[ { "path": ".dockerignore", "content": "dist\n*/node_modules\nDockerfile*\n" }, { "path": ".git-blame-ignore-revs", "content": "# https://docs.github.com/en/repositories/working-with-files/using-files/viewing-a-file#ignore-commits-in-the-blame-view\n\n# Run prettier (https://github.com/binwiederhier/ntfy/pull/746)\n6f6a2d1f693070bf72e89d86748080e4825c9164\nc87549e71a10bc789eac8036078228f06e515a8e\nca5d736a7169eb6b4b0d849e061d5bf9565dcc53\n2e27f58963feb9e4d1c573d4745d07770777fa7d\n\n# Run eslint (https://github.com/binwiederhier/ntfy/pull/748)\nf558b4dbe9bb5b9e0e87fada1215de2558353173\n8319f1cf26113167fb29fe12edaff5db74caf35f\n" }, { "path": ".github/FUNDING.yml", "content": "github: [binwiederhier]\nliberapay: ntfy\n" }, { "path": ".github/ISSUE_TEMPLATE/1_bug_report.md", "content": "---\nname: 🐛 Bug Report\nabout: Report any errors and problems\ntitle: ''\nlabels: '🪲 bug'\nassignees: ''\n\n---\n\n:lady_beetle: **Describe the bug**\n\n\n:computer: **Components impacted**\n\n\n:bulb: **Screenshots and/or logs**\n\n\n:crystal_ball: **Additional context**\n\n" }, { "path": ".github/ISSUE_TEMPLATE/2_enhancement_request.md", "content": "---\nname: 💡 Feature/Enhancement Request\nabout: Got a great idea? Let us know!\ntitle: ''\nlabels: 'enhancement'\nassignees: ''\n\n---\n\n\n\n:bulb: **Idea**\n\n\n:computer: **Target components**\n\n\n\n" }, { "path": ".github/ISSUE_TEMPLATE/3_tech_support.md", "content": "---\nname: 🆘 I need help with ...\nabout: Installing ntfy, configuring the app, etc.\ntitle: ''\nlabels: 'tech-support'\nassignees: ''\n\n---\n\n\n\n" }, { "path": ".github/ISSUE_TEMPLATE/4_question.md", "content": "---\nname: ❓ Question\nabout: Ask a question about ntfy\ntitle: ''\nlabels: 'question'\nassignees: ''\n\n---\n\n\n\n:question: **Question**\n\n" }, { "path": ".github/workflows/build.yaml", "content": "name: build\non: [ push, pull_request ]\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions/checkout@v3\n - name: Install Go\n uses: actions/setup-go@v4\n with:\n go-version: '1.24.x'\n - name: Install node\n uses: actions/setup-node@v3\n with:\n node-version: '20'\n cache: 'npm'\n cache-dependency-path: './web/package-lock.json'\n - name: Install dependencies\n run: make build-deps-ubuntu\n - name: Build all the things\n run: make build\n - name: Print build results and checksums\n run: make cli-build-results\n" }, { "path": ".github/workflows/docs.yaml", "content": "name: docs\non:\n push:\n branches:\n - main\njobs:\n publish-docs:\n runs-on: ubuntu-latest\n steps:\n -\n name: Checkout ntfy code\n uses: actions/checkout@v3\n -\n name: Checkout docs pages code\n uses: actions/checkout@v3\n with:\n repository: binwiederhier/ntfy-docs.github.io\n path: build/ntfy-docs.github.io\n token: ${{secrets.NTFY_DOCS_PUSH_TOKEN}}\n # Expires after 1 year, re-generate via\n # User -> Settings -> Developer options -> Personal Access Tokens -> Fine Grained Token\n -\n name: Build docs\n run: make docs\n -\n name: Copy generated docs\n run: rsync -av --exclude CNAME --delete server/docs/ build/ntfy-docs.github.io/docs/\n -\n name: Publish docs\n run: |\n cd build/ntfy-docs.github.io\n git config user.name \"GitHub Actions Bot\"\n git config user.email \"\" \n git add docs/\n git commit -m \"Updated docs\"\n git push origin main\n" }, { "path": ".github/workflows/release.yaml", "content": "name: release\non:\n push:\n tags:\n - 'v[0-9]+.[0-9]+.[0-9]+'\njobs:\n release:\n runs-on: ubuntu-latest\n services:\n postgres:\n image: postgres:17\n env:\n POSTGRES_USER: ntfy\n POSTGRES_PASSWORD: ntfy\n POSTGRES_DB: ntfy_test\n ports:\n - 5432:5432\n options: >-\n --health-cmd \"pg_isready -U ntfy\"\n --health-interval 10s\n --health-timeout 5s\n --health-retries 5\n env:\n NTFY_TEST_DATABASE_URL: \"postgres://ntfy:ntfy@localhost:5432/ntfy_test?sslmode=disable\"\n steps:\n - name: Checkout code\n uses: actions/checkout@v3\n - name: Install Go\n uses: actions/setup-go@v4\n with:\n go-version: '1.24.x'\n - name: Install node\n uses: actions/setup-node@v3\n with:\n node-version: '20'\n cache: 'npm'\n cache-dependency-path: './web/package-lock.json'\n - name: Docker login\n uses: docker/login-action@v2\n with:\n username: ${{ github.repository_owner }}\n password: ${{ secrets.DOCKER_HUB_TOKEN }}\n - name: Install dependencies\n run: make build-deps-ubuntu\n - name: Build and publish\n run: make release\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n - name: Print build results and checksums\n run: make cli-build-results\n" }, { "path": ".github/workflows/test.yaml", "content": "name: test\non: [ push, pull_request ]\njobs:\n test:\n runs-on: ubuntu-latest\n services:\n postgres:\n image: postgres:17\n env:\n POSTGRES_USER: ntfy\n POSTGRES_PASSWORD: ntfy\n POSTGRES_DB: ntfy_test\n ports:\n - 5432:5432\n options: >-\n --health-cmd \"pg_isready -U ntfy\"\n --health-interval 10s\n --health-timeout 5s\n --health-retries 5\n env:\n NTFY_TEST_DATABASE_URL: \"postgres://ntfy:ntfy@localhost:5432/ntfy_test?sslmode=disable\"\n steps:\n - name: Checkout code\n uses: actions/checkout@v3\n - name: Install Go\n uses: actions/setup-go@v4\n with:\n go-version: '1.24.x'\n - name: Install node\n uses: actions/setup-node@v3\n with:\n node-version: '20'\n cache: 'npm'\n cache-dependency-path: './web/package-lock.json'\n - name: Install dependencies\n run: make build-deps-ubuntu\n - name: Build docs (required for tests)\n run: make docs\n - name: Build web app (required for tests)\n run: make web\n - name: Run tests, formatting, vetting and