ try:
+ public_key = serialization.load_pem_public_key(pem_key.encode("utf-8"))
+ if not isinstance(public_key, ec.EllipticCurvePublicKey):
+ raise TypeError("VAPID public key is not an Elliptic Curve key")
+
+ # Get the raw, uncompressed public key bytes (65 bytes for P-256)
+ raw_key = public_key.public_bytes(
+ encoding=serialization.Encoding.X962,
+ format=serialization.PublicFormat.UncompressedPoint
+ )
+
+ # URL-safe base64 encode the raw key
+ url_safe_key = base64.urlsafe_b64encode(raw_key).rstrip(b'=').decode('utf-8')
+
+ return jsonify({"public_key": url_safe_key})
+ except (ValueError, TypeError, AttributeError) as e:
+ current_app.logger.error(f"Error processing VAPID public key: {e}")
+ return jsonify({"error": "Could not process VAPID public key"}), 500
 @api_blueprint.route("/save-subscription", methods=["POST"])
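Review bot: The `isinstance(public_key, ec.EllipticCurvePublicKey)` check in `vapid_public_key` accepts a key on any elliptic curve, while the comment below it assumes a 65-byte P-256 point; a key on another curve in `VAPID_PUBLIC_KEY` would be encoded and served, and would most likely only be rejected later in the browser, far from the cause. Checking the curve as well, e.g. `if not isinstance(public_key.curve, ec.SECP256R1): raise TypeError("VAPID public key is not on P-256")`, would make a misconfigured key surface as the logged 500 here. Separately, `base64.urlsafe_b64encode` is called but the import hunk adds only the `cryptography` names; if `base64` is not already imported above line 15, this raises `NameError`, which the `except (ValueError, TypeError, AttributeError)` tuple does not catch. The `current_app.config["VAPID_PUBLIC_KEY"]` lookup also sits outside the `try`, so a missing setting bypasses the JSON error path.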