From a94b81003e7e099ac3b0af934ddb03218385b329 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 1 Nov 2022 09:21:23 +0100
Subject: [PATCH] pwa: set an explicit exp claim in vapid JWT token (#65858)

---
 combo/apps/pwa/signals.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/combo/apps/pwa/signals.py b/combo/apps/pwa/signals.py
index c0df8ffc..8ab76af3 100644
--- a/combo/apps/pwa/signals.py
+++ b/combo/apps/pwa/signals.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .

+import datetime
 import json
 import logging

@@ -44,7 +45,10 @@ def notification(sender, instance=None, created=False, **kwargs):
 if settings.PWA_VAPID_CLAIMS: # legacy
 claims = settings.PWA_VAPID_CLAIMS
 else:
- claims = {'sub': 'mailto:%s' % settings.DEFAULT_FROM_EMAIL}
+ claims = {
+ 'sub': 'mailto:%s' % settings.DEFAULT_FROM_EMAIL,
+ 'exp': int(datetime.datetime.now().timestamp() + 3600 * 3),
+ }
 message = json.dumps(
 {
 'summary': instance.summary,
--
2.37.2
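Review bot: The explicit `exp` is set only in the `else` branch of the second hunk; when `settings.PWA_VAPID_CLAIMS` is configured, `claims` is still the settings dict itself and gets no per-call expiry. If the push library fills in missing claims on the dict it is handed (the call is not visible in this hunk), an `exp` written once into that shared object would go stale in a long-running worker and the token would be rejected as expired. Consider building a fresh dict in both branches, e.g. `claims = dict(settings.PWA_VAPID_CLAIMS)` in the legacy branch, then `claims['exp'] = int(time.time()) + 3 * 3600` after the `if`/`else`. Using `time.time()` (with `import time` in place of `import datetime`) also avoids calling `.timestamp()` on a naive local `datetime.now()`, which is ambiguous during a DST fold. The body of `notification` starts and ends outside the hunk.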