dearsky/ntfy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:binwiederhier/ntfy into feature/twilio-call-format-file

Browse Source
This commit is contained in:
binwiederhier
2026-01-17 03:49:52 -05:00
parent 16900d2c10 9135bb277b
commit 0e200b96e0
192 changed files with 20578 additions and 4463 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
server/config.go
View File

@@ -11,6 +11,8 @@ import (
// Defines default config settings (excluding limits, see below)
const (
DefaultListenHTTP = ":80"
DefaultConfigFile = "/etc/ntfy/server.yml"
DefaultTemplateDir = "/etc/ntfy/templates"
DefaultCacheDuration = 12 * time.Hour
DefaultCacheBatchTimeout = time.Duration(0)
DefaultKeepaliveInterval = 45 * time.Second // Not too frequently to save battery (Android read timeout used to be 77s!)
@@ -26,8 +28,8 @@ const (
// Defines default Web Push settings
const (
DefaultWebPushExpiryWarningDuration = 7 * 24 * time.Hour
DefaultWebPushExpiryDuration = 9 * 24 * time.Hour
DefaultWebPushExpiryWarningDuration = 55 * 24 * time.Hour
DefaultWebPushExpiryDuration = 60 * 24 * time.Hour
)
// Defines all global and per-visitor limits
@@ -61,6 +63,8 @@ const (
DefaultVisitorAuthFailureLimitReplenish = time.Minute
DefaultVisitorAttachmentTotalSizeLimit = 100 * 1024 * 1024 // 100 MB
DefaultVisitorAttachmentDailyBandwidthLimit = 500 * 1024 * 1024 // 500 MB
DefaultVisitorPrefixBitsIPv4 = 32 // Use the entire IPv4 address for rate limiting
DefaultVisitorPrefixBitsIPv6 = 64 // Use /64 for IPv6 rate limiting
)
var (
@@ -91,12 +95,16 @@ type Config struct {
AuthFile string
AuthStartupQueries string
AuthDefault user.Permission
AuthUsers []*user.User
AuthAccess map[string][]*user.Grant
AuthTokens map[string][]*user.Token
AuthBcryptCost int
AuthStatsQueueWriterInterval time.Duration
AttachmentCacheDir string
AttachmentTotalSizeLimit int64
AttachmentFileSizeLimit int64
AttachmentExpiryDuration time.Duration
TemplateDir string // Directory to load named templates from
KeepaliveInterval time.Duration
ManagerInterval time.Duration
DisallowedTopics []string
@@ -134,7 +142,7 @@ type Config struct {
VisitorAttachmentDailyBandwidthLimit int64
VisitorRequestLimitBurst int
VisitorRequestLimitReplenish time.Duration
VisitorRequestExemptIPAddrs []netip.Prefix
VisitorRequestExemptPrefixes []netip.Prefix
VisitorMessageDailyLimit int
VisitorEmailLimitBurst int
VisitorEmailLimitReplenish time.Duration
@@ -142,19 +150,23 @@ type Config struct {
VisitorAccountCreationLimitReplenish time.Duration
VisitorAuthFailureLimitBurst int
VisitorAuthFailureLimitReplenish time.Duration
VisitorStatsResetTime time.Time // Time of the day at which to reset visitor stats
VisitorSubscriberRateLimiting bool // Enable subscriber-based rate limiting for UnifiedPush topics
BehindProxy bool
VisitorStatsResetTime time.Time // Time of the day at which to reset visitor stats
VisitorSubscriberRateLimiting bool // Enable subscriber-based rate limiting for UnifiedPush topics
VisitorPrefixBitsIPv4 int // Number of bits for IPv4 rate limiting (default: 32)
VisitorPrefixBitsIPv6 int // Number of bits for IPv6 rate limiting (default: 64)
BehindProxy bool // If true, the server will trust the proxy client IP header to determine the client IP address (IPv4 and IPv6 supported)
ProxyForwardedHeader string // The header field to read the real/client IP address from, if BehindProxy is true, defaults to "X-Forwarded-For" (IPv4 and IPv6 supported)
ProxyTrustedPrefixes []netip.Prefix // List of trusted proxy networks (IPv4 or IPv6) that will be stripped from the Forwarded header if BehindProxy is true
StripeSecretKey string
StripeWebhookKey string
StripePriceCacheDuration time.Duration
BillingContact string
EnableSignup bool // Enable creation of accounts via API and UI
EnableLogin bool
RequireLogin bool
EnableReservations bool // Allow users with role "user" to own/reserve topics
EnableMetrics bool
AccessControlAllowOrigin string // CORS header field to restrict access from web clients
Version string // injected by App
WebPushPrivateKey string
WebPushPublicKey string
WebPushFile string
@@ -162,12 +174,13 @@ type Config struct {
WebPushStartupQueries string
WebPushExpiryDuration time.Duration
WebPushExpiryWarningDuration time.Duration
Version string // injected by App
}
// NewConfig instantiates a default new server config
func NewConfig() *Config {
return &Config{
File: "", // Only used for testing
File: DefaultConfigFile, // Only used for testing
BaseURL: "",
ListenHTTP: DefaultListenHTTP,
ListenHTTPS: "",
@@ -190,6 +203,7 @@ func NewConfig() *Config {
AttachmentTotalSizeLimit: DefaultAttachmentTotalSizeLimit,
AttachmentFileSizeLimit: DefaultAttachmentFileSizeLimit,
AttachmentExpiryDuration: DefaultAttachmentExpiryDuration,
TemplateDir: DefaultTemplateDir,
KeepaliveInterval: DefaultKeepaliveInterval,
ManagerInterval: DefaultManagerInterval,
DisallowedTopics: DefaultDisallowedTopics,
@@ -220,11 +234,12 @@ func NewConfig() *Config {
TotalTopicLimit: DefaultTotalTopicLimit,
TotalAttachmentSizeLimit: 0,
VisitorSubscriptionLimit: DefaultVisitorSubscriptionLimit,
VisitorSubscriberRateLimiting: false,
VisitorAttachmentTotalSizeLimit: DefaultVisitorAttachmentTotalSizeLimit,
VisitorAttachmentDailyBandwidthLimit: DefaultVisitorAttachmentDailyBandwidthLimit,
VisitorRequestLimitBurst: DefaultVisitorRequestLimitBurst,
VisitorRequestLimitReplenish: DefaultVisitorRequestLimitReplenish,
VisitorRequestExemptIPAddrs: make([]netip.Prefix, 0),
VisitorRequestExemptPrefixes: make([]netip.Prefix, 0),
VisitorMessageDailyLimit: DefaultVisitorMessageDailyLimit,
VisitorEmailLimitBurst: DefaultVisitorEmailLimitBurst,
VisitorEmailLimitReplenish: DefaultVisitorEmailLimitReplenish,
@@ -233,8 +248,10 @@ func NewConfig() *Config {
VisitorAuthFailureLimitBurst: DefaultVisitorAuthFailureLimitBurst,
VisitorAuthFailureLimitReplenish: DefaultVisitorAuthFailureLimitReplenish,
VisitorStatsResetTime: DefaultVisitorStatsResetTime,
VisitorSubscriberRateLimiting: false,
BehindProxy: false,
VisitorPrefixBitsIPv4: DefaultVisitorPrefixBitsIPv4, // Default: use full IPv4 address
VisitorPrefixBitsIPv6: DefaultVisitorPrefixBitsIPv6, // Default: use /64 for IPv6
BehindProxy: false, // If true, the server will trust the proxy client IP header to determine the client IP address
ProxyForwardedHeader: "X-Forwarded-For", // Default header for reverse proxy client IPs
StripeSecretKey: "",
StripeWebhookKey: "",
StripePriceCacheDuration: DefaultStripePriceCacheDuration,
@@ -242,6 +259,7 @@ func NewConfig() *Config {
EnableSignup: false,
EnableLogin: false,
EnableReservations: false,
RequireLogin: false,
AccessControlAllowOrigin: "*",
Version: "",
WebPushPrivateKey: "",

8
server/errors.go
View File

@@ -3,8 +3,9 @@ package server
import (
"encoding/json"
"fmt"
"heckel.io/ntfy/v2/log"
"net/http"
"heckel.io/ntfy/v2/log"
)
// errHTTP is a generic HTTP error for any non-200 HTTP error
@@ -123,6 +124,9 @@ var (
errHTTPBadRequestTemplateDisallowedFunctionCalls = &errHTTP{40044, http.StatusBadRequest, "invalid request: template contains disallowed function calls, e.g. template, call, or define", "https://ntfy.sh/docs/publish/#message-templating", nil}
errHTTPBadRequestTemplateExecuteFailed = &errHTTP{40045, http.StatusBadRequest, "invalid request: template execution failed", "https://ntfy.sh/docs/publish/#message-templating", nil}
errHTTPBadRequestInvalidUsername = &errHTTP{40046, http.StatusBadRequest, "invalid request: invalid username", "", nil}
errHTTPBadRequestTemplateFileNotFound = &errHTTP{40047, http.StatusBadRequest, "invalid request: template file not found", "https://ntfy.sh/docs/publish/#message-templating", nil}
errHTTPBadRequestTemplateFileInvalid = &errHTTP{40048, http.StatusBadRequest, "invalid request: template file invalid", "https://ntfy.sh/docs/publish/#message-templating", nil}
errHTTPBadRequestSequenceIDInvalid = &errHTTP{40049, http.StatusBadRequest, "invalid request: sequence ID invalid", "https://ntfy.sh/docs/publish/#updating-deleting-notifications", nil}
errHTTPNotFound = &errHTTP{40401, http.StatusNotFound, "page not found", "", nil}
errHTTPUnauthorized = &errHTTP{40101, http.StatusUnauthorized, "unauthorized", "https://ntfy.sh/docs/publish/#authentication", nil}
errHTTPForbidden = &errHTTP{40301, http.StatusForbidden, "forbidden", "https://ntfy.sh/docs/publish/#authentication", nil}
@@ -130,6 +134,8 @@ var (
errHTTPConflictTopicReserved = &errHTTP{40902, http.StatusConflict, "conflict: access control entry for topic or topic pattern already exists", "", nil}
errHTTPConflictSubscriptionExists = &errHTTP{40903, http.StatusConflict, "conflict: topic subscription already exists", "", nil}
errHTTPConflictPhoneNumberExists = &errHTTP{40904, http.StatusConflict, "conflict: phone number already exists", "", nil}
errHTTPConflictProvisionedUserChange = &errHTTP{40905, http.StatusConflict, "conflict: cannot change or delete provisioned user", "", nil}
errHTTPConflictProvisionedTokenChange = &errHTTP{40906, http.StatusConflict, "conflict: cannot change or delete provisioned token", "", nil}
errHTTPGonePhoneVerificationExpired = &errHTTP{41001, http.StatusGone, "phone number verification expired or does not exist", "", nil}
errHTTPEntityTooLargeAttachment = &errHTTP{41301, http.StatusRequestEntityTooLarge, "attachment too large, or bandwidth limit reached", "https://ntfy.sh/docs/publish/#limitations", nil}
errHTTPEntityTooLargeMatrixRequest = &errHTTP{41302, http.StatusRequestEntityTooLarge, "Matrix request is larger than the max allowed length", "", nil}

110
server/message_cache.go
View File

@@ -6,7 +6,9 @@ import (
"errors"
"fmt"
"net/netip"
"path/filepath"
"strings"
"sync"
"time"
_ "github.com/mattn/go-sqlite3" // SQLite driver
@@ -27,7 +29,9 @@ const (
CREATE TABLE IF NOT EXISTS messages (
id INTEGER PRIMARY KEY AUTOINCREMENT,
mid TEXT NOT NULL,
sequence_id TEXT NOT NULL,
time INT NOT NULL,
event TEXT NOT NULL,
expires INT NOT NULL,
topic TEXT NOT NULL,
message TEXT NOT NULL,
@@ -35,7 +39,7 @@ const (
priority INT NOT NULL,
tags TEXT NOT NULL,
click TEXT NOT NULL,
icon TEXT NOT NULL,
icon TEXT NOT NULL,
actions TEXT NOT NULL,
attachment_name TEXT NOT NULL,
attachment_type TEXT NOT NULL,
@@ -50,6 +54,7 @@ const (
published INT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_mid ON messages (mid);
CREATE INDEX IF NOT EXISTS idx_sequence_id ON messages (sequence_id);
CREATE INDEX IF NOT EXISTS idx_time ON messages (time);
CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
CREATE INDEX IF NOT EXISTS idx_expires ON messages (expires);
@@ -64,44 +69,51 @@ const (
COMMIT;
`
insertMessageQuery = `
INSERT INTO messages (mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, attachment_deleted, sender, user, content_type, encoding, published)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
INSERT INTO messages (mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, attachment_deleted, sender, user, content_type, encoding, published)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
`
deleteMessageQuery = `DELETE FROM messages WHERE mid = ?`
updateMessagesForTopicExpiryQuery = `UPDATE messages SET expires = ? WHERE topic = ?`
selectRowIDFromMessageID = `SELECT id FROM messages WHERE mid = ?` // Do not include topic, see #336 and TestServer_PollSinceID_MultipleTopics
selectMessagesByIDQuery = `
SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
SELECT mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE mid = ?
`
selectMessagesSinceTimeQuery = `
SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
SELECT mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE topic = ? AND time >= ? AND published = 1
ORDER BY time, id
`
selectMessagesSinceTimeIncludeScheduledQuery = `
SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
SELECT mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE topic = ? AND time >= ?
ORDER BY time, id
`
selectMessagesSinceIDQuery = `
SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE topic = ? AND id > ? AND published = 1
SELECT mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE topic = ? AND id > ? AND published = 1
ORDER BY time, id
`
selectMessagesSinceIDIncludeScheduledQuery = `
SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
SELECT mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE topic = ? AND (id > ? OR published = 0)
ORDER BY time, id
`
selectMessagesLatestQuery = `
SELECT mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE topic = ? AND published = 1
ORDER BY time DESC, id DESC
LIMIT 1
`
selectMessagesDueQuery = `
SELECT mid, time, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
SELECT mid, sequence_id, time, event, expires, topic, message, title, priority, tags, click, icon, actions, attachment_name, attachment_type, attachment_size, attachment_expires, attachment_url, sender, user, content_type, encoding
FROM messages
WHERE time <= ? AND published = 0
ORDER BY time, id
`
@@ -122,7 +134,7 @@ const (
// Schema management queries
const (
currentSchemaVersion = 13
currentSchemaVersion = 14
createSchemaVersionTableQuery = `
CREATE TABLE IF NOT EXISTS schemaVersion (
id INT PRIMARY KEY,
@@ -251,6 +263,13 @@ const (
migrate12To13AlterMessagesTableQuery = `
CREATE INDEX IF NOT EXISTS idx_topic ON messages (topic);
`
//13 -> 14
migrate13To14AlterMessagesTableQuery = `
ALTER TABLE messages ADD COLUMN sequence_id TEXT NOT NULL DEFAULT('');
ALTER TABLE messages ADD COLUMN event TEXT NOT NULL DEFAULT('message');
CREATE INDEX IF NOT EXISTS idx_sequence_id ON messages (sequence_id);
`
)
var (
@@ -268,6 +287,7 @@ var (
10: migrateFrom10,
11: migrateFrom11,
12: migrateFrom12,
13: migrateFrom13,
}
)
@@ -275,10 +295,17 @@ type messageCache struct {
db *sql.DB
queue *util.BatchingQueue[*message]
nop bool
mu sync.Mutex
}
// newSqliteCache creates a SQLite file-backed cache
func newSqliteCache(filename, startupQueries string, cacheDuration time.Duration, batchSize int, batchTimeout time.Duration, nop bool) (*messageCache, error) {
// Check the parent directory of the database file (makes for friendly error messages)
parentDir := filepath.Dir(filename)
if !util.FileExists(parentDir) {
return nil, fmt.Errorf("cache database directory %s does not exist or is not accessible", parentDir)
}
// Open database
db, err := sql.Open("sqlite3", filename)
if err != nil {
return nil, err
@@ -333,6 +360,8 @@ func (c *messageCache) AddMessage(m *message) error {
// addMessages synchronously stores a match of messages. If the database is locked, the transaction waits until
// SQLite's busy_timeout is exceeded before erroring out.
func (c *messageCache) addMessages(ms []*message) error {
c.mu.Lock()
defer c.mu.Unlock()
if c.nop {
return nil
}
@@ -351,7 +380,7 @@ func (c *messageCache) addMessages(ms []*message) error {
}
defer stmt.Close()
for _, m := range ms {
if m.Event != messageEvent {
if m.Event != messageEvent && m.Event != messageDeleteEvent && m.Event != messageClearEvent {
return errUnexpectedMessageType
}
published := m.Time <= time.Now().Unix()
@@ -379,7 +408,9 @@ func (c *messageCache) addMessages(ms []*message) error {
}
_, err := stmt.Exec(
m.ID,
m.SequenceID,
m.Time,
m.Event,
m.Expires,
m.Topic,
m.Message,
@@ -416,6 +447,8 @@ func (c *messageCache) addMessages(ms []*message) error {
func (c *messageCache) Messages(topic string, since sinceMarker, scheduled bool) ([]*message, error) {
if since.IsNone() {
return make([]*message, 0), nil
} else if since.IsLatest() {
return c.messagesLatest(topic)
} else if since.IsID() {
return c.messagesSinceID(topic, since, scheduled)
}
@@ -462,6 +495,14 @@ func (c *messageCache) messagesSinceID(topic string, since sinceMarker, schedule
return readMessages(rows)
}
func (c *messageCache) messagesLatest(topic string) ([]*message, error) {
rows, err := c.db.Query(selectMessagesLatestQuery, topic)
if err != nil {
return nil, err
}
return readMessages(rows)
}
func (c *messageCache) MessagesDue() ([]*message, error) {
rows, err := c.db.Query(selectMessagesDueQuery, time.Now().Unix())
if err != nil {
@@ -504,6 +545,8 @@ func (c *messageCache) Message(id string) (*message, error) {
}
func (c *messageCache) MarkPublished(m *message) error {
c.mu.Lock()
defer c.mu.Unlock()
_, err := c.db.Exec(updateMessagePublishedQuery, m.ID)
return err
}
@@ -549,6 +592,8 @@ func (c *messageCache) Topics() (map[string]*topic, error) {
}
func (c *messageCache) DeleteMessages(ids ...string) error {
c.mu.Lock()
defer c.mu.Unlock()
tx, err := c.db.Begin()
if err != nil {
return err
@@ -563,6 +608,8 @@ func (c *messageCache) DeleteMessages(ids ...string) error {
}
func (c *messageCache) ExpireMessages(topics ...string) error {
c.mu.Lock()
defer c.mu.Unlock()
tx, err := c.db.Begin()
if err != nil {
return err
@@ -597,6 +644,8 @@ func (c *messageCache) AttachmentsExpired() ([]string, error) {
}
func (c *messageCache) MarkAttachmentsDeleted(ids ...string) error {
c.mu.Lock()
defer c.mu.Unlock()
tx, err := c.db.Begin()
if err != nil {
return err
@@ -670,10 +719,12 @@ func readMessages(rows *sql.Rows) ([]*message, error) {
func readMessage(rows *sql.Rows) (*message, error) {
var timestamp, expires, attachmentSize, attachmentExpires int64
var priority int
var id, topic, msg, title, tagsStr, click, icon, actionsStr, attachmentName, attachmentType, attachmentURL, sender, user, contentType, encoding string
var id, sequenceID, event, topic, msg, title, tagsStr, click, icon, actionsStr, attachmentName, attachmentType, attachmentURL, sender, user, contentType, encoding string
err := rows.Scan(
&id,
&sequenceID,
&timestamp,
&event,
&expires,
&topic,
&msg,
@@ -722,9 +773,10 @@ func readMessage(rows *sql.Rows) (*message, error) {
}
return &message{
ID: id,
SequenceID: sequenceID,
Time: timestamp,
Expires: expires,
Event: messageEvent,
Event: event,
Topic: topic,
Message: msg,
Title: title,
@@ -742,6 +794,8 @@ func readMessage(rows *sql.Rows) (*message, error) {
}
func (c *messageCache) UpdateStats(messages int64) error {
c.mu.Lock()
defer c.mu.Unlock()
_, err := c.db.Exec(updateStatsQuery, messages)
return err
}
@@ -992,3 +1046,19 @@ func migrateFrom12(db *sql.DB, _ time.Duration) error {
}
return tx.Commit()
}
func migrateFrom13(db *sql.DB, _ time.Duration) error {
log.Tag(tagMessageCache).Info("Migrating cache database schema: from 13 to 14")
tx, err := db.Begin()
if err != nil {
return err
}
defer tx.Rollback()
if _, err := tx.Exec(migrate13To14AlterMessagesTableQuery); err != nil {
return err
}
if _, err := tx.Exec(updateSchemaVersion, 14); err != nil {
return err
}
return tx.Commit()
}

34
server/message_cache_test.go
View File

@@ -3,8 +3,10 @@ package server
import (
"database/sql"
"fmt"
"github.com/stretchr/testify/assert"
"net/netip"
"path/filepath"
"sync"
"testing"
"time"
@@ -66,6 +68,11 @@ func testCacheMessages(t *testing.T, c *messageCache) {
require.Equal(t, 1, len(messages))
require.Equal(t, "my other message", messages[0].Message)
// mytopic: latest
messages, _ = c.Messages("mytopic", sinceLatestMessage, false)
require.Equal(t, 1, len(messages))
require.Equal(t, "my other message", messages[0].Message)
// example: count
counts, err = c.MessageCounts()
require.Nil(t, err)
@@ -85,6 +92,26 @@ func testCacheMessages(t *testing.T, c *messageCache) {
require.Empty(t, messages)
}
func TestSqliteCache_MessagesLock(t *testing.T) {
testCacheMessagesLock(t, newSqliteTestCache(t))
}
func TestMemCache_MessagesLock(t *testing.T) {
testCacheMessagesLock(t, newMemTestCache(t))
}
func testCacheMessagesLock(t *testing.T, c *messageCache) {
var wg sync.WaitGroup
for i := 0; i < 5000; i++ {
wg.Add(1)
go func() {
assert.Nil(t, c.AddMessage(newDefaultMessage("mytopic", "test message")))
wg.Done()
}()
}
wg.Wait()
}
func TestSqliteCache_MessagesScheduled(t *testing.T) {
testCacheMessagesScheduled(t, newSqliteTestCache(t))
}
@@ -292,6 +319,7 @@ func testCacheAttachments(t *testing.T, c *messageCache) {
expires1 := time.Now().Add(-4 * time.Hour).Unix() // Expired
m := newDefaultMessage("mytopic", "flower for you")
m.ID = "m1"
m.SequenceID = "m1"
m.Sender = netip.MustParseAddr("1.2.3.4")
m.Attachment = &attachment{
Name: "flower.jpg",
@@ -305,6 +333,7 @@ func testCacheAttachments(t *testing.T, c *messageCache) {
expires2 := time.Now().Add(2 * time.Hour).Unix() // Future
m = newDefaultMessage("mytopic", "sending you a car")
m.ID = "m2"
m.SequenceID = "m2"
m.Sender = netip.MustParseAddr("1.2.3.4")
m.Attachment = &attachment{
Name: "car.jpg",
@@ -318,6 +347,7 @@ func testCacheAttachments(t *testing.T, c *messageCache) {
expires3 := time.Now().Add(1 * time.Hour).Unix() // Future
m = newDefaultMessage("another-topic", "sending you another car")
m.ID = "m3"
m.SequenceID = "m3"
m.User = "u_BAsbaAa"
m.Sender = netip.MustParseAddr("5.6.7.8")
m.Attachment = &attachment{
@@ -373,11 +403,13 @@ func TestMemCache_Attachments_Expired(t *testing.T) {
func testCacheAttachmentsExpired(t *testing.T, c *messageCache) {
m := newDefaultMessage("mytopic", "flower for you")
m.ID = "m1"
m.SequenceID = "m1"
m.Expires = time.Now().Add(time.Hour).Unix()
require.Nil(t, c.AddMessage(m))
m = newDefaultMessage("mytopic", "message with attachment")
m.ID = "m2"
m.SequenceID = "m2"
m.Expires = time.Now().Add(2 * time.Hour).Unix()
m.Attachment = &attachment{
Name: "car.jpg",
@@ -390,6 +422,7 @@ func testCacheAttachmentsExpired(t *testing.T, c *messageCache) {
m = newDefaultMessage("mytopic", "message with external attachment")
m.ID = "m3"
m.SequenceID = "m3"
m.Expires = time.Now().Add(2 * time.Hour).Unix()
m.Attachment = &attachment{
Name: "car.jpg",
@@ -401,6 +434,7 @@ func testCacheAttachmentsExpired(t *testing.T, c *messageCache) {
m = newDefaultMessage("mytopic2", "message with expired attachment")
m.ID = "m4"
m.SequenceID = "m4"
m.Expires = time.Now().Add(2 * time.Hour).Unix()
m.Attachment = &attachment{
Name: "expired-car.jpg",