linting\n run: make checkv\n - name: Run coverage\n run: make coverage\n" }, { "path": ".gitignore", "content": "dist/\ndev-dist/\nbuild/\n.idea/\n.vscode/\n*.swp\nserver/docs/\nserver/site/\ntools/fbsend/fbsend\ntools/pgimport/pgimport\ntools/loadtest/loadtest\nplayground/\nsecrets/\n*.iml\nnode_modules/\n.DS_Store\n__pycache__\nweb/dev-dist/\nvenv/\ncmd/key-file.yaml\n" }, { "path": ".gitpod.yml", "content": "tasks:\n - name: docs\n before: make docs-deps\n command: mkdocs serve\n - name: binary\n before: |\n npm install --global nodemon\n make cli-deps-static-sites\n command: |\n nodemon --watch './**/*.go' --ext go --signal SIGTERM --exec \"CGO_ENABLED=1 go run main.go serve --listen-http :2586 --debug --base-url $(gp url 2586)\"\n openMode: split-right\n - name: web\n before: make web-deps\n command: cd web && npm start\n openMode: split-right\n\nvscode:\n extensions:\n - golang.go\n - ms-azuretools.vscode-docker\n\nports:\n - name: docs\n port: 8000\n - name: binary\n port: 2586\n - name: web\n port: 3000" }, { "path": ".goreleaser.yml", "content": "version: 2\nbefore:\n hooks:\n - go mod download\n - go mod tidy\nbuilds:\n - id: ntfy_linux_amd64\n binary: ntfy\n env:\n - CGO_ENABLED=1 # required for go-sqlite3\n tags: [ sqlite_omit_load_extension,osusergo,netgo ]\n ldflags:\n - \"-linkmode=external -extldflags=-static -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}\"\n goos: [ linux ]\n goarch: [ amd64 ]\n - id: ntfy_linux_armv6\n binary: ntfy\n env:\n - CGO_ENABLED=1 # required for go-sqlite3\n - CC=arm-linux-gnueabi-gcc # apt install gcc-arm-linux-gnueabi\n tags: [ sqlite_omit_load_extension,osusergo,netgo ]\n ldflags:\n - \"-linkmode=external -extldflags=-static -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}\"\n goos: [ linux ]\n goarch: [ arm ]\n goarm: [ 6 ]\n - id: ntfy_linux_armv7\n binary: ntfy\n env:\n - CGO_ENABLED=1 # required for go-sqlite3\n - CC=arm-linux-gnueabi-gcc # apt install gcc-arm-linux-gnueabi\n tags: [ sqlite_omit_load_extension,osusergo,netgo ]\n ldflags:\n - \"-linkmode=external -extldflags=-static -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}\"\n goos: [ linux ]\n goarch: [ arm ]\n goarm: [ 7 ]\n - id: ntfy_linux_arm64\n binary: ntfy\n env:\n - CGO_ENABLED=1 # required for go-sqlite3\n - CC=aarch64-linux-gnu-gcc # apt install gcc-aarch64-linux-gnu\n tags: [ sqlite_omit_load_extension,osusergo,netgo ]\n ldflags:\n - \"-linkmode=external -extldflags=-static -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}\"\n goos: [ linux ]\n goarch: [ arm64 ]\n - id: ntfy_windows_amd64\n binary: ntfy\n env:\n - CGO_ENABLED=1 # required for go-sqlite3\n - CC=x86_64-w64-mingw32-gcc # apt install gcc-mingw-w64-x86-64\n tags: [ sqlite_omit_load_extension,osusergo,netgo ]\n ldflags:\n - \"-s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}\"\n goos: [ windows ]\n goarch: [amd64 ]\n -\n id: ntfy_darwin_all\n binary: ntfy\n env:\n - CGO_ENABLED=0 # explicitly disable, since we don't need go-sqlite3\n tags: [ noserver ] # don't include server files\n ldflags:\n - \"-X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}\"\n goos: [ darwin ]\n goarch: [ amd64, arm64 ] # will be combined to \"universal binary\" (see below)\nnfpms:\n - package_name: ntfy\n homepage: https://heckel.io/ntfy\n maintainer: Philipp C. Heckel \n description: Simple pub-sub notification service\n license: Apache 2.0\n formats:\n - deb\n - rpm\n bindir: /usr/bin\n contents:\n - src: server/server.yml\n dst: /etc/ntfy/server.yml\n type: \"config|noreplace\"\n - src: server/ntfy.service\n dst: /lib/systemd/system/ntfy.service\n - src: client/client.yml\n dst: /etc/ntfy/client.yml\n type: \"config|noreplace\"\n - src: client/ntfy-client.service\n dst: /lib/systemd/system/ntfy-client.service\n - src: client/user/ntfy-client.service\n dst: /lib/systemd/user/ntfy-client.service\n - dst: /var/cache/ntfy\n type: dir\n - dst: /var/cache/ntfy/attachments\n type: dir\n - dst: /var/lib/ntfy\n type: dir\n - dst: /usr/share/ntfy/logo.png\n src: web/public/static/images/ntfy.png\n scripts:\n preinstall: \"scripts/preinst.sh\"\n postinstall: \"scripts/postinst.sh\"\n preremove: \"scripts/prerm.sh\"\n postremove: \"scripts/postrm.sh\"\narchives:\n - id: ntfy_linux\n ids:\n - ntfy_linux_amd64\n - ntfy_linux_armv6\n - ntfy_linux_armv7\n - ntfy_linux_arm64\n wrap_in_directory: true\n files:\n - LICENSE\n - README.md\n - server/server.yml\n - server/ntfy.service\n - client/client.yml\n - client/ntfy-client.service\n - client/user/ntfy-client.service\n - id: ntfy_windows\n ids:\n - ntfy_windows_amd64\n formats: [ zip ]\n wrap_in_directory: true\n files:\n - LICENSE\n - README.md\n - client/client.yml\n - id: ntfy_darwin\n ids:\n - ntfy_darwin_all\n wrap_in_directory: true\n files:\n - LICENSE\n - README.md\n - client/client.yml\nuniversal_binaries:\n - id: ntfy_darwin_all\n replace: true\n name_template: ntfy\nchecksum:\n name_template: 'checksums.txt'\nsnapshot:\n version_template: \"{{ .Tag }}-next\"\nchangelog:\n sort: asc\n filters:\n exclude:\n - '^docs:'\n - '^test:'\ndockers:\n - image_templates:\n - &amd64_image \"binwiederhier/ntfy:{{ .Tag }}-amd64\"\n use: buildx\n dockerfile: Dockerfile\n goarch: amd64\n build_flag_templates:\n - \"--platform=linux/amd64\"\n - image_templates:\n - &arm64v8_image \"binwiederhier/ntfy:{{ .Tag }}-arm64v8\"\n use: buildx\n dockerfile: Dockerfile-arm\n goarch: arm64\n build_flag_templates:\n - \"--platform=linux/arm64/v8\"\n - image_templates:\n - &armv7_image \"binwiederhier/ntfy:{{ .Tag }}-armv7\"\n use: buildx\n dockerfile: Dockerfile-arm\n goarch: arm\n goarm: 7\n build_flag_templates:\n - \"--platform=linux/arm/v7\"\n - image_templates:\n - &armv6_image \"binwiederhier/ntfy:{{ .Tag }}-armv6\"\n use: buildx\n dockerfile: Dockerfile-arm\n goarch: arm\n goarm: 6\n build_flag_templates:\n - \"--platform=linux/arm/v6\"\ndocker_manifests:\n - name_template: \"binwiederhier/ntfy:latest\"\n image_templates:\n - *amd64_image\n - *arm64v8_image\n - *armv7_image\n - *armv6_image\n - name_template: \"binwiederhier/ntfy:{{ .Tag }}\"\n image_templates:\n - *amd64_image\n - *arm64v8_image\n - *armv7_image\n - *armv6_image\n - name_template: \"binwiederhier/ntfy:v{{ .Major }}\"\n image_templates:\n - *amd64_image\n - *arm64v8_image\n - *armv7_image\n - *armv6_image\n - name_template: \"binwiederhier/ntfy:v{{ .Major }}.{{ .Minor }}\"\n image_templates:\n - *amd64_image\n - *arm64v8_image\n - *armv7_image\n - *armv6_image\n" }, { "path": "CODE_OF_CONDUCT.md", "content": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participation in our\ncommunity a harassment-free experience for everyone, regardless of age, body\nsize, visible or invisible disability, ethnicity, sex characteristics, gender\nidentity and expression, level of experience, education, socio-economic status,\nnationality, personal appearance, race, caste, color, religion, or sexual\nidentity and orientation.\n\nWe pledge to act and interact in ways that contribute to an open, welcoming,\ndiverse, inclusive, and healthy community.\n\n## Our Standards\n\nExamples of behavior that contributes to a positive environment for our\ncommunity include:\n\n* Demonstrating empathy and kindness toward other people\n* Being respectful of differing opinions, viewpoints, and experiences\n* Giving and gracefully accepting constructive feedback\n* Accepting responsibility and apologizing to those affected by our mistakes,\n and learning from the experience\n* Focusing on what is best not just for us as individuals, but for the overall\n community\n\nExamples of unacceptable behavior include:\n\n* The use of sexualized language or imagery, and sexual attention or advances of\n any kind\n* Trolling, insulting or derogatory comments, and personal or political attacks\n* Public or private harassment\n* Publishing others' private information, such as a physical or email address,\n without their explicit permission\n* Other conduct which could reasonably be considered inappropriate in a\n professional setting\n\n## Enforcement Responsibilities\n\nCommunity leaders are responsible for clarifying and enforcing our standards of\nacceptable behavior and will take appropriate and fair corrective action in\nresponse to any behavior that they deem inappropriate, threatening, offensive,\nor harmful.\n\nCommunity leaders have the right and responsibility to remove, edit, or reject\ncomments, commits, code, wiki edits, issues, and other contributions that are\nnot aligned to this Code of Conduct, and will communicate reasons for moderation\ndecisions when appropriate.\n\n## Scope\n\nThis Code of Conduct applies within all community spaces, and also applies when\nan individual is officially representing the community in public spaces.\nExamples of representing our community include using an official e-mail address,\nposting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported to the community leaders responsible for enforcement via Discord/Matrix (binwiederhier),\nor email (ntfy@heckel.io). All complaints will be reviewed and investigated promptly \nand fairly.\n\nAll community leaders are obligated to respect the privacy and security of the\nreporter of any incident.\n\n## Enforcement Guidelines\n\nCommunity leaders will follow these Community Impact Guidelines in determining\nthe consequences for any action they deem in violation of this Code of Conduct:\n\n### 1. Correction\n\n**Community Impact**: Use of inappropriate language or other behavior deemed\nunprofessional or unwelcome in the community.\n\n**Consequence**: A private, written warning from community leaders, providing\nclarity around the nature of the violation and an explanation of why the\nbehavior was inappropriate. A public apology may be requested.\n\n### 2. Warning\n\n**Community Impact**: A violation through a single incident or series of\nactions.\n\n**Consequence**: A warning with consequences for continued behavior. No\ninteraction with the people involved, including unsolicited interaction with\nthose enforcing the Code of Conduct, for a specified period of time. This\nincludes avoiding interactions in community spaces as well as external channels\nlike social media. Violating these terms may lead to a temporary or permanent\nban.\n\n### 3. Temporary Ban\n\n**Community Impact**: A serious violation of community standards, including\nsustained inappropriate behavior.\n\n**Consequence**: A temporary ban from any sort of interaction or public\ncommunication with the community for a specified period of time. No public or\nprivate interaction with the people involved, including unsolicited interaction\nwith those enforcing the Code of Conduct, is allowed during this period.\nViolating these terms may lead to a permanent ban.\n\n### 4. Permanent Ban\n\n**Community Impact**: Demonstrating a pattern of violation of community\nstandards, including sustained inappropriate behavior, harassment of an\nindividual, or aggression toward or disparagement of classes of individuals.