[PM-16787] Web push enablement for server (#5395)

* Allow for binning of comb IDs by date and value

* Introduce notification hub pool

* Replace device type sharding with comb + range sharding

* Fix proxy interface

* Use enumerable services for multiServiceNotificationHub

* Fix push interface usage

* Fix push notification service dependencies

* Fix push notification keys

* Fixup documentation

* Remove deprecated settings

* Fix tests

* PascalCase method names

* Remove unused request model properties

* Remove unused setting

* Improve DateFromComb precision

* Prefer readonly service enumerable

* Pascal case template holes

* Name TryParse methods TryParse

* Apply suggestions from code review

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* Include preferred push technology in config response

SignalR will be the fallback, but clients should attempt web push first if offered and available to the client.

* Register web push devices

* Working signing and content encrypting

* update to RFC-8291 and RFC-8188

* Notification hub is now working, no need to create our own

* Fix body

* Flip Success Check

* use nifty json attribute

* Remove vapid private key

This is only needed to encrypt data for transmission along webpush -- it's handled by NotificationHub for us

* Add web push feature flag to control config response

* Update src/Core/NotificationHub/NotificationHubConnection.cs

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* Update src/Core/NotificationHub/NotificationHubConnection.cs

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* fixup! Update src/Core/NotificationHub/NotificationHubConnection.cs

* Move to platform ownership

* Remove debugging extension

* Remove unused dependencies

* Set json content directly

* Name web push registration data

* Fix FCM type typo

* Determine specific feature flag from set of flags

* Fixup merged tests

* Fixup tests

* Code quality suggestions

* Fix merged tests

* Fix test

---------

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

src/Api/Controllers/ConfigController.cs

@@ -23,6 +23,6 @@ public class ConfigController : Controller
     [HttpGet("")]
     public ConfigResponseModel GetConfigs()
     {
-        return new ConfigResponseModel(_globalSettings, _featureService.GetAll());
+        return new ConfigResponseModel(_featureService, _globalSettings);
     }
 }

src/Api/Controllers/DevicesController.cs

@@ -186,6 +186,19 @@ public class DevicesController : Controller
         await _deviceService.SaveAsync(model.ToDevice(device));
     }
 
+    [HttpPut("identifier/{identifier}/web-push-auth")]
+    [HttpPost("identifier/{identifier}/web-push-auth")]
+    public async Task PutWebPushAuth(string identifier, [FromBody] WebPushAuthRequestModel model)
+    {
+        var device = await _deviceRepository.GetByIdentifierAsync(identifier, _userService.GetProperUserId(User).Value);
+        if (device == null)
+        {
+            throw new NotFoundException();
+        }
+
+        await _deviceService.SaveAsync(model.ToData(), device);
+    }
+
     [AllowAnonymous]
     [HttpPut("identifier/{identifier}/clear-token")]
     [HttpPost("identifier/{identifier}/clear-token")]

src/Api/Models/Request/DeviceRequestModels.cs

@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
 using Bit.Core.Utilities;
 
 namespace Bit.Api.Models.Request;
@@ -37,6 +38,26 @@ public class DeviceRequestModel
     }
 }
 
+public class WebPushAuthRequestModel
+{
+    [Required]
+    public string Endpoint { get; set; }
+    [Required]
+    public string P256dh { get; set; }
+    [Required]
+    public string Auth { get; set; }
+
+    public WebPushRegistrationData ToData()
+    {
+        return new WebPushRegistrationData
+        {
+            Endpoint = Endpoint,
+            P256dh = P256dh,
+            Auth = Auth
+        };
+    }
+}
+
 public class DeviceTokenRequestModel
 {
     [StringLength(255)]

src/Api/Models/Response/ConfigResponseModel.cs

@@ -1,4 +1,7 @@
-using Bit.Core.Models.Api;
+using Bit.Core;
+using Bit.Core.Enums;
+using Bit.Core.Models.Api;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 
@@ -11,6 +14,7 @@ public class ConfigResponseModel : ResponseModel
     public ServerConfigResponseModel Server { get; set; }
     public EnvironmentConfigResponseModel Environment { get; set; }
     public IDictionary<string, object> FeatureStates { get; set; }
+    public PushSettings Push { get; set; }
     public ServerSettingsResponseModel Settings { get; set; }
 
     public ConfigResponseModel() : base("config")
@@ -23,8 +27,9 @@ public class ConfigResponseModel : ResponseModel
     }
 
