[PM-16787] Web push enablement for server (#5395)

* Allow for binning of comb IDs by date and value * Introduce notification hub pool * Replace device type sharding with comb + range sharding * Fix proxy interface * Use enumerable services for multiServiceNotificationHub * Fix push interface usage * Fix push notification service dependencies * Fix push notification keys * Fixup documentation * Remove deprecated settings * Fix tests * PascalCase method names * Remove unused request model properties * Remove unused setting * Improve DateFromComb precision * Prefer readonly service enumerable * Pascal case template holes * Name TryParse methods TryParse * Apply suggestions from code review Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * Include preferred push technology in config response SignalR will be the fallback, but clients should attempt web push first if offered and available to the client. * Register web push devices * Working signing and content encrypting * update to RFC-8291 and RFC-8188 * Notification hub is now working, no need to create our own * Fix body * Flip Success Check * use nifty json attribute * Remove vapid private key This is only needed to encrypt data for transmission along webpush -- it's handled by NotificationHub for us * Add web push feature flag to control config response * Update src/Core/NotificationHub/NotificationHubConnection.cs Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * Update src/Core/NotificationHub/NotificationHubConnection.cs Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * fixup! Update src/Core/NotificationHub/NotificationHubConnection.cs * Move to platform ownership * Remove debugging extension * Remove unused dependencies * Set json content directly * Name web push registration data * Fix FCM type typo * Determine specific feature flag from set of flags * Fixup merged tests * Fixup tests * Code quality suggestions * Fix merged tests * Fix test --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
2025-04-04 12:40:22 -05:00 · 2025-02-26 13:48:51 -08:00 · 2025-02-26 13:48:51 -08:00 · 4a4d256fd9
commit 4a4d256fd9
parent dd78361aa4
25 changed files with 383 additions and 83 deletions
--- a/src/Api/Controllers/ConfigController.cs
+++ b/src/Api/Controllers/ConfigController.cs
@ -23,6 +23,6 @@ public class ConfigController : Controller
    [HttpGet("")]
    public ConfigResponseModel GetConfigs()
    {
-        return new ConfigResponseModel(_globalSettings, _featureService.GetAll());
+        return new ConfigResponseModel(_featureService, _globalSettings);
    }
 }
--- a/src/Api/Controllers/DevicesController.cs
+++ b/src/Api/Controllers/DevicesController.cs
@ -186,6 +186,19 @@ public class DevicesController : Controller
        await _deviceService.SaveAsync(model.ToDevice(device));
    }

+    [HttpPut("identifier/{identifier}/web-push-auth")]
+    [HttpPost("identifier/{identifier}/web-push-auth")]
+    public async Task PutWebPushAuth(string identifier, [FromBody] WebPushAuthRequestModel model)
+    {
+        var device = await _deviceRepository.GetByIdentifierAsync(identifier, _userService.GetProperUserId(User).Value);
+        if (device == null)
+        {
+            throw new NotFoundException();
+        }
+
+        await _deviceService.SaveAsync(model.ToData(), device);
+    }
+
    [AllowAnonymous]
    [HttpPut("identifier/{identifier}/clear-token")]
    [HttpPost("identifier/{identifier}/clear-token")]
--- a/src/Api/Models/Request/DeviceRequestModels.cs
+++ b/src/Api/Models/Request/DeviceRequestModels.cs
@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
 using Bit.Core.Utilities;

 namespace Bit.Api.Models.Request;
@ -37,6 +38,26 @@ public class DeviceRequestModel
    }
 }

+public class WebPushAuthRequestModel
+{
+    [Required]
+    public string Endpoint { get; set; }
+    [Required]
+    public string P256dh { get; set; }
+    [Required]
+    public string Auth { get; set; }
+
+    public WebPushRegistrationData ToData()
+    {
+        return new WebPushRegistrationData
+        {
+            Endpoint = Endpoint,
+            P256dh = P256dh,
+            Auth = Auth
+        };
+    }
+}
+
 public class DeviceTokenRequestModel
 {
    [StringLength(255)]
--- a/src/Api/Models/Response/ConfigResponseModel.cs
+++ b/src/Api/Models/Response/ConfigResponseModel.cs
@ -1,4 +1,7 @@
-using Bit.Core.Models.Api;
+using Bit.Core;
+using Bit.Core.Enums;
+using Bit.Core.Models.Api;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;