\n\n**Consequence**: A permanent ban from any sort of public interaction within the\ncommunity.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage],\nversion 2.1, available at\n[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].\n\nCommunity Impact Guidelines were inspired by\n[Mozilla's code of conduct enforcement ladder][Mozilla CoC].\n\nFor answers to common questions about this code of conduct, see the FAQ at\n[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at\n[https://www.contributor-covenant.org/translations][translations].\n\n[homepage]: https://www.contributor-covenant.org\n[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html\n[Mozilla CoC]: https://github.com/mozilla/diversity\n[FAQ]: https://www.contributor-covenant.org/faq\n[translations]: https://www.contributor-covenant.org/translations\n\n" }, { "path": "Dockerfile", "content": "FROM alpine\n\nLABEL org.opencontainers.image.authors=\"philipp.heckel@gmail.com\"\nLABEL org.opencontainers.image.url=\"https://ntfy.sh/\"\nLABEL org.opencontainers.image.documentation=\"https://docs.ntfy.sh/\"\nLABEL org.opencontainers.image.source=\"https://github.com/binwiederhier/ntfy\"\nLABEL org.opencontainers.image.vendor=\"Philipp C. Heckel\"\nLABEL org.opencontainers.image.licenses=\"Apache-2.0, GPL-2.0\"\nLABEL org.opencontainers.image.title=\"ntfy\"\nLABEL org.opencontainers.image.description=\"Send push notifications to your phone or desktop using PUT/POST\"\n\nRUN apk add --no-cache tzdata\nCOPY ntfy /usr/bin\n\nEXPOSE 80/tcp\nENTRYPOINT [\"ntfy\"]\n" }, { "path": "Dockerfile-arm", "content": "FROM alpine\n\nLABEL org.opencontainers.image.authors=\"philipp.heckel@gmail.com\"\nLABEL org.opencontainers.image.url=\"https://ntfy.sh/\"\nLABEL org.opencontainers.image.documentation=\"https://docs.ntfy.sh/\"\nLABEL org.opencontainers.image.source=\"https://github.com/binwiederhier/ntfy\"\nLABEL org.opencontainers.image.vendor=\"Philipp C. Heckel\"\nLABEL org.opencontainers.image.licenses=\"Apache-2.0, GPL-2.0\"\nLABEL org.opencontainers.image.title=\"ntfy\"\nLABEL org.opencontainers.image.description=\"Send push notifications to your phone or desktop using PUT/POST\"\n\n# Alpine does not support adding \"tzdata\" on ARM anymore, see\n# https://github.com/binwiederhier/ntfy/issues/894\n\nCOPY ntfy /usr/bin\n\nEXPOSE 80/tcp\nENTRYPOINT [\"ntfy\"]\n" }, { "path": "Dockerfile-build", "content": "FROM golang:1.24-bullseye as builder\n\nARG VERSION=dev\nARG COMMIT=unknown\nARG NODE_MAJOR=18\n\nRUN apt-get update && apt-get install -y \\\n build-essential ca-certificates curl gnupg \\\n && mkdir -p /etc/apt/keyrings \\\n && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \\\n && echo \"deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main\" >> /etc/apt/sources.list.d/nodesource.list \\\n && apt-get update \\\n && apt-get install -y \\\n python3-pip \\\n python3-venv \\\n nodejs \\\n && rm -rf /var/lib/apt/lists/*\n\nWORKDIR /app\nADD Makefile .\n\n# docs\nADD ./requirements.txt .\nRUN make docs-deps\nADD ./mkdocs.yml .\nADD ./docs ./docs\nRUN make docs-build\n\n# web\nADD ./web/package.json ./web/package-lock.json ./web/\nRUN make web-deps\nADD ./web ./web\nRUN make web-build\n\n# cli & server\nADD go.mod go.sum main.go ./\nADD ./client ./client\nADD ./cmd ./cmd\nADD ./log ./log\nADD ./server ./server\nADD ./user ./user\nADD ./util ./util\nADD ./payments ./payments\nRUN make VERSION=$VERSION COMMIT=$COMMIT cli-linux-server\n\nFROM alpine\n\nARG VERSION=dev\n\nLABEL org.opencontainers.image.authors=\"philipp.heckel@gmail.com\"\nLABEL org.opencontainers.image.url=\"https://ntfy.sh/\"\nLABEL org.opencontainers.image.documentation=\"https://docs.ntfy.sh/\"\nLABEL org.opencontainers.image.source=\"https://github.com/binwiederhier/ntfy\"\nLABEL org.opencontainers.image.vendor=\"Philipp C. Heckel\"\nLABEL org.opencontainers.image.licenses=\"Apache-2.0, GPL-2.0\"\nLABEL org.opencontainers.image.title=\"ntfy\"\nLABEL org.opencontainers.image.description=\"Send push notifications to your phone or desktop using PUT/POST\"\nLABEL org.opencontainers.image.version=\"$VERSION\"\n\nCOPY --from=builder /app/dist/ntfy_linux_server/ntfy /usr/bin/ntfy\n\nEXPOSE 80/tcp\nENTRYPOINT [\"ntfy\"]\n" }, { "path": "LICENSE", "content": " Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright 2021 Philipp C. Heckel\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "LICENSE.GPLv2", "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n Preamble\n\n The licenses for most software are designed to take away your\nfreedom to share and change it. By contrast, the GNU General Public\nLicense is intended to guarantee your freedom to share and change free\nsoftware--to make sure the software is free for all its users. This\nGeneral Public License applies to most of the Free Software\nFoundation's software and to any other program whose authors commit to\nusing it. (Some other Free Software Foundation software is covered by\nthe GNU Lesser General Public License instead.) You can apply it to\nyour programs, too.\n\n When we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthis service if you wish), that you receive source code or can get it\nif you want it, that you can change the software or use pieces of it\nin new free programs; and that you know you can do these things.\n\n To protect your rights, we need to make restrictions that forbid\nanyone to deny you these rights or to ask you to surrender the rights.\nThese restrictions translate to certain responsibilities for you if you\ndistribute copies of the software, or if you modify it.