     public ConfigResponseModel(
-        IGlobalSettings globalSettings,
+        IFeatureService featureService,
-        IDictionary<string, object> featureStates) : base("config")
+        IGlobalSettings globalSettings
+        ) : base("config")
     {
         Version = AssemblyHelpers.GetVersion();
         GitHash = AssemblyHelpers.GetGitHash();
@@ -37,7 +42,9 @@ public class ConfigResponseModel : ResponseModel
             Notifications = globalSettings.BaseServiceUri.Notifications,
             Sso = globalSettings.BaseServiceUri.Sso
         };
-        FeatureStates = featureStates;
+        FeatureStates = featureService.GetAll();
+        var webPushEnabled = FeatureStates.TryGetValue(FeatureFlagKeys.WebPush, out var webPushEnabledValue) ? (bool)webPushEnabledValue : false;
+        Push = PushSettings.Build(webPushEnabled, globalSettings);
         Settings = new ServerSettingsResponseModel
         {
             DisableUserRegistration = globalSettings.DisableUserRegistration
@@ -61,6 +68,23 @@ public class EnvironmentConfigResponseModel
     public string Sso { get; set; }
 }
 
+public class PushSettings
+{
+    public PushTechnologyType PushTechnology { get; private init; }
+    public string VapidPublicKey { get; private init; }
+
+    public static PushSettings Build(bool webPushEnabled, IGlobalSettings globalSettings)
+    {
+        var vapidPublicKey = webPushEnabled ? globalSettings.WebPush.VapidPublicKey : null;
+        var pushTechnology = vapidPublicKey != null ? PushTechnologyType.WebPush : PushTechnologyType.SignalR;
+        return new()
+        {
+            VapidPublicKey = vapidPublicKey,
+            PushTechnology = pushTechnology
+        };
+    }
+}
+
 public class ServerSettingsResponseModel
 {
     public bool DisableUserRegistration { get; set; }

src/Api/Platform/Push/Controllers/PushController.cs

@@ -1,6 +1,7 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@@ -42,9 +43,8 @@ public class PushController : Controller
     public async Task RegisterAsync([FromBody] PushRegistrationRequestModel model)
     {
         CheckUsage();
-        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(model.PushToken, Prefix(model.DeviceId),
+        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(new PushRegistrationData(model.PushToken), Prefix(model.DeviceId),
-            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix),
+            Prefix(model.UserId), Prefix(model.Identifier), model.Type, model.OrganizationIds.Select(Prefix), model.InstallationId);
-            model.InstallationId);
     }
 
     [HttpPost("delete")]

src/Api/Platform/Push/PushTechnologyType.cs

@@ -0,0 +1,11 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Core.Enums;
+
+public enum PushTechnologyType
+{
+    [Display(Name = "SignalR")]
+    SignalR = 0,
+    [Display(Name = "WebPush")]
+    WebPush = 1,
+}

src/Core/Constants.cs

@@ -172,6 +172,7 @@ public static class FeatureFlagKeys
     public const string AndroidMutualTls = "mutual-tls";
     public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
     public const string PM3503_MobileAnonAddySelfHostAlias = "anon-addy-self-host-alias";
+    public const string WebPush = "web-push";
     public const string AndroidImportLoginsFlow = "import-logins-flow";
     public const string PM12276Breadcrumbing = "pm-12276-breadcrumbing-for-business-features";
 

src/Core/NotificationHub/INotificationHubPool.cs

@@ -4,6 +4,7 @@ namespace Bit.Core.NotificationHub;
 
 public interface INotificationHubPool
 {
+    NotificationHubConnection ConnectionFor(Guid comb);
     INotificationHubClient ClientFor(Guid comb);
     INotificationHubProxy AllClients { get; }
 }

src/Core/NotificationHub/NotificationHubConnection.cs

@@ -1,11 +1,20 @@
-using Bit.Core.Settings;
+using System.Security.Cryptography;
+using System.Text;
+using System.Web;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Microsoft.Azure.NotificationHubs;
 
-class NotificationHubConnection
+namespace Bit.Core.NotificationHub;
+
+public class NotificationHubConnection
 {
     public string HubName { get; init; }
     public string ConnectionString { get; init; }
+    private Lazy<NotificationHubConnectionStringBuilder> _parsedConnectionString;
+    public Uri Endpoint => _parsedConnectionString.Value.Endpoint;
+    private string SasKey => _parsedConnectionString.Value.SharedAccessKey;
+    private string SasKeyName => _parsedConnectionString.Value.SharedAccessKeyName;
     public bool EnableSendTracing { get; init; }
     private NotificationHubClient _hubClient;
     /// <summary>
@@ -95,7 +104,38 @@ class NotificationHubConnection
         return RegistrationStartDate < queryTime;
     }
 