@ -11,6 +14,7 @@ public class ConfigResponseModel : ResponseModel
    public ServerConfigResponseModel Server { get; set; }
    public EnvironmentConfigResponseModel Environment { get; set; }
    public IDictionary<string, object> FeatureStates { get; set; }
+    public PushSettings Push { get; set; }
    public ServerSettingsResponseModel Settings { get; set; }

    public ConfigResponseModel() : base("config")
@ -23,8 +27,9 @@ public class ConfigResponseModel : ResponseModel
    }

    public ConfigResponseModel(
-        IGlobalSettings globalSettings,
-        IDictionary<string, object> featureStates) : base("config")
+        IFeatureService featureService,
+        IGlobalSettings globalSettings
+        ) : base("config")
    {
        Version = AssemblyHelpers.GetVersion();
        GitHash = AssemblyHelpers.GetGitHash();
@ -37,7 +42,9 @@ public class ConfigResponseModel : ResponseModel
            Notifications = globalSettings.BaseServiceUri.Notifications,
            Sso = globalSettings.BaseServiceUri.Sso
        };
-        FeatureStates = featureStates;
+        FeatureStates = featureService.GetAll();
+        var webPushEnabled = FeatureStates.TryGetValue(FeatureFlagKeys.WebPush, out var webPushEnabledValue) ? (bool)webPushEnabledValue : false;
+        Push = PushSettings.Build(webPushEnabled, globalSettings);
        Settings = new ServerSettingsResponseModel
        {
            DisableUserRegistration = globalSettings.DisableUserRegistration
@ -61,6 +68,23 @@ public class EnvironmentConfigResponseModel
    public string Sso { get; set; }
 }

+public class PushSettings
+{
+    public PushTechnologyType PushTechnology { get; private init; }
+    public string VapidPublicKey { get; private init; }
+
+    public static PushSettings Build(bool webPushEnabled, IGlobalSettings globalSettings)
+    {
+        var vapidPublicKey = webPushEnabled ? globalSettings.WebPush.VapidPublicKey : null;
+        var pushTechnology = vapidPublicKey != null ? PushTechnologyType.WebPush : PushTechnologyType.SignalR;
+        return new()
+        {
+            VapidPublicKey = vapidPublicKey,
+            PushTechnology = pushTechnology
+        };
+    }
+}
+
 public class ServerSettingsResponseModel
 {
    public bool DisableUserRegistration { get; set; }
--- a/src/Api/Platform/Push/Controllers/PushController.cs
+++ b/src/Api/Platform/Push/Controllers/PushController.cs
@ -1,6 +1,7 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@ -42,9 +43,8 @@ public class PushController : Controller
    public async Task RegisterAsync([FromBody] PushRegistrationRequestModel model)
    {
        CheckUsage();
-        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(model.PushToken, Prefix(model.DeviceId),
-            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix),
-            model.InstallationId);
+        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(new PushRegistrationData(model.PushToken), Prefix(model.DeviceId),
+            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix), model.InstallationId);
    }

    [HttpPost("delete")]
--- a/src/Api/Platform/Push/PushTechnologyType.cs
+++ b/src/Api/Platform/Push/PushTechnologyType.cs
@ -0,0 +1,11 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Enums;
+
+public enum PushTechnologyType
+{
+    [Display(Name = "SignalR")]
+    SignalR = 0,
+    [Display(Name = "WebPush")]
+    WebPush = 1,
+}
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -172,6 +172,7 @@ public static class FeatureFlagKeys
    public const string AndroidMutualTls = "mutual-tls";
    public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
    public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
+    public const string WebPush = "web-push";
    public const string AndroidImportLoginsFlow = "import-logins-flow";
    public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";

--- a/src/Core/NotificationHub/INotificationHubPool.cs
+++ b/src/Core/NotificationHub/INotificationHubPool.cs
@ -4,6 +4,7 @@ namespace Bit.Core.NotificationHub;

 public interface INotificationHubPool
 {
+    NotificationHubConnection ConnectionFor(Guid comb);
    INotificationHubClient ClientFor(Guid comb);
    INotificationHubProxy AllClients { get; }
 }
--- a/src/Core/NotificationHub/NotificationHubConnection.cs
+++ b/src/Core/NotificationHub/NotificationHubConnection.cs
@ -1,11 +1,20 @@
-using Bit.Core.Settings;
+using System.Security.Cryptography;
+using System.Text;
+using System.Web;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Microsoft.Azure.NotificationHubs;