304
server/server.go
View File

@@ -31,9 +31,12 @@ import (
"github.com/gorilla/websocket"
"github.com/prometheus/client_golang/prometheus/promhttp"
"golang.org/x/sync/errgroup"
"gopkg.in/yaml.v2"
"heckel.io/ntfy/v2/log"
"heckel.io/ntfy/v2/payments"
"heckel.io/ntfy/v2/user"
"heckel.io/ntfy/v2/util"
"heckel.io/ntfy/v2/util/sprig"
)
// Server is the main server, providing the UI and API for ntfy
@@ -77,11 +80,12 @@ var (
wsPathRegex = regexp.MustCompile(`^/[-_A-Za-z0-9]{1,64}(,[-_A-Za-z0-9]{1,64})*/ws$`)
authPathRegex = regexp.MustCompile(`^/[-_A-Za-z0-9]{1,64}(,[-_A-Za-z0-9]{1,64})*/auth$`)
publishPathRegex = regexp.MustCompile(`^/[-_A-Za-z0-9]{1,64}/(publish|send|trigger)$`)
updatePathRegex = regexp.MustCompile(`^/[-_A-Za-z0-9]{1,64}/[-_A-Za-z0-9]{1,64}$`)
clearPathRegex = regexp.MustCompile(`^/[-_A-Za-z0-9]{1,64}/[-_A-Za-z0-9]{1,64}/(read|clear)$`)
sequenceIDRegex = topicRegex
webConfigPath = "/config.js"
webManifestPath = "/manifest.webmanifest"
webRootHTMLPath = "/app.html"
webServiceWorkerPath = "/sw.js"
accountPath = "/account"
matrixPushPath = "/_matrix/push/v1/notify"
metricsPath = "/metrics"
@@ -105,7 +109,7 @@ var (
apiAccountBillingSubscriptionCheckoutSuccessTemplate = "/v1/account/billing/subscription/success/{CHECKOUT_SESSION_ID}"
apiAccountBillingSubscriptionCheckoutSuccessRegex = regexp.MustCompile(`/v1/account/billing/subscription/success/(.+)$`)
apiAccountReservationSingleRegex = regexp.MustCompile(`/v1/account/reservation/([-_A-Za-z0-9]{1,64})$`)
staticRegex = regexp.MustCompile(`^/static/.+`)
staticRegex = regexp.MustCompile(`^/(static/.+|app.html|sw.js|sw.js.map)$`)
docsRegex = regexp.MustCompile(`^/docs(|/.*)$`)
fileRegex = regexp.MustCompile(`^/file/([-_A-Za-z0-9]{1,64})(?:\.[A-Za-z0-9]{1,16})?$`)
urlRegex = regexp.MustCompile(`^https?://`)
@@ -120,26 +124,31 @@ var (
//go:embed docs
docsStaticFs embed.FS
docsStaticCached = &util.CachingEmbedFS{ModTime: time.Now(), FS: docsStaticFs}
//go:embed templates
templatesFs embed.FS // Contains template config files (e.g. grafana.yml, github.yml, ...)
templatesDir = "templates"
// templateDisallowedRegex tests a template for disallowed expressions. While not really dangerous, they
// are not useful, and seem potentially troublesome.
templateDisallowedRegex = regexp.MustCompile(`(?m)\{\{-?\s*(call|template|define)\b`)
templateNameRegex = regexp.MustCompile(`^[-_A-Za-z0-9]+$`)
)
const (
firebaseControlTopic = "~control" // See Android if changed
firebasePollTopic = "~poll" // See iOS if changed (DISABLED for now)
emptyMessageBody = "triggered" // Used if message body is empty
emptyMessageBody = "triggered" // Used when a message body is empty
newMessageBody = "New message" // Used in poll requests as generic message
defaultAttachmentMessage = "You received a file: %s" // Used if message body is empty, and there is an attachment
encodingBase64 = "base64" // Used mainly for binary UnifiedPush messages
jsonBodyBytesLimit = 32768 // Max number of bytes for a request bodys (unless MessageLimit is higher)
jsonBodyBytesLimit = 131072 // Max number of bytes for a request bodys (unless MessageLimit is higher)
unifiedPushTopicPrefix = "up" // Temporarily, we rate limit all "up*" topics based on the subscriber
unifiedPushTopicLength = 14 // Length of UnifiedPush topics, including the "up" part
messagesHistoryMax = 10 // Number of message count values to keep in memory
templateMaxExecutionTime = 100 * time.Millisecond
)
var (
// templateDisallowedRegex tests a template for disallowed expressions. While not really dangerous, they
// are not useful, and seem potentially troublesome.
templateDisallowedRegex = regexp.MustCompile(`(?m)\{\{-?\s*(call|template|define)\b`)
templateMaxExecutionTime = 100 * time.Millisecond // Maximum time a template can take to execute, used to prevent DoS attacks
templateMaxOutputBytes = 1024 * 1024 // Maximum number of bytes a template can output, used to prevent DoS attacks
templateFileExtension = ".yml" // Template files must end with this extension
)
// WebSocket constants
@@ -158,7 +167,7 @@ func New(conf *Config) (*Server, error) {
mailer = &smtpSender{config: conf}
}
var stripe stripeAPI
if conf.StripeSecretKey != "" {
if payments.Available && conf.StripeSecretKey != "" {
stripe = newStripeAPI()
}
messageCache, err := createMessageCache(conf)
@@ -189,7 +198,18 @@ func New(conf *Config) (*Server, error) {
}
var userManager *user.Manager
if conf.AuthFile != "" {
userManager, err = user.NewManager(conf.AuthFile, conf.AuthStartupQueries, conf.AuthDefault, conf.AuthBcryptCost, conf.AuthStatsQueueWriterInterval)
authConfig := &user.Config{
Filename: conf.AuthFile,
StartupQueries: conf.AuthStartupQueries,
DefaultAccess: conf.AuthDefault,
ProvisionEnabled: true, // Enable provisioning of users and access
Users: conf.AuthUsers,
Access: conf.AuthAccess,
Tokens: conf.AuthTokens,
BcryptCost: conf.AuthBcryptCost,
QueueWriterInterval: conf.AuthStatsQueueWriterInterval,
}
userManager, err = user.NewManager(authConfig)
if err != nil {
return nil, err
}
@@ -413,7 +433,8 @@ func (s *Server) handleError(w http.ResponseWriter, r *http.Request, v *visitor,
} else {
ev.Info("WebSocket error: %s", err.Error())
}
return // Do not attempt to write to upgraded connection
w.WriteHeader(httpErr.HTTPCode)
return // Do not attempt to write any body to upgraded connection
}
if isNormalError {
ev.Debug("Connection closed with HTTP %d (ntfy error %d)", httpErr.HTTPCode, httpErr.Code)
@@ -445,8 +466,10 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
return s.ensureWebPushEnabled(s.handleWebManifest)(w, r, v)
} else if r.Method == http.MethodGet && r.URL.Path == apiUsersPath {
return s.ensureAdmin(s.handleUsersGet)(w, r, v)
} else if r.Method == http.MethodPut && r.URL.Path == apiUsersPath {
} else if r.Method == http.MethodPost && r.URL.Path == apiUsersPath {
return s.ensureAdmin(s.handleUsersAdd)(w, r, v)
} else if r.Method == http.MethodPut && r.URL.Path == apiUsersPath {
return s.ensureAdmin(s.handleUsersUpdate)(w, r, v)
} else if r.Method == http.MethodDelete && r.URL.Path == apiUsersPath {
return s.ensureAdmin(s.handleUsersDelete)(w, r, v)
} else if (r.Method == http.MethodPut || r.Method == http.MethodPost) && r.URL.Path == apiUsersAccessPath {
@@ -509,7 +532,7 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
return s.handleMatrixDiscovery(w)
} else if r.Method == http.MethodGet && r.URL.Path == metricsPath && s.metricsHandler != nil {
return s.handleMetrics(w, r, v)
} else if r.Method == http.MethodGet && (staticRegex.MatchString(r.URL.Path) || r.URL.Path == webServiceWorkerPath || r.URL.Path == webRootHTMLPath) {
} else if r.Method == http.MethodGet && staticRegex.MatchString(r.URL.Path) {
return s.ensureWebEnabled(s.handleStatic)(w, r, v)
} else if r.Method == http.MethodGet && docsRegex.MatchString(r.URL.Path) {
return s.ensureWebEnabled(s.handleDocs)(w, r, v)
@@ -521,8 +544,12 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
return s.transformBodyJSON(s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublish)))(w, r, v)
} else if r.Method == http.MethodPost && r.URL.Path == matrixPushPath {
return s.transformMatrixJSON(s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublishMatrix)))(w, r, v)
} else if (r.Method == http.MethodPut || r.Method == http.MethodPost) && topicPathRegex.MatchString(r.URL.Path) {
} else if (r.Method == http.MethodPut || r.Method == http.MethodPost) && (topicPathRegex.MatchString(r.URL.Path) || updatePathRegex.MatchString(r.URL.Path)) {
return s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublish))(w, r, v)
} else if r.Method == http.MethodDelete && updatePathRegex.MatchString(r.URL.Path) {
return s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handleDelete))(w, r, v)
} else if r.Method == http.MethodPut && clearPathRegex.MatchString(r.URL.Path) {
return s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handleClear))(w, r, v)
} else if r.Method == http.MethodGet && publishPathRegex.MatchString(r.URL.Path) {
return s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublish))(w, r, v)
} else if r.Method == http.MethodGet && jsonPathRegex.MatchString(r.URL.Path) {
@@ -578,6 +605,7 @@ func (s *Server) handleWebConfig(w http.ResponseWriter, _ *http.Request, _ *visi
BaseURL: "", // Will translate to window.location.origin
AppRoot: s.config.WebRoot,
EnableLogin: s.config.EnableLogin,
RequireLogin: s.config.RequireLogin,
EnableSignup: s.config.EnableSignup,
EnablePayments: s.config.StripeSecretKey != "",
EnableCalls: s.config.TwilioAccount != "",
@@ -757,7 +785,7 @@ func (s *Server) handlePublishInternal(r *http.Request, v *visitor) (*message, e
// the subscription as invalid if any 400-499 code (except 429/408) is returned.
// See https://github.com/mastodon/mastodon/blob/730bb3e211a84a2f30e3e2bbeae3f77149824a68/app/workers/web/push_notification_worker.rb#L35-L46
return nil, errHTTPInsufficientStorageUnifiedPush.With(t)
} else if !util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) && !vrate.MessageAllowed() {
} else if !util.ContainsIP(s.config.VisitorRequestExemptPrefixes, v.ip) && !vrate.MessageAllowed() {
return nil, errHTTPTooManyRequestsLimitMessages.With(t)
} else if email != "" && !vrate.EmailAllowed() {
return nil, errHTTPTooManyRequestsLimitEmails.With(t)
@@ -849,7 +877,7 @@ func (s *Server) handlePublish(w http.ResponseWriter, r *http.Request, v *visito
return err
}
minc(metricMessagesPublishedSuccess)
return s.writeJSON(w, m)
return s.writeJSON(w, m.forJSON())
}
func (s *Server) handlePublishMatrix(w http.ResponseWriter, r *http.Request, v *visitor) error {
@@ -877,6 +905,58 @@ func (s *Server) handlePublishMatrix(w http.ResponseWriter, r *http.Request, v *
return writeMatrixSuccess(w)
}
func (s *Server) handleDelete(w http.ResponseWriter, r *http.Request, v *visitor) error {
return s.handleActionMessage(w, r, v, messageDeleteEvent)
}
func (s *Server) handleClear(w http.ResponseWriter, r *http.Request, v *visitor) error {
return s.handleActionMessage(w, r, v, messageClearEvent)
}
func (s *Server) handleActionMessage(w http.ResponseWriter, r *http.Request, v *visitor, event string) error {
t, err := fromContext[*topic](r, contextTopic)
if err != nil {
return err
}
vrate, err := fromContext[*visitor](r, contextRateVisitor)
if err != nil {
return err
}
if !util.ContainsIP(s.config.VisitorRequestExemptPrefixes, v.ip) && !vrate.MessageAllowed() {
return errHTTPTooManyRequestsLimitMessages.With(t)
}
sequenceID, e := s.sequenceIDFromPath(r.URL.Path)
if e != nil {
return e.With(t)
}
// Create an action message with the given event type
m := newActionMessage(event, t.ID, sequenceID)
m.Sender = v.IP()
m.User = v.MaybeUserID()
m.Expires = time.Unix(m.Time, 0).Add(v.Limits().MessageExpiryDuration).Unix()
// Publish to subscribers
if err := t.Publish(v, m); err != nil {
return err
}
// Send to Firebase for Android clients
if s.firebaseClient != nil {
go s.sendToFirebase(v, m)
}
// Send to web push endpoints
if s.config.WebPushPublicKey != "" {
go s.publishToWebPushEndpoints(v, m)
}
// Add to message cache
if err := s.messageCache.AddMessage(m); err != nil {
return err
}
logvrm(v, r, m).Tag(tagPublish).Debug("Published %s for sequence ID %s", event, sequenceID)
s.mu.Lock()
s.messages++
s.mu.Unlock()
return s.writeJSON(w, m.forJSON())
}
func (s *Server) sendToFirebase(v *visitor, m *message) {
logvm(v, m).Tag(tagFirebase).Debug("Publishing to Firebase")
if err := s.firebaseClient.Send(v, m); err != nil {
@@ -933,7 +1013,25 @@ func (s *Server) forwardPollRequest(v *visitor, m *message) {
}
}
func (s *Server) parsePublishParams(r *http.Request, m *message) (cache bool, firebase bool, email, call string, template bool, unifiedpush bool, err *errHTTP) {
func (s *Server) parsePublishParams(r *http.Request, m *message) (cache bool, firebase bool, email, call string, template templateMode, unifiedpush bool, err *errHTTP) {
if r.Method != http.MethodGet && updatePathRegex.MatchString(r.URL.Path) {
pathSequenceID, err := s.sequenceIDFromPath(r.URL.Path)
if err != nil {
return false, false, "", "", "", false, err
}
m.SequenceID = pathSequenceID
} else {
sequenceID := readParam(r, "x-sequence-id", "sequence-id", "sid")
if sequenceID != "" {
if sequenceIDRegex.MatchString(sequenceID) {
m.SequenceID = sequenceID
} else {
return false, false, "", "", "", false, errHTTPBadRequestSequenceIDInvalid
}
} else {
m.SequenceID = m.ID
}
}
cache = readBoolParam(r, true, "x-cache", "cache")
firebase = readBoolParam(r, true, "x-firebase", "firebase")
m.Title = readParam(r, "x-title", "title", "t")
@@ -949,7 +1047,7 @@ func (s *Server) parsePublishParams(r *http.Request, m *message) (cache bool, fi
}
if attach != "" {
if !urlRegex.MatchString(attach) {
return false, false, "", "", false, false, errHTTPBadRequestAttachmentURLInvalid
return false, false, "", "", "", false, errHTTPBadRequestAttachmentURLInvalid
}
m.Attachment.URL = attach
if m.Attachment.Name == "" {
@@ -967,48 +1065,53 @@ func (s *Server) parsePublishParams(r *http.Request, m *message) (cache bool, fi
}
if icon != "" {
if !urlRegex.MatchString(icon) {
return false, false, "", "", false, false, errHTTPBadRequestIconURLInvalid
return false, false, "", "", "", false, errHTTPBadRequestIconURLInvalid
}
m.Icon = icon
}
email = readParam(r, "x-email", "x-e-mail", "email", "e-mail", "mail", "e")
if s.smtpSender == nil && email != "" {
return false, false, "", "", false, false, errHTTPBadRequestEmailDisabled
return false, false, "", "", "", false, errHTTPBadRequestEmailDisabled
}
call = readParam(r, "x-call", "call")
if call != "" && (s.config.TwilioAccount == "" || s.userManager == nil) {
return false, false, "", "", false, false, errHTTPBadRequestPhoneCallsDisabled
return false, false, "", "", "", false, errHTTPBadRequestPhoneCallsDisabled
} else if call != "" && !isBoolValue(call) && !phoneNumberRegex.MatchString(call) {
return false, false, "", "", false, false, errHTTPBadRequestPhoneNumberInvalid
return false, false, "", "", "", false, errHTTPBadRequestPhoneNumberInvalid
}
template = templateMode(readParam(r, "x-template", "template", "tpl"))
messageStr := readParam(r, "x-message", "message", "m")
if !template.InlineMode() {
// Convert "\n" to literal newline everything but inline mode
messageStr = strings.ReplaceAll(messageStr, "\\n", "\n")
}
messageStr := strings.ReplaceAll(readParam(r, "x-message", "message", "m"), "\\n", "\n")
if messageStr != "" {
m.Message = messageStr
}
var e error
m.Priority, e = util.ParsePriority(readParam(r, "x-priority", "priority", "prio", "p"))
if e != nil {
return false, false, "", "", false, false, errHTTPBadRequestPriorityInvalid
return false, false, "", "", "", false, errHTTPBadRequestPriorityInvalid
}
m.Tags = readCommaSeparatedParam(r, "x-tags", "tags", "tag", "ta")
delayStr := readParam(r, "x-delay", "delay", "x-at", "at", "x-in", "in")
if delayStr != "" {
if !cache {
return false, false, "", "", false, false, errHTTPBadRequestDelayNoCache
return false, false, "", "", "", false, errHTTPBadRequestDelayNoCache
}
if email != "" {
return false, false, "", "", false, false, errHTTPBadRequestDelayNoEmail // we cannot store the email address (yet)
return false, false, "", "", "", false, errHTTPBadRequestDelayNoEmail // we cannot store the email address (yet)
}
if call != "" {
return false, false, "", "", false, false, errHTTPBadRequestDelayNoCall // we cannot store the phone number (yet)
return false, false, "", "", "", false, errHTTPBadRequestDelayNoCall // we cannot store the phone number (yet)
}
delay, err := util.ParseFutureTime(delayStr, time.Now())
if err != nil {
return false, false, "", "", false, false, errHTTPBadRequestDelayCannotParse
return false, false, "", "", "", false, errHTTPBadRequestDelayCannotParse
} else if delay.Unix() < time.Now().Add(s.config.MessageDelayMin).Unix() {
return false, false, "", "", false, false, errHTTPBadRequestDelayTooSmall
return false, false, "", "", "", false, errHTTPBadRequestDelayTooSmall
} else if delay.Unix() > time.Now().Add(s.config.MessageDelayMax).Unix() {
return false, false, "", "", false, false, errHTTPBadRequestDelayTooLarge
return false, false, "", "", "", false, errHTTPBadRequestDelayTooLarge
}
m.Time = delay.Unix()
}
@@ -1016,16 +1119,16 @@ func (s *Server) parsePublishParams(r *http.Request, m *message) (cache bool, fi
if actionsStr != "" {
m.Actions, e = parseActions(actionsStr)
if e != nil {
return false, false, "", "", false, false, errHTTPBadRequestActionsInvalid.Wrap(e.Error())
return false, false, "", "", "", false, errHTTPBadRequestActionsInvalid.Wrap("%s", e.Error())
}
}
contentType, markdown := readParam(r, "content-type", "content_type"), readBoolParam(r, false, "x-markdown", "markdown", "md")
if markdown || strings.ToLower(contentType) == "text/markdown" {
m.ContentType = "text/markdown"
}
template = readBoolParam(r, false, "x-template", "template", "tpl")
unifiedpush = readBoolParam(r, false, "x-unifiedpush", "unifiedpush", "up") // see GET too!
if unifiedpush {
contentEncoding := readParam(r, "content-encoding")
if unifiedpush || contentEncoding == "aes128gcm" {
firebase = false
unifiedpush = true
}
@@ -1054,7 +1157,7 @@ func (s *Server) parsePublishParams(r *http.Request, m *message) (cache bool, fi
// If file.txt is <= 4096 (message limit) and valid UTF-8, treat it as a message
// 7. curl -T file.txt ntfy.sh/mytopic
// In all other cases, mostly if file.txt is > message limit, treat it as an attachment
func (s *Server) handlePublishBody(r *http.Request, v *visitor, m *message, body *util.PeekedReadCloser, template, unifiedpush bool) error {
func (s *Server) handlePublishBody(r *http.Request, v *visitor, m *message, body *util.PeekedReadCloser, template templateMode, unifiedpush bool) error {
if m.Event == pollRequestEvent { // Case 1
return s.handleBodyDiscard(body)
} else if unifiedpush {
@@ -1063,8 +1166,8 @@ func (s *Server) handlePublishBody(r *http.Request, v *visitor, m *message, body
return s.handleBodyAsTextMessage(m, body) // Case 3
} else if m.Attachment != nil && m.Attachment.Name != "" {
return s.handleBodyAsAttachment(r, v, m, body) // Case 4
} else if template {
return s.handleBodyAsTemplatedTextMessage(m, body) // Case 5
} else if template.Enabled() {
return s.handleBodyAsTemplatedTextMessage(m, template, body) // Case 5
} else if !body.LimitReached && utf8.Valid(body.PeekedBytes) {
return s.handleBodyAsTextMessage(m, body) // Case 6
}
@@ -1100,7 +1203,7 @@ func (s *Server) handleBodyAsTextMessage(m *message, body *util.PeekedReadCloser
return nil
}
func (s *Server) handleBodyAsTemplatedTextMessage(m *message, body *util.PeekedReadCloser) error {
func (s *Server) handleBodyAsTemplatedTextMessage(m *message, template templateMode, body *util.PeekedReadCloser) error {
body, err := util.Peek(body, max(s.config.MessageSizeLimit, jsonBodyBytesLimit))
if err != nil {
return err
@@ -1108,19 +1211,69 @@ func (s *Server) handleBodyAsTemplatedTextMessage(m *message, body *util.PeekedR
return errHTTPEntityTooLargeJSONBody
}
peekedBody := strings.TrimSpace(string(body.PeekedBytes))
if m.Message, err = replaceTemplate(m.Message, peekedBody); err != nil {
return err
if template.FileMode() {
if err := s.renderTemplateFromFile(m, template.FileName(), peekedBody); err != nil {
return err
}
} else {
if err := s.renderTemplateFromParams(m, peekedBody); err != nil {
return err
}
}
if m.Title, err = replaceTemplate(m.Title, peekedBody); err != nil {
return err
}
if len(m.Message) > s.config.MessageSizeLimit {
if len(m.Title) > s.config.MessageSizeLimit || len(m.Message) > s.config.MessageSizeLimit {
return errHTTPBadRequestTemplateMessageTooLarge
}
return nil
}
func replaceTemplate(tpl string, source string) (string, error) {
// renderTemplateFromFile transforms the JSON message body according to a template from the filesystem.
// The template file must be in the templates directory, or in the configured template directory.
func (s *Server) renderTemplateFromFile(m *message, templateName, peekedBody string) error {
if !templateNameRegex.MatchString(templateName) {
return errHTTPBadRequestTemplateFileNotFound
}
templateContent, _ := templatesFs.ReadFile(filepath.Join(templatesDir, templateName+templateFileExtension)) // Read from the embedded filesystem first
if s.config.TemplateDir != "" {
if b, _ := os.ReadFile(filepath.Join(s.config.TemplateDir, templateName+templateFileExtension)); len(b) > 0 {
templateContent = b
}
}
if len(templateContent) == 0 {
return errHTTPBadRequestTemplateFileNotFound
}
var tpl templateFile
if err := yaml.Unmarshal(templateContent, &tpl); err != nil {
return errHTTPBadRequestTemplateFileInvalid
}
var err error
if tpl.Message != nil {
if m.Message, err = s.renderTemplate(*tpl.Message, peekedBody); err != nil {
return err
}
}
if tpl.Title != nil {
if m.Title, err = s.renderTemplate(*tpl.Title, peekedBody); err != nil {
return err
}
}
return nil
}
// renderTemplateFromParams transforms the JSON message body according to the inline template in the
// message and title parameters.
func (s *Server) renderTemplateFromParams(m *message, peekedBody string) error {
var err error
if m.Message, err = s.renderTemplate(m.Message, peekedBody); err != nil {
return err
}
if m.Title, err = s.renderTemplate(m.Title, peekedBody); err != nil {
return err
}
return nil
}
// renderTemplate renders a template with the given JSON source data.
func (s *Server) renderTemplate(tpl string, source string) (string, error) {
if templateDisallowedRegex.MatchString(tpl) {
return "", errHTTPBadRequestTemplateDisallowedFunctionCalls
}
@@ -1128,15 +1281,16 @@ func replaceTemplate(tpl string, source string) (string, error) {
if err := json.Unmarshal([]byte(source), &data); err != nil {
return "", errHTTPBadRequestTemplateMessageNotJSON
}
t, err := template.New("").Parse(tpl)
t, err := template.New("").Funcs(sprig.TxtFuncMap()).Parse(tpl)
if err != nil {
return "", errHTTPBadRequestTemplateInvalid
return "", errHTTPBadRequestTemplateInvalid.Wrap("%s", err.Error())
}
var buf bytes.Buffer
if err := t.Execute(util.NewTimeoutWriter(&buf, templateMaxExecutionTime), data); err != nil {
return "", errHTTPBadRequestTemplateExecuteFailed
limitWriter := util.NewLimitWriter(util.NewTimeoutWriter(&buf, templateMaxExecutionTime), util.NewFixedLimiter(templateMaxOutputBytes))
if err := t.Execute(limitWriter, data); err != nil {
return "", errHTTPBadRequestTemplateExecuteFailed.Wrap("%s", err.Error())
}
return buf.String(), nil
return strings.TrimSpace(strings.ReplaceAll(buf.String(), "\\n", "\n")), nil // replace any remaining "\n" (those outside of template curly braces) with newlines
}
func (s *Server) handleBodyAsAttachment(r *http.Request, v *visitor, m *message, body *util.PeekedReadCloser) error {
@@ -1192,7 +1346,7 @@ func (s *Server) handleBodyAsAttachment(r *http.Request, v *visitor, m *message,
func (s *Server) handleSubscribeJSON(w http.ResponseWriter, r *http.Request, v *visitor) error {
encoder := func(msg *message) (string, error) {
var buf bytes.Buffer
if err := json.NewEncoder(&buf).Encode(&msg); err != nil {
if err := json.NewEncoder(&buf).Encode(msg.forJSON()); err != nil {
return "", err
}
return buf.String(), nil
@@ -1203,10 +1357,10 @@ func (s *Server) handleSubscribeJSON(w http.ResponseWriter, r *http.Request, v *
func (s *Server) handleSubscribeSSE(w http.ResponseWriter, r *http.Request, v *visitor) error {
encoder := func(msg *message) (string, error) {
var buf bytes.Buffer
if err := json.NewEncoder(&buf).Encode(&msg); err != nil {
if err := json.NewEncoder(&buf).Encode(msg.forJSON()); err != nil {
return "", err
}
if msg.Event != messageEvent {
if msg.Event != messageEvent && msg.Event != messageDeleteEvent && msg.Event != messageClearEvent {
return fmt.Sprintf("event: %s\ndata: %s\n", msg.Event, buf.String()), nil // Browser's .onmessage() does not fire on this!
}
return fmt.Sprintf("data: %s\n", buf.String()), nil
@@ -1556,8 +1710,8 @@ func (s *Server) sendOldMessages(topics []*topic, since sinceMarker, scheduled b
// parseSince returns a timestamp identifying the time span from which cached messages should be received.
//
// Values in the "since=..." parameter can be either a unix timestamp or a duration (e.g. 12h), or
// "all" for all messages.
// Values in the "since=..." parameter can be either a unix timestamp or a duration (e.g. 12h),
// "all" for all messages, or "latest" for the most recent message for a topic
func parseSince(r *http.Request, poll bool) (sinceMarker, error) {
since := readParam(r, "x-since", "since", "si")
@@ -1569,6 +1723,8 @@ func parseSince(r *http.Request, poll bool) (sinceMarker, error) {
return sinceNoMessages, nil
} else if since == "all" {
return sinceAllMessages, nil
} else if since == "latest" {
return sinceLatestMessage, nil
} else if since == "none" {
return sinceNoMessages, nil
}
@@ -1614,6 +1770,15 @@ func (s *Server) topicsFromPath(path string) ([]*topic, string, error) {
return topics, parts[1], nil
}
// sequenceIDFromPath returns the sequence ID from a path like /mytopic/sequenceIdHere
func (s *Server) sequenceIDFromPath(path string) (string, *errHTTP) {
parts := strings.Split(path, "/")
if len(parts) < 3 {
return "", errHTTPBadRequestSequenceIDInvalid
}
return parts[2], nil
}
// topicsFromIDs returns the topics with the given IDs, creating them if they don't exist.
func (s *Server) topicsFromIDs(ids ...string) ([]*topic, error) {
s.mu.Lock()
@@ -1862,6 +2027,15 @@ func (s *Server) transformBodyJSON(next handleFunc) handleFunc {
if m.Call != "" {
r.Header.Set("X-Call", m.Call)
}
if m.Cache != "" {
r.Header.Set("X-Cache", m.Cache)
}
if m.Firebase != "" {
r.Header.Set("X-Firebase", m.Firebase)
}
if m.SequenceID != "" {
r.Header.Set("X-Sequence-ID", m.SequenceID)
}
return next(w, r, v)
}
}
@@ -1885,14 +2059,14 @@ func (s *Server) transformMatrixJSON(next handleFunc) handleFunc {
}
func (s *Server) authorizeTopicWrite(next handleFunc) handleFunc {
return s.autorizeTopic(next, user.PermissionWrite)
return s.authorizeTopic(next, user.PermissionWrite)
}
func (s *Server) authorizeTopicRead(next handleFunc) handleFunc {
return s.autorizeTopic(next, user.PermissionRead)
return s.authorizeTopic(next, user.PermissionRead)
}
func (s *Server) autorizeTopic(next handleFunc, perm user.Permission) handleFunc {
func (s *Server) authorizeTopic(next handleFunc, perm user.Permission) handleFunc {
return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
if s.userManager == nil {
return next(w, r, v)
@@ -1924,8 +2098,8 @@ func (s *Server) autorizeTopic(next handleFunc, perm user.Permission) handleFunc
// This function will ALWAYS return a visitor, even if an error occurs (e.g. unauthorized), so
// that subsequent logging calls still have a visitor context.
func (s *Server) maybeAuthenticate(r *http.Request) (*visitor, error) {
// Read "Authorization" header value, and exit out early if it's not set
ip := extractIPAddress(r, s.config.BehindProxy)
// Read the "Authorization" header value and exit out early if it's not set
ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyForwardedHeader, s.config.ProxyTrustedPrefixes)
vip := s.visitor(ip, nil)
if s.userManager == nil {
return vip, nil
@@ -2000,7 +2174,7 @@ func (s *Server) authenticateBearerAuth(r *http.Request, token string) (*user.Us
if err != nil {
return nil, err
}
ip := extractIPAddress(r, s.config.BehindProxy)
ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyForwardedHeader, s.config.ProxyTrustedPrefixes)
go s.userManager.EnqueueTokenUpdate(token, &user.TokenUpdate{
LastAccess: time.Now(),
LastOrigin: ip,
@@ -2011,7 +2185,7 @@ func (s *Server) authenticateBearerAuth(r *http.Request, token string) (*user.Us
func (s *Server) visitor(ip netip.Addr, user *user.User) *visitor {
s.mu.Lock()
defer s.mu.Unlock()
id := visitorID(ip, user)
id := visitorID(ip, user, s.config)
v, exists := s.visitors[id]
if !exists {
s.visitors[id] = newVisitor(s.config, s.messageCache, s.userManager, ip, user)