-    private NotificationHubConnection() { }
+    public HttpRequestMessage CreateRequest(HttpMethod method, string pathUri, params string[] queryParameters)
+    {
+        var uriBuilder = new UriBuilder(Endpoint)
+        {
+            Scheme = "https",
+            Path = $"{HubName}/{pathUri.TrimStart('/')}",
+            Query = string.Join('&', [.. queryParameters, "api-version=2015-01"]),
+        };
+
+        var result = new HttpRequestMessage(method, uriBuilder.Uri);
+        result.Headers.Add("Authorization", GenerateSasToken(uriBuilder.Uri));
+        result.Headers.Add("TrackingId", Guid.NewGuid().ToString());
+        return result;
+    }
+
+    private string GenerateSasToken(Uri uri)
+    {
+        string targetUri = Uri.EscapeDataString(uri.ToString().ToLower()).ToLower();
+        long expires = DateTime.UtcNow.AddMinutes(1).Ticks / TimeSpan.TicksPerSecond;
+        string stringToSign = targetUri + "\n" + expires;
+
+        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(SasKey)))
+        {
+            var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
+            return $"SharedAccessSignature sr={targetUri}&sig={HttpUtility.UrlEncode(signature)}&se={expires}&skn={SasKeyName}";
+        }
+    }
+
+    private NotificationHubConnection()
+    {
+        _parsedConnectionString = new(() => new NotificationHubConnectionStringBuilder(ConnectionString));
+    }
 
     /// <summary>
     /// Creates a new NotificationHubConnection from the given settings.

src/Core/NotificationHub/NotificationHubPool.cs

@@ -44,6 +44,18 @@ public class NotificationHubPool : INotificationHubPool
     /// <returns></returns>
     /// <exception cref="InvalidOperationException">Thrown when no notification hub is found for a given comb.</exception>
     public INotificationHubClient ClientFor(Guid comb)
+    {
+        var resolvedConnection = ConnectionFor(comb);
+        return resolvedConnection.HubClient;
+    }
+
+    /// <summary>
+    /// Gets the NotificationHubConnection for the given comb ID.
+    /// </summary>
+    /// <param name="comb"></param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException">Thrown when no notification hub is found for a given comb.</exception>
+    public NotificationHubConnection ConnectionFor(Guid comb)
     {
         var possibleConnections = _connections.Where(c => c.RegistrationEnabled(comb)).ToArray();
         if (possibleConnections.Length == 0)
@@ -55,7 +67,8 @@ public class NotificationHubPool : INotificationHubPool
         }
         var resolvedConnection = possibleConnections[CoreHelpers.BinForComb(comb, possibleConnections.Length)];
         _logger.LogTrace("Resolved notification hub for comb {Comb} out of {HubCount} hubs.\n{ConnectionInfo}", comb, possibleConnections.Length, resolvedConnection.LogString);
-        return resolvedConnection.HubClient;
+        return resolvedConnection;
+
     }
 
     public INotificationHubProxy AllClients { get { return new NotificationHubClientProxy(_clients); } }

src/Core/NotificationHub/NotificationHubPushRegistrationService.cs

@@ -1,82 +1,131 @@
-using Bit.Core.Enums;
+using System.Diagnostics.CodeAnalysis;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Utilities;
 using Microsoft.Azure.NotificationHubs;
+using Microsoft.Extensions.Logging;
 
 namespace Bit.Core.NotificationHub;
 
 public class NotificationHubPushRegistrationService : IPushRegistrationService
 {
+    private static readonly JsonSerializerOptions webPushSerializationOptions = new()
+    {
+        Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
+    };
     private readonly IInstallationDeviceRepository _installationDeviceRepository;
     private readonly INotificationHubPool _notificationHubPool;
+    private readonly IHttpClientFactory _httpClientFactory;
+    private readonly ILogger<NotificationHubPushRegistrationService> _logger;
 
     public NotificationHubPushRegistrationService(
         IInstallationDeviceRepository installationDeviceRepository,
-        INotificationHubPool notificationHubPool)
+        INotificationHubPool notificationHubPool,
+        IHttpClientFactory httpClientFactory,
+        ILogger<NotificationHubPushRegistrationService> logger)
     {
         _installationDeviceRepository = installationDeviceRepository;
         _notificationHubPool = notificationHubPool;
+        _httpClientFactory = httpClientFactory;
+        _logger = logger;
     }
 