-class NotificationHubConnection
+namespace Bit.Core.NotificationHub;
+
+public class NotificationHubConnection
 {
    public string HubName { get; init; }
    public string ConnectionString { get; init; }
+    private Lazy<NotificationHubConnectionStringBuilder> _parsedConnectionString;
+    public Uri Endpoint => _parsedConnectionString.Value.Endpoint;
+    private string SasKey => _parsedConnectionString.Value.SharedAccessKey;
+    private string SasKeyName => _parsedConnectionString.Value.SharedAccessKeyName;
    public bool EnableSendTracing { get; init; }
    private NotificationHubClient _hubClient;
    /// <summary>
@ -95,7 +104,38 @@ class NotificationHubConnection
        return RegistrationStartDate < queryTime;
    }

-    private NotificationHubConnection() { }
+    public HttpRequestMessage CreateRequest(HttpMethod method, string pathUri, params string[] queryParameters)
+    {
+        var uriBuilder = new UriBuilder(Endpoint)
+        {
+            Scheme = "https",
+            Path = $"{HubName}/{pathUri.TrimStart('/')}",
+            Query = string.Join('&', [.. queryParameters, "api-version=2015-01"]),
+        };
+
+        var result = new HttpRequestMessage(method, uriBuilder.Uri);
+        result.Headers.Add("Authorization", GenerateSasToken(uriBuilder.Uri));
+        result.Headers.Add("TrackingId", Guid.NewGuid().ToString());
+        return result;
+    }
+
+    private string GenerateSasToken(Uri uri)
+    {
+        string targetUri = Uri.EscapeDataString(uri.ToString().ToLower()).ToLower();
+        long expires = DateTime.UtcNow.AddMinutes(1).Ticks / TimeSpan.TicksPerSecond;
+        string stringToSign = targetUri + "\n" + expires;
+
+        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(SasKey)))
+        {
+            var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
+            return $"SharedAccessSignature sr={targetUri}&sig={HttpUtility.UrlEncode(signature)}&se={expires}&skn={SasKeyName}";
+        }
+    }
+
+    private NotificationHubConnection()
+    {
+        _parsedConnectionString = new(() => new NotificationHubConnectionStringBuilder(ConnectionString));
+    }

    /// <summary>
    /// Creates a new NotificationHubConnection from the given settings.
--- a/src/Core/NotificationHub/NotificationHubPool.cs
+++ b/src/Core/NotificationHub/NotificationHubPool.cs
@ -44,6 +44,18 @@ public class NotificationHubPool : INotificationHubPool
    /// <returns></returns>
    /// <exception cref="InvalidOperationException">Thrown when no notification hub is found for a given comb.</exception>
    public INotificationHubClient ClientFor(Guid comb)
+    {
+        var resolvedConnection = ConnectionFor(comb);
+        return resolvedConnection.HubClient;
+    }
+
+    /// <summary>
+    /// Gets the NotificationHubConnection for the given comb ID.
+    /// </summary>
+    /// <param name="comb"></param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException">Thrown when no notification hub is found for a given comb.</exception>
+    public NotificationHubConnection ConnectionFor(Guid comb)
    {
        var possibleConnections = _connections.Where(c => c.RegistrationEnabled(comb)).ToArray();
        if (possibleConnections.Length == 0)
@ -55,7 +67,8 @@ public class NotificationHubPool : INotificationHubPool
        }
        var resolvedConnection = possibleConnections[CoreHelpers.BinForComb(comb, possibleConnections.Length)];
        _logger.LogTrace("Resolved notification hub for comb {Comb} out of {HubCount} hubs.\n{ConnectionInfo}", comb, possibleConnections.Length, resolvedConnection.LogString);
-        return resolvedConnection.HubClient;
+        return resolvedConnection;
+
    }

    public INotificationHubProxy AllClients { get { return new NotificationHubClientProxy(_clients); } }
--- a/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushRegistrationService.cs
@ -1,82 +1,131 @@
-using Bit.Core.Enums;
+using System.Diagnostics.CodeAnalysis;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Utilities;
 using Microsoft.Azure.NotificationHubs;
+using Microsoft.Extensions.Logging;