73
server/server.yml
View File

@@ -82,6 +82,14 @@
# set to "read-write" (default), "read-only", "write-only" or "deny-all".
# - auth-startup-queries allows you to run commands when the database is initialized, e.g. to enable
# WAL mode. This is similar to cache-startup-queries. See above for details.
# - auth-users is a list of users that are automatically created when the server starts.
# Each entry is in the format "<username>:<password-hash>:<role>", e.g. "phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:user"
# Use 'ntfy user hash' to generate the password hash from a password.
# - auth-access is a list of access control entries that are automatically created when the server starts.
# Each entry is in the format "<username>:<topic-pattern>:<access>", e.g. "phil:mytopic:rw" or "phil:phil-*:rw".
# - auth-tokens is a list of access tokens that are automatically created when the server starts.
# Each entry is in the format "<username>:<token>[:<label>]", e.g. "phil:tk_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef:My token".
# Use 'ntfy token generate' to generate a new access token.
#
# Debian/RPM package users:
# Use /var/lib/ntfy/user.db as user database to avoid permission issues. The package
@@ -94,14 +102,27 @@
# auth-file: <filename>
# auth-default-access: "read-write"
# auth-startup-queries:
# auth-users:
# auth-access:
# auth-tokens:
# If set, the X-Forwarded-For header is used to determine the visitor IP address
# instead of the remote address of the connection.
# If set, the X-Forwarded-For header (or whatever is configured in proxy-forwarded-header) is used to determine
# the visitor IP address instead of the remote address of the connection.
#
# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited
# WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate-limited
# as if they are one.
#
# - behind-proxy makes it so that the real visitor IP address is extracted from the header defined in
# proxy-forwarded-header. Without this, the remote address of the incoming connection is used.
# - proxy-forwarded-header is the header to use to identify visitors. It may be a single IP address (e.g. 1.2.3.4),
# a comma-separated list of IP addresses (e.g. "1.2.3.4, 5.6.7.8"), or an RFC 7239-style header (e.g. "for=1.2.3.4;by=proxy.example.com, for=5.6.7.8").
# - proxy-trusted-hosts is a comma-separated list of IP addresses, hostnames or CIDRs that are removed from the forwarded header
# to determine the real IP address. This is only useful if there are multiple proxies involved that add themselves to
# the forwarded header.
#
# behind-proxy: false
# proxy-forwarded-header: "X-Forwarded-For"
# proxy-trusted-hosts:
# If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments
# are "attachment-cache-dir" and "base-url".
@@ -116,6 +137,26 @@
# attachment-file-size-limit: "15M"
# attachment-expiry-duration: "3h"
# Template directory for message templates.
#
# When "X-Template: <name>" (aliases: "Template: <name>", "Tpl: <name>") or "?template=<name>" is set, transform the message
# based on one of the built-in pre-defined templates, or on a template defined in the "template-dir" directory.
#
# Template files must have the ".yml" extension and must be formatted as YAML. They may contain "title" and "message" keys,
# which are interpreted as Go templates.
#
# Example template file (e.g. /etc/ntfy/templates/grafana.yml):
# title: |
# {{- if eq .status "firing" }}
# {{ .title | default "Alert firing" }}
# {{- else if eq .status "resolved" }}
# {{ .title | default "Alert resolved" }}
# {{- end }}
# message: |
# {{ .message | trunc 2000 }}
#
# template-dir: "/etc/ntfy/templates"
# If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set,
# messages will additionally be sent out as e-mail using an external SMTP server.
#
@@ -138,7 +179,7 @@
# - smtp-server-domain is the e-mail domain, e.g. ntfy.sh
# - smtp-server-addr-prefix is an optional prefix for the e-mail addresses to prevent spam. If set to "ntfy-",
# for instance, only e-mails to ntfy-$topic@ntfy.sh will be accepted. If this is not set, all emails to
# $topic@ntfy.sh will be accepted (which may obviously be a spam problem).
# $topic@ntfy.sh will be accepted (which may be a spam problem).
#
# smtp-server-listen:
# smtp-server-domain:
@@ -146,7 +187,7 @@
# Web Push support (background notifications for browsers)
#
# If enabled, allows ntfy to receive push notifications, even when the ntfy web app is closed. When enabled, users
# If enabled, allows the ntfy web app to receive push notifications, even when the web app is closed. When enabled, users
# can enable background notifications in the web app. Once enabled, ntfy will forward published messages to the push
# endpoint, which will then forward it to the browser.
#
@@ -155,15 +196,19 @@
#
# - web-push-public-key is the generated VAPID public key, e.g. AA1234BBCCddvveekaabcdfqwertyuiopasdfghjklzxcvbnm1234567890
# - web-push-private-key is the generated VAPID private key, e.g. AA2BB1234567890abcdefzxcvbnm1234567890
# - web-push-file is a database file to keep track of browser subscription endpoints, e.g. `/var/cache/ntfy/webpush.db`
# - web-push-email-address is the admin email address send to the push provider, e.g. `sysadmin@example.com`
# - web-push-file is a database file to keep track of browser subscription endpoints, e.g. /var/cache/ntfy/webpush.db
# - web-push-email-address is the admin email address send to the push provider, e.g. sysadmin@example.com
# - web-push-startup-queries is an optional list of queries to run on startup`
# - web-push-expiry-warning-duration defines the duration after which unused subscriptions are sent a warning (default is 55d`)
# - web-push-expiry-duration defines the duration after which unused subscriptions will expire (default is 60d)
#
# web-push-public-key:
# web-push-private-key:
# web-push-file:
# web-push-email-address:
# web-push-startup-queries:
# web-push-expiry-warning-duration: "55d"
# web-push-expiry-duration: "60d"
# If enabled, ntfy can perform voice calls via Twilio via the "X-Call" header.
#
@@ -215,9 +260,11 @@
#
# - enable-signup allows users to sign up via the web app, or API
# - enable-login allows users to log in via the web app, or API
# - require-login redirects users to the login page if they are not logged in (disallows web app access without login)
# - enable-reservations allows users to reserve topics (if their tier allows it)
#
# enable-signup: false
# require-login: false
# enable-login: false
# enable-reservations: false
@@ -280,6 +327,18 @@
# visitor-email-limit-burst: 16
# visitor-email-limit-replenish: "1h"
# Rate limiting: IPv4/IPv6 address prefix bits used for rate limiting
# - visitor-prefix-bits-ipv4: number of bits of the IPv4 address to use for rate limiting (default: 32, full address)
# - visitor-prefix-bits-ipv6: number of bits of the IPv6 address to use for rate limiting (default: 64, /64 subnet)
#
# This is used to group visitors by their IP address or subnet. For example, if you set visitor-prefix-bits-ipv4 to 24,
# all visitors in the 1.2.3.0/24 network are treated as one.
#
# By default, ntfy uses the full IPv4 address (32 bits) and the /64 subnet of the IPv6 address (64 bits).
#
# visitor-prefix-bits-ipv4: 32
# visitor-prefix-bits-ipv6: 64
# Rate limiting: Attachment size and bandwidth limits per visitor:
# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor
# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor

33
server/server_account.go
View File

@@ -37,7 +37,7 @@ func (s *Server) handleAccountCreate(w http.ResponseWriter, r *http.Request, v *
return errHTTPConflictUserExists
}
logvr(v, r).Tag(tagAccount).Field("user_name", newAccount.Username).Info("Creating user %s", newAccount.Username)
if err := s.userManager.AddUser(newAccount.Username, newAccount.Password, user.RoleUser); err != nil {
if err := s.userManager.AddUser(newAccount.Username, newAccount.Password, user.RoleUser, false); err != nil {
if errors.Is(err, user.ErrInvalidArgument) {
return errHTTPBadRequestInvalidUsername
}
@@ -85,6 +85,7 @@ func (s *Server) handleAccountGet(w http.ResponseWriter, r *http.Request, v *vis
response.Username = u.Name
response.Role = string(u.Role)
response.SyncTopic = u.SyncTopic
response.Provisioned = u.Provisioned
if u.Prefs != nil {
if u.Prefs.Language != nil {
response.Language = *u.Prefs.Language
@@ -139,11 +140,12 @@ func (s *Server) handleAccountGet(w http.ResponseWriter, r *http.Request, v *vis
lastOrigin = t.LastOrigin.String()
}
response.Tokens = append(response.Tokens, &apiAccountTokenResponse{
Token: t.Value,
Label: t.Label,
LastAccess: t.LastAccess.Unix(),
LastOrigin: lastOrigin,
Expires: t.Expires.Unix(),
Token: t.Value,
Label: t.Label,
LastAccess: t.LastAccess.Unix(),
LastOrigin: lastOrigin,
Expires: t.Expires.Unix(),
Provisioned: t.Provisioned,
})
}
}
@@ -174,6 +176,12 @@ func (s *Server) handleAccountDelete(w http.ResponseWriter, r *http.Request, v *
if _, err := s.userManager.Authenticate(u.Name, req.Password); err != nil {
return errHTTPBadRequestIncorrectPasswordConfirmation
}
if err := s.userManager.CanChangeUser(u.Name); err != nil {
if errors.Is(err, user.ErrProvisionedUserChange) {
return errHTTPConflictProvisionedUserChange
}
return err
}
if s.webPush != nil && u.ID != "" {
if err := s.webPush.RemoveSubscriptionsByUserID(u.ID); err != nil {
logvr(v, r).Err(err).Warn("Error removing web push subscriptions for %s", u.Name)
@@ -207,7 +215,10 @@ func (s *Server) handleAccountPasswordChange(w http.ResponseWriter, r *http.Requ
return errHTTPBadRequestIncorrectPasswordConfirmation
}
logvr(v, r).Tag(tagAccount).Debug("Changing password for user %s", u.Name)
if err := s.userManager.ChangePassword(u.Name, req.NewPassword); err != nil {
if err := s.userManager.ChangePassword(u.Name, req.NewPassword, false); err != nil {
if errors.Is(err, user.ErrProvisionedUserChange) {
return errHTTPConflictProvisionedUserChange
}
return err
}
return s.writeJSON(w, newSuccessResponse())
@@ -234,7 +245,7 @@ func (s *Server) handleAccountTokenCreate(w http.ResponseWriter, r *http.Request
"token_expires": expires,
}).
Debug("Creating token for user %s", u.Name)
token, err := s.userManager.CreateToken(u.ID, label, expires, v.IP())
token, err := s.userManager.CreateToken(u.ID, label, expires, v.IP(), false)
if err != nil {
return err
}
@@ -274,6 +285,9 @@ func (s *Server) handleAccountTokenUpdate(w http.ResponseWriter, r *http.Request
Debug("Updating token for user %s as deleted", u.Name)
token, err := s.userManager.ChangeToken(u.ID, req.Token, req.Label, expires)
if err != nil {
if errors.Is(err, user.ErrProvisionedTokenChange) {
return errHTTPConflictProvisionedTokenChange
}
return err
}
response := &apiAccountTokenResponse{
@@ -296,6 +310,9 @@ func (s *Server) handleAccountTokenDelete(w http.ResponseWriter, r *http.Request
}
}
if err := s.userManager.RemoveToken(u.ID, token); err != nil {
if errors.Is(err, user.ErrProvisionedTokenChange) {
return errHTTPConflictProvisionedTokenChange
}
return err
}
logvr(v, r).