-    public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public async Task CreateOrUpdateRegistrationAsync(PushRegistrationData data, string deviceId, string userId,
         string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
-        if (string.IsNullOrWhiteSpace(pushToken))
+        var orgIds = organizationIds.ToList();
-        {
+        var clientType = DeviceTypes.ToClientType(type);
-            return;
-        }
-
         var installation = new Installation
         {
             InstallationId = deviceId,
-            PushChannel = pushToken,
+            PushChannel = data.Token,
+            Tags = new List<string>
+            {
+                $"userId:{userId}",
+                $"clientType:{clientType}"
+            }.Concat(orgIds.Select(organizationId => $"organizationId:{organizationId}")).ToList(),
             Templates = new Dictionary<string, InstallationTemplate>()
         };
 
-        var clientType = DeviceTypes.ToClientType(type);
-
-        installation.Tags = new List<string> { $"userId:{userId}", $"clientType:{clientType}" };
-
         if (!string.IsNullOrWhiteSpace(identifier))
         {
             installation.Tags.Add("deviceIdentifier:" + identifier);
         }
 
-        var organizationIdsList = organizationIds.ToList();
-        foreach (var organizationId in organizationIdsList)
-        {
-            installation.Tags.Add($"organizationId:{organizationId}");
-        }
-
         if (installationId != Guid.Empty)
         {
             installation.Tags.Add($"installationId:{installationId}");
         }
 
-        string payloadTemplate = null, messageTemplate = null, badgeMessageTemplate = null;
+        if (data.Token != null)
+        {
+            await CreateOrUpdateMobileRegistrationAsync(installation, userId, identifier, clientType, orgIds, type, installationId);
+        }
+        else if (data.WebPush != null)
+        {
+            await CreateOrUpdateWebRegistrationAsync(data.WebPush.Value.Endpoint, data.WebPush.Value.P256dh, data.WebPush.Value.Auth, installation, userId, identifier, clientType, orgIds, installationId);
+        }
+
+        if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
+        {
+            await _installationDeviceRepository.UpsertAsync(new InstallationDeviceEntity(deviceId));
+        }
+    }
+
+    private async Task CreateOrUpdateMobileRegistrationAsync(Installation installation, string userId,
+        string identifier, ClientType clientType, List<string> organizationIds, DeviceType type, Guid installationId)
+    {
+        if (string.IsNullOrWhiteSpace(installation.PushChannel))
+        {
+            return;
+        }
+
         switch (type)
         {
             case DeviceType.Android:
-                payloadTemplate = "{\"message\":{\"data\":{\"type\":\"$(type)\",\"payload\":\"$(payload)\"}}}";
+                installation.Templates.Add(BuildInstallationTemplate("payload",
-                messageTemplate = "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\",\"payload\":\"$(payload)\"}}}",
-                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}";
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
+                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"message\":{\"data\":{\"type\":\"$(type)\"}," +
+                    "\"notification\":{\"title\":\"$(title)\",\"body\":\"$(message)\"}}}",
+                    userId, identifier, clientType, organizationIds, installationId));
                 installation.Platform = NotificationPlatform.FcmV1;
                 break;
             case DeviceType.iOS:
-                payloadTemplate = "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}," +
+                installation.Templates.Add(BuildInstallationTemplate("payload",
-                    "\"aps\":{\"content-available\":1}}";
+                    "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}," +
-                messageTemplate = "{\"data\":{\"type\":\"#(type)\"}," +
+                    "\"aps\":{\"content-available\":1}}",
-                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":null,\"content-available\":1}}";
+                    userId, identifier, clientType, organizationIds, installationId));
-                badgeMessageTemplate = "{\"data\":{\"type\":\"#(type)\"}," +
+                installation.Templates.Add(BuildInstallationTemplate("message",
-                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":\"#(badge)\",\"content-available\":1}}";
+                    "{\"data\":{\"type\":\"#(type)\"}," +
-
+                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":null,\"content-available\":1}}", userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"data\":{\"type\":\"#(type)\"}," +
+                    "\"aps\":{\"alert\":\"$(message)\",\"badge\":\"#(badge)\",\"content-available\":1}}",
+                    userId, identifier, clientType, organizationIds, installationId));
                 installation.Platform = NotificationPlatform.Apns;
                 break;
             case DeviceType.AndroidAmazon:
-                payloadTemplate = "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}";
+                installation.Templates.Add(BuildInstallationTemplate("payload",
-                messageTemplate = "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}";
+                    "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("message",
+                    "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
+                installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+                    "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                    userId, identifier, clientType, organizationIds, installationId));
 
                 installation.Platform = NotificationPlatform.Adm;
                 break;
@@ -84,28 +133,62 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
                 break;
         }
 