\n\n For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must give the recipients all the rights that\nyou have. You must make sure that they, too, receive or can get the\nsource code. And you must show them these terms so they know their\nrights.\n\n We protect your rights with two steps: (1) copyright the software, and\n(2) offer you this license which gives you legal permission to copy,\ndistribute and/or modify the software.\n\n Also, for each author's protection and ours, we want to make certain\nthat everyone understands that there is no warranty for this free\nsoftware. If the software is modified by someone else and passed on, we\nwant its recipients to know that what they have is not the original, so\nthat any problems introduced by others will not reflect on the original\nauthors' reputations.\n\n Finally, any free program is threatened constantly by software\npatents. We wish to avoid the danger that redistributors of a free\nprogram will individually obtain patent licenses, in effect making the\nprogram proprietary. To prevent this, we have made it clear that any\npatent must be licensed for everyone's free use or not licensed at all.\n\n The precise terms and conditions for copying, distribution and\nmodification follow.\n\n GNU GENERAL PUBLIC LICENSE\n TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n 0. This License applies to any program or other work which contains\na notice placed by the copyright holder saying it may be distributed\nunder the terms of this General Public License. The \"Program\", below,\nrefers to any such program or work, and a \"work based on the Program\"\nmeans either the Program or any derivative work under copyright law:\nthat is to say, a work containing the Program or a portion of it,\neither verbatim or with modifications and/or translated into another\nlanguage. (Hereinafter, translation is included without limitation in\nthe term \"modification\".) Each licensee is addressed as \"you\".\n\nActivities other than copying, distribution and modification are not\ncovered by this License; they are outside its scope. The act of\nrunning the Program is not restricted, and the output from the Program\nis covered only if its contents constitute a work based on the\nProgram (independent of having been made by running the Program).\nWhether that is true depends on what the Program does.\n\n 1. You may copy and distribute verbatim copies of the Program's\nsource code as you receive it, in any medium, provided that you\nconspicuously and appropriately publish on each copy an appropriate\ncopyright notice and disclaimer of warranty; keep intact all the\nnotices that refer to this License and to the absence of any warranty;\nand give any other recipients of the Program a copy of this License\nalong with the Program.\n\nYou may charge a fee for the physical act of transferring a copy, and\nyou may at your option offer warranty protection in exchange for a fee.\n\n 2. You may modify your copy or copies of the Program or any portion\nof it, thus forming a work based on the Program, and copy and\ndistribute such modifications or work under the terms of Section 1\nabove, provided that you also meet all of these conditions:\n\n a) You must cause the modified files to carry prominent notices\n stating that you changed the files and the date of any change.\n\n b) You must cause any work that you distribute or publish, that in\n whole or in part contains or is derived from the Program or any\n part thereof, to be licensed as a whole at no charge to all third\n parties under the terms of this License.\n\n c) If the modified program normally reads commands interactively\n when run, you must cause it, when started running for such\n interactive use in the most ordinary way, to print or display an\n announcement including an appropriate copyright notice and a\n notice that there is no warranty (or else, saying that you provide\n a warranty) and that users may redistribute the program under\n these conditions, and telling the user how to view a copy of this\n License. (Exception: if the Program itself is interactive but\n does not normally print such an announcement, your work based on\n the Program is not required to print an announcement.)\n\nThese requirements apply to the modified work as a whole. If\nidentifiable sections of that work are not derived from the Program,\nand can be reasonably considered independent and separate works in\nthemselves, then this License, and its terms, do not apply to those\nsections when you distribute them as separate works. But when you\ndistribute the same sections as part of a whole which is a work based\non the Program, the distribution of the whole must be on the terms of\nthis License, whose permissions for other licensees extend to the\nentire whole, and thus to each and every part regardless of who wrote it.\n\nThus, it is not the intent of this section to claim rights or contest\nyour rights to work written entirely by you; rather, the intent is to\nexercise the right to control the distribution of derivative or\ncollective works based on the Program.\n\nIn addition, mere aggregation of another work not based on the Program\nwith the Program (or with a work based on the Program) on a volume of\na storage or distribution medium does not bring the other work under\nthe scope of this License.