If change VAPID keys and in DB already have users registered with other keys, than practically these users are like losts?

[yourchoice]

If change VAPID keys (generated by VAPID::createVapidKeys()) and in DB already have users registered with other keys, than practically these users are like losts?

In this case I saw that user can unregister, but notification push not working.

Maybe better to store somewhere VAPID pub, priv keys and associate with regisitered users in DB.

In this case, maybe method $webPush->sendNotification() need a new param to rewrite VAPID keys if exists.

It's true ?

[Minishlink]

Hi, you should not change the VAPID keys ever. That's your identity for browser vendors. It's like forgetting your PGP keys. Thus, the createVapidKeys() function must be called only once in the lifetime of your project.

Now, if you do change the VAPID keys. Next time the user will be on your website, the Javascript API subscription will subscribe your user with the new VAPID public key that you provided, so that either the existing subscription is updated or a new subscription is created (I don't know which behavior but it ends up the same). It is true that until the user goes to your website, the browser's server will not know that your VAPID keys are changed, and thus the user won't receive notifications.

That being said, I reckon that there is still a possibility that people lose their keys, and that push notifications may be critical if it's the entry point of your website... For this use case, I'll implement an option or a setAuth method.

[yourchoice]

10x

[Minishlink]

Ok, so you can specify a custom auth for each notification with the last parameter of sendNotification:
sendNotification($endpoint, $payload = null, $userPublicKey = null, $userAuthToken = null, $flush = false, $options = array(), $auth = array())

[yourchoice]

I will try to keep same vapid keys. But maybe this is a good thing for future if appear new changes regarding auth and need support for old auth.

10x

[collimarco]

@Minishlink Your answer is incorrect. If you use different VAPID keys an error will be raised when you visit the website, but unfortunately the VAPID key is not replaced automatically. Some time ago I asked to improve the subscribe method to automatically replace the key, but nothing changed. You can read more here: w3c/push-api#291

[Tejas-cloud]

If you change Vapid keys , then

1. go to browser setting ,
2. search notification setting.
3. check which sites are allowed to send notification,
   4.remove your site . and add your site again.
   so this time browser will give you permission for considering your new vapid keys and you can get notification.
   THis must be done on host browser.