-        BuildInstallationTemplate(installation, "payload", payloadTemplate, userId, identifier, clientType,
+        await ClientFor(GetComb(installation.InstallationId)).CreateOrUpdateInstallationAsync(installation);
-            organizationIdsList, installationId);
-        BuildInstallationTemplate(installation, "message", messageTemplate, userId, identifier, clientType,
-            organizationIdsList, installationId);
-        BuildInstallationTemplate(installation, "badgeMessage", badgeMessageTemplate ?? messageTemplate,
-            userId, identifier, clientType, organizationIdsList, installationId);
-
-        await ClientFor(GetComb(deviceId)).CreateOrUpdateInstallationAsync(installation);
-        if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
-        {
-            await _installationDeviceRepository.UpsertAsync(new InstallationDeviceEntity(deviceId));
-        }
     }
 
-    private void BuildInstallationTemplate(Installation installation, string templateId, string templateBody,
+    private async Task CreateOrUpdateWebRegistrationAsync(string endpoint, string p256dh, string auth, Installation installation, string userId,
-        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+        string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
     {
-        if (templateBody == null)
+        // The Azure SDK is currently lacking support for web push registrations.
+        // We need to use the REST API directly.
+
+        if (string.IsNullOrWhiteSpace(endpoint) || string.IsNullOrWhiteSpace(p256dh) || string.IsNullOrWhiteSpace(auth))
         {
             return;
         }
 
+        installation.Templates.Add(BuildInstallationTemplate("payload",
+            "{\"data\":{\"type\":\"#(type)\",\"payload\":\"$(payload)\"}}",
+            userId, identifier, clientType, organizationIds, installationId));
+        installation.Templates.Add(BuildInstallationTemplate("message",
+            "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+                userId, identifier, clientType, organizationIds, installationId));
+        installation.Templates.Add(BuildInstallationTemplate("badgeMessage",
+            "{\"data\":{\"type\":\"#(type)\",\"message\":\"$(message)\"}}",
+            userId, identifier, clientType, organizationIds, installationId));
+
+        var content = new
+        {
+            installationId = installation.InstallationId,
+            pushChannel = new
+            {
+                endpoint,
+                p256dh,
+                auth
+            },
+            platform = "browser",
+            tags = installation.Tags,
+            templates = installation.Templates
+        };
+
+        var client = _httpClientFactory.CreateClient("NotificationHub");
+        var request = ConnectionFor(GetComb(installation.InstallationId)).CreateRequest(HttpMethod.Put, $"installations/{installation.InstallationId}");
+        request.Content = JsonContent.Create(content, new MediaTypeHeaderValue("application/json"), webPushSerializationOptions);
+        var response = await client.SendAsync(request);
+        var body = await response.Content.ReadAsStringAsync();
+        if (!response.IsSuccessStatusCode)
+        {
+            _logger.LogWarning("Web push registration failed: {Response}", body);
+        }
+        else
+        {
+            _logger.LogInformation("Web push registration success: {Response}", body);
+        }
+    }
+
+    private static KeyValuePair<string, InstallationTemplate> BuildInstallationTemplate(string templateId, [StringSyntax(StringSyntaxAttribute.Json)] string templateBody,
+        string userId, string identifier, ClientType clientType, List<string> organizationIds, Guid installationId)
+    {
         var fullTemplateId = $"template:{templateId}";
 
         var template = new InstallationTemplate
@@ -132,7 +215,7 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
             template.Tags.Add($"installationId:{installationId}");
         }
 
-        installation.Templates.Add(fullTemplateId, template);
+        return new KeyValuePair<string, InstallationTemplate>(fullTemplateId, template);
     }
 
     public async Task DeleteRegistrationAsync(string deviceId)
@@ -213,6 +296,11 @@ public class NotificationHubPushRegistrationService : IPushRegistrationService
         return _notificationHubPool.ClientFor(deviceId);
     }
 