 namespace Bit.Core.NotificationHub;

 public class NotificationHubPushRegistrationService : IPushRegistrationService
 {
+    private static readonly JsonSerializerOptions webPushSerializationOptions = new()
+    {
+        Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
+    };
    private readonly IInstallationDeviceRepository _installationDeviceRepository;
    private readonly INotificationHubPool _notificationHubPool;
+    private readonly IHttpClientFactory _httpClientFactory;
+    private readonly ILogger<NotificationHubPushRegistrationService> _logger;

    public NotificationHubPushRegistrationService(
        IInstallationDeviceRepository installationDeviceRepository,
-        INotificationHubPool notificationHubPool)
+        INotificationHubPool notificationHubPool,
+        IHttpClientFactory httpClientFactory,
+        ILogger<NotificationHubPushRegistrationService> logger)
    {
        _installationDeviceRepository = installationDeviceRepository;
        _notificationHubPool = notificationHubPool;
+        _httpClientFactory = httpClientFactory;
+        _logger = logger;
    }

-    public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public async Task CreateOrUpdateRegistrationAsync(PushRegistrationData data, string deviceId, string userId,
        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
    {
-        if (string.IsNullOrWhiteSpace(pushToken))
-        {
-            return;
-        }
-
+        var orgIds = organizationIds.ToList();
+        var clientType = DeviceTypes.ToClientType(type);
        var installation = new Installation
        {
            InstallationId = deviceId,
-            PushChannel = pushToken,
+            PushChannel = data.Token,
+            Tags = new List<string>
+            {
+                $"userId:{userId}",
+                $"clientType:{clientType}"
+            }.Concat(orgIds.Select(organizationId => $"organizationId:{organizationId}")).ToList(),
            Templates = new Dictionary<string, InstallationTemplate>()
        };

-        var clientType = DeviceTypes.ToClientType(type);
-
-        installation.Tags = new List<string> { $"userId:{userId}", $"clientType:{clientType}" };
-
        if (!string.IsNullOrWhiteSpace(identifier))
        {
            installation.Tags.Add("deviceIdentifier:" + identifier);
        }

-        var organizationIdsList = organizationIds.ToList();
-        foreach (var organizationId in organizationIdsList)
-        {
-            installation.Tags.Add($"organizationId:{organizationId}");
-        }
-
        if (installationId != Guid.Empty)
        {
            installation.Tags.Add($"installationId:{installationId}");
        }

-        string payloadTemplate = null, messageTemplate = null, badgeMessageTemplate = null;
+        if (data.Token != null)
+        {
+            await CreateOrUpdateMobileRegistrationAsync(installation, userId, identifier, clientType, orgIds, type, installationId);
+        }
+        else if (data.WebPush != null)
+        {
+            await CreateOrUpdateWebRegistrationAsync(data.WebPush.Value.Endpoint, data.WebPush.Value.P256dh, data.WebPush.Value.Auth, installation, userId, identifier, clientType, orgIds, installationId);
+        }
+
+        if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
+        {
+            await _installationDeviceRepository.UpsertAsync(new InstallationDeviceEntity(deviceId));
+        }
+    }
+
+    private async Task CreateOrUpdateMobileRegistrationAsync(Installation installation, string userId,
+        string identifier, ClientType clientType, List<string> organizationIds, DeviceType type, Guid installationId)
+    {
+        if (string.IsNullOrWhiteSpace(installation.PushChannel))
+        {
+            return;
+        }
+
        switch (type)
        {
            case DeviceType.Android:
-                payloadTemplate = "{\"message\":{\"data\":{\"type\":\"$(type)\",\"payload\":\"$(payload)\"}}}";
-                messageTemplate = "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
-                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}";
+                installation.Templates.Add(BuildInstallationTemplate("payload",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\",\"payload\":\"$(payload)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
+                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
+                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
                installation.Platform = NotificationPlatform.FcmV1;
                break;
            case DeviceType.iOS:
-                payloadTemplate = "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}," +
-                    "\"aps\":{\"content-available\":1}}";
-                messageTemplate = "{\"data\":{\"type\":\"#(type)\"}," +
-                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":null,\"content-available\":1}}";
-                badgeMessageTemplate = "{\"data\":{\"type\":\"#(type)\"}," +
-                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":\"#(badge)\",\"content-available\":1}}";
-
+                installation.Templates.Add(BuildInstallationTemplate("payload",
+                    "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}," +
+                    "\"aps\":{\"content-available\":1}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"data\":{\"type\":\"#(type)\"}," +
+                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":null,\"content-available\":1}}", userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"data\":{\"type\":\"#(type)\"}," +
+                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":\"#(badge)\",\"content-available\":1}}",
+                    userId, identifier, clientType, organizationIds, installationId));
                installation.Platform = NotificationPlatform.Apns;
                break;
            case DeviceType.AndroidAmazon:
-                payloadTemplate = "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}";
-                messageTemplate = "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}";
+                installation.Templates.Add(BuildInstallationTemplate("payload",
+                    "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));

