From c21f9a23ec7be420d95bd0a6426a234c64f82041 Mon Sep 17 00:00:00 2001
From: Scott Idem <stidem@gmail.com>
Date: Fri, 8 May 2026 23:56:17 -0400
Subject: [PATCH] fix: use Vapid.from_pem() instead of passing PEM string to
 webpush()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pywebpush 2.x routes string keys through Vapid.from_string() which only
handles raw/DER base64 — not PEM. Pre-build the Vapid object so the key
deserializes correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 cortex/push_utils.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cortex/push_utils.py b/cortex/push_utils.py
index b533f22..12d6d99 100644
--- a/cortex/push_utils.py
+++ b/cortex/push_utils.py
@@ -67,12 +67,14 @@ def _get_private_key_pem() -> str:
 def _send_one(sub: dict, payload: dict) -> bool:
     """Send a push to a single subscription. Returns False if the endpoint is stale (410)."""
     from pywebpush import webpush, WebPushException
+    from py_vapid import Vapid
 
     try:
+        vapid = Vapid.from_pem(_get_private_key_pem().encode())
         webpush(
             subscription_info=sub,
             data=json.dumps(payload),
-            vapid_private_key=_get_private_key_pem(),
+            vapid_private_key=vapid,
             vapid_claims={"sub": settings.vapid_contact},
         )
         return True