38
server/server_account_test.go
View File

@@ -87,9 +87,9 @@ func TestAccount_Signup_AsUser(t *testing.T) {
defer s.closeDatabases()
log.Info("1")
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
log.Info("2")
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser, false))
log.Info("3")
rr := request(t, s, "POST", "/v1/account", `{"username":"emma", "password":"emma"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
@@ -174,9 +174,9 @@ func TestAccount_ChangeSettings(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
u, _ := s.userManager.User("phil")
token, _ := s.userManager.CreateToken(u.ID, "", time.Unix(0, 0), netip.IPv4Unspecified())
token, _ := s.userManager.CreateToken(u.ID, "", time.Unix(0, 0), netip.IPv4Unspecified(), false)
rr := request(t, s, "PATCH", "/v1/account/settings", `{"notification": {"sound": "juntos"},"ignored": true}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
@@ -203,7 +203,7 @@ func TestAccount_Subscription_AddUpdateDelete(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
rr := request(t, s, "POST", "/v1/account/subscription", `{"base_url": "http://abc.com", "topic": "def"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
@@ -251,10 +251,14 @@ func TestAccount_Subscription_AddUpdateDelete(t *testing.T) {
}
func TestAccount_ChangePassword(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
conf := newTestConfigWithAuthFile(t)
conf.AuthUsers = []*user.User{
{Name: "philuser", Hash: "$2a$10$U4WSIYY6evyGmZaraavM2e2JeVG6EMGUKN1uUwufUeeRd4Jpg6cGC", Role: user.RoleUser}, // philuser:philpass
}
s := newTestServer(t, conf)
defer s.closeDatabases()
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
rr := request(t, s, "POST", "/v1/account/password", `{"password": "WRONG", "new_password": ""}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
@@ -281,6 +285,12 @@ func TestAccount_ChangePassword(t *testing.T) {
"Authorization": util.BasicAuth("phil", "new password"),
})
require.Equal(t, 200, rr.Code)
// Cannot change password of provisioned user
rr = request(t, s, "POST", "/v1/account/password", `{"password": "philpass", "new_password": "new password"}`, map[string]string{
"Authorization": util.BasicAuth("philuser", "philpass"),
})
require.Equal(t, 409, rr.Code)
}
func TestAccount_ChangePassword_NoAccount(t *testing.T) {
@@ -296,7 +306,7 @@ func TestAccount_ExtendToken(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
rr := request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
@@ -332,7 +342,7 @@ func TestAccount_ExtendToken_NoTokenProvided(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
rr := request(t, s, "PATCH", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("phil", "phil"), // Not Bearer!
@@ -345,7 +355,7 @@ func TestAccount_DeleteToken(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
rr := request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
@@ -455,14 +465,14 @@ func TestAccount_Reservation_AddAdminSuccess(t *testing.T) {
Code: "pro",
ReservationLimit: 2,
}))
require.Nil(t, s.userManager.AddUser("noadmin1", "pass", user.RoleUser))
require.Nil(t, s.userManager.AddUser("noadmin1", "pass", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("noadmin1", "pro"))
require.Nil(t, s.userManager.AddReservation("noadmin1", "mytopic", user.PermissionDenyAll))
require.Nil(t, s.userManager.AddUser("noadmin2", "pass", user.RoleUser))
require.Nil(t, s.userManager.AddUser("noadmin2", "pass", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("noadmin2", "pro"))
require.Nil(t, s.userManager.AddUser("phil", "adminpass", user.RoleAdmin))
require.Nil(t, s.userManager.AddUser("phil", "adminpass", user.RoleAdmin, false))
// Admin can reserve topic
rr := request(t, s, "POST", "/v1/account/reservation", `{"topic":"sometopic","everyone":"deny-all"}`, map[string]string{
@@ -624,7 +634,7 @@ func TestAccount_Reservation_Delete_Messages_And_Attachments(t *testing.T) {
s := newTestServer(t, conf)
// Create user with tier
require.Nil(t, s.userManager.AddUser("phil", "mypass", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "mypass", user.RoleUser, false))
require.Nil(t, s.userManager.AddTier(&user.Tier{
Code: "pro",
MessageLimit: 20,

61
server/server_admin.go
View File

@@ -25,7 +25,7 @@ func (s *Server) handleUsersGet(w http.ResponseWriter, r *http.Request, v *visit
for i, g := range grants[u.ID] {
userGrants[i] = &apiUserGrantResponse{
Topic: g.TopicPattern,
Permission: g.Allow.String(),
Permission: g.Permission.String(),
}
}
usersResponse[i] = &apiUserResponse{
@@ -39,11 +39,11 @@ func (s *Server) handleUsersGet(w http.ResponseWriter, r *http.Request, v *visit
}
func (s *Server) handleUsersAdd(w http.ResponseWriter, r *http.Request, v *visitor) error {
req, err := readJSONWithLimit[apiUserAddRequest](r.Body, jsonBodyBytesLimit, false)
req, err := readJSONWithLimit[apiUserAddOrUpdateRequest](r.Body, jsonBodyBytesLimit, false)
if err != nil {
return err
} else if !user.AllowedUsername(req.Username) || req.Password == "" {
return errHTTPBadRequest.Wrap("username invalid, or password missing")
} else if !user.AllowedUsername(req.Username) || (req.Password == "" && req.Hash == "") {
return errHTTPBadRequest.Wrap("username invalid, or password/password_hash missing")
}
u, err := s.userManager.User(req.Username)
if err != nil && !errors.Is(err, user.ErrUserNotFound) {
@@ -60,7 +60,11 @@ func (s *Server) handleUsersAdd(w http.ResponseWriter, r *http.Request, v *visit
return err
}
}
if err := s.userManager.AddUser(req.Username, req.Password, user.RoleUser); err != nil {
password, hashed := req.Password, false
if req.Hash != "" {
password, hashed = req.Hash, true
}
if err := s.userManager.AddUser(req.Username, password, user.RoleUser, hashed); err != nil {
return err
}
if tier != nil {
@@ -71,6 +75,53 @@ func (s *Server) handleUsersAdd(w http.ResponseWriter, r *http.Request, v *visit
return s.writeJSON(w, newSuccessResponse())
}
func (s *Server) handleUsersUpdate(w http.ResponseWriter, r *http.Request, v *visitor) error {
req, err := readJSONWithLimit[apiUserAddOrUpdateRequest](r.Body, jsonBodyBytesLimit, false)
if err != nil {
return err
} else if !user.AllowedUsername(req.Username) {
return errHTTPBadRequest.Wrap("username invalid")
} else if req.Password == "" && req.Hash == "" && req.Tier == "" {
return errHTTPBadRequest.Wrap("need to provide at least one of \"password\", \"password_hash\" or \"tier\"")
}
u, err := s.userManager.User(req.Username)
if err != nil && !errors.Is(err, user.ErrUserNotFound) {
return err
} else if u != nil {
if u.IsAdmin() {
return errHTTPForbidden
}
if req.Hash != "" {
if err := s.userManager.ChangePassword(req.Username, req.Hash, true); err != nil {
return err
}
} else if req.Password != "" {
if err := s.userManager.ChangePassword(req.Username, req.Password, false); err != nil {
return err
}
}
} else {
password, hashed := req.Password, false
if req.Hash != "" {
password, hashed = req.Hash, true
}
if err := s.userManager.AddUser(req.Username, password, user.RoleUser, hashed); err != nil {
return err
}
}
if req.Tier != "" {
if _, err = s.userManager.Tier(req.Tier); errors.Is(err, user.ErrTierNotFound) {
return errHTTPBadRequestTierInvalid
} else if err != nil {
return err
}
if err := s.userManager.ChangeTier(req.Username, req.Tier); err != nil {
return err
}
}
return s.writeJSON(w, newSuccessResponse())
}
func (s *Server) handleUsersDelete(w http.ResponseWriter, r *http.Request, v *visitor) error {
req, err := readJSONWithLimit[apiUserDeleteRequest](r.Body, jsonBodyBytesLimit, false)
if err != nil {

244
server/server_admin_test.go
View File

@@ -14,13 +14,13 @@ func TestUser_AddRemove(t *testing.T) {
defer s.closeDatabases()
// Create admin, tier
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
require.Nil(t, s.userManager.AddTier(&user.Tier{
Code: "tier1",
}))
// Create user via API
rr := request(t, s, "PUT", "/v1/users", `{"username": "ben", "password":"ben"}`, map[string]string{
rr := request(t, s, "POST", "/v1/users", `{"username": "ben", "password":"ben"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
@@ -49,6 +49,226 @@ func TestUser_AddRemove(t *testing.T) {
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Check user was deleted
users, err = s.userManager.Users()
require.Nil(t, err)
require.Equal(t, 3, len(users))
require.Equal(t, "phil", users[0].Name)
require.Equal(t, "emma", users[1].Name)
require.Equal(t, user.Everyone, users[2].Name)
// Reject invalid user change
rr = request(t, s, "PUT", "/v1/users", `{"username": "ben"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 400, rr.Code)
}
func TestUser_AddWithPasswordHash(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
// Create admin
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
// Create user via API
rr := request(t, s, "POST", "/v1/users", `{"username": "ben", "hash":"$2a$04$2aPIIqPXQU16OfkSUZH1XOzpu1gsPRKkrfVdFLgWQ.tqb.vtTCuVe"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Check that user can login with password
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "ben"),
})
require.Equal(t, 200, rr.Code)
// Check users
users, err := s.userManager.Users()
require.Nil(t, err)
require.Equal(t, 3, len(users))
require.Equal(t, "phil", users[0].Name)
require.Equal(t, user.RoleAdmin, users[0].Role)
require.Equal(t, "ben", users[1].Name)
require.Equal(t, user.RoleUser, users[1].Role)
}
func TestUser_ChangeUserPassword(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
// Create admin
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
// Create user via API
rr := request(t, s, "POST", "/v1/users", `{"username": "ben", "password": "ben"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Try to login with first password
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "ben"),
})
require.Equal(t, 200, rr.Code)
// Change password via API
rr = request(t, s, "PUT", "/v1/users", `{"username": "ben", "password": "ben-two"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Make sure first password fails
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "ben"),
})
require.Equal(t, 401, rr.Code)
// Try to login with second password
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "ben-two"),
})
require.Equal(t, 200, rr.Code)
}
func TestUser_ChangeUserTier(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
// Create admin, tier
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
require.Nil(t, s.userManager.AddTier(&user.Tier{
Code: "tier1",
}))
require.Nil(t, s.userManager.AddTier(&user.Tier{
Code: "tier2",
}))
// Create user with tier via API
rr := request(t, s, "POST", "/v1/users", `{"username": "ben", "password":"ben", "tier": "tier1"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Check users
users, err := s.userManager.Users()
require.Nil(t, err)
require.Equal(t, 3, len(users))
require.Equal(t, "phil", users[0].Name)
require.Equal(t, "ben", users[1].Name)
require.Equal(t, user.RoleUser, users[1].Role)
require.Equal(t, "tier1", users[1].Tier.Code)
// Change user tier via API
rr = request(t, s, "PUT", "/v1/users", `{"username": "ben", "tier": "tier2"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Check users again
users, err = s.userManager.Users()
require.Nil(t, err)
require.Equal(t, "tier2", users[1].Tier.Code)
}
func TestUser_ChangeUserPasswordAndTier(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
// Create admin, tier
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
require.Nil(t, s.userManager.AddTier(&user.Tier{
Code: "tier1",
}))
require.Nil(t, s.userManager.AddTier(&user.Tier{
Code: "tier2",
}))
// Create user with tier via API
rr := request(t, s, "POST", "/v1/users", `{"username": "ben", "password":"ben", "tier": "tier1"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Check users
users, err := s.userManager.Users()
require.Nil(t, err)
require.Equal(t, 3, len(users))
require.Equal(t, "phil", users[0].Name)
require.Equal(t, "ben", users[1].Name)
require.Equal(t, user.RoleUser, users[1].Role)
require.Equal(t, "tier1", users[1].Tier.Code)
// Change user password and tier via API
rr = request(t, s, "PUT", "/v1/users", `{"username": "ben", "password":"ben-two", "tier": "tier2"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Make sure first password fails
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "ben"),
})
require.Equal(t, 401, rr.Code)
// Try to login with second password
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "ben-two"),
})
require.Equal(t, 200, rr.Code)
// Check new tier
users, err = s.userManager.Users()
require.Nil(t, err)
require.Equal(t, "tier2", users[1].Tier.Code)
}
func TestUser_ChangeUserPasswordWithHash(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
// Create admin
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
// Create user with tier via API
rr := request(t, s, "POST", "/v1/users", `{"username": "ben", "password":"not-ben"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Try to login with first password
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "not-ben"),
})
require.Equal(t, 200, rr.Code)
// Change user password and tier via API
rr = request(t, s, "PUT", "/v1/users", `{"username": "ben", "hash":"$2a$04$2aPIIqPXQU16OfkSUZH1XOzpu1gsPRKkrfVdFLgWQ.tqb.vtTCuVe"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 200, rr.Code)
// Try to login with second password
rr = request(t, s, "POST", "/v1/account/token", "", map[string]string{
"Authorization": util.BasicAuth("ben", "ben"),
})
require.Equal(t, 200, rr.Code)
}
func TestUser_DontChangeAdminPassword(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
// Create admin
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
require.Nil(t, s.userManager.AddUser("admin", "admin", user.RoleAdmin, false))
// Try to change password via API
rr := request(t, s, "PUT", "/v1/users", `{"username": "admin", "password": "admin-new"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 403, rr.Code)
}
func TestUser_AddRemove_Failures(t *testing.T) {
@@ -56,23 +276,23 @@ func TestUser_AddRemove_Failures(t *testing.T) {
defer s.closeDatabases()
// Create admin
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser, false))
// Cannot create user with invalid username
rr := request(t, s, "PUT", "/v1/users", `{"username": "not valid", "password":"ben"}`, map[string]string{
rr := request(t, s, "POST", "/v1/users", `{"username": "not valid", "password":"ben"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 400, rr.Code)
// Cannot create user if user already exists
rr = request(t, s, "PUT", "/v1/users", `{"username": "phil", "password":"phil"}`, map[string]string{
rr = request(t, s, "POST", "/v1/users", `{"username": "phil", "password":"phil"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 40901, toHTTPError(t, rr.Body.String()).Code)
// Cannot create user with invalid tier
rr = request(t, s, "PUT", "/v1/users", `{"username": "emma", "password":"emma", "tier": "invalid"}`, map[string]string{
rr = request(t, s, "POST", "/v1/users", `{"username": "emma", "password":"emma", "tier": "invalid"}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 40030, toHTTPError(t, rr.Body.String()).Code)
@@ -97,8 +317,8 @@ func TestAccess_AllowReset(t *testing.T) {
defer s.closeDatabases()
// User and admin
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser, false))
// Subscribing not allowed
rr := request(t, s, "GET", "/gold/json?poll=1", "", map[string]string{
@@ -138,7 +358,7 @@ func TestAccess_AllowReset_NonAdminAttempt(t *testing.T) {
defer s.closeDatabases()
// User
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser, false))
// Grant access fails, because non-admin
rr := request(t, s, "POST", "/v1/users/access", `{"username": "ben", "topic":"gold", "permission":"ro"}`, map[string]string{
@@ -154,8 +374,8 @@ func TestAccess_AllowReset_KillConnection(t *testing.T) {
defer s.closeDatabases()
// User and admin, grant access to "gol*" topics
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin, false))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser, false))
require.Nil(t, s.userManager.AllowAccess("ben", "gol*", user.PermissionRead)) // Wildcard!
start, timeTaken := time.Now(), atomic.Int64{}

119
server/server_firebase.go
View File

@@ -1,3 +1,5 @@
//go:build !nofirebase
package server
import (
@@ -14,6 +16,10 @@ import (
)
const (
// FirebaseAvailable is a constant used to indicate that Firebase support is available.
// It can be disabled with the 'nofirebase' build tag.
FirebaseAvailable = true
fcmMessageLimit = 4000
fcmApnsBodyMessageLimit = 100
)
@@ -50,7 +56,7 @@ func (c *firebaseClient) Send(v *visitor, m *message) error {
ev.Field("firebase_message", util.MaybeMarshalJSON(fbm)).Trace("Firebase message")
}
err = c.sender.Send(fbm)
if err == errFirebaseQuotaExceeded {
if errors.Is(err, errFirebaseQuotaExceeded) {
logvm(v, m).
Tag(tagFirebase).
Err(err).
@@ -73,8 +79,8 @@ type firebaseSenderImpl struct {
client *messaging.Client
}
func newFirebaseSender(credentialsFile string) (*firebaseSenderImpl, error) {
fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(credentialsFile))
func newFirebaseSender(credentialsFile string) (firebaseSender, error) {
fb, err := firebase.NewApp(context.Background(), nil, option.WithAuthCredentialsFile(option.ServiceAccount, credentialsFile))
if err != nil {
return nil, err
}
@@ -133,56 +139,65 @@ func toFirebaseMessage(m *message, auther user.Auther) (*messaging.Message, erro
"time": fmt.Sprintf("%d", m.Time),
"event": m.Event,
"topic": m.Topic,
"message": m.Message,
"message": newMessageBody,
"poll_id": m.PollID,
}
apnsConfig = createAPNSAlertConfig(m, data)
case messageDeleteEvent, messageClearEvent:
data = map[string]string{
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": m.Event,
"topic": m.Topic,
"sequence_id": m.SequenceID,
}
apnsConfig = createAPNSBackgroundConfig(data)
case messageEvent:
allowForward := true
if auther != nil {
allowForward = auther.Authorize(nil, m.Topic, user.PermissionRead) == nil
}
if allowForward {
data = map[string]string{
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": m.Event,
"topic": m.Topic,
"priority": fmt.Sprintf("%d", m.Priority),
"tags": strings.Join(m.Tags, ","),
"click": m.Click,
"icon": m.Icon,
"title": m.Title,
"message": m.Message,
"content_type": m.ContentType,
"encoding": m.Encoding,
}
if len(m.Actions) > 0 {
actions, err := json.Marshal(m.Actions)
if err != nil {
return nil, err
}
data["actions"] = string(actions)
}
if m.Attachment != nil {
data["attachment_name"] = m.Attachment.Name
data["attachment_type"] = m.Attachment.Type
data["attachment_size"] = fmt.Sprintf("%d", m.Attachment.Size)
data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires)
data["attachment_url"] = m.Attachment.URL
}
apnsConfig = createAPNSAlertConfig(m, data)
} else {
// If anonymous read for a topic is not allowed, we cannot send the message along
// If "anonymous read" for a topic is not allowed, we cannot send the message along
// via Firebase. Instead, we send a "poll_request" message, asking the client to poll.
data = map[string]string{
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": pollRequestEvent,
"topic": m.Topic,
//
// The data map needs to contain all the fields for it to function properly. If not all
// fields are set, the iOS app fails to decode the message.
//
// See https://github.com/binwiederhier/ntfy/pull/1345
if err := auther.Authorize(nil, m.Topic, user.PermissionRead); err != nil {
m = toPollRequest(m)
}
// TODO Handle APNS?
}
data = map[string]string{
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": m.Event,
"topic": m.Topic,
"sequence_id": m.SequenceID,
"priority": fmt.Sprintf("%d", m.Priority),
"tags": strings.Join(m.Tags, ","),
"click": m.Click,
"icon": m.Icon,
"title": m.Title,
"message": m.Message,
"content_type": m.ContentType,
"encoding": m.Encoding,
}
if len(m.Actions) > 0 {
actions, err := json.Marshal(m.Actions)
if err != nil {
return nil, err
}
data["actions"] = string(actions)
}
if m.Attachment != nil {
data["attachment_name"] = m.Attachment.Name
data["attachment_type"] = m.Attachment.Type
data["attachment_size"] = fmt.Sprintf("%d", m.Attachment.Size)
data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires)
data["attachment_url"] = m.Attachment.URL
}
if m.PollID != "" {
data["poll_id"] = m.PollID
}
apnsConfig = createAPNSAlertConfig(m, data)
}
var androidConfig *messaging.AndroidConfig
if m.Priority >= 4 {
@@ -276,3 +291,17 @@ func maybeTruncateAPNSBodyMessage(s string) string {
}
return s
}
// toPollRequest converts a message to a poll request message.
//
// This empties all the fields that are not needed for a poll request and just sets the required fields,
// most importantly, the PollID.
func toPollRequest(m *message) *message {
pr := newPollRequestMessage(m.Topic, m.ID)
pr.ID = m.ID
pr.Time = m.Time
pr.Priority = m.Priority // Keep priority
pr.ContentType = m.ContentType
pr.Encoding = m.Encoding
return pr
}

38
server/server_firebase_dummy.go Normal file
View File

@@ -0,0 +1,38 @@
//go:build nofirebase
package server
import (
"errors"
"heckel.io/ntfy/v2/user"
)
const (
// FirebaseAvailable is a constant used to indicate that Firebase support is available.
// It can be disabled with the 'nofirebase' build tag.
FirebaseAvailable = false
)
var (
errFirebaseNotAvailable = errors.New("Firebase not available")
errFirebaseTemporarilyBanned = errors.New("visitor temporarily banned from using Firebase")
)
type firebaseClient struct {
}
func (c *firebaseClient) Send(v *visitor, m *message) error {
return errFirebaseNotAvailable
}
type firebaseSender interface {
Send(m string) error
}
func newFirebaseClient(sender firebaseSender, auther user.Auther) *firebaseClient {
return nil
}
func newFirebaseSender(credentialsFile string) (firebaseSender, error) {
return nil, errFirebaseNotAvailable
}

28
server/server_firebase_test.go
View File

@@ -1,3 +1,5 @@
//go:build !nofirebase
package server
import (
@@ -175,6 +177,7 @@ func TestToFirebaseMessage_Message_Normal_Allowed(t *testing.T) {
"time": fmt.Sprintf("%d", m.Time),
"event": "message",
"topic": "mytopic",
"sequence_id": "",
"priority": "4",
"tags": strings.Join(m.Tags, ","),
"click": "https://google.com",
@@ -197,6 +200,7 @@ func TestToFirebaseMessage_Message_Normal_Allowed(t *testing.T) {
"time": fmt.Sprintf("%d", m.Time),
"event": "message",
"topic": "mytopic",
"sequence_id": "",
"priority": "4",
"tags": strings.Join(m.Tags, ","),
"click": "https://google.com",
@@ -223,14 +227,26 @@ func TestToFirebaseMessage_Message_Normal_Not_Allowed(t *testing.T) {
require.Equal(t, &messaging.AndroidConfig{
Priority: "high",
}, fbm.Android)
require.Equal(t, "", fbm.Data["message"])
require.Equal(t, "", fbm.Data["priority"])
require.Equal(t, "New message", fbm.Data["message"])
require.Equal(t, "5", fbm.Data["priority"])
require.Equal(t, map[string]string{
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": "poll_request",
"topic": "mytopic",
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": "poll_request",
"topic": "mytopic",
"sequence_id": "",
"message": "New message",
"title": "",
"tags": "",
"click": "",
"icon": "",
"priority": "5",
"encoding": "",
"content_type": "",
"poll_id": m.ID,
}, fbm.Data)
require.Equal(t, "", fbm.APNS.Payload.Aps.Alert.Title)
require.Equal(t, "New message", fbm.APNS.Payload.Aps.Alert.Body)
}
func TestToFirebaseMessage_PollRequest(t *testing.T) {

4
server/server_middleware.go
View File

@@ -16,7 +16,7 @@ const (
func (s *Server) limitRequests(next handleFunc) handleFunc {
return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
if util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) {
if util.ContainsIP(s.config.VisitorRequestExemptPrefixes, v.ip) {
return next(w, r, v)
} else if !v.RequestAllowed() {
return errHTTPTooManyRequestsLimitRequests
@@ -40,7 +40,7 @@ func (s *Server) limitRequestsWithTopic(next handleFunc) handleFunc {
contextRateVisitor: vrate,
contextTopic: t,
})
if util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) {
if util.ContainsIP(s.config.VisitorRequestExemptPrefixes, v.ip) {
return next(w, r, v)
} else if !vrate.RequestAllowed() {
return errHTTPTooManyRequestsLimitRequests

9
server/server_payments.go
View File

@@ -1,3 +1,5 @@
//go:build !nopayments
package server
import (
@@ -12,6 +14,7 @@ import (
"github.com/stripe/stripe-go/v74/subscription"
"github.com/stripe/stripe-go/v74/webhook"
"heckel.io/ntfy/v2/log"
"heckel.io/ntfy/v2/payments"
"heckel.io/ntfy/v2/user"
"heckel.io/ntfy/v2/util"
"io"
@@ -22,7 +25,7 @@ import (
// Payments in ntfy are done via Stripe.
//
// Pretty much all payments related things are in this file. The following processes
// Pretty much all payments-related things are in this file. The following processes
// handle payments:
//
// - Checkout:
@@ -464,8 +467,8 @@ func (s *Server) updateSubscriptionAndTier(r *http.Request, v *visitor, u *user.
billing := &user.Billing{
StripeCustomerID: customerID,
StripeSubscriptionID: subscriptionID,
StripeSubscriptionStatus: stripe.SubscriptionStatus(status),
StripeSubscriptionInterval: stripe.PriceRecurringInterval(interval),
StripeSubscriptionStatus: payments.SubscriptionStatus(status),
StripeSubscriptionInterval: payments.PriceRecurringInterval(interval),
StripeSubscriptionPaidUntil: time.Unix(paidUntil, 0),
StripeSubscriptionCancelAt: time.Unix(cancelAt, 0),
}

