Fix JWT encoding, null safety, and other code quality issues

andrei-m-code · claude · andrei-m-code · commit 8bfd61487e7d · 2026-02-25T14:57:11.000-05:00
- Fix Base64URL encoding in ApnSender and FirebaseSender (RFC 7617)
- Fix potential NullReferenceException in ApnSender error handling
- Fix static token cache key collision by including key ID
- Add device token validation in ApnSender.SendAsync
- Propagate CancellationToken in FirebaseSender.GetJwtTokenAsync
- Remove infinite loop in CorePush.Tester
- Remove unused System.IdentityModel.Tokens.Jwt dependency

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CorePush.Tester/CorePush.Tester.csproj b/CorePush.Tester/CorePush.Tester.csproj
@@ -11,7 +11,6 @@
 
   <ItemGroup>
     <PackageReference Include="FirebaseAdmin" Version="3.4.0" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.15.0" />
   </ItemGroup>
 
 </Project>
diff --git a/CorePush.Tester/Program.cs b/CorePush.Tester/Program.cs
@@ -50,15 +50,13 @@ private static async Task SendApnNotificationAsync()
             ServerType = apnServerType,
         };
 
-        while (true)
-        {
-            var apn = new ApnSender(settings, http);
-            var payload = new AppleNotification(
-                Guid.NewGuid(), 
-                "Hello World (Message)",
-                "Hello World (Title)");
-            var response = await apn.SendAsync(payload, apnDeviceToken);
-        }
+        var apn = new ApnSender(settings, http);
+        var payload = new AppleNotification(
+            Guid.NewGuid(),
+            "Hello World (Message)",
+            "Hello World (Title)");
+        var response = await apn.SendAsync(payload, apnDeviceToken);
+        Console.WriteLine($"APN Response: {response.StatusCode} - {response.Message}");
     }
 
     private static async Task SendFirebaseNotificationAsync()
diff --git a/CorePush/Apple/ApnSender.cs b/CorePush/Apple/ApnSender.cs
@@ -78,6 +78,8 @@ public async Task<PushResult> SendAsync(
         ApnPushType apnPushType = ApnPushType.Alert,
         CancellationToken cancellationToken = default)
     {
+        ArgumentException.ThrowIfNullOrWhiteSpace(deviceToken);
+
         var path = $"/3/device/{deviceToken}";
         var json = serializer.Serialize(notification);
 
@@ -102,19 +104,20 @@ public async Task<PushResult> SendAsync(
         using var response = await http.SendAsync(message, cancellationToken);
         
         var content = await response.Content.ReadAsStringAsync(cancellationToken);
-        var error = response.IsSuccessStatusCode 
-            ? null 
-            : serializer.Deserialize<ApnsError>(content).Reason;
+        var error = response.IsSuccessStatusCode
+            ? null
+            : serializer.Deserialize<ApnsError>(content)?.Reason;
 
         return new PushResult((int)response.StatusCode, response.IsSuccessStatusCode, content, error);
     }
 
     private string GetJwtToken()
     {
-        var (token, date) = tokens.GetOrAdd(settings.AppBundleIdentifier, _ => new Tuple<string, DateTime>(CreateJwtToken(), DateTime.UtcNow));
+        var cacheKey = $"{settings.AppBundleIdentifier}:{settings.P8PrivateKeyId}";
+        var (token, date) = tokens.GetOrAdd(cacheKey, _ => new Tuple<string, DateTime>(CreateJwtToken(), DateTime.UtcNow));
         if (date < DateTime.UtcNow.AddMinutes(-tokenExpiresMinutes))
         {
-            tokens.TryRemove(settings.AppBundleIdentifier, out _);
+            tokens.TryRemove(cacheKey, out _);
             return GetJwtToken();
         }
 
@@ -156,5 +159,9 @@ private static string Base64UrlEncode(string str)
         return Base64UrlEncode(bytes);
     }
 
-    private static string Base64UrlEncode(byte[] bytes) => Convert.ToBase64String(bytes);
+    private static string Base64UrlEncode(byte[] bytes) =>
+        Convert.ToBase64String(bytes)
+            .Replace('+', '-')
+            .Replace('/', '_')
+            .TrimEnd('=');
 }
diff --git a/CorePush/Firebase/FirebaseSender.cs b/CorePush/Firebase/FirebaseSender.cs
@@ -102,7 +102,7 @@ public async Task<PushResult> SendAsync(object payload, CancellationToken cancel
             HttpMethod.Post, 
             $"https://fcm.googleapis.com/v1/projects/{settings.ProjectId}/messages:send");
 
-        var token = await GetJwtTokenAsync();
+        var token = await GetJwtTokenAsync(cancellationToken);
             
         message.Headers.Add("Authorization", $"Bearer {token}");
         message.Content = new StringContent(json, Encoding.UTF8, "application/json");
@@ -118,22 +118,22 @@ public async Task<PushResult> SendAsync(object payload, CancellationToken cancel
             firebaseResponse.Error?.Status);
     }
 