\n\n 3. You may copy and distribute the Program (or a work based on it,\nunder Section 2) in object code or executable form under the terms of\nSections 1 and 2 above provided that you also do one of the following:\n\n a) Accompany it with the complete corresponding machine-readable\n source code, which must be distributed under the terms of Sections\n 1 and 2 above on a medium customarily used for software interchange; or,\n\n b) Accompany it with a written offer, valid for at least three\n years, to give any third party, for a charge no more than your\n cost of physically performing source distribution, a complete\n machine-readable copy of the corresponding source code, to be\n distributed under the terms of Sections 1 and 2 above on a medium\n customarily used for software interchange; or,\n\n c) Accompany it with the information you received as to the offer\n to distribute corresponding source code. (This alternative is\n allowed only for noncommercial distribution and only if you\n received the program in object code or executable form with such\n an offer, in accord with Subsection b above.)\n\nThe source code for a work means the preferred form of the work for\nmaking modifications to it. For an executable work, complete source\ncode means all the source code for all modules it contains, plus any\nassociated interface definition files, plus the scripts used to\ncontrol compilation and installation of the executable. However, as a\nspecial exception, the source code distributed need not include\nanything that is normally distributed (in either source or binary\nform) with the major components (compiler, kernel, and so on) of the\noperating system on which the executable runs, unless that component\nitself accompanies the executable.\n\nIf distribution of executable or object code is made by offering\naccess to copy from a designated place, then offering equivalent\naccess to copy the source code from the same place counts as\ndistribution of the source code, even though third parties are not\ncompelled to copy the source along with the object code.\n\n 4. You may not copy, modify, sublicense, or distribute the Program\nexcept as expressly provided under this License. Any attempt\notherwise to copy, modify, sublicense or distribute the Program is\nvoid, and will automatically terminate your rights under this License.\nHowever, parties who have received copies, or rights, from you under\nthis License will not have their licenses terminated so long as such\nparties remain in full compliance.\n\n 5. You are not required to accept this License, since you have not\nsigned it. However, nothing else grants you permission to modify or\ndistribute the Program or its derivative works. These actions are\nprohibited by law if you do not accept this License. Therefore, by\nmodifying or distributing the Program (or any work based on the\nProgram), you indicate your acceptance of this License to do so, and\nall its terms and conditions for copying, distributing or modifying\nthe Program or works based on it.\n\n 6. Each time you redistribute the Program (or any work based on the\nProgram), the recipient automatically receives a license from the\noriginal licensor to copy, distribute or modify the Program subject to\nthese terms and conditions. You may not impose any further\nrestrictions on the recipients' exercise of the rights granted herein.\nYou are not responsible for enforcing compliance by third parties to\nthis License.\n\n 7. If, as a consequence of a court judgment or allegation of patent\ninfringement or for any other reason (not limited to patent issues),\nconditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License. If you cannot\ndistribute so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you\nmay not distribute the Program at all. For example, if a patent\nlicense would not permit royalty-free redistribution of the Program by\nall those who receive copies directly or indirectly through you, then\nthe only way you could satisfy both it and this License would be to\nrefrain entirely from distribution of the Program.\n\nIf any portion of this section is held invalid or unenforceable under\nany particular circumstance, the balance of the section is intended to\napply and the section as a whole is intended to apply in other\ncircumstances.\n\nIt is not the purpose of this section to induce you to infringe any\npatents or other property right claims or to contest validity of any\nsuch claims; this section has the sole purpose of protecting the\nintegrity of the free software distribution system, which is\nimplemented by public license practices. Many people have made\ngenerous contributions to the wide range of software distributed\nthrough that system in reliance on consistent application of that\nsystem; it is up to the author/donor to decide if he or she is willing\nto distribute software through any other system and a licensee cannot\nimpose that choice.\n\nThis section is intended to make thoroughly clear what is believed to\nbe a consequence of the rest of this License.\n\n 8. If the distribution and/or use of the Program is restricted in\ncertain countries either by patents or by copyrighted interfaces, the\noriginal copyright holder who places the Program under this License\nmay add an explicit geographical distribution limitation excluding\nthose countries, so that distribution is permitted only in or among\ncountries not thus excluded. In such case, this License incorporates\nthe limitation as if written in the body of this License.