47
server/server_payments_dummy.go Normal file
View File

@@ -0,0 +1,47 @@
//go:build nopayments
package server
import (
"net/http"
)
type stripeAPI interface {
CancelSubscription(id string) (string, error)
}
func newStripeAPI() stripeAPI {
return nil
}
func (s *Server) fetchStripePrices() (map[string]int64, error) {
return nil, errHTTPNotFound
}
func (s *Server) handleBillingTiersGet(w http.ResponseWriter, _ *http.Request, _ *visitor) error {
return errHTTPNotFound
}
func (s *Server) handleAccountBillingSubscriptionCreate(w http.ResponseWriter, r *http.Request, v *visitor) error {
return errHTTPNotFound
}
func (s *Server) handleAccountBillingSubscriptionCreateSuccess(w http.ResponseWriter, r *http.Request, v *visitor) error {
return errHTTPNotFound
}
func (s *Server) handleAccountBillingSubscriptionUpdate(w http.ResponseWriter, r *http.Request, v *visitor) error {
return errHTTPNotFound
}
func (s *Server) handleAccountBillingSubscriptionDelete(w http.ResponseWriter, r *http.Request, v *visitor) error {
return errHTTPNotFound
}
func (s *Server) handleAccountBillingPortalSessionCreate(w http.ResponseWriter, r *http.Request, v *visitor) error {
return errHTTPNotFound
}
func (s *Server) handleAccountBillingWebhook(_ http.ResponseWriter, r *http.Request, v *visitor) error {
return errHTTPNotFound
}

47
server/server_payments_test.go
View File

@@ -1,3 +1,5 @@
//go:build !nopayments
package server
import (
@@ -6,6 +8,7 @@ import (
"github.com/stretchr/testify/require"
"github.com/stripe/stripe-go/v74"
"golang.org/x/time/rate"
"heckel.io/ntfy/v2/payments"
"heckel.io/ntfy/v2/user"
"heckel.io/ntfy/v2/util"
"io"
@@ -148,7 +151,7 @@ func TestPayments_SubscriptionCreate_NotAStripeCustomer_Success(t *testing.T) {
Code: "pro",
StripeMonthlyPriceID: "price_123",
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
// Create subscription
response := request(t, s, "POST", "/v1/account/billing/subscription", `{"tier": "pro", "interval": "month"}`, map[string]string{
@@ -184,7 +187,7 @@ func TestPayments_SubscriptionCreate_StripeCustomer_Success(t *testing.T) {
Code: "pro",
StripeMonthlyPriceID: "price_123",
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
u, err := s.userManager.User("phil")
require.Nil(t, err)
@@ -226,7 +229,7 @@ func TestPayments_AccountDelete_Cancels_Subscription(t *testing.T) {
Code: "pro",
StripeMonthlyPriceID: "price_123",
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
u, err := s.userManager.User("phil")
require.Nil(t, err)
@@ -280,7 +283,7 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
MessageLimit: 220, // 220 * 5% = 11 requests before rate limiting kicks in
MessageExpiryDuration: time.Hour,
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser)) // No tier
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false)) // No tier
u, err := s.userManager.User("phil")
require.Nil(t, err)
@@ -345,8 +348,8 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
require.Nil(t, u.Tier)
require.Equal(t, "", u.Billing.StripeCustomerID)
require.Equal(t, "", u.Billing.StripeSubscriptionID)
require.Equal(t, stripe.SubscriptionStatus(""), u.Billing.StripeSubscriptionStatus)
require.Equal(t, stripe.PriceRecurringInterval(""), u.Billing.StripeSubscriptionInterval)
require.Equal(t, payments.SubscriptionStatus(""), u.Billing.StripeSubscriptionStatus)
require.Equal(t, payments.PriceRecurringInterval(""), u.Billing.StripeSubscriptionInterval)
require.Equal(t, int64(0), u.Billing.StripeSubscriptionPaidUntil.Unix())
require.Equal(t, int64(0), u.Billing.StripeSubscriptionCancelAt.Unix())
require.Equal(t, int64(0), u.Stats.Messages) // Messages and emails are not persisted for no-tier users!
@@ -362,8 +365,8 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
require.Equal(t, "starter", u.Tier.Code) // Not "pro"
require.Equal(t, "acct_5555", u.Billing.StripeCustomerID)
require.Equal(t, "sub_1234", u.Billing.StripeSubscriptionID)
require.Equal(t, stripe.SubscriptionStatusActive, u.Billing.StripeSubscriptionStatus)
require.Equal(t, stripe.PriceRecurringIntervalMonth, u.Billing.StripeSubscriptionInterval)
require.Equal(t, payments.SubscriptionStatus(stripe.SubscriptionStatusActive), u.Billing.StripeSubscriptionStatus)
require.Equal(t, payments.PriceRecurringInterval(stripe.PriceRecurringIntervalMonth), u.Billing.StripeSubscriptionInterval)
require.Equal(t, int64(123456789), u.Billing.StripeSubscriptionPaidUntil.Unix())
require.Equal(t, int64(0), u.Billing.StripeSubscriptionCancelAt.Unix())
require.Equal(t, int64(0), u.Stats.Messages)
@@ -461,7 +464,7 @@ func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(
AttachmentTotalSizeLimit: 1000000,
AttachmentBandwidthLimit: 1000000,
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
require.Nil(t, s.userManager.AddReservation("phil", "atopic", user.PermissionDenyAll))
require.Nil(t, s.userManager.AddReservation("phil", "ztopic", user.PermissionDenyAll))
@@ -473,8 +476,8 @@ func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(
billing := &user.Billing{
StripeCustomerID: "acct_5555",
StripeSubscriptionID: "sub_1234",
StripeSubscriptionStatus: stripe.SubscriptionStatusPastDue,
StripeSubscriptionInterval: stripe.PriceRecurringIntervalMonth,
StripeSubscriptionStatus: payments.SubscriptionStatus(stripe.SubscriptionStatusPastDue),
StripeSubscriptionInterval: payments.PriceRecurringInterval(stripe.PriceRecurringIntervalMonth),
StripeSubscriptionPaidUntil: time.Unix(123, 0),
StripeSubscriptionCancelAt: time.Unix(456, 0),
}
@@ -517,10 +520,10 @@ func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(
require.Equal(t, "starter", u.Tier.Code) // Not "pro"
require.Equal(t, "acct_5555", u.Billing.StripeCustomerID)
require.Equal(t, "sub_1234", u.Billing.StripeSubscriptionID)
require.Equal(t, stripe.SubscriptionStatusActive, u.Billing.StripeSubscriptionStatus) // Not "past_due"
require.Equal(t, stripe.PriceRecurringIntervalYear, u.Billing.StripeSubscriptionInterval) // Not "month"
require.Equal(t, int64(1674268231), u.Billing.StripeSubscriptionPaidUntil.Unix()) // Updated
require.Equal(t, int64(1674299999), u.Billing.StripeSubscriptionCancelAt.Unix()) // Updated
require.Equal(t, payments.SubscriptionStatus(stripe.SubscriptionStatusActive), u.Billing.StripeSubscriptionStatus) // Not "past_due"
require.Equal(t, payments.PriceRecurringInterval(stripe.PriceRecurringIntervalYear), u.Billing.StripeSubscriptionInterval) // Not "month"
require.Equal(t, int64(1674268231), u.Billing.StripeSubscriptionPaidUntil.Unix()) // Updated
require.Equal(t, int64(1674299999), u.Billing.StripeSubscriptionCancelAt.Unix()) // Updated
// Verify that reservations were deleted
r, err := s.userManager.Reservations("phil")
@@ -570,7 +573,7 @@ func TestPayments_Webhook_Subscription_Deleted(t *testing.T) {
StripeMonthlyPriceID: "price_1234",
ReservationLimit: 1,
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
require.Nil(t, s.userManager.AddReservation("phil", "atopic", user.PermissionDenyAll))
@@ -580,8 +583,8 @@ func TestPayments_Webhook_Subscription_Deleted(t *testing.T) {
require.Nil(t, s.userManager.ChangeBilling(u.Name, &user.Billing{
StripeCustomerID: "acct_5555",
StripeSubscriptionID: "sub_1234",
StripeSubscriptionStatus: stripe.SubscriptionStatusPastDue,
StripeSubscriptionInterval: stripe.PriceRecurringIntervalMonth,
StripeSubscriptionStatus: payments.SubscriptionStatus(stripe.SubscriptionStatusPastDue),
StripeSubscriptionInterval: payments.PriceRecurringInterval(stripe.PriceRecurringIntervalMonth),
StripeSubscriptionPaidUntil: time.Unix(123, 0),
StripeSubscriptionCancelAt: time.Unix(0, 0),
}))
@@ -598,7 +601,7 @@ func TestPayments_Webhook_Subscription_Deleted(t *testing.T) {
require.Nil(t, u.Tier)
require.Equal(t, "acct_5555", u.Billing.StripeCustomerID)
require.Equal(t, "", u.Billing.StripeSubscriptionID)
require.Equal(t, stripe.SubscriptionStatus(""), u.Billing.StripeSubscriptionStatus)
require.Equal(t, payments.SubscriptionStatus(""), u.Billing.StripeSubscriptionStatus)
require.Equal(t, int64(0), u.Billing.StripeSubscriptionPaidUntil.Unix())
require.Equal(t, int64(0), u.Billing.StripeSubscriptionCancelAt.Unix())
@@ -658,7 +661,7 @@ func TestPayments_Subscription_Update_Different_Tier(t *testing.T) {
StripeMonthlyPriceID: "price_456",
StripeYearlyPriceID: "price_457",
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
require.Nil(t, s.userManager.ChangeBilling("phil", &user.Billing{
StripeCustomerID: "acct_123",
@@ -690,7 +693,7 @@ func TestPayments_Subscription_Delete_At_Period_End(t *testing.T) {
Return(&stripe.Subscription{}, nil)
// Create user
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeBilling("phil", &user.Billing{
StripeCustomerID: "acct_123",
StripeSubscriptionID: "sub_123",
@@ -724,7 +727,7 @@ func TestPayments_CreatePortalSession(t *testing.T) {
}, nil)
// Create user
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeBilling("phil", &user.Billing{
StripeCustomerID: "acct_123",
StripeSubscriptionID: "sub_123",

774
server/server_test.go
View File

File diff suppressed because it is too large Load Diff

8
server/server_twilio_test.go
View File

@@ -63,7 +63,7 @@ func TestServer_Twilio_Call_Add_Verify_Call_Delete_Success(t *testing.T) {
MessageLimit: 10,
CallLimit: 1,
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
u, err := s.userManager.User("phil")
require.Nil(t, err)
@@ -140,7 +140,7 @@ func TestServer_Twilio_Call_Success(t *testing.T) {
MessageLimit: 10,
CallLimit: 1,
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
u, err := s.userManager.User("phil")
require.Nil(t, err)
@@ -185,7 +185,7 @@ func TestServer_Twilio_Call_Success_With_Yes(t *testing.T) {
MessageLimit: 10,
CallLimit: 1,
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
u, err := s.userManager.User("phil")
require.Nil(t, err)
@@ -277,7 +277,7 @@ func TestServer_Twilio_Call_UnverifiedNumber(t *testing.T) {
MessageLimit: 10,
CallLimit: 1,
}))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser, false))
require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
// Do the thing

8
server/server_webpush.go
View File

@@ -1,3 +1,5 @@
//go:build !nowebpush
package server
import (
@@ -13,6 +15,10 @@ import (
)
const (
// WebPushAvailable is a constant used to indicate that WebPush support is available.
// It can be disabled with the 'nowebpush' build tag.
WebPushAvailable = true
webPushTopicSubscribeLimit = 50
)
@@ -83,7 +89,7 @@ func (s *Server) publishToWebPushEndpoints(v *visitor, m *message) {
return
}
log.Tag(tagWebPush).With(v, m).Debug("Publishing web push message to %d subscribers", len(subscriptions))
payload, err := json.Marshal(newWebPushPayload(fmt.Sprintf("%s/%s", s.config.BaseURL, m.Topic), m))
payload, err := json.Marshal(newWebPushPayload(fmt.Sprintf("%s/%s", s.config.BaseURL, m.Topic), m.forJSON()))
if err != nil {
log.Tag(tagWebPush).Err(err).With(v, m).Warn("Unable to marshal expiring payload")
return

29
server/server_webpush_dummy.go Normal file
View File

@@ -0,0 +1,29 @@
//go:build nowebpush
package server
import (
"net/http"
)
const (
// WebPushAvailable is a constant used to indicate that WebPush support is available.
// It can be disabled with the 'nowebpush' build tag.
WebPushAvailable = false
)
func (s *Server) handleWebPushUpdate(w http.ResponseWriter, r *http.Request, v *visitor) error {
return errHTTPNotFound
}
func (s *Server) handleWebPushDelete(w http.ResponseWriter, r *http.Request, _ *visitor) error {
return errHTTPNotFound
}
func (s *Server) publishToWebPushEndpoints(v *visitor, m *message) {
// Nothing to see here
}
func (s *Server) pruneAndNotifyWebPushSubscriptions() {
// Nothing to see here
}

45
server/server_webpush_test.go
View File

@@ -1,8 +1,11 @@
//go:build !nowebpush
package server
import (
"encoding/json"
"fmt"
"github.com/SherClockHolmes/webpush-go"
"github.com/stretchr/testify/require"
"heckel.io/ntfy/v2/user"
"heckel.io/ntfy/v2/util"
@@ -10,6 +13,7 @@ import (
"net/http"
"net/http/httptest"
"net/netip"
"path/filepath"
"strings"
"sync/atomic"
"testing"
@@ -20,6 +24,28 @@ const (
testWebPushEndpoint = "https://updates.push.services.mozilla.com/wpush/v1/AAABBCCCDDEEEFFF"
)
func TestServer_WebPush_Enabled(t *testing.T) {
conf := newTestConfig(t)
conf.WebRoot = "" // Disable web app
s := newTestServer(t, conf)
rr := request(t, s, "GET", "/manifest.webmanifest", "", nil)
require.Equal(t, 404, rr.Code)
conf2 := newTestConfig(t)
s2 := newTestServer(t, conf2)
rr = request(t, s2, "GET", "/manifest.webmanifest", "", nil)
require.Equal(t, 404, rr.Code)
conf3 := newTestConfigWithWebPush(t)
s3 := newTestServer(t, conf3)
rr = request(t, s3, "GET", "/manifest.webmanifest", "", nil)
require.Equal(t, 200, rr.Code)
require.Equal(t, "application/manifest+json", rr.Header().Get("Content-Type"))
}
func TestServer_WebPush_Disabled(t *testing.T) {
s := newTestServer(t, newTestConfig(t))
@@ -96,7 +122,7 @@ func TestServer_WebPush_TopicSubscribeProtected_Allowed(t *testing.T) {
config.AuthDefault = user.PermissionDenyAll
s := newTestServer(t, config)
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser, false))
require.Nil(t, s.userManager.AllowAccess("ben", "test-topic", user.PermissionReadWrite))
response := request(t, s, "POST", "/v1/webpush", payloadForTopics(t, []string{"test-topic"}, testWebPushEndpoint), map[string]string{
@@ -126,7 +152,7 @@ func TestServer_WebPush_DeleteAccountUnsubscribe(t *testing.T) {
config := configureAuth(t, newTestConfigWithWebPush(t))
s := newTestServer(t, config)
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser, false))
require.Nil(t, s.userManager.AllowAccess("ben", "test-topic", user.PermissionReadWrite))
response := request(t, s, "POST", "/v1/webpush", payloadForTopics(t, []string{"test-topic"}, testWebPushEndpoint), map[string]string{
@@ -212,7 +238,7 @@ func TestServer_WebPush_Expiry(t *testing.T) {
addSubscription(t, s, pushService.URL+"/push-receive", "test-topic")
requireSubscriptionCount(t, s, "test-topic", 1)
_, err := s.webPush.db.Exec("UPDATE subscription SET updated_at = ?", time.Now().Add(-7*24*time.Hour).Unix())
_, err := s.webPush.db.Exec("UPDATE subscription SET updated_at = ?", time.Now().Add(-55*24*time.Hour).Unix())
require.Nil(t, err)
s.pruneAndNotifyWebPushSubscriptions()
@@ -222,7 +248,7 @@ func TestServer_WebPush_Expiry(t *testing.T) {
return received.Load()
})
_, err = s.webPush.db.Exec("UPDATE subscription SET updated_at = ?", time.Now().Add(-9*24*time.Hour).Unix())
_, err = s.webPush.db.Exec("UPDATE subscription SET updated_at = ?", time.Now().Add(-60*24*time.Hour).Unix())
require.Nil(t, err)
s.pruneAndNotifyWebPushSubscriptions()
@@ -254,3 +280,14 @@ func requireSubscriptionCount(t *testing.T, s *Server, topic string, expectedLen
require.Nil(t, err)
require.Len(t, subs, expectedLength)
}
func newTestConfigWithWebPush(t *testing.T) *Config {
conf := newTestConfig(t)
privateKey, publicKey, err := webpush.GenerateVAPIDKeys()
require.Nil(t, err)
conf.WebPushFile = filepath.Join(t.TempDir(), "webpush.db")
conf.WebPushEmailAddress = "testing@example.com"
conf.WebPushPrivateKey = privateKey
conf.WebPushPublicKey = publicKey
return conf
}

11
server/smtp_server.go
View File

@@ -5,8 +5,6 @@ import (
"encoding/base64"
"errors"
"fmt"
"github.com/emersion/go-smtp"
"github.com/microcosm-cc/bluemonday"
"io"
"mime"
"mime/multipart"
@@ -18,6 +16,9 @@ import (
"regexp"
"strings"
"sync"
"github.com/emersion/go-smtp"
"github.com/microcosm-cc/bluemonday"
)
var (
@@ -191,12 +192,12 @@ func (s *smtpSession) publishMessage(m *message) error {
// Call HTTP handler with fake HTTP request
url := fmt.Sprintf("%s/%s", s.backend.config.BaseURL, m.Topic)
req, err := http.NewRequest("POST", url, strings.NewReader(m.Message))
req.RequestURI = "/" + m.Topic // just for the logs
req.RemoteAddr = remoteAddr // rate limiting!!
req.Header.Set("X-Forwarded-For", remoteAddr)
if err != nil {
return err
}
req.RequestURI = "/" + m.Topic // just for the logs
req.RemoteAddr = remoteAddr // rate limiting!!
req.Header.Set(s.backend.config.ProxyForwardedHeader, remoteAddr) // Set X-Forwarded-For header
if m.Title != "" {
req.Header.Set("Title", m.Title)
}

27
server/templates/alertmanager.yml Normal file
View File

@@ -0,0 +1,27 @@
title: |
{{- if eq .status "firing" }}
🚨 Alert: {{ (first .alerts).labels.alertname }}
{{- else if eq .status "resolved" }}
✅ Resolved: {{ (first .alerts).labels.alertname }}
{{- else }}
{{ fail "Unsupported Alertmanager status." }}
{{- end }}
message: |
Status: {{ .status | title }}
Receiver: {{ .receiver }}
{{- range .alerts }}
Alert: {{ .labels.alertname }}
Instance: {{ .labels.instance }}
Severity: {{ .labels.severity }}
Starts at: {{ .startsAt }}
{{- if .endsAt }}Ends at: {{ .endsAt }}{{ end }}
{{- if .annotations.summary }}
Summary: {{ .annotations.summary }}
{{- end }}
{{- if .annotations.description }}
Description: {{ .annotations.description }}
{{- end }}
Source: {{ .generatorURL }}
{{ end }}

57
server/templates/github.yml Normal file
View File

@@ -0,0 +1,57 @@
title: |
{{- if and .starred_at (eq .action "created")}}
⭐ {{ .sender.login }} starred {{ .repository.name }}
{{- else if and .repository (eq .action "started")}}
👀 {{ .sender.login }} started watching {{ .repository.name }}
{{- else if and .comment (eq .action "created") }}
💬 New comment on issue #{{ .issue.number }} {{ .issue.title }}
{{- else if .pull_request }}
🔀 Pull request {{ .action }}: #{{ .pull_request.number }} {{ .pull_request.title }}
{{- else if .issue }}
🐛 Issue {{ .action }}: #{{ .issue.number }} {{ .issue.title }}
{{- else }}
{{ fail "Unsupported GitHub event type or action." }}
{{- end }}
message: |
{{ if and .starred_at (eq .action "created")}}
Stargazer: {{ .sender.html_url }}
Repository: {{ .repository.html_url }}
{{- else if and .repository (eq .action "started")}}
Watcher: {{ .sender.html_url }}
Repository: {{ .repository.html_url }}
{{- else if and .comment (eq .action "created") }}
Commenter: {{ .comment.user.html_url }}
Repository: {{ .repository.html_url }}
Comment link: {{ .comment.html_url }}
{{ if .comment.body }}
Comment:
{{ .comment.body | trunc 2000 }}{{ end }}
{{- else if .pull_request }}
Branch: {{ .pull_request.head.ref }} → {{ .pull_request.base.ref }}
{{ .action | title }} by: {{ .pull_request.user.html_url }}
Repository: {{ .repository.html_url }}
Pull request: {{ .pull_request.html_url }}
{{ if .pull_request.body }}
Description:
{{ .pull_request.body | trunc 2000 }}{{ end }}
{{- else if .issue }}
{{ .action | title }} by: {{ .issue.user.html_url }}
Repository: {{ .repository.html_url }}
Issue link: {{ .issue.html_url }}
{{ if .issue.labels }}Labels: {{ range .issue.labels }}{{ .name }} {{ end }}{{ end }}
{{ if .issue.body }}
Description:
{{ .issue.body | trunc 2000 }}{{ end }}
{{- else }}
{{ fail "Unsupported GitHub event type or action." }}
{{- end }}

10
server/templates/grafana.yml Normal file
View File

@@ -0,0 +1,10 @@
title: |
{{- if eq .status "firing" }}
🚨 {{ .title | default "Alert firing" }}
{{- else if eq .status "resolved" }}
✅ {{ .title | default "Alert resolved" }}
{{- else }}
⚠️ Unknown alert: {{ .title | default "Alert" }}
{{- end }}
message: |
{{ .message | trunc 2000 }}

33
server/testdata/webhook_alertmanager_firing.json vendored Normal file
View File

@@ -0,0 +1,33 @@
{
"version": "4",
"groupKey": "...",
"status": "firing",
"receiver": "webhook-receiver",
"groupLabels": {
"alertname": "HighCPUUsage"
},
"commonLabels": {
"alertname": "HighCPUUsage",
"instance": "server01",
"severity": "critical"
},
"commonAnnotations": {
"summary": "High CPU usage detected"
},
"alerts": [
{
"status": "firing",
"labels": {
"alertname": "HighCPUUsage",
"instance": "server01",
"severity": "critical"
},
"annotations": {
"summary": "High CPU usage detected"
},
"startsAt": "2025-07-17T07:00:00Z",
"endsAt": "0001-01-01T00:00:00Z",
"generatorURL": "http://prometheus.local/graph?g0.expr=..."
}
]
}