+    private NotificationHubConnection ConnectionFor(Guid deviceId)
+    {
+        return _notificationHubPool.ConnectionFor(deviceId);
+    }
+
     private Guid GetComb(string deviceId)
     {
         var deviceIdString = deviceId;

src/Core/NotificationHub/PushRegistrationData.cs

@@ -0,0 +1,50 @@
+namespace Bit.Core.NotificationHub;
+
+public struct WebPushRegistrationData : IEquatable<WebPushRegistrationData>
+{
+    public string Endpoint { get; init; }
+    public string P256dh { get; init; }
+    public string Auth { get; init; }
+
+    public bool Equals(WebPushRegistrationData other)
+    {
+        return Endpoint == other.Endpoint && P256dh == other.P256dh && Auth == other.Auth;
+    }
+
+    public override int GetHashCode()
+    {
+        return HashCode.Combine(Endpoint, P256dh, Auth);
+    }
+}
+
+public class PushRegistrationData : IEquatable<PushRegistrationData>
+{
+    public string Token { get; set; }
+    public WebPushRegistrationData? WebPush { get; set; }
+    public PushRegistrationData(string token)
+    {
+        Token = token;
+    }
+
+    public PushRegistrationData(string Endpoint, string P256dh, string Auth) : this(new WebPushRegistrationData
+    {
+        Endpoint = Endpoint,
+        P256dh = P256dh,
+        Auth = Auth
+    })
+    { }
+
+    public PushRegistrationData(WebPushRegistrationData webPush)
+    {
+        WebPush = webPush;
+    }
+    public bool Equals(PushRegistrationData other)
+    {
+        return Token == other.Token && WebPush.Equals(other.WebPush);
+    }
+
+    public override int GetHashCode()
+    {
+        return HashCode.Combine(Token, WebPush.GetHashCode());
+    }
+}

src/Core/Platform/Push/Services/IPushRegistrationService.cs

@@ -1,11 +1,11 @@
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
 
 namespace Bit.Core.Platform.Push;
 
 public interface IPushRegistrationService
 {
-    Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    Task CreateOrUpdateRegistrationAsync(PushRegistrationData data, string deviceId, string userId, string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId);
-        string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId);
     Task DeleteRegistrationAsync(string deviceId);
     Task AddUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);
     Task DeleteUserRegistrationOrganizationAsync(IEnumerable<string> deviceIds, string organizationId);

src/Core/Platform/Push/Services/NoopPushRegistrationService.cs

@@ -1,4 +1,5 @@
 using Bit.Core.Enums;
+using Bit.Core.NotificationHub;
 
 namespace Bit.Core.Platform.Push.Internal;
 
@@ -9,7 +10,7 @@ public class NoopPushRegistrationService : IPushRegistrationService
         return Task.FromResult(0);
     }
 
-    public Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public Task CreateOrUpdateRegistrationAsync(PushRegistrationData pushRegistrationData, string deviceId, string userId,
         string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
         return Task.FromResult(0);

src/Core/Platform/Push/Services/RelayPushRegistrationService.cs

@@ -1,6 +1,7 @@
 using Bit.Core.Enums;
 using Bit.Core.IdentityServer;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
@@ -24,14 +25,14 @@ public class RelayPushRegistrationService : BaseIdentityClientService, IPushRegi
     {
     }
 
-    public async Task CreateOrUpdateRegistrationAsync(string pushToken, string deviceId, string userId,
+    public async Task CreateOrUpdateRegistrationAsync(PushRegistrationData pushData, string deviceId, string userId,
         string identifier, DeviceType type, IEnumerable<string> organizationIds, Guid installationId)
     {
         var requestModel = new PushRegistrationRequestModel
         {
             DeviceId = deviceId,
             Identifier = identifier,
-            PushToken = pushToken,
+            PushToken = pushData.Token,
             Type = type,
             UserId = userId,
             OrganizationIds = organizationIds,

src/Core/Services/IDeviceService.cs

@@ -1,10 +1,12 @@
 using Bit.Core.Auth.Models.Api.Request;
 using Bit.Core.Entities;
+using Bit.Core.NotificationHub;
 
 namespace Bit.Core.Services;
 
 public interface IDeviceService
 {
+    Task SaveAsync(WebPushRegistrationData webPush, Device device);
     Task SaveAsync(Device device);
     Task ClearTokenAsync(Device device);
     Task DeactivateAsync(Device device);

src/Core/Services/Implementations/DeviceService.cs

@@ -3,6 +3,7 @@ using Bit.Core.Auth.Utilities;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
@@ -28,9 +29,19 @@ public class DeviceService : IDeviceService
         _globalSettings = globalSettings;
     }
 
