Pushpad blog with information related to this: https://blog.pushpad.xyz/2021/01/web-push-error-410-the-push-subscription-has-expired-or-the-user-has-unsubscribed/.

Other useful links:

https://www.w3.org/TR/push-api/#subscription-refreshes

https://blog.pushpad.xyz/2016/05/the-push-api-and-its-wild-unsubscription-mechanism/

w3c/push-api#116

https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerGlobalScope/pushsubscriptionchange_event

Tasks

• Add event listener for pushsubscriptionchange in sw.js - Commit: 1169420
• Add new endpoint /edit-subscription to backend/index.js - Commit: a81472c
• Investigate how/if CSRF protection can be implemented with service worker when pushsubscriptionchange event occurs.
• Test pushsubscriptionchange works correctly.

Work for this is being done in v2.1 branch.

A good example of a push notification service worker from PushPad doesn't seem to implement any CSRF protections when a pushsubscriptionchange event occurs.

Testing pushsubscriptionchange is going to be a challenge.

See https://stackoverflow.com/questions/36602136/how-can-i-test-pushsubscriptionchange-event-handling-code and https://bugs.chromium.org/p/chromium/issues/detail?id=753163

Tested the /edit-subscription API route using curl.

Replicated payload that would be sent by the service worker. HTTP 200 OK response 👍🏻

Unfortunately, I couldn't get Firefox or Chrome to trigger the pushsubscriptionchange event when altering the browser permissions 😞

Deployed to production. Will monitor in the coming days.

I've been looking a little deeper into the pushsubscriptionchange event. Much of the push APIs (PushEvent, PushManager etc are experimental and due to their experimental nature, the findings below are not that suprising.

Here is the current (working draft) W3 specification for the pushsubscriptionchange event.

The specification indicates that the PushSubscriptionChangeEvent interface should have two attributes: newSubscription and oldSubscription. However, conversations in push-api/issues/325 show that when pushsubscriptionchange fires in Firefox, these two attributes are undefined as it has not been implemented yet:

Taken from: w3c/push-api#325 (comment)

Here's the code inside of Firefox that creates and triggers pushsubscriptionchange - you can see it's creating a regular ExtendableEvent instead of a PushSubcriptionChangeEvent that the spec says we should create.

I'm not expert in cpp but it appears to still be that way today:

Commit hash: 9b0bdcc3
File: ServiceWorkerOp.cpp

This presents an issue for users of Firefox who use PS2Alert.me. When the subscription eventually expires, there is no quick/easy way of sending the new subscription data to the server. Luckily, there is a workaround documented here that I could try implementing.

Looking to Chrome, the PushSubscriptionChangeEvent is not implemented at the time of writing this comment. Further evidence for this can be found in this chromium issue. However, for now Chrome seems to be OK for expiring subscriptions as the push provider it uses (Firebase Cloud Messaging) does not expire subscriptions:

It's on our roadmap, but not a major priority for us right now. FCM (our push provider) does not expire subscriptions.

Peter's final comment hints that pushsubscriptionchange may be coming to Chrome sometime this year:

We still plan to ship this, but it most likely will be delayed until 2022.

Looking to Microsoft Edge, the status page points to the Push API being supported. However, to what extent I'm not sure (e.g. Is PushSubscriptionChangeEvent supported).

The recommended library: https://github.com/RyotaSugawara/serviceworker-storage from the medium post is now readonly.

Looking into using: https://github.com/jakearchibald/idb

EDIT: I only need to set and get to IndexedDB. Now looking at: https://www.npmjs.com/package/idb-keyval

Further work is being done in branch v2.2 - Changes to be implemented to production soon.

Changes implemented into production. To monitor over the coming days again.

Testing with Firefox, the pushsubscriptionchange event fired however, the following error was thrown by the service worker:

At line 26 indicating that newSubscription was null. Furthermore, this indicates that Firefox does not re-create the subscription when it expires and a new subscription needs to be created manually.

The service worker will need the Public VAPID key and urlBase64ToUint8Array function to do this.

Changes deployed to production.