261
server/testdata/webhook_github_comment_created.json vendored Normal file
View File

@@ -0,0 +1,261 @@
{
"action": "created",
"issue": {
"url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1389",
"repository_url": "https://api.github.com/repos/binwiederhier/ntfy",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1389/labels{/name}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1389/comments",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1389/events",
"html_url": "https://github.com/binwiederhier/ntfy/issues/1389",
"id": 3230655753,
"node_id": "I_kwDOGRBhi87Aj-UJ",
"number": 1389,
"title": "instant alerts without Pull to refresh",
"user": {
"login": "edbraunh",
"id": 8795846,
"node_id": "MDQ6VXNlcjg3OTU4NDY=",
"avatar_url": "https://avatars.githubusercontent.com/u/8795846?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/edbraunh",
"html_url": "https://github.com/edbraunh",
"followers_url": "https://api.github.com/users/edbraunh/followers",
"following_url": "https://api.github.com/users/edbraunh/following{/other_user}",
"gists_url": "https://api.github.com/users/edbraunh/gists{/gist_id}",
"starred_url": "https://api.github.com/users/edbraunh/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/edbraunh/subscriptions",
"organizations_url": "https://api.github.com/users/edbraunh/orgs",
"repos_url": "https://api.github.com/users/edbraunh/repos",
"events_url": "https://api.github.com/users/edbraunh/events{/privacy}",
"received_events_url": "https://api.github.com/users/edbraunh/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"labels": [
{
"id": 3480884105,
"node_id": "LA_kwDOGRBhi87PehOJ",
"url": "https://api.github.com/repos/binwiederhier/ntfy/labels/enhancement",
"name": "enhancement",
"color": "a2eeef",
"default": true,
"description": "New feature or request"
}
],
"state": "open",
"locked": false,
"assignee": null,
"assignees": [
],
"milestone": null,
"comments": 3,
"created_at": "2025-07-15T03:46:30Z",
"updated_at": "2025-07-16T11:45:57Z",
"closed_at": null,
"author_association": "NONE",
"active_lock_reason": null,
"sub_issues_summary": {
"total": 0,
"completed": 0,
"percent_completed": 0
},
"body": "Hello ntfy Team,\n\nFirst off, thank you for developing such a powerful and lightweight notification app — its been invaluable for receiving timely alerts.\n\nIm a user who relies heavily on ntfy for real-time trading alerts and have noticed that while push notifications arrive instantly, the in-app alert list does not automatically refresh with new messages. Currently, I need to manually pull-to-refresh the alert list to see the latest alerts.\n\nWould it be possible to add a feature that enables automatic refreshing of the alert list as new notifications arrive? This would greatly enhance usability and streamline the user experience, especially for users monitoring time-sensitive information.\n\nThank you for considering this request. I appreciate your hard work and look forward to future updates!",
"reactions": {
"url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1389/reactions",
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
},
"timeline_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1389/timeline",
"performed_via_github_app": null,
"state_reason": null
},
"comment": {
"url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments/3078214289",
"html_url": "https://github.com/binwiederhier/ntfy/issues/1389#issuecomment-3078214289",
"issue_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1389",
"id": 3078214289,
"node_id": "IC_kwDOGRBhi863edKR",
"user": {
"login": "wunter8",
"id": 8421688,
"node_id": "MDQ6VXNlcjg0MjE2ODg=",
"avatar_url": "https://avatars.githubusercontent.com/u/8421688?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/wunter8",
"html_url": "https://github.com/wunter8",
"followers_url": "https://api.github.com/users/wunter8/followers",
"following_url": "https://api.github.com/users/wunter8/following{/other_user}",
"gists_url": "https://api.github.com/users/wunter8/gists{/gist_id}",
"starred_url": "https://api.github.com/users/wunter8/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/wunter8/subscriptions",
"organizations_url": "https://api.github.com/users/wunter8/orgs",
"repos_url": "https://api.github.com/users/wunter8/repos",
"events_url": "https://api.github.com/users/wunter8/events{/privacy}",
"received_events_url": "https://api.github.com/users/wunter8/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"created_at": "2025-07-16T11:45:57Z",
"updated_at": "2025-07-16T11:45:57Z",
"author_association": "CONTRIBUTOR",
"body": "These are the things you need to do to get iOS push notifications to work:\n1. open a browser to the web app of your ntfy instance and copy the URL (including \"http://\" or \"https://\", your domain or IP address, and any ports, and excluding any trailing slashes)\n2. put the URL you copied in the ntfy `base-url` config in server.yml or NTFY_BASE_URL in env variables\n3. put the URL you copied in the default server URL setting in the iOS ntfy app\n4. set `upstream-base-url` in server.yml or NTFY_UPSTREAM_BASE_URL in env variables to \"https://ntfy.sh\" (without a trailing slash)",
"reactions": {
"url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments/3078214289/reactions",
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
},
"performed_via_github_app": null
},
"repository": {
"id": 420503947,
"node_id": "R_kgDOGRBhiw",
"name": "ntfy",
"full_name": "binwiederhier/ntfy",
"private": false,
"owner": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/binwiederhier/ntfy",
"description": "Send push notifications to your phone or desktop using PUT/POST",
"fork": false,
"url": "https://api.github.com/repos/binwiederhier/ntfy",
"forks_url": "https://api.github.com/repos/binwiederhier/ntfy/forks",
"keys_url": "https://api.github.com/repos/binwiederhier/ntfy/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/binwiederhier/ntfy/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/binwiederhier/ntfy/teams",
"hooks_url": "https://api.github.com/repos/binwiederhier/ntfy/hooks",
"issue_events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/events{/number}",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/events",
"assignees_url": "https://api.github.com/repos/binwiederhier/ntfy/assignees{/user}",
"branches_url": "https://api.github.com/repos/binwiederhier/ntfy/branches{/branch}",
"tags_url": "https://api.github.com/repos/binwiederhier/ntfy/tags",
"blobs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/binwiederhier/ntfy/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/binwiederhier/ntfy/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/{sha}",
"languages_url": "https://api.github.com/repos/binwiederhier/ntfy/languages",
"stargazers_url": "https://api.github.com/repos/binwiederhier/ntfy/stargazers",
"contributors_url": "https://api.github.com/repos/binwiederhier/ntfy/contributors",
"subscribers_url": "https://api.github.com/repos/binwiederhier/ntfy/subscribers",
"subscription_url": "https://api.github.com/repos/binwiederhier/ntfy/subscription",
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/binwiederhier/ntfy/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/binwiederhier/ntfy/contents/{+path}",
"compare_url": "https://api.github.com/repos/binwiederhier/ntfy/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/binwiederhier/ntfy/merges",
"archive_url": "https://api.github.com/repos/binwiederhier/ntfy/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/binwiederhier/ntfy/downloads",
"issues_url": "https://api.github.com/repos/binwiederhier/ntfy/issues{/number}",
"pulls_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls{/number}",
"milestones_url": "https://api.github.com/repos/binwiederhier/ntfy/milestones{/number}",
"notifications_url": "https://api.github.com/repos/binwiederhier/ntfy/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/labels{/name}",
"releases_url": "https://api.github.com/repos/binwiederhier/ntfy/releases{/id}",
"deployments_url": "https://api.github.com/repos/binwiederhier/ntfy/deployments",
"created_at": "2021-10-23T19:25:32Z",
"updated_at": "2025-07-16T10:18:34Z",
"pushed_at": "2025-07-13T13:56:19Z",
"git_url": "git://github.com/binwiederhier/ntfy.git",
"ssh_url": "git@github.com:binwiederhier/ntfy.git",
"clone_url": "https://github.com/binwiederhier/ntfy.git",
"svn_url": "https://github.com/binwiederhier/ntfy",
"homepage": "https://ntfy.sh",
"size": 36740,
"stargazers_count": 25111,
"watchers_count": 25111,
"language": "Go",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"has_discussions": false,
"forks_count": 984,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 367,
"license": {
"key": "apache-2.0",
"name": "Apache License 2.0",
"spdx_id": "Apache-2.0",
"url": "https://api.github.com/licenses/apache-2.0",
"node_id": "MDc6TGljZW5zZTI="
},
"allow_forking": true,
"is_template": false,
"web_commit_signoff_required": false,
"topics": [
"curl",
"notifications",
"ntfy",
"ntfysh",
"pubsub",
"push-notifications",
"rest-api"
],
"visibility": "public",
"forks": 984,
"open_issues": 367,
"watchers": 25111,
"default_branch": "main"
},
"sender": {
"login": "wunter8",
"id": 8421688,
"node_id": "MDQ6VXNlcjg0MjE2ODg=",
"avatar_url": "https://avatars.githubusercontent.com/u/8421688?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/wunter8",
"html_url": "https://github.com/wunter8",
"followers_url": "https://api.github.com/users/wunter8/followers",
"following_url": "https://api.github.com/users/wunter8/following{/other_user}",
"gists_url": "https://api.github.com/users/wunter8/gists{/gist_id}",
"starred_url": "https://api.github.com/users/wunter8/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/wunter8/subscriptions",
"organizations_url": "https://api.github.com/users/wunter8/orgs",
"repos_url": "https://api.github.com/users/wunter8/repos",
"events_url": "https://api.github.com/users/wunter8/events{/privacy}",
"received_events_url": "https://api.github.com/users/wunter8/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
}
}

216
server/testdata/webhook_github_issue_opened.json vendored Normal file
View File

@@ -0,0 +1,216 @@
{
"action": "opened",
"issue": {
"url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1391",
"repository_url": "https://api.github.com/repos/binwiederhier/ntfy",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1391/labels{/name}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1391/comments",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1391/events",
"html_url": "https://github.com/binwiederhier/ntfy/issues/1391",
"id": 3236389051,
"node_id": "I_kwDOGRBhi87A52C7",
"number": 1391,
"title": "http 500 error (ntfy error 50001)",
"user": {
"login": "TheUser-dev",
"id": 213207407,
"node_id": "U_kgDODLVJbw",
"avatar_url": "https://avatars.githubusercontent.com/u/213207407?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/TheUser-dev",
"html_url": "https://github.com/TheUser-dev",
"followers_url": "https://api.github.com/users/TheUser-dev/followers",
"following_url": "https://api.github.com/users/TheUser-dev/following{/other_user}",
"gists_url": "https://api.github.com/users/TheUser-dev/gists{/gist_id}",
"starred_url": "https://api.github.com/users/TheUser-dev/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/TheUser-dev/subscriptions",
"organizations_url": "https://api.github.com/users/TheUser-dev/orgs",
"repos_url": "https://api.github.com/users/TheUser-dev/repos",
"events_url": "https://api.github.com/users/TheUser-dev/events{/privacy}",
"received_events_url": "https://api.github.com/users/TheUser-dev/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"labels": [
{
"id": 3480884102,
"node_id": "LA_kwDOGRBhi87PehOG",
"url": "https://api.github.com/repos/binwiederhier/ntfy/labels/%F0%9F%AA%B2%20bug",
"name": "🪲 bug",
"color": "d73a4a",
"default": false,
"description": "Something isn't working"
}
],
"state": "open",
"locked": false,
"assignee": null,
"assignees": [
],
"milestone": null,
"comments": 0,
"created_at": "2025-07-16T15:20:56Z",
"updated_at": "2025-07-16T15:20:56Z",
"closed_at": null,
"author_association": "NONE",
"active_lock_reason": null,
"sub_issues_summary": {
"total": 0,
"completed": 0,
"percent_completed": 0
},
"body": ":lady_beetle: **Describe the bug**\nWhen sending a notification (especially when it happens with multiple requests) this error occurs\n\n:computer: **Components impacted**\nntfy server 2.13.0 in docker, debian 12 arm64\n\n:bulb: **Screenshots and/or logs**\n```\nclosed with HTTP 500 (ntfy error 50001) (error=database table is locked, http_method=POST, http_path=/_matrix/push/v1/notify, tag=http, visitor_auth_limiter_limit=0.016666666666666666, visitor_auth_limiter_tokens=30, visitor_id=ip:<edited>, visitor_ip=<edited>, visitor_messages=448, visitor_messages_limit=17280, visitor_messages_remaining=16832, visitor_request_limiter_limit=0.2, visitor_request_limiter_tokens=57.049697891799994, visitor_seen=2025-07-16T15:06:35.429Z)\n```\n\n:crystal_ball: **Additional context**\nLooks like this has already been fixed by #498, regression?\n",
"reactions": {
"url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1391/reactions",
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
},
"timeline_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1391/timeline",
"performed_via_github_app": null,
"state_reason": null
},
"repository": {
"id": 420503947,
"node_id": "R_kgDOGRBhiw",
"name": "ntfy",
"full_name": "binwiederhier/ntfy",
"private": false,
"owner": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/binwiederhier/ntfy",
"description": "Send push notifications to your phone or desktop using PUT/POST",
"fork": false,
"url": "https://api.github.com/repos/binwiederhier/ntfy",
"forks_url": "https://api.github.com/repos/binwiederhier/ntfy/forks",
"keys_url": "https://api.github.com/repos/binwiederhier/ntfy/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/binwiederhier/ntfy/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/binwiederhier/ntfy/teams",
"hooks_url": "https://api.github.com/repos/binwiederhier/ntfy/hooks",
"issue_events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/events{/number}",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/events",
"assignees_url": "https://api.github.com/repos/binwiederhier/ntfy/assignees{/user}",
"branches_url": "https://api.github.com/repos/binwiederhier/ntfy/branches{/branch}",
"tags_url": "https://api.github.com/repos/binwiederhier/ntfy/tags",
"blobs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/binwiederhier/ntfy/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/binwiederhier/ntfy/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/{sha}",
"languages_url": "https://api.github.com/repos/binwiederhier/ntfy/languages",
"stargazers_url": "https://api.github.com/repos/binwiederhier/ntfy/stargazers",
"contributors_url": "https://api.github.com/repos/binwiederhier/ntfy/contributors",
"subscribers_url": "https://api.github.com/repos/binwiederhier/ntfy/subscribers",
"subscription_url": "https://api.github.com/repos/binwiederhier/ntfy/subscription",
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/binwiederhier/ntfy/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/binwiederhier/ntfy/contents/{+path}",
"compare_url": "https://api.github.com/repos/binwiederhier/ntfy/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/binwiederhier/ntfy/merges",
"archive_url": "https://api.github.com/repos/binwiederhier/ntfy/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/binwiederhier/ntfy/downloads",
"issues_url": "https://api.github.com/repos/binwiederhier/ntfy/issues{/number}",
"pulls_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls{/number}",
"milestones_url": "https://api.github.com/repos/binwiederhier/ntfy/milestones{/number}",
"notifications_url": "https://api.github.com/repos/binwiederhier/ntfy/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/labels{/name}",
"releases_url": "https://api.github.com/repos/binwiederhier/ntfy/releases{/id}",
"deployments_url": "https://api.github.com/repos/binwiederhier/ntfy/deployments",
"created_at": "2021-10-23T19:25:32Z",
"updated_at": "2025-07-16T14:54:16Z",
"pushed_at": "2025-07-16T11:49:26Z",
"git_url": "git://github.com/binwiederhier/ntfy.git",
"ssh_url": "git@github.com:binwiederhier/ntfy.git",
"clone_url": "https://github.com/binwiederhier/ntfy.git",
"svn_url": "https://github.com/binwiederhier/ntfy",
"homepage": "https://ntfy.sh",
"size": 36831,
"stargazers_count": 25112,
"watchers_count": 25112,
"language": "Go",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"has_discussions": false,
"forks_count": 984,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 369,
"license": {
"key": "apache-2.0",
"name": "Apache License 2.0",
"spdx_id": "Apache-2.0",
"url": "https://api.github.com/licenses/apache-2.0",
"node_id": "MDc6TGljZW5zZTI="
},
"allow_forking": true,
"is_template": false,
"web_commit_signoff_required": false,
"topics": [
"curl",
"notifications",
"ntfy",
"ntfysh",
"pubsub",
"push-notifications",
"rest-api"
],
"visibility": "public",
"forks": 984,
"open_issues": 369,
"watchers": 25112,
"default_branch": "main"
},
"sender": {
"login": "TheUser-dev",
"id": 213207407,
"node_id": "U_kgDODLVJbw",
"avatar_url": "https://avatars.githubusercontent.com/u/213207407?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/TheUser-dev",
"html_url": "https://github.com/TheUser-dev",
"followers_url": "https://api.github.com/users/TheUser-dev/followers",
"following_url": "https://api.github.com/users/TheUser-dev/following{/other_user}",
"gists_url": "https://api.github.com/users/TheUser-dev/gists{/gist_id}",
"starred_url": "https://api.github.com/users/TheUser-dev/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/TheUser-dev/subscriptions",
"organizations_url": "https://api.github.com/users/TheUser-dev/orgs",
"repos_url": "https://api.github.com/users/TheUser-dev/repos",
"events_url": "https://api.github.com/users/TheUser-dev/events{/privacy}",
"received_events_url": "https://api.github.com/users/TheUser-dev/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
}
}