                installation.Platform = NotificationPlatform.Adm;
                break;
@ -84,28 +133,62 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
                break;
        }

-        BuildInstallationTemplate(installation, "payload", payloadTemplate, userId, identifier, clientType,
-            organizationIdsList, installationId);
-        BuildInstallationTemplate(installation, "message", messageTemplate, userId, identifier, clientType,
-            organizationIdsList, installationId);
-        BuildInstallationTemplate(installation, "badgeMessage", badgeMessageTemplate ?? messageTemplate,
-            userId, identifier, clientType, organizationIdsList, installationId);
-
-        await ClientFor(GetComb(deviceId)).CreateOrUpdateInstallationAsync(installation);
-        if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
-        {
-            await _installationDeviceRepository.UpsertAsync(new InstallationDeviceEntity(deviceId));
-        }
+        await ClientFor(GetComb(installation.InstallationId)).CreateOrUpdateInstallationAsync(installation);
    }

-    private void BuildInstallationTemplate(Installation installation, string templateId, string templateBody,
-        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+    private async Task CreateOrUpdateWebRegistrationAsync(string endpoint, string p256dh, string auth, Installation installation, string userId,
+        string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
    {
-        if (templateBody == null)
+        // The Azure SDK is currently lacking support for web push registrations.
+        // We need to use the REST API directly.
+
+        if (string.IsNullOrWhiteSpace(endpoint) || string.IsNullOrWhiteSpace(p256dh) || string.IsNullOrWhiteSpace(auth))
        {
            return;
        }

+        installation.Templates.Add(BuildInstallationTemplate("payload",
+            "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}",
+            userId, identifier, clientType, organizationIds, installationId));
+        installation.Templates.Add(BuildInstallationTemplate("message",
+            "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                userId, identifier, clientType, organizationIds, installationId));
+        installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+            "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+            userId, identifier, clientType, organizationIds, installationId));
+
+        var content = new
+        {
+            installationId = installation.InstallationId,
+            pushChannel = new
+            {
+                endpoint,
+                p256dh,
+                auth
+            },
+            platform = "browser",
+            tags = installation.Tags,
+            templates = installation.Templates
+        };
+
+        var client = _httpClientFactory.CreateClient("NotificationHub");
+        var request = ConnectionFor(GetComb(installation.InstallationId)).CreateRequest(HttpMethod.Put, $"installations/{installation.InstallationId}");
+        request.Content = JsonContent.Create(content, new MediaTypeHeaderValue("application/json"), webPushSerializationOptions);
+        var response = await client.SendAsync(request);
+        var body = await response.Content.ReadAsStringAsync();
+        if (!response.IsSuccessStatusCode)
+        {
+            _logger.LogWarning("Web push registration failed: {Response}", body);
+        }
+        else
+        {
+            _logger.LogInformation("Web push registration success: {Response}", body);
+        }
+    }
+
+    private static KeyValuePair<string, InstallationTemplate> BuildInstallationTemplate(string templateId, [StringSyntax(StringSyntaxAttribute.Json)] string templateBody,
+        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+    {
        var fullTemplateId = $"template:{templateId}";

        var template = new InstallationTemplate
@ -132,7 +215,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
            template.Tags.Add($"installationId:{installationId}");
        }