+    public async Task SaveAsync(WebPushRegistrationData webPush, Device device)
+    {
+        await SaveAsync(new PushRegistrationData(webPush.Endpoint, webPush.P256dh, webPush.Auth), device);
+    }
+
     public async Task SaveAsync(Device device)
     {
-        if (device.Id == default(Guid))
+        await SaveAsync(new PushRegistrationData(device.PushToken), device);
+    }
+
+    private async Task SaveAsync(PushRegistrationData data, Device device)
+    {
+        if (device.Id == default)
         {
             await _deviceRepository.CreateAsync(device);
         }
@@ -45,9 +56,9 @@ public class DeviceService : IDeviceService
                 OrganizationUserStatusType.Confirmed))
             .Select(ou => ou.OrganizationId.ToString());
 
-        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(device.PushToken, device.Id.ToString(),
+        await _pushRegistrationService.CreateOrUpdateRegistrationAsync(data, device.Id.ToString(),
-            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString,
+            device.UserId.ToString(), device.Identifier, device.Type, organizationIdsString, _globalSettings.Installation.Id);
-            _globalSettings.Installation.Id);
+
     }
 
     public async Task ClearTokenAsync(Device device)

src/Core/Settings/GlobalSettings.cs

@@ -83,6 +83,8 @@ public class GlobalSettings : IGlobalSettings
     public virtual IDomainVerificationSettings DomainVerification { get; set; } = new DomainVerificationSettings();
     public virtual ILaunchDarklySettings LaunchDarkly { get; set; } = new LaunchDarklySettings();
     public virtual string DevelopmentDirectory { get; set; }
+    public virtual IWebPushSettings WebPush { get; set; } = new WebPushSettings();
+
     public virtual bool EnableEmailVerification { get; set; }
     public virtual string KdfDefaultHashKey { get; set; }
     public virtual string PricingUri { get; set; }
@@ -677,4 +679,9 @@ public class GlobalSettings : IGlobalSettings
         public virtual IConnectionStringSettings Redis { get; set; } = new ConnectionStringSettings();
         public virtual IConnectionStringSettings Cosmos { get; set; } = new ConnectionStringSettings();
     }
+
+    public class WebPushSettings : IWebPushSettings
+    {
+        public string VapidPublicKey { get; set; }
+    }
 }

src/Core/Settings/IGlobalSettings.cs

@@ -27,5 +27,6 @@ public interface IGlobalSettings
     string DatabaseProvider { get; set; }
     GlobalSettings.SqlSettings SqlServer { get; set; }
     string DevelopmentDirectory { get; set; }
+    IWebPushSettings WebPush { get; set; }
     GlobalSettings.EventLoggingSettings EventLogging { get; set; }
 }

src/Core/Settings/IWebPushSettings.cs

@@ -0,0 +1,6 @@
+namespace Bit.Core.Settings;
+
+public interface IWebPushSettings
+{
+    public string VapidPublicKey { get; set; }
+}

test/Api.Test/Platform/Push/Controllers/PushControllerTests.cs

@@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Api;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Settings;
 using Bit.Test.Common.AutoFixture;
@@ -248,7 +249,7 @@ public class PushControllerTests
         Assert.Equal("Not correctly configured for push relays.", exception.Message);
 
         await sutProvider.GetDependency<IPushRegistrationService>().Received(0)
-            .CreateOrUpdateRegistrationAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
+            .CreateOrUpdateRegistrationAsync(Arg.Any<PushRegistrationData>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
                 Arg.Any<DeviceType>(), Arg.Any<IEnumerable<string>>(), Arg.Any<Guid>());
     }
 
@@ -265,7 +266,7 @@ public class PushControllerTests
         var expectedDeviceId = $"{installationId}_{deviceId}";
         var expectedOrganizationId = $"{installationId}_{organizationId}";
 