541
server/testdata/webhook_github_pr_opened.json vendored Normal file
View File

@@ -0,0 +1,541 @@
{
"action": "opened",
"number": 1390,
"pull_request": {
"url": "https://api.github.com/repos/binwiederhier/ntfy/pulls/1390",
"id": 2670425869,
"node_id": "PR_kwDOGRBhi86fK3cN",
"html_url": "https://github.com/binwiederhier/ntfy/pull/1390",
"diff_url": "https://github.com/binwiederhier/ntfy/pull/1390.diff",
"patch_url": "https://github.com/binwiederhier/ntfy/pull/1390.patch",
"issue_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1390",
"number": 1390,
"state": "open",
"locked": false,
"title": "WIP Template dir",
"user": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"body": null,
"created_at": "2025-07-16T11:49:31Z",
"updated_at": "2025-07-16T11:49:31Z",
"closed_at": null,
"merged_at": null,
"merge_commit_sha": null,
"assignee": null,
"assignees": [
],
"requested_reviewers": [
],
"requested_teams": [
],
"labels": [
],
"milestone": null,
"draft": false,
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls/1390/commits",
"review_comments_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls/1390/comments",
"review_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls/comments{/number}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/1390/comments",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/b1e935da45365c5e7e731d544a1ad4c7ea3643cd",
"head": {
"label": "binwiederhier:template-dir",
"ref": "template-dir",
"sha": "b1e935da45365c5e7e731d544a1ad4c7ea3643cd",
"user": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"repo": {
"id": 420503947,
"node_id": "R_kgDOGRBhiw",
"name": "ntfy",
"full_name": "binwiederhier/ntfy",
"private": false,
"owner": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/binwiederhier/ntfy",
"description": "Send push notifications to your phone or desktop using PUT/POST",
"fork": false,
"url": "https://api.github.com/repos/binwiederhier/ntfy",
"forks_url": "https://api.github.com/repos/binwiederhier/ntfy/forks",
"keys_url": "https://api.github.com/repos/binwiederhier/ntfy/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/binwiederhier/ntfy/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/binwiederhier/ntfy/teams",
"hooks_url": "https://api.github.com/repos/binwiederhier/ntfy/hooks",
"issue_events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/events{/number}",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/events",
"assignees_url": "https://api.github.com/repos/binwiederhier/ntfy/assignees{/user}",
"branches_url": "https://api.github.com/repos/binwiederhier/ntfy/branches{/branch}",
"tags_url": "https://api.github.com/repos/binwiederhier/ntfy/tags",
"blobs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/binwiederhier/ntfy/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/binwiederhier/ntfy/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/{sha}",
"languages_url": "https://api.github.com/repos/binwiederhier/ntfy/languages",
"stargazers_url": "https://api.github.com/repos/binwiederhier/ntfy/stargazers",
"contributors_url": "https://api.github.com/repos/binwiederhier/ntfy/contributors",
"subscribers_url": "https://api.github.com/repos/binwiederhier/ntfy/subscribers",
"subscription_url": "https://api.github.com/repos/binwiederhier/ntfy/subscription",
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/binwiederhier/ntfy/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/binwiederhier/ntfy/contents/{+path}",
"compare_url": "https://api.github.com/repos/binwiederhier/ntfy/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/binwiederhier/ntfy/merges",
"archive_url": "https://api.github.com/repos/binwiederhier/ntfy/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/binwiederhier/ntfy/downloads",
"issues_url": "https://api.github.com/repos/binwiederhier/ntfy/issues{/number}",
"pulls_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls{/number}",
"milestones_url": "https://api.github.com/repos/binwiederhier/ntfy/milestones{/number}",
"notifications_url": "https://api.github.com/repos/binwiederhier/ntfy/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/labels{/name}",
"releases_url": "https://api.github.com/repos/binwiederhier/ntfy/releases{/id}",
"deployments_url": "https://api.github.com/repos/binwiederhier/ntfy/deployments",
"created_at": "2021-10-23T19:25:32Z",
"updated_at": "2025-07-16T10:18:34Z",
"pushed_at": "2025-07-16T11:49:26Z",
"git_url": "git://github.com/binwiederhier/ntfy.git",
"ssh_url": "git@github.com:binwiederhier/ntfy.git",
"clone_url": "https://github.com/binwiederhier/ntfy.git",
"svn_url": "https://github.com/binwiederhier/ntfy",
"homepage": "https://ntfy.sh",
"size": 36740,
"stargazers_count": 25111,
"watchers_count": 25111,
"language": "Go",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"has_discussions": false,
"forks_count": 984,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 368,
"license": {
"key": "apache-2.0",
"name": "Apache License 2.0",
"spdx_id": "Apache-2.0",
"url": "https://api.github.com/licenses/apache-2.0",
"node_id": "MDc6TGljZW5zZTI="
},
"allow_forking": true,
"is_template": false,
"web_commit_signoff_required": false,
"topics": [
"curl",
"notifications",
"ntfy",
"ntfysh",
"pubsub",
"push-notifications",
"rest-api"
],
"visibility": "public",
"forks": 984,
"open_issues": 368,
"watchers": 25111,
"default_branch": "main",
"allow_squash_merge": true,
"allow_merge_commit": true,
"allow_rebase_merge": true,
"allow_auto_merge": true,
"delete_branch_on_merge": false,
"allow_update_branch": false,
"use_squash_pr_title_as_default": false,
"squash_merge_commit_message": "COMMIT_MESSAGES",
"squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
"merge_commit_message": "PR_TITLE",
"merge_commit_title": "MERGE_MESSAGE"
}
},
"base": {
"label": "binwiederhier:main",
"ref": "main",
"sha": "81a486adc11fe24efcbedefb28ae946028597c2f",
"user": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"repo": {
"id": 420503947,
"node_id": "R_kgDOGRBhiw",
"name": "ntfy",
"full_name": "binwiederhier/ntfy",
"private": false,
"owner": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/binwiederhier/ntfy",
"description": "Send push notifications to your phone or desktop using PUT/POST",
"fork": false,
"url": "https://api.github.com/repos/binwiederhier/ntfy",
"forks_url": "https://api.github.com/repos/binwiederhier/ntfy/forks",
"keys_url": "https://api.github.com/repos/binwiederhier/ntfy/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/binwiederhier/ntfy/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/binwiederhier/ntfy/teams",
"hooks_url": "https://api.github.com/repos/binwiederhier/ntfy/hooks",
"issue_events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/events{/number}",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/events",
"assignees_url": "https://api.github.com/repos/binwiederhier/ntfy/assignees{/user}",
"branches_url": "https://api.github.com/repos/binwiederhier/ntfy/branches{/branch}",
"tags_url": "https://api.github.com/repos/binwiederhier/ntfy/tags",
"blobs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/binwiederhier/ntfy/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/binwiederhier/ntfy/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/{sha}",
"languages_url": "https://api.github.com/repos/binwiederhier/ntfy/languages",
"stargazers_url": "https://api.github.com/repos/binwiederhier/ntfy/stargazers",
"contributors_url": "https://api.github.com/repos/binwiederhier/ntfy/contributors",
"subscribers_url": "https://api.github.com/repos/binwiederhier/ntfy/subscribers",
"subscription_url": "https://api.github.com/repos/binwiederhier/ntfy/subscription",
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/binwiederhier/ntfy/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/binwiederhier/ntfy/contents/{+path}",
"compare_url": "https://api.github.com/repos/binwiederhier/ntfy/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/binwiederhier/ntfy/merges",
"archive_url": "https://api.github.com/repos/binwiederhier/ntfy/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/binwiederhier/ntfy/downloads",
"issues_url": "https://api.github.com/repos/binwiederhier/ntfy/issues{/number}",
"pulls_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls{/number}",
"milestones_url": "https://api.github.com/repos/binwiederhier/ntfy/milestones{/number}",
"notifications_url": "https://api.github.com/repos/binwiederhier/ntfy/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/labels{/name}",
"releases_url": "https://api.github.com/repos/binwiederhier/ntfy/releases{/id}",
"deployments_url": "https://api.github.com/repos/binwiederhier/ntfy/deployments",
"created_at": "2021-10-23T19:25:32Z",
"updated_at": "2025-07-16T10:18:34Z",
"pushed_at": "2025-07-16T11:49:26Z",
"git_url": "git://github.com/binwiederhier/ntfy.git",
"ssh_url": "git@github.com:binwiederhier/ntfy.git",
"clone_url": "https://github.com/binwiederhier/ntfy.git",
"svn_url": "https://github.com/binwiederhier/ntfy",
"homepage": "https://ntfy.sh",
"size": 36740,
"stargazers_count": 25111,
"watchers_count": 25111,
"language": "Go",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"has_discussions": false,
"forks_count": 984,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 368,
"license": {
"key": "apache-2.0",
"name": "Apache License 2.0",
"spdx_id": "Apache-2.0",
"url": "https://api.github.com/licenses/apache-2.0",
"node_id": "MDc6TGljZW5zZTI="
},
"allow_forking": true,
"is_template": false,
"web_commit_signoff_required": false,
"topics": [
"curl",
"notifications",
"ntfy",
"ntfysh",
"pubsub",
"push-notifications",
"rest-api"
],
"visibility": "public",
"forks": 984,
"open_issues": 368,
"watchers": 25111,
"default_branch": "main",
"allow_squash_merge": true,
"allow_merge_commit": true,
"allow_rebase_merge": true,
"allow_auto_merge": true,
"delete_branch_on_merge": false,
"allow_update_branch": false,
"use_squash_pr_title_as_default": false,
"squash_merge_commit_message": "COMMIT_MESSAGES",
"squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
"merge_commit_message": "PR_TITLE",
"merge_commit_title": "MERGE_MESSAGE"
}
},
"_links": {
"self": {
"href": "https://api.github.com/repos/binwiederhier/ntfy/pulls/1390"
},
"html": {
"href": "https://github.com/binwiederhier/ntfy/pull/1390"
},
"issue": {
"href": "https://api.github.com/repos/binwiederhier/ntfy/issues/1390"
},
"comments": {
"href": "https://api.github.com/repos/binwiederhier/ntfy/issues/1390/comments"
},
"review_comments": {
"href": "https://api.github.com/repos/binwiederhier/ntfy/pulls/1390/comments"
},
"review_comment": {
"href": "https://api.github.com/repos/binwiederhier/ntfy/pulls/comments{/number}"
},
"commits": {
"href": "https://api.github.com/repos/binwiederhier/ntfy/pulls/1390/commits"
},
"statuses": {
"href": "https://api.github.com/repos/binwiederhier/ntfy/statuses/b1e935da45365c5e7e731d544a1ad4c7ea3643cd"
}
},
"author_association": "OWNER",
"auto_merge": null,
"active_lock_reason": null,
"merged": false,
"mergeable": null,
"rebaseable": null,
"mergeable_state": "unknown",
"merged_by": null,
"comments": 0,
"review_comments": 0,
"maintainer_can_modify": false,
"commits": 7,
"additions": 5506,
"deletions": 42,
"changed_files": 58
},
"repository": {
"id": 420503947,
"node_id": "R_kgDOGRBhiw",
"name": "ntfy",
"full_name": "binwiederhier/ntfy",
"private": false,
"owner": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/binwiederhier/ntfy",
"description": "Send push notifications to your phone or desktop using PUT/POST",
"fork": false,
"url": "https://api.github.com/repos/binwiederhier/ntfy",
"forks_url": "https://api.github.com/repos/binwiederhier/ntfy/forks",
"keys_url": "https://api.github.com/repos/binwiederhier/ntfy/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/binwiederhier/ntfy/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/binwiederhier/ntfy/teams",
"hooks_url": "https://api.github.com/repos/binwiederhier/ntfy/hooks",
"issue_events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/events{/number}",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/events",
"assignees_url": "https://api.github.com/repos/binwiederhier/ntfy/assignees{/user}",
"branches_url": "https://api.github.com/repos/binwiederhier/ntfy/branches{/branch}",
"tags_url": "https://api.github.com/repos/binwiederhier/ntfy/tags",
"blobs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/binwiederhier/ntfy/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/binwiederhier/ntfy/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/{sha}",
"languages_url": "https://api.github.com/repos/binwiederhier/ntfy/languages",
"stargazers_url": "https://api.github.com/repos/binwiederhier/ntfy/stargazers",
"contributors_url": "https://api.github.com/repos/binwiederhier/ntfy/contributors",
"subscribers_url": "https://api.github.com/repos/binwiederhier/ntfy/subscribers",
"subscription_url": "https://api.github.com/repos/binwiederhier/ntfy/subscription",
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/binwiederhier/ntfy/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/binwiederhier/ntfy/contents/{+path}",
"compare_url": "https://api.github.com/repos/binwiederhier/ntfy/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/binwiederhier/ntfy/merges",
"archive_url": "https://api.github.com/repos/binwiederhier/ntfy/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/binwiederhier/ntfy/downloads",
"issues_url": "https://api.github.com/repos/binwiederhier/ntfy/issues{/number}",
"pulls_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls{/number}",
"milestones_url": "https://api.github.com/repos/binwiederhier/ntfy/milestones{/number}",
"notifications_url": "https://api.github.com/repos/binwiederhier/ntfy/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/labels{/name}",
"releases_url": "https://api.github.com/repos/binwiederhier/ntfy/releases{/id}",
"deployments_url": "https://api.github.com/repos/binwiederhier/ntfy/deployments",
"created_at": "2021-10-23T19:25:32Z",
"updated_at": "2025-07-16T10:18:34Z",
"pushed_at": "2025-07-16T11:49:26Z",
"git_url": "git://github.com/binwiederhier/ntfy.git",
"ssh_url": "git@github.com:binwiederhier/ntfy.git",
"clone_url": "https://github.com/binwiederhier/ntfy.git",
"svn_url": "https://github.com/binwiederhier/ntfy",
"homepage": "https://ntfy.sh",
"size": 36740,
"stargazers_count": 25111,
"watchers_count": 25111,
"language": "Go",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"has_discussions": false,
"forks_count": 984,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 368,
"license": {
"key": "apache-2.0",
"name": "Apache License 2.0",
"spdx_id": "Apache-2.0",
"url": "https://api.github.com/licenses/apache-2.0",
"node_id": "MDc6TGljZW5zZTI="
},
"allow_forking": true,
"is_template": false,
"web_commit_signoff_required": false,
"topics": [
"curl",
"notifications",
"ntfy",
"ntfysh",
"pubsub",
"push-notifications",
"rest-api"
],
"visibility": "public",
"forks": 984,
"open_issues": 368,
"watchers": 25111,
"default_branch": "main"
},
"sender": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
}
}

141
server/testdata/webhook_github_star_created.json vendored Normal file
View File

@@ -0,0 +1,141 @@
{
"action": "created",
"starred_at": "2025-07-16T12:57:43Z",
"repository": {
"id": 420503947,
"node_id": "R_kgDOGRBhiw",
"name": "ntfy",
"full_name": "binwiederhier/ntfy",
"private": false,
"owner": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/binwiederhier/ntfy",
"description": "Send push notifications to your phone or desktop using PUT/POST",
"fork": false,
"url": "https://api.github.com/repos/binwiederhier/ntfy",
"forks_url": "https://api.github.com/repos/binwiederhier/ntfy/forks",
"keys_url": "https://api.github.com/repos/binwiederhier/ntfy/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/binwiederhier/ntfy/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/binwiederhier/ntfy/teams",
"hooks_url": "https://api.github.com/repos/binwiederhier/ntfy/hooks",
"issue_events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/events{/number}",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/events",
"assignees_url": "https://api.github.com/repos/binwiederhier/ntfy/assignees{/user}",
"branches_url": "https://api.github.com/repos/binwiederhier/ntfy/branches{/branch}",
"tags_url": "https://api.github.com/repos/binwiederhier/ntfy/tags",
"blobs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/binwiederhier/ntfy/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/binwiederhier/ntfy/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/{sha}",
"languages_url": "https://api.github.com/repos/binwiederhier/ntfy/languages",
"stargazers_url": "https://api.github.com/repos/binwiederhier/ntfy/stargazers",
"contributors_url": "https://api.github.com/repos/binwiederhier/ntfy/contributors",
"subscribers_url": "https://api.github.com/repos/binwiederhier/ntfy/subscribers",
"subscription_url": "https://api.github.com/repos/binwiederhier/ntfy/subscription",
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/binwiederhier/ntfy/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/binwiederhier/ntfy/contents/{+path}",
"compare_url": "https://api.github.com/repos/binwiederhier/ntfy/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/binwiederhier/ntfy/merges",
"archive_url": "https://api.github.com/repos/binwiederhier/ntfy/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/binwiederhier/ntfy/downloads",
"issues_url": "https://api.github.com/repos/binwiederhier/ntfy/issues{/number}",
"pulls_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls{/number}",
"milestones_url": "https://api.github.com/repos/binwiederhier/ntfy/milestones{/number}",
"notifications_url": "https://api.github.com/repos/binwiederhier/ntfy/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/labels{/name}",
"releases_url": "https://api.github.com/repos/binwiederhier/ntfy/releases{/id}",
"deployments_url": "https://api.github.com/repos/binwiederhier/ntfy/deployments",
"created_at": "2021-10-23T19:25:32Z",
"updated_at": "2025-07-16T12:57:43Z",
"pushed_at": "2025-07-16T11:49:26Z",
"git_url": "git://github.com/binwiederhier/ntfy.git",
"ssh_url": "git@github.com:binwiederhier/ntfy.git",
"clone_url": "https://github.com/binwiederhier/ntfy.git",
"svn_url": "https://github.com/binwiederhier/ntfy",
"homepage": "https://ntfy.sh",
"size": 36831,
"stargazers_count": 25112,
"watchers_count": 25112,
"language": "Go",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"has_discussions": false,
"forks_count": 984,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 368,
"license": {
"key": "apache-2.0",
"name": "Apache License 2.0",
"spdx_id": "Apache-2.0",
"url": "https://api.github.com/licenses/apache-2.0",
"node_id": "MDc6TGljZW5zZTI="
},
"allow_forking": true,
"is_template": false,
"web_commit_signoff_required": false,
"topics": [
"curl",
"notifications",
"ntfy",
"ntfysh",
"pubsub",
"push-notifications",
"rest-api"
],
"visibility": "public",
"forks": 984,
"open_issues": 368,
"watchers": 25112,
"default_branch": "main"
},
"sender": {
"login": "mbilby",
"id": 51273322,
"node_id": "MDQ6VXNlcjUxMjczMzIy",
"avatar_url": "https://avatars.githubusercontent.com/u/51273322?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/mbilby",
"html_url": "https://github.com/mbilby",
"followers_url": "https://api.github.com/users/mbilby/followers",
"following_url": "https://api.github.com/users/mbilby/following{/other_user}",
"gists_url": "https://api.github.com/users/mbilby/gists{/gist_id}",
"starred_url": "https://api.github.com/users/mbilby/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/mbilby/subscriptions",
"organizations_url": "https://api.github.com/users/mbilby/orgs",
"repos_url": "https://api.github.com/users/mbilby/repos",
"events_url": "https://api.github.com/users/mbilby/events{/privacy}",
"received_events_url": "https://api.github.com/users/mbilby/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
}
}

139
server/testdata/webhook_github_watch_created.json vendored Normal file
View File

@@ -0,0 +1,139 @@
{
"action": "started",
"repository": {
"id": 420503947,
"node_id": "R_kgDOGRBhiw",
"name": "ntfy",
"full_name": "binwiederhier/ntfy",
"private": false,
"owner": {
"login": "binwiederhier",
"id": 664597,
"node_id": "MDQ6VXNlcjY2NDU5Nw==",
"avatar_url": "https://avatars.githubusercontent.com/u/664597?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/binwiederhier",
"html_url": "https://github.com/binwiederhier",
"followers_url": "https://api.github.com/users/binwiederhier/followers",
"following_url": "https://api.github.com/users/binwiederhier/following{/other_user}",
"gists_url": "https://api.github.com/users/binwiederhier/gists{/gist_id}",
"starred_url": "https://api.github.com/users/binwiederhier/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/binwiederhier/subscriptions",
"organizations_url": "https://api.github.com/users/binwiederhier/orgs",
"repos_url": "https://api.github.com/users/binwiederhier/repos",
"events_url": "https://api.github.com/users/binwiederhier/events{/privacy}",
"received_events_url": "https://api.github.com/users/binwiederhier/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/binwiederhier/ntfy",
"description": "Send push notifications to your phone or desktop using PUT/POST",
"fork": false,
"url": "https://api.github.com/repos/binwiederhier/ntfy",
"forks_url": "https://api.github.com/repos/binwiederhier/ntfy/forks",
"keys_url": "https://api.github.com/repos/binwiederhier/ntfy/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/binwiederhier/ntfy/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/binwiederhier/ntfy/teams",
"hooks_url": "https://api.github.com/repos/binwiederhier/ntfy/hooks",
"issue_events_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/events{/number}",
"events_url": "https://api.github.com/repos/binwiederhier/ntfy/events",
"assignees_url": "https://api.github.com/repos/binwiederhier/ntfy/assignees{/user}",
"branches_url": "https://api.github.com/repos/binwiederhier/ntfy/branches{/branch}",
"tags_url": "https://api.github.com/repos/binwiederhier/ntfy/tags",
"blobs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/binwiederhier/ntfy/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/binwiederhier/ntfy/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/binwiederhier/ntfy/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/binwiederhier/ntfy/statuses/{sha}",
"languages_url": "https://api.github.com/repos/binwiederhier/ntfy/languages",
"stargazers_url": "https://api.github.com/repos/binwiederhier/ntfy/stargazers",
"contributors_url": "https://api.github.com/repos/binwiederhier/ntfy/contributors",
"subscribers_url": "https://api.github.com/repos/binwiederhier/ntfy/subscribers",
"subscription_url": "https://api.github.com/repos/binwiederhier/ntfy/subscription",
"commits_url": "https://api.github.com/repos/binwiederhier/ntfy/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/binwiederhier/ntfy/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/binwiederhier/ntfy/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/binwiederhier/ntfy/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/binwiederhier/ntfy/contents/{+path}",
"compare_url": "https://api.github.com/repos/binwiederhier/ntfy/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/binwiederhier/ntfy/merges",
"archive_url": "https://api.github.com/repos/binwiederhier/ntfy/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/binwiederhier/ntfy/downloads",
"issues_url": "https://api.github.com/repos/binwiederhier/ntfy/issues{/number}",
"pulls_url": "https://api.github.com/repos/binwiederhier/ntfy/pulls{/number}",
"milestones_url": "https://api.github.com/repos/binwiederhier/ntfy/milestones{/number}",
"notifications_url": "https://api.github.com/repos/binwiederhier/ntfy/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/binwiederhier/ntfy/labels{/name}",
"releases_url": "https://api.github.com/repos/binwiederhier/ntfy/releases{/id}",
"deployments_url": "https://api.github.com/repos/binwiederhier/ntfy/deployments",
"created_at": "2021-10-23T19:25:32Z",
"updated_at": "2025-07-16T12:57:43Z",
"pushed_at": "2025-07-16T11:49:26Z",
"git_url": "git://github.com/binwiederhier/ntfy.git",
"ssh_url": "git@github.com:binwiederhier/ntfy.git",
"clone_url": "https://github.com/binwiederhier/ntfy.git",
"svn_url": "https://github.com/binwiederhier/ntfy",
"homepage": "https://ntfy.sh",
"size": 36831,
"stargazers_count": 25112,
"watchers_count": 25112,
"language": "Go",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": false,
"has_discussions": false,
"forks_count": 984,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 368,
"license": {
"key": "apache-2.0",
"name": "Apache License 2.0",
"spdx_id": "Apache-2.0",
"url": "https://api.github.com/licenses/apache-2.0",
"node_id": "MDc6TGljZW5zZTI="
},
"allow_forking": true,
"is_template": false,
"web_commit_signoff_required": false,
"topics": [
"curl",
"notifications",
"ntfy",
"ntfysh",
"pubsub",
"push-notifications",
"rest-api"
],
"visibility": "public",
"forks": 984,
"open_issues": 368,
"watchers": 25112,
"default_branch": "main"
},
"sender": {
"login": "mbilby",
"id": 51273322,
"node_id": "MDQ6VXNlcjUxMjczMzIy",
"avatar_url": "https://avatars.githubusercontent.com/u/51273322?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/mbilby",
"html_url": "https://github.com/mbilby",
"followers_url": "https://api.github.com/users/mbilby/followers",
"following_url": "https://api.github.com/users/mbilby/following{/other_user}",
"gists_url": "https://api.github.com/users/mbilby/gists{/gist_id}",
"starred_url": "https://api.github.com/users/mbilby/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/mbilby/subscriptions",
"organizations_url": "https://api.github.com/users/mbilby/orgs",
"repos_url": "https://api.github.com/users/mbilby/repos",
"events_url": "https://api.github.com/users/mbilby/events{/privacy}",
"received_events_url": "https://api.github.com/users/mbilby/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
}
}

51
server/testdata/webhook_grafana_resolved.json vendored Normal file
View File

@@ -0,0 +1,51 @@
{
"receiver": "ntfy\\.example\\.com/alerts",
"status": "resolved",
"alerts": [
{
"status": "resolved",
"labels": {
"alertname": "Load avg 15m too high",
"grafana_folder": "Node alerts",
"instance": "10.108.0.2:9100",
"job": "node-exporter"
},
"annotations": {
"summary": "15m load average too high"
},
"startsAt": "2024-03-15T02:28:00Z",
"endsAt": "2024-03-15T02:42:00Z",
"generatorURL": "localhost:3000/alerting/grafana/NW9oDw-4z/view",
"fingerprint": "becbfb94bd81ef48",
"silenceURL": "localhost:3000/alerting/silence/new?alertmanager=grafana&matcher=alertname%3DLoad+avg+15m+too+high&matcher=grafana_folder%3DNode+alerts&matcher=instance%3D10.108.0.2%3A9100&matcher=job%3Dnode-exporter",
"dashboardURL": "",
"panelURL": "",
"values": {
"B": 18.98211314475876,
"C": 0
},
"valueString": "[ var='B' labels={__name__=node_load15, instance=10.108.0.2:9100, job=node-exporter} value=18.98211314475876 ], [ var='C' labels={__name__=node_load15, instance=10.108.0.2:9100, job=node-exporter} value=0 ]"
}
],
"groupLabels": {
"alertname": "Load avg 15m too high",
"grafana_folder": "Node alerts"
},
"commonLabels": {
"alertname": "Load avg 15m too high",
"grafana_folder": "Node alerts",
"instance": "10.108.0.2:9100",
"job": "node-exporter"
},
"commonAnnotations": {
"summary": "15m load average too high"
},
"externalURL": "localhost:3000/",
"version": "1",
"groupKey": "{}:{alertname=\"Load avg 15m too high\", grafana_folder=\"Node alerts\"}",
"truncatedAlerts": 0,
"orgId": 1,
"title": "[RESOLVED] Load avg 15m too high Node alerts (10.108.0.2:9100 node-exporter)",
"state": "ok",
"message": "**Resolved**\n\nValue: B=18.98211314475876, C=0\nLabels:\n - alertname = Load avg 15m too high\n - grafana_folder = Node alerts\n - instance = 10.108.0.2:9100\n - job = node-exporter\n"
}