-        installation.Templates.Add(fullTemplateId, template);
+        return new KeyValuePair<string, InstallationTemplate>(fullTemplateId, template);
    }

    public async Task DeleteRegistrationAsync(string deviceId)
@ -213,6 +296,11 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
        return _notificationHubPool.ClientFor(deviceId);
    }

+    private NotificationHubConnection ConnectionFor(Guid deviceId)
+    {
+        return _notificationHubPool.ConnectionFor(deviceId);
+    }
+
    private Guid GetComb(string deviceId)
    {
        var deviceIdString = deviceId;
--- a/src/Core/NotificationHub/PushRegistrationData.cs
+++ b/src/Core/NotificationHub/PushRegistrationData.cs
@ -0,0 +1,50 @@
+namespace Bit.Core.NotificationHub;
+
+public struct WebPushRegistrationData : IEquatable<WebPushRegistrationData>
+{
+    public string Endpoint { get; init; }
+    public string P256dh { get; init; }
+    public string Auth { get; init; }
+
+    public bool Equals(WebPushRegistrationData other)
+    {
+        return Endpoint == other.Endpoint && P256dh == other.P256dh && Auth == other.Auth;
+    }
+
+    public override int GetHashCode()
+    {
+        return HashCode.Combine(Endpoint, P256dh, Auth);
+    }
+}
+
+public class PushRegistrationData : IEquatable<PushRegistrationData>
+{
+    public string Token { get; set; }
+    public WebPushRegistrationData? WebPush { get; set; }
+    public PushRegistrationData(string token)
+    {
+        Token = token;
+    }
+
+    public PushRegistrationData(string Endpoint, string P256dh, string Auth) : this(new WebPushRegistrationData
+    {
+        Endpoint = Endpoint,
+        P256dh = P256dh,
+        Auth = Auth
+    })
+    { }
+
+    public PushRegistrationData(WebPushRegistrationData webPush)
+    {
+        WebPush = webPush;
+    }
+    public bool Equals(PushRegistrationData other)
+    {
+        return Token == other.Token && WebPush.Equals(other.WebPush);
+    }
+
+    public override int GetHashCode()
+    {
+        return HashCode.Combine(Token, WebPush.GetHashCode());
+    }
+}
--- a/src/Core/Platform/Push/Services/IPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/IPushRegistrationService.cs
@ -1,11 +1,11 @@
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;

 namespace Bit.Core.Platform.Push;

 public interface IPushRegistrationService
 {
-    Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
-        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId);
+    Task CreateOrUpdateRegistrationAsync(PushRegistrationData data, string deviceId, string userId, string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId);
    Task DeleteRegistrationAsync(string deviceId);
    Task AddUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
    Task DeleteUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
--- a/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushRegistrationService.cs
@ -1,4 +1,5 @@
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;

 namespace Bit.Core.Platform.Push.Internal;

@ -9,7 +10,7 @@ public class NoopPushRegistrationService : IPushRegistrationService
        return Task.FromResult(0);
    }

-    public Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public Task CreateOrUpdateRegistrationAsync(PushRegistrationData pushRegistrationData, string deviceId, string userId,
        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
    {
        return Task.FromResult(0);
--- a/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushRegistrationService.cs
@ -1,6 +1,7 @@
 using Bit.Core.Enums;
 using Bit.Core.IdentityServer;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
@ -24,14 +25,14 @@ public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegi
    {
    }

-    public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public async Task CreateOrUpdateRegistrationAsync(PushRegistrationData pushData, string deviceId, string userId,
        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
    {
        var requestModel = new PushRegistrationRequestModel
        {
            DeviceId = deviceId,
            Identifier = identifier,
-            PushToken = pushToken,
+            PushToken = pushData.Token,
            Type = type,
            UserId = userId,
            OrganizationIds = organizationIds,
--- a/src/Core/Services/IDeviceService.cs
+++ b/src/Core/Services/IDeviceService.cs
@ -1,10 +1,12 @@
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Entities;
+using Bit.Core.NotificationHub;

 namespace Bit.Core.Services;

 public interface IDeviceService
 {
+    Task SaveAsync(WebPushRegistrationData webPush, Device device);
    Task SaveAsync(Device device);
    Task ClearTokenAsync(Device device);
    Task DeactivateAsync(Device device);
--- a/src/Core/Services/Implementations/DeviceService.cs
+++ b/src/Core/Services/Implementations/DeviceService.cs
@ -3,6 +3,7 @@ using Bit.Core.Auth.Utilities;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
@ -28,9 +29,19 @@ public class DeviceService : IDeviceService
        _globalSettings = globalSettings;
    }