\n\n 9. The Free Software Foundation may publish revised and/or new versions\nof the General Public License from time to time. Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\nEach version is given a distinguishing version number. If the Program\nspecifies a version number of this License which applies to it and \"any\nlater version\", you have the option of following the terms and conditions\neither of that version or of any later version published by the Free\nSoftware Foundation. If the Program does not specify a version number of\nthis License, you may choose any version ever published by the Free Software\nFoundation.\n\n 10. If you wish to incorporate parts of the Program into other free\nprograms whose distribution conditions are different, write to the author\nto ask for permission. For software which is copyrighted by the Free\nSoftware Foundation, write to the Free Software Foundation; we sometimes\nmake exceptions for this. Our decision will be guided by the two goals\nof preserving the free status of all derivatives of our free software and\nof promoting the sharing and reuse of software generally.\n\n NO WARRANTY\n\n 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY\nFOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN\nOTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES\nPROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED\nOR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS\nTO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE\nPROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,\nREPAIR OR CORRECTION.\n\n 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR\nREDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,\nINCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING\nOUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED\nTO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY\nYOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER\nPROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\n END OF TERMS AND CONDITIONS\n\n How to Apply These Terms to Your New Programs\n\n If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n To do so, attach the following notices to the program. It is safest\nto attach them to the start of each source file to most effectively\nconvey the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n ntfy\n Copyright (C) 2021 Philipp C. Heckel\n\n This program is free software; you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation; either version 2 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License along\n with this program; if not, write to the Free Software Foundation, Inc.,\n 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\n\nAlso add information on how to contact you by electronic and paper mail.\n\nIf the program is interactive, make it output a short notice like this\nwhen it starts in an interactive mode:\n\n Gnomovision version 69, Copyright (C) year name of author\n Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n This is free software, and you are welcome to redistribute it\n under certain conditions; type `show c' for details.\n\nThe hypothetical commands `show w' and `show c' should show the appropriate\nparts of the General Public License. Of course, the commands you use may\nbe called something other than `show w' and `show c'; they could even be\nmouse-clicks or menu items--whatever suits your program.\n\nYou should also get your employer (if you work as a programmer) or your\nschool, if any, to sign a \"copyright disclaimer\" for the program, if\nnecessary. Here is a sample; alter the names:\n\n Yoyodyne, Inc., hereby disclaims all copyright interest in the program\n `Gnomovision' (which makes passes at compilers) written by James Hacker.\n\n , 1 April 1989\n Ty Coon, President of Vice\n\nThis General Public License does not permit incorporating your program into\nproprietary programs. If your program is a subroutine library, you may\nconsider it more useful to permit linking proprietary applications with the\nlibrary. If this is what you want to do, use the GNU Lesser General\nPublic License instead of this License.\n\n" }, { "path": "Makefile", "content": "MAKEFLAGS := --jobs=1\nNPM := npm\nPYTHON := python3\nPIP := pip3\nVERSION := $(shell git describe --tag)\nCOMMIT := $(shell git rev-parse --short HEAD)\n\n.PHONY:\n\nhelp:\n\t@echo \"Typical commands (more see below):\"\n\t@echo \" make build - Build web app, documentation and server/client (sloowwww)\"\n\t@echo \" make cli-linux-amd64 - Build server/client binary (amd64, no web app or docs)\"\n\t@echo \" make install-linux-amd64 - Install ntfy binary to /usr/bin/ntfy (amd64)\"\n\t@echo \" make web - Build the web app\"\n\t@echo \" make docs - Build the documentation\"\n\t@echo \" make check - Run all tests, vetting/formatting checks and linters\"\n\t@echo\n\t@echo \"Build everything:\"\n\t@echo \" make build - Build web app, documentation and server/client\"\n\t@echo \" make clean - Clean build/dist folders\"\n\t@echo\n\t@echo \"Build server & client (using GoReleaser, not release version):\"\n\t@echo \" make cli - Build server & client (all architectures)\"\n\t@echo \" make cli-linux-amd64 - Build server & client (Linux, amd64 only)\"\n\t@echo \" make cli-linux-armv6 - Build server & client (Linux, armv6 only)\"\n\t@echo \" make cli-linux-armv7 - Build server & client (Linux, armv7 only)\"\n\t@echo \" make cli-linux-arm64 - Build server & client (Linux, arm64 only)\"\n\t@echo \" make cli-windows-amd64 - Build client (Windows, amd64 only)\"\n\t@echo \" make cli-darwin-all - Build client (macOS, arm64+amd64 universal binary)\"\n\t@echo\n\t@echo \"Build server & client (without GoReleaser):\"\n\t@echo \" make cli-linux-server - Build client & server (no GoReleaser, current arch, Linux)\"\n\t@echo \" make cli-darwin-server - Build client & server (no GoReleaser, current arch, macOS)\"\n\t@echo \" make cli-windows-server - Build client & server (no GoReleaser, amd64 only, Windows)\"\n\t@echo \" make cli-client - Build client only (no GoReleaser, current arch, Linux/macOS/Windows)\"\n\t@echo\n\t@echo \"Build dev Docker:\"\n\t@echo \" make docker-dev - Build client & server for current architecture using Docker only\"\n\t@echo\n\t@echo \"Build web app:\"\n\t@echo \" make web - Build the web app\"\n\t@echo \" make web-deps - Install web app dependencies (npm install the universe)\"\n\t@echo \" make web-build - Actually build the web app\"\n\t@echo \" make web-lint - Run eslint on the web app\"\n\t@echo \" make web-fmt - Run prettier on the web app\"\n\t@echo \" make web-fmt-check - Run prettier on the web app, but don't change anything\"\n\t@echo\n\t@echo \"Build documentation:\"\n\t@echo \" make docs - Build the documentation\"\n\t@echo \" make docs-deps - Install Python dependencies (pip3 install)\"\n\t@echo \" make docs-build - Actually build the documentation\"\n\t@echo\n\t@echo \"Test/check:\"\n\t@echo \" make test - Run tests\"\n\t@echo \" make race - Run tests with -race flag\"\n\t@echo \" make coverage - Run tests and show coverage\"\n\t@echo \" make coverage-html - Run tests and show coverage (as HTML)\"\n\t@echo \" make coverage-upload - Upload coverage results to codecov.io\"\n\t@echo\n\t@echo \"Lint/format:\"\n\t@echo \" make fmt - Run 'go fmt'\"\n\t@echo \" make fmt-check - Run 'go fmt', but don't change anything\"\n\t@echo \" make vet - Run 'go vet'\"\n\t@echo \" make lint - Run 'golint'\"\n\t@echo \" make staticcheck - Run 'staticcheck'\"\n\t@echo\n\t@echo \"Releasing:\"\n\t@echo \" make release - Create a release\"\n\t@echo \" make release-snapshot - Create a test release\"\n\t@echo\n\t@echo \"Install locally (requires sudo):\"\n\t@echo \" make install-linux-amd64 - Copy amd64 binary from dist/ to /usr/bin/ntfy\"\n\t@echo \" make install-linux-armv6 - Copy armv6 binary from dist/ to /usr/bin/ntfy\"\n\t@echo \" make install-linux-armv7 - Copy armv7 binary from dist/ to /usr/bin/ntfy\"\n\t@echo \" make install-linux-arm64 - Copy arm64 binary from dist/ to /usr/bin/ntfy\"\n\t@echo \" make install-linux-deb-amd64 - Install .deb from dist/ (amd64 only)\"\n\t@echo \" make install-linux-deb-armv6 - Install .deb from dist/ (armv6 only)\"\n\t@echo \" make install-linux-deb-armv7 - Install .deb from dist/ (armv7 only)\"\n\t@echo \" make install-linux-deb-arm64 - Install .deb from dist/ (arm64 only)\"\n\n\n# Building everything\n\nclean: .PHONY\n\trm -rf dist build server/docs server/site\n\nbuild: web docs cli\n\nupdate: web-deps-update cli-deps-update docs-deps-update\n\tdocker pull alpine\n\ndocker-dev:\n\tdocker build \\\n\t\t--file ./Dockerfile-build \\\n\t\t--tag binwiederhier/ntfy:$(VERSION) \\\n\t\t--tag binwiederhier/ntfy:dev \\\n\t\t--build-arg VERSION=$(VERSION) \\\n\t\t--build-arg COMMIT=$(COMMIT) \\\n\t\t./\n\n\n# Ubuntu-specific\n\nbuild-deps-ubuntu:\n\tsudo apt-get update\n\tsudo apt-get install -y \\\n\t\tcurl \\\n\t\tgcc-aarch64-linux-gnu \\\n\t\tgcc-arm-linux-gnueabi \\\n\t\tgcc-mingw-w64-x86-64 \\\n\t\tpython3 \\\n\t\tpython3-venv \\\n\t\tjq\n\twhich pip3 || sudo apt-get install -y python3-pip\n\n\n# Documentation\n\ndocs: docs-deps docs-build\n\ndocs-venv: .PHONY\n\t$(PYTHON) -m venv ./venv\n\ndocs-build: docs-venv\n\t(. venv/bin/activate && $(PYTHON) -m mkdocs build)\n\ndocs-deps: docs-venv\n\t(. venv/bin/activate && $(PIP) install -r requirements.txt)\n\ndocs-deps-update: .PHONY\n\t(. venv/bin/activate && $(PIP) install -r requirements.txt --upgrade)\n\n\n# Web app\n\nweb: web-deps web-build\n\nweb-build:\n\tcd web \\\n\t\t&& $(NPM) run build \\\n\t\t&& mv build/index.html build/app.html \\\n\t\t&& rm -rf ../server/site \\\n\t\t&& mv build ../server/site \\\n\t\t&& rm \\\n\t\t\t../server/site/config.js\n\nweb-deps:\n\tcd web && $(NPM) install\n\t# If this fails for .svg files, optimize them with svgo\n\nweb-deps-update:\n\tcd web && $(NPM) update\n\nweb-fmt:\n\tcd web && $(NPM) run format\n\nweb-fmt-check:\n\tcd web && $(NPM) run format:check\n\nweb-lint:\n\tcd web && $(NPM) run lint\n\n# Main server/client build\n\ncli: cli-deps\n\tgoreleaser build --snapshot --clean\n\ncli-linux-amd64: cli-deps-static-sites\n\tgoreleaser build --snapshot --clean --id ntfy_linux_amd64\n\ncli-linux-armv6: cli-deps-static-sites cli-deps-gcc-armv6-armv7\n\tgoreleaser build --snapshot --clean --id ntfy_linux_armv6\n\ncli-linux-armv7: cli-deps-static-sites cli-deps-gcc-armv6-armv7\n\tgoreleaser build --snapshot --clean --id ntfy_linux_armv7\n\ncli-linux-arm64: cli-deps-static-sites cli-deps-gcc-arm64\n\tgoreleaser build --snapshot --clean --id ntfy_linux_arm64\n\ncli-windows-amd64: cli-deps-static-sites\n\tgoreleaser build --snapshot --clean --id ntfy_windows_amd64\n\ncli-darwin-all: cli-deps-static-sites\n\tgoreleaser build --snapshot --clean --id ntfy_darwin_all\n\ncli-linux-server: cli-deps-static-sites\n\t# This is a target to build the CLI (including the server) manually.\n\t# Use this for development, if you really don't want to install GoReleaser ...\n\tmkdir -p dist/ntfy_linux_server server/docs\n\tCGO_ENABLED=1 go build \\\n\t\t-o dist/ntfy_linux_server/ntfy \\\n\t\