For web consumers, the API for WebPushDelegate.onGetSubscription is expected to function differently from how we implemented it.
Querying that API, should check if a subscription exists and return it, otherwise return null.
Instead, we were eagerly creating a subscription when that query was made.
This resulted in sites being given a push subscription without user permission.
We don't have a straight-forward mechanism to query if a subscription already exists, but we can check if the scope and endpoint exist. That should be enough to satisfy this API without creating a new subscription during the query and _only then_ invoking the subscribe API to get-or-create.
This might also be the cause of https://github.com/mozilla-mobile/android-components/issues/7161 but let's fix this first and verify that after.
cc: @TitanNano for reference
@TitanNano the next Fenix build should have the fix for this. If you get a chance to test it out, please let me know. :)
Thanks for filling and triaging all these WebPush bugs!
@jonalmeida I can confirm in Fenix Nightly 200530 06:01 (Build #21510609) with AC 44.0.20200529205416 PushManager.getSubscription() now correctly returns null if no subscription exists and does no longer create unauthorized subscriptions.