+    public async Task SaveAsync(WebPushRegistrationData webPush, Device device)
+    {
+        await SaveAsync(new PushRegistrationData(webPush.Endpoint, webPush.P256dh, webPush.Auth), device);
+    }
+
    public async Task SaveAsync(Device device)
    {
-        if (device.Id == default(Guid))
+        await SaveAsync(new PushRegistrationData(device.PushToken), device);
+    }
+
+    private async Task SaveAsync(PushRegistrationData data, Device device)
+    {
+        if (device.Id == default)
        {
            await _deviceRepository.CreateAsync(device);
        }
@ -45,9 +56,9 @@ public class DeviceService : IDeviceService
                OrganizationUserStatusType.Confirmed))
            .Select(ou => ou.OrganizationId.ToString());

-        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(device.PushToken, device.Id.ToString(),
-            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString,
-            _globalSettings.Installation.Id);
+        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(data, device.Id.ToString(),
+            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString, _globalSettings.Installation.Id);
+
    }

    public async Task ClearTokenAsync(Device device)
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@ -83,6 +83,8 @@ public class GlobalSettings : IGlobalSettings
    public virtual IDomainVerificationSettings DomainVerification { get; set; } = new DomainVerificationSettings();
    public virtual ILaunchDarklySettings LaunchDarkly { get; set; } = new LaunchDarklySettings();
    public virtual string DevelopmentDirectory { get; set; }
+    public virtual IWebPushSettings WebPush { get; set; } = new WebPushSettings();
+
    public virtual bool EnableEmailVerification { get; set; }
    public virtual string KdfDefaultHashKey { get; set; }
    public virtual string PricingUri { get; set; }
@ -677,4 +679,9 @@ public class GlobalSettings : IGlobalSettings
        public virtual IConnectionStringSettings Redis { get; set; } = new ConnectionStringSettings();
        public virtual IConnectionStringSettings Cosmos { get; set; } = new ConnectionStringSettings();
    }
+
+    public class WebPushSettings : IWebPushSettings
+    {
+        public string VapidPublicKey { get; set; }
+    }
 }
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@ -27,5 +27,6 @@ public interface IGlobalSettings
    string DatabaseProvider { get; set; }
    GlobalSettings.SqlSettings SqlServer { get; set; }
    string DevelopmentDirectory { get; set; }
+    IWebPushSettings WebPush { get; set; }
    GlobalSettings.EventLoggingSettings EventLogging { get; set; }
 }
--- a/src/Core/Settings/IWebPushSettings.cs
+++ b/src/Core/Settings/IWebPushSettings.cs
@ -0,0 +1,6 @@
+namespace Bit.Core.Settings;
+
+public interface IWebPushSettings
+{
+    public string VapidPublicKey { get; set; }
+}
--- a/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
+++ b/test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs
@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Settings;
 using Bit.Test.Common.AutoFixture;
@ -248,7 +249,7 @@ public class PushControllerTests
        Assert.Equal("Not correctly configured for push relays.", exception.Message);

        await sutProvider.GetDependency<IPushRegistrationService>().Received(0)
-            .CreateOrUpdateRegistrationAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
+            .CreateOrUpdateRegistrationAsync(Arg.Any<PushRegistrationData>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
                Arg.Any<DeviceType>(), Arg.Any<IEnumerable<string>>(), Arg.Any<Guid>());
    }

@ -265,7 +266,7 @@ public class PushControllerTests
        var expectedDeviceId = $"{installationId}_{deviceId}";
        var expectedOrganizationId = $"{installationId}_{organizationId}";