-        await sutProvider.Sut.RegisterAsync(new PushRegistrationRequestModel
+        var model = new PushRegistrationRequestModel
         {
             DeviceId = deviceId.ToString(),
             PushToken = "test-push-token",
@@ -274,10 +275,12 @@ public class PushControllerTests
             Identifier = identifier.ToString(),
             OrganizationIds = [organizationId.ToString()],
             InstallationId = installationId
-        });
+        };
+
+        await sutProvider.Sut.RegisterAsync(model);
 
         await sutProvider.GetDependency<IPushRegistrationService>().Received(1)
-            .CreateOrUpdateRegistrationAsync("test-push-token", expectedDeviceId, expectedUserId,
+            .CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(data => data.Equals(new PushRegistrationData(model.PushToken))), expectedDeviceId, expectedUserId,
                 expectedIdentifier, DeviceType.Android, Arg.Do<IEnumerable<string>>(organizationIds =>
                 {
                     var organizationIdsList = organizationIds.ToList();

test/Core.Test/NotificationHub/NotificationHubConnectionTests.cs

@@ -1,4 +1,5 @@
-using Bit.Core.Settings;
+using Bit.Core.NotificationHub;
+using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Xunit;
 

test/Core.Test/NotificationHub/NotificationHubPushRegistrationServiceTests.cs

@@ -19,7 +19,7 @@ public class NotificationHubPushRegistrationServiceTests
         SutProvider<NotificationHubPushRegistrationService> sutProvider, Guid deviceId, Guid userId, Guid identifier,
         Guid organizationId, Guid installationId)
     {
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifier.ToString(), DeviceType.Android, [organizationId.ToString()], installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()
@@ -39,7 +39,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.Android,
             partOfOrganizationId ? [organizationId.ToString()] : [],
             installationIdNull ? Guid.Empty : installationId);
@@ -115,7 +115,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.iOS,
             partOfOrganizationId ? [organizationId.ToString()] : [],
             installationIdNull ? Guid.Empty : installationId);
@@ -191,7 +191,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifierNull ? null : identifier.ToString(), DeviceType.AndroidAmazon,
             partOfOrganizationId ? [organizationId.ToString()] : [],
             installationIdNull ? Guid.Empty : installationId);
@@ -268,7 +268,7 @@ public class NotificationHubPushRegistrationServiceTests
 
         var pushToken = "test push token";
 
-        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(pushToken, deviceId.ToString(), userId.ToString(),
+        await sutProvider.Sut.CreateOrUpdateRegistrationAsync(new PushRegistrationData(pushToken), deviceId.ToString(), userId.ToString(),
             identifier.ToString(), deviceType, [organizationId.ToString()], installationId);
 
         sutProvider.GetDependency<INotificationHubPool>()

test/Core.Test/Services/DeviceServiceTests.cs

@@ -4,6 +4,7 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.NotificationHub;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -43,13 +44,13 @@ public class DeviceServiceTests
             Name = "test device",
             Type = DeviceType.Android,
             UserId = userId,
-            PushToken = "testtoken",
+            PushToken = "testToken",
             Identifier = "testid"
         };
         await deviceService.SaveAsync(device);
 
         Assert.True(device.RevisionDate - DateTime.UtcNow < TimeSpan.FromSeconds(1));
-        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken", id.ToString(),
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(v => v.Token == "testToken"), id.ToString(),
             userId.ToString(), "testid", DeviceType.Android,
             Arg.Do<IEnumerable<string>>(organizationIds =>
             {
@@ -84,12 +85,12 @@ public class DeviceServiceTests
             Name = "test device",
             Type = DeviceType.Android,
             UserId = userId,
-            PushToken = "testtoken",
+            PushToken = "testToken",
             Identifier = "testid"
         };
         await deviceService.SaveAsync(device);
 
-        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync("testtoken",
+        await pushRepo.Received(1).CreateOrUpdateRegistrationAsync(Arg.Is<PushRegistrationData>(v => v.Token == "testToken"),
             Arg.Do<string>(id => Guid.TryParse(id, out var _)), userId.ToString(), "testid", DeviceType.Android,
             Arg.Do<IEnumerable<string>>(organizationIds =>
             {

test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs

@@ -163,6 +163,10 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
 
                 // New Device Verification
                 { "globalSettings:disableEmailNewDevice", "false" },
+
+                // Web push notifications
+                { "globalSettings:webPush:vapidPublicKey", "BGBtAM0bU3b5jsB14IjBYarvJZ6rWHilASLudTTYDDBi7a-3kebo24Yus_xYeOMZ863flAXhFAbkL6GVSrxgErg" },
+                { "globalSettings:launchDarkly:flagValues:web-push", "true" },
             });
         });