156
server/types.go
View File

@@ -7,16 +7,17 @@ import (
"heckel.io/ntfy/v2/log"
"heckel.io/ntfy/v2/user"
"heckel.io/ntfy/v2/util"
)
// List of possible events
const (
openEvent = "open"
keepaliveEvent = "keepalive"
messageEvent = "message"
pollRequestEvent = "poll_request"
openEvent = "open"
keepaliveEvent = "keepalive"
messageEvent = "message"
messageDeleteEvent = "message_delete"
messageClearEvent = "message_clear"
pollRequestEvent = "poll_request"
)
const (
@@ -25,10 +26,11 @@ const (
// message represents a message published to a topic
type message struct {
ID string `json:"id"` // Random message ID
Time int64 `json:"time"` // Unix time in seconds
Expires int64 `json:"expires,omitempty"` // Unix time in seconds (not required for open/keepalive)
Event string `json:"event"` // One of the above
ID string `json:"id"` // Random message ID
SequenceID string `json:"sequence_id,omitempty"` // Message sequence ID for updating message contents (omitted if same as ID)
Time int64 `json:"time"` // Unix time in seconds
Expires int64 `json:"expires,omitempty"` // Unix time in seconds (not required for open/keepalive)
Event string `json:"event"` // One of the above
Topic string `json:"topic"`
Title string `json:"title,omitempty"`
Message string `json:"message,omitempty"`
@@ -40,18 +42,19 @@ type message struct {
Attachment *attachment `json:"attachment,omitempty"`
PollID string `json:"poll_id,omitempty"`
ContentType string `json:"content_type,omitempty"` // text/plain by default (if empty), or text/markdown
Encoding string `json:"encoding,omitempty"` // empty for raw UTF-8, or "base64" for encoded bytes
Encoding string `json:"encoding,omitempty"` // Empty for raw UTF-8, or "base64" for encoded bytes
Sender netip.Addr `json:"-"` // IP address of uploader, used for rate limiting
User string `json:"-"` // UserID of the uploader, used to associated attachments
}
func (m *message) Context() log.Context {
fields := map[string]any{
"topic": m.Topic,
"message_id": m.ID,
"message_time": m.Time,
"message_event": m.Event,
"message_body_size": len(m.Message),
"topic": m.Topic,
"message_id": m.ID,
"message_sequence_id": m.SequenceID,
"message_time": m.Time,
"message_event": m.Event,
"message_body_size": len(m.Message),
}
if m.Sender.IsValid() {
fields["message_sender"] = m.Sender.String()
@@ -62,6 +65,17 @@ func (m *message) Context() log.Context {
return fields
}
// forJSON returns a copy of the message suitable for JSON output.
// It clears the SequenceID if it equals the ID to reduce redundancy.
func (m *message) forJSON() *message {
if m.SequenceID == m.ID {
clone := *m
clone.SequenceID = ""
return &clone
}
return m
}
type attachment struct {
Name string `json:"name"`
Type string `json:"type,omitempty"`
@@ -92,20 +106,23 @@ func newAction() *action {
// publishMessage is used as input when publishing as JSON
type publishMessage struct {
Topic string `json:"topic"`
Title string `json:"title"`
Message string `json:"message"`
Priority int `json:"priority"`
Tags []string `json:"tags"`
Click string `json:"click"`
Icon string `json:"icon"`
Actions []action `json:"actions"`
Attach string `json:"attach"`
Markdown bool `json:"markdown"`
Filename string `json:"filename"`
Email string `json:"email"`
Call string `json:"call"`
Delay string `json:"delay"`
Topic string `json:"topic"`
SequenceID string `json:"sequence_id"`
Title string `json:"title"`
Message string `json:"message"`
Priority int `json:"priority"`
Tags []string `json:"tags"`
Click string `json:"click"`
Icon string `json:"icon"`
Actions []action `json:"actions"`
Attach string `json:"attach"`
Markdown bool `json:"markdown"`
Filename string `json:"filename"`
Email string `json:"email"`
Call string `json:"call"`
Cache string `json:"cache"` // use string as it defaults to true (or use &bool instead)
Firebase string `json:"firebase"` // use string as it defaults to true (or use &bool instead)
Delay string `json:"delay"`
}
// messageEncoder is a function that knows how to encode a message
@@ -144,6 +161,13 @@ func newPollRequestMessage(topic, pollID string) *message {
return m
}
// newActionMessage creates a new action message (message_delete or message_clear)
func newActionMessage(event, topic, sequenceID string) *message {
m := newMessage(event, topic, "")
m.SequenceID = sequenceID
return m
}
func validMessageID(s string) bool {
return util.ValidRandomString(s, messageIDLength)
}
@@ -169,8 +193,12 @@ func (t sinceMarker) IsNone() bool {
return t == sinceNoMessages
}
func (t sinceMarker) IsLatest() bool {
return t == sinceLatestMessage
}
func (t sinceMarker) IsID() bool {
return t.id != ""
return t.id != "" && t.id != "latest"
}
func (t sinceMarker) Time() time.Time {
@@ -182,8 +210,9 @@ func (t sinceMarker) ID() string {
}
var (
sinceAllMessages = sinceMarker{time.Unix(0, 0), ""}
sinceNoMessages = sinceMarker{time.Unix(1, 0), ""}
sinceAllMessages = sinceMarker{time.Unix(0, 0), ""}
sinceNoMessages = sinceMarker{time.Unix(1, 0), ""}
sinceLatestMessage = sinceMarker{time.Unix(0, 0), "latest"}
)
type queryFilter struct {
@@ -217,7 +246,7 @@ func parseQueryFilters(r *http.Request) (*queryFilter, error) {
}
func (q *queryFilter) Pass(msg *message) bool {
if msg.Event != messageEvent {
if msg.Event != messageEvent && msg.Event != messageDeleteEvent && msg.Event != messageClearEvent {
return true // filters only apply to messages
} else if q.ID != "" && msg.ID != q.ID {
return false
@@ -239,6 +268,51 @@ func (q *queryFilter) Pass(msg *message) bool {
return true
}
// templateMode represents the mode in which templates are used
//
// It can be
// - empty: templating is disabled
// - a boolean string (yes/1/true/no/0/false): inline-templating mode
// - a filename (e.g. grafana): template mode with a file
type templateMode string
// Enabled returns true if templating is enabled
func (t templateMode) Enabled() bool {
return t != ""
}
// InlineMode returns true if inline-templating mode is enabled
func (t templateMode) InlineMode() bool {
return t.Enabled() && isBoolValue(string(t))
}
// FileMode returns true if file-templating mode is enabled
func (t templateMode) FileMode() bool {
return t.Enabled() && !isBoolValue(string(t))
}
// FileName returns the filename if file-templating mode is enabled, or an empty string otherwise
func (t templateMode) FileName() string {
if t.FileMode() {
return string(t)
}
return ""
}
// templateFile represents a template file with title and message
// It is used for file-based templates, e.g. grafana, influxdb, etc.
//
// Example YAML:
//
// title: "Alert: {{ .Title }}"
// message: |
// This is a {{ .Type }} alert.
// It can be multiline.
type templateFile struct {
Title *string `yaml:"title"`
Message *string `yaml:"message"`
}
type apiHealthResponse struct {
Healthy bool `json:"healthy"`
}
@@ -248,9 +322,10 @@ type apiStatsResponse struct {
MessagesRate float64 `json:"messages_rate"` // Average number of messages per second
}
type apiUserAddRequest struct {
type apiUserAddOrUpdateRequest struct {
Username string `json:"username"`
Password string `json:"password"`
Hash string `json:"hash"`
Tier string `json:"tier"`
// Do not add 'role' here. We don't want to add admins via the API.
}
@@ -308,11 +383,12 @@ type apiAccountTokenUpdateRequest struct {
}
type apiAccountTokenResponse struct {
Token string `json:"token"`
Label string `json:"label,omitempty"`
LastAccess int64 `json:"last_access,omitempty"`
LastOrigin string `json:"last_origin,omitempty"`
Expires int64 `json:"expires,omitempty"` // Unix timestamp
Token string `json:"token"`
Label string `json:"label,omitempty"`
LastAccess int64 `json:"last_access,omitempty"`
LastOrigin string `json:"last_origin,omitempty"`
Expires int64 `json:"expires,omitempty"` // Unix timestamp
Provisioned bool `json:"provisioned,omitempty"` // True if this token was provisioned by the server config
}
type apiAccountPhoneNumberVerifyRequest struct {
@@ -374,6 +450,7 @@ type apiAccountResponse struct {
Username string `json:"username"`
Role string `json:"role,omitempty"`
SyncTopic string `json:"sync_topic,omitempty"`
Provisioned bool `json:"provisioned,omitempty"`
Language string `json:"language,omitempty"`
Notification *user.NotificationPrefs `json:"notification,omitempty"`
Subscriptions []*user.Subscription `json:"subscriptions,omitempty"`
@@ -395,6 +472,7 @@ type apiConfigResponse struct {
BaseURL string `json:"base_url"`
AppRoot string `json:"app_root"`
EnableLogin bool `json:"enable_login"`
RequireLogin bool `json:"require_login"`
EnableSignup bool `json:"enable_signup"`
EnablePayments bool `json:"enable_payments"`
EnableCalls bool `json:"enable_calls"`

114
server/util.go
View File

@@ -4,18 +4,30 @@ import (
"context"
"errors"
"fmt"
"heckel.io/ntfy/v2/util"
"io"
"mime"
"net/http"
"net/netip"
"regexp"
"strings"
"heckel.io/ntfy/v2/util"
)
var (
mimeDecoder mime.WordDecoder
mimeDecoder mime.WordDecoder
// priorityHeaderIgnoreRegex matches specific patterns of the "Priority" header (RFC 9218), so that it can be ignored
priorityHeaderIgnoreRegex = regexp.MustCompile(`^u=\d,\s*(i|\d)$|^u=\d$`)
// forwardedHeaderRegex parses IPv4 and IPv6 addresses from the "Forwarded" header (RFC 7239)
// IPv6 addresses in Forwarded header are enclosed in square brackets. The port is optional.
//
// Examples:
// for="1.2.3.4"
// for="[2001:db8::1]"; for=1.2.3.4:8080, by=phil
// for="1.2.3.4:8080"
forwardedHeaderRegex = regexp.MustCompile(`(?i)\bfor="?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\[[0-9a-f:]+])(?::\d+)?"?`)
)
func readBoolParam(r *http.Request, defaultValue bool, names ...string) bool {
@@ -34,15 +46,11 @@ func toBool(value string) bool {
return value == "1" || value == "yes" || value == "true"
}
func readCommaSeparatedParam(r *http.Request, names ...string) (params []string) {
paramStr := readParam(r, names...)
if paramStr != "" {
params = make([]string, 0)
for _, s := range util.SplitNoEmpty(paramStr, ",") {
params = append(params, strings.TrimSpace(s))
}
func readCommaSeparatedParam(r *http.Request, names ...string) []string {
if paramStr := readParam(r, names...); paramStr != "" {
return util.Map(util.SplitNoEmpty(paramStr, ","), strings.TrimSpace)
}
return params
return []string{}
}
func readParam(r *http.Request, names ...string) string {
@@ -73,34 +81,68 @@ func readQueryParam(r *http.Request, names ...string) string {
return ""
}
func extractIPAddress(r *http.Request, behindProxy bool) netip.Addr {
remoteAddr := r.RemoteAddr
addrPort, err := netip.ParseAddrPort(remoteAddr)
ip := addrPort.Addr()
// extractIPAddress extracts the IP address of the visitor from the request,
// either from the TCP socket or from a proxy header.
func extractIPAddress(r *http.Request, behindProxy bool, proxyForwardedHeader string, proxyTrustedPrefixes []netip.Prefix) netip.Addr {
if behindProxy && proxyForwardedHeader != "" {
if addr, err := extractIPAddressFromHeader(r, proxyForwardedHeader, proxyTrustedPrefixes); err == nil {
return addr
}
// Fall back to the remote address if the header is not found or invalid
}
addrPort, err := netip.ParseAddrPort(r.RemoteAddr)
if err != nil {
// This should not happen in real life; only in tests. So, using falling back to 0.0.0.0 if address unspecified
ip, err = netip.ParseAddr(remoteAddr)
if err != nil {
ip = netip.IPv4Unspecified()
if remoteAddr != "@" || !behindProxy { // RemoteAddr is @ when unix socket is used
logr(r).Err(err).Warn("unable to parse IP (%s), new visitor with unspecified IP (0.0.0.0) created", remoteAddr)
logr(r).Err(err).Warn("unable to parse IP (%s), new visitor with unspecified IP (0.0.0.0) created", r.RemoteAddr)
return netip.IPv4Unspecified()
}
return addrPort.Addr()
}
// extractIPAddressFromHeader extracts the last IP address from the specified header.
//
// It supports multiple formats:
// - single IP address
// - comma-separated list
// - RFC 7239-style list (Forwarded header)
//
// If there are multiple addresses, we first remove the trusted IP addresses from the list, and
// then take the right-most address in the list (as this is the one added by our proxy server).
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details.
func extractIPAddressFromHeader(r *http.Request, forwardedHeader string, trustedPrefixes []netip.Prefix) (netip.Addr, error) {
value := strings.TrimSpace(strings.ToLower(r.Header.Get(forwardedHeader)))
if value == "" {
return netip.IPv4Unspecified(), fmt.Errorf("no %s header found", forwardedHeader)
}
// Extract valid addresses
addrsStrs := util.Map(util.SplitNoEmpty(value, ","), strings.TrimSpace)
var validAddrs []netip.Addr
for _, addrStr := range addrsStrs {
// Handle Forwarded header with for="[IPv6]" or for="IPv4"
if m := forwardedHeaderRegex.FindStringSubmatch(addrStr); len(m) == 2 {
addrRaw := m[1]
if strings.HasPrefix(addrRaw, "[") && strings.HasSuffix(addrRaw, "]") {
addrRaw = addrRaw[1 : len(addrRaw)-1]
}
if addr, err := netip.ParseAddr(addrRaw); err == nil {
validAddrs = append(validAddrs, addr)
}
} else if addr, err := netip.ParseAddr(addrStr); err == nil {
validAddrs = append(validAddrs, addr)
}
}
// Filter out proxy addresses
clientAddrs := util.Filter(validAddrs, func(addr netip.Addr) bool {
for _, prefix := range trustedPrefixes {
if prefix.Contains(addr) {
return false // Address is in the trusted range, ignore it
}
}
return true
})
if len(clientAddrs) == 0 {
return netip.IPv4Unspecified(), fmt.Errorf("no client IP address found in %s header: %s", forwardedHeader, value)
}
if behindProxy && strings.TrimSpace(r.Header.Get("X-Forwarded-For")) != "" {
// X-Forwarded-For can contain multiple addresses (see #328). If we are behind a proxy,
// only the right-most address can be trusted (as this is the one added by our proxy server).
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details.
ips := util.SplitNoEmpty(r.Header.Get("X-Forwarded-For"), ",")
realIP, err := netip.ParseAddr(strings.TrimSpace(util.LastString(ips, remoteAddr)))
if err != nil {
logr(r).Err(err).Error("invalid IP address %s received in X-Forwarded-For header", ip)
// Fall back to regular remote address if X-Forwarded-For is damaged
} else {
ip = realIP
}
}
return ip
return clientAddrs[len(clientAddrs)-1], nil
}
func readJSONWithLimit[T any](r io.ReadCloser, limit int, allowEmpty bool) (*T, error) {
@@ -133,7 +175,7 @@ func fromContext[T any](r *http.Request, key contextKey) (T, error) {
// maybeDecodeHeader decodes the given header value if it is MIME encoded, e.g. "=?utf-8?q?Hello_World?=",
// or returns the original header value if it is not MIME encoded. It also calls maybeIgnoreSpecialHeader
// to ignore new HTTP "Priority" header.
// to ignore the new HTTP "Priority" header.
func maybeDecodeHeader(name, value string) string {
decoded, err := mimeDecoder.DecodeHeader(value)
if err != nil {
@@ -142,7 +184,7 @@ func maybeDecodeHeader(name, value string) string {
return maybeIgnoreSpecialHeader(name, decoded)
}
// maybeIgnoreSpecialHeader ignores new HTTP "Priority" header (see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-priority)
// maybeIgnoreSpecialHeader ignores the new HTTP "Priority" header (RFC 9218, see https://datatracker.ietf.org/doc/html/rfc9218)
//
// Cloudflare (and potentially other providers) add this to requests when forwarding to the backend (ntfy),
// so we just ignore it. If the "Priority" header is set to "u=*, i" or "u=*" (by Cloudflare), the header will be ignored.

76
server/util_test.go
View File

@@ -4,10 +4,13 @@ import (
"bytes"
"crypto/rand"
"fmt"
"github.com/stretchr/testify/require"
"heckel.io/ntfy/v2/user"
"net/http"
"net/netip"
"strings"
"testing"
"github.com/stretchr/testify/require"
)
func TestReadBoolParam(t *testing.T) {
@@ -88,3 +91,74 @@ func TestMaybeDecodeHeaders(t *testing.T) {
r.Header.Set("X-Priority", "5") // ntfy priority header
require.Equal(t, "5", readHeaderParam(r, "x-priority", "priority", "p"))
}
func TestExtractIPAddress(t *testing.T) {
r, _ := http.NewRequest("GET", "http://ntfy.sh/mytopic/json?since=all", nil)
r.RemoteAddr = "10.0.0.1:1234"
r.Header.Set("X-Forwarded-For", " 1.2.3.4 , 5.6.7.8")
r.Header.Set("X-Client-IP", "9.10.11.12")
r.Header.Set("X-Real-IP", "13.14.15.16, 1.1.1.1")
r.Header.Set("Forwarded", "for=17.18.19.20;by=proxy.example.com, by=2.2.2.2;for=1.1.1.1")
trustedProxies := []netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")}
require.Equal(t, "5.6.7.8", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
require.Equal(t, "9.10.11.12", extractIPAddress(r, true, "X-Client-IP", trustedProxies).String())
require.Equal(t, "13.14.15.16", extractIPAddress(r, true, "X-Real-IP", trustedProxies).String())
require.Equal(t, "17.18.19.20", extractIPAddress(r, true, "Forwarded", trustedProxies).String())
require.Equal(t, "10.0.0.1", extractIPAddress(r, false, "X-Forwarded-For", trustedProxies).String())
}
func TestExtractIPAddress_UnixSocket(t *testing.T) {
r, _ := http.NewRequest("GET", "http://ntfy.sh/mytopic/json?since=all", nil)
r.RemoteAddr = "@"
r.Header.Set("X-Forwarded-For", "1.2.3.4, 5.6.7.8, 1.1.1.1")
r.Header.Set("Forwarded", "by=bla.example.com;for=17.18.19.20")
trustedProxies := []netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")}
require.Equal(t, "5.6.7.8", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
require.Equal(t, "17.18.19.20", extractIPAddress(r, true, "Forwarded", trustedProxies).String())
require.Equal(t, "0.0.0.0", extractIPAddress(r, false, "X-Forwarded-For", trustedProxies).String())
}
func TestExtractIPAddress_MixedIPv4IPv6(t *testing.T) {
r, _ := http.NewRequest("GET", "http://ntfy.sh/mytopic/json?since=all", nil)
r.RemoteAddr = "[2001:db8:abcd::1]:1234"
r.Header.Set("X-Forwarded-For", "1.2.3.4, 2001:db8:abcd::2, 5.6.7.8")
trustedProxies := []netip.Prefix{netip.MustParsePrefix("1.2.3.0/24")}
require.Equal(t, "5.6.7.8", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
}
func TestExtractIPAddress_TrustedIPv6Prefix(t *testing.T) {
r, _ := http.NewRequest("GET", "http://ntfy.sh/mytopic/json?since=all", nil)
r.RemoteAddr = "[2001:db8:abcd::1]:1234"
r.Header.Set("X-Forwarded-For", "2001:db8:aaaa::1, 2001:db8:aaaa::2, 2001:db8:abcd:2::3")
trustedProxies := []netip.Prefix{netip.MustParsePrefix("2001:db8:aaaa::/48")}
require.Equal(t, "2001:db8:abcd:2::3", extractIPAddress(r, true, "X-Forwarded-For", trustedProxies).String())
}
func TestVisitorID(t *testing.T) {
confWithDefaults := &Config{
VisitorPrefixBitsIPv4: 32,
VisitorPrefixBitsIPv6: 64,
}
confWithShortenedPrefixes := &Config{
VisitorPrefixBitsIPv4: 16,
VisitorPrefixBitsIPv6: 56,
}
userWithTier := &user.User{
ID: "u_123",
Tier: &user.Tier{},
}
require.Equal(t, "ip:1.2.3.4", visitorID(netip.MustParseAddr("1.2.3.4"), nil, confWithDefaults))
require.Equal(t, "ip:2a01:599:b26:2397::", visitorID(netip.MustParseAddr("2a01:599:b26:2397:dbe7:5aa2:95ce:1e83"), nil, confWithDefaults))
require.Equal(t, "ip:2001:db8:25:86::", visitorID(netip.MustParseAddr("2001:db8:25:86:1::1"), nil, confWithDefaults))
require.Equal(t, "ip:2001:db8:25:86::", visitorID(netip.MustParseAddr("2001:db8:25:86:2::1"), nil, confWithDefaults))
require.Equal(t, "user:u_123", visitorID(netip.MustParseAddr("1.2.3.4"), userWithTier, confWithDefaults))
require.Equal(t, "user:u_123", visitorID(netip.MustParseAddr("2a01:599:b26:2397:dbe7:5aa2:95ce:1e83"), userWithTier, confWithDefaults))
require.Equal(t, "ip:1.2.0.0", visitorID(netip.MustParseAddr("1.2.3.4"), nil, confWithShortenedPrefixes))
require.Equal(t, "ip:2a01:599:b26:2300::", visitorID(netip.MustParseAddr("2a01:599:b26:2397:dbe7:5aa2:95ce:1e83"), nil, confWithShortenedPrefixes))
}

14
server/visitor.go
View File

@@ -2,13 +2,13 @@ package server
import (
"fmt"
"heckel.io/ntfy/v2/log"
"heckel.io/ntfy/v2/user"
"net/netip"
"sync"
"time"
"golang.org/x/time/rate"
"heckel.io/ntfy/v2/log"
"heckel.io/ntfy/v2/user"
"heckel.io/ntfy/v2/util"
)
@@ -151,7 +151,7 @@ func (v *visitor) Context() log.Context {
func (v *visitor) contextNoLock() log.Context {
info := v.infoLightNoLock()
fields := log.Context{
"visitor_id": visitorID(v.ip, v.user),
"visitor_id": visitorID(v.ip, v.user, v.config),
"visitor_ip": v.ip.String(),
"visitor_seen": util.FormatTime(v.seen),
"visitor_messages": info.Stats.Messages,
@@ -524,9 +524,15 @@ func dailyLimitToRate(limit int64) rate.Limit {
return rate.Limit(limit) * rate.Every(oneDay)
}
func visitorID(ip netip.Addr, u *user.User) string {
// visitorID returns a unique identifier for a visitor based on user or IP, using configurable prefix bits for IPv4/IPv6
func visitorID(ip netip.Addr, u *user.User, conf *Config) string {
if u != nil && u.Tier != nil {
return fmt.Sprintf("user:%s", u.ID)
}
if ip.Is4() {
ip = netip.PrefixFrom(ip, conf.VisitorPrefixBitsIPv4).Masked().Addr()
} else if ip.Is6() {
ip = netip.PrefixFrom(ip, conf.VisitorPrefixBitsIPv6).Masked().Addr()
}
return fmt.Sprintf("ip:%s", ip.String())
}

9
server/webpush_store.go
View File

@@ -79,8 +79,9 @@ const (
deleteWebPushSubscriptionByUserIDQuery = `DELETE FROM subscription WHERE user_id = ?`
deleteWebPushSubscriptionByAgeQuery = `DELETE FROM subscription WHERE updated_at <= ?` // Full table scan!
insertWebPushSubscriptionTopicQuery = `INSERT INTO subscription_topic (subscription_id, topic) VALUES (?, ?)`
deleteWebPushSubscriptionTopicAllQuery = `DELETE FROM subscription_topic WHERE subscription_id = ?`
insertWebPushSubscriptionTopicQuery = `INSERT INTO subscription_topic (subscription_id, topic) VALUES (?, ?)`
deleteWebPushSubscriptionTopicAllQuery = `DELETE FROM subscription_topic WHERE subscription_id = ?`
deleteWebPushSubscriptionTopicWithoutSubscription = `DELETE FROM subscription_topic WHERE subscription_id NOT IN (SELECT id FROM subscription)`
)
// Schema management queries
@@ -271,6 +272,10 @@ func (c *webPushStore) RemoveSubscriptionsByUserID(userID string) error {
// RemoveExpiredSubscriptions removes all subscriptions that have not been updated for a given time period
func (c *webPushStore) RemoveExpiredSubscriptions(expireAfter time.Duration) error {
_, err := c.db.Exec(deleteWebPushSubscriptionByAgeQuery, time.Now().Add(-expireAfter).Unix())
if err != nil {
return err
}
_, err = c.db.Exec(deleteWebPushSubscriptionTopicWithoutSubscription)
return err
}