-        await sutProvider.Sut.RegisterAsync(new PushRegistrationRequestModel
+        var model = new PushRegistrationRequestModel
        {
            DeviceId = deviceId.ToString(),
            PushToken = "test-push-token",
@ -274,10 +275,12 @@ public class PushControllerTests
            Identifier = identifier.ToString(),
            OrganizationIds = [organizationId.ToString()],
            InstallationId = installationId
-        });
+        };
+
+        await sutProvider.Sut.RegisterAsync(model);

        await sutProvider.GetDependency<IPushRegistrationService>().Received(1)
-            .CreateOrUpdateRegistrationAsync("test-push-token", expectedDeviceId, expectedUserId,
+            .CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(data => data.Equals(new PushRegistrationData(model.PushToken))), expectedDeviceId, expectedUserId,
                expectedIdentifier, DeviceType.Android, Arg.Do<IEnumerable<string>>(organizationIds =>
                {
                    var organizationIdsList = organizationIds.ToList();
--- a/test/Core.Test/NotificationHub/NotificationHubConnectionTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubConnectionTests.cs
@ -1,4 +1,5 @@
-using Bit.Core.Settings;
+using Bit.Core.NotificationHub;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Xunit;

--- a/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
+++ b/test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs
@ -19,7 +19,7 @@ public class NotificationHubPushRegistrationServiceTests
        SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
        Guid organizationId, Guid installationId)
    {
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
            identifier.ToString(), DeviceType.Android, [organizationId.ToString()], installationId);

        sutProvider.GetDependency<INotificationHubPool>()
@ -39,7 +39,7 @@ public class NotificationHubPushRegistrationServiceTests

        var pushToken = "test push token";

-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
            identifierNull ? null : identifier.ToString(), DeviceType.Android,
            partOfOrganizationId ? [organizationId.ToString()] : [],
            installationIdNull ? Guid.Empty : installationId);
@ -115,7 +115,7 @@ public class NotificationHubPushRegistrationServiceTests

        var pushToken = "test push token";

-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
            identifierNull ? null : identifier.ToString(), DeviceType.iOS,
            partOfOrganizationId ? [organizationId.ToString()] : [],
            installationIdNull ? Guid.Empty : installationId);
@ -191,7 +191,7 @@ public class NotificationHubPushRegistrationServiceTests

        var pushToken = "test push token";

-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
            identifierNull ? null : identifier.ToString(), DeviceType.AndroidAmazon,
            partOfOrganizationId ? [organizationId.ToString()] : [],
            installationIdNull ? Guid.Empty : installationId);
@ -268,7 +268,7 @@ public class NotificationHubPushRegistrationServiceTests

        var pushToken = "test push token";

-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
            identifier.ToString(), deviceType, [organizationId.ToString()], installationId);

        sutProvider.GetDependency<INotificationHubPool>()
--- a/test/Core.Test/Services/DeviceServiceTests.cs
+++ b/test/Core.Test/Services/DeviceServiceTests.cs
@ -4,6 +4,7 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@ -43,13 +44,13 @@ public class DeviceServiceTests
            Name = "test device",
            Type = DeviceType.Android,
            UserId = userId,
-            PushToken = "testtoken",
+            PushToken = "testToken",
            Identifier = "testid"
        };
        await deviceService.SaveAsync(device);

        Assert.True(device.RevisionDate - DateTime.UtcNow < TimeSpan.FromSeconds(1));
-        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken", id.ToString(),
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(v => v.Token == "testToken"), id.ToString(),
            userId.ToString(), "testid", DeviceType.Android,
            Arg.Do<IEnumerable<string>>(organizationIds =>
            {
@ -84,12 +85,12 @@ public class DeviceServiceTests
            Name = "test device",
            Type = DeviceType.Android,
            UserId = userId,
-            PushToken = "testtoken",
+            PushToken = "testToken",
            Identifier = "testid"
        };
        await deviceService.SaveAsync(device);

-        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken",
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(v => v.Token == "testToken"),
            Arg.Do<string>(id => Guid.TryParse(id, out var _)), userId.ToString(), "testid", DeviceType.Android,
            Arg.Do<IEnumerable<string>>(organizationIds =>
            {
--- a/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
+++ b/test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
@ -163,6 +163,10 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>

                // New Device Verification
                { "globalSettings:disableEmailNewDevice", "false" },
+
+                // Web push notifications
+                { "globalSettings:webPush:vapidPublicKey", "BGBtAM0bU3b5jsB14IjBYarvJZ6rWHilASLudTTYDDBi7a-3kebo24Yus_xYeOMZ863flAXhFAbkL6GVSrxgErg" },
+                { "globalSettings:launchDarkly:flagValues:web-push", "true" },
            });
        });