-    private async Task<string> GetJwtTokenAsync()
+    private async Task<string> GetJwtTokenAsync(CancellationToken cancellationToken)
     {
         if (firebaseToken != null && firebaseTokenExpiration > DateTime.UtcNow)
         {
             return firebaseToken.AccessToken;
         }
-            
+
         using var message = new HttpRequestMessage(HttpMethod.Post, "https://oauth2.googleapis.com/token");
         using var form = new MultipartFormDataContent();
         var authToken = GetMasterToken();
         form.Add(new StringContent(authToken), "assertion");
         form.Add(new StringContent("urn:ietf:params:oauth:grant-type:jwt-bearer"), "grant_type");
         message.Content = form;
 
-        using var response = await http.SendAsync(message);
-        var content = await response.Content.ReadAsStringAsync();
+        using var response = await http.SendAsync(message, cancellationToken);
+        var content = await response.Content.ReadAsStringAsync(cancellationToken);
             
         if (!response.IsSuccessStatusCode)
         {
@@ -163,8 +163,8 @@ private string GetMasterToken()
             exp = CryptoHelper.GetEpochTimestamp() + 3600 /* has to be short lived */
         });
         
-        var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
-        var payloadBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
+        var headerBase64 = Base64UrlEncode(Encoding.UTF8.GetBytes(header));
+        var payloadBase64 = Base64UrlEncode(Encoding.UTF8.GetBytes(payload));
         var unsignedJwtData = $"{headerBase64}.{payloadBase64}";
         var unsignedJwtBytes = Encoding.UTF8.GetBytes(unsignedJwtData);
 
@@ -174,11 +174,17 @@ private string GetMasterToken()
         signer.BlockUpdate(unsignedJwtBytes, 0, unsignedJwtBytes.Length);
 
         var signature = signer.GenerateSignature();
-        var signatureBase64 = Convert.ToBase64String(signature);
+        var signatureBase64 = Base64UrlEncode(signature);
 
         return $"{unsignedJwtData}.{signatureBase64}";
     }
 
+    private static string Base64UrlEncode(byte[] bytes) =>
+        Convert.ToBase64String(bytes)
+            .Replace('+', '-')
+            .Replace('/', '_')
+            .TrimEnd('=');
+
     private static AsymmetricKeyParameter ParsePkcs8PrivateKeyPem(string key)
     {
         using var keyReader = new StringReader(key);

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,8 @@ public async Task<PushResult> SendAsync(`
`78`	`78`	`ApnPushType apnPushType = ApnPushType.Alert,`
`79`	`79`	`CancellationToken cancellationToken = default)`
`80`	`80`	`{`
	`81`	`+ ArgumentException.ThrowIfNullOrWhiteSpace(deviceToken);`
	`82`	`+`
`81`	`83`	`var path = $"/3/device/{deviceToken}";`
`82`	`84`	`var json = serializer.Serialize(notification);`
`83`	`85`
`@@ -102,19 +104,20 @@ public async Task<PushResult> SendAsync(`
`102`	`104`	`using var response = await http.SendAsync(message, cancellationToken);`
`103`	`105`
`104`	`106`	`var content = await response.Content.ReadAsStringAsync(cancellationToken);`
`105`		`- var error = response.IsSuccessStatusCode`
`106`		`- ? null`
`107`		`- : serializer.Deserialize<ApnsError>(content).Reason;`
	`107`	`+ var error = response.IsSuccessStatusCode`
	`108`	`+ ? null`
	`109`	`+ : serializer.Deserialize<ApnsError>(content)?.Reason;`
`108`	`110`
`109`	`111`	`return new PushResult((int)response.StatusCode, response.IsSuccessStatusCode, content, error);`
`110`	`112`	`}`
`111`	`113`
`112`	`114`	`private string GetJwtToken()`
`113`	`115`	`{`
`114`		`- var (token, date) = tokens.GetOrAdd(settings.AppBundleIdentifier, _ => new Tuple<string, DateTime>(CreateJwtToken(), DateTime.UtcNow));`
	`116`	`+ var cacheKey = $"{settings.AppBundleIdentifier}:{settings.P8PrivateKeyId}";`
	`117`	`+ var (token, date) = tokens.GetOrAdd(cacheKey, _ => new Tuple<string, DateTime>(CreateJwtToken(), DateTime.UtcNow));`
`115`	`118`	`if (date < DateTime.UtcNow.AddMinutes(-tokenExpiresMinutes))`
`116`	`119`	`{`
`117`		`- tokens.TryRemove(settings.AppBundleIdentifier, out _);`
	`120`	`+ tokens.TryRemove(cacheKey, out _);`
`118`	`121`	`return GetJwtToken();`
`119`	`122`	`}`
`120`	`123`
`@@ -156,5 +159,9 @@ private static string Base64UrlEncode(string str)`
`156`	`159`	`return Base64UrlEncode(bytes);`
`157`	`160`	`}`
`158`	`161`
`159`		`- private static string Base64UrlEncode(byte[] bytes) => Convert.ToBase64String(bytes);`
	`162`	`+ private static string Base64UrlEncode(byte[] bytes) =>`
	`163`	`+ Convert.ToBase64String(bytes)`
	`164`	`+ .Replace('+', '-')`
	`165`	`+ .Replace('/', '_')`
	`166`	`+ .TrimEnd('=');`
`160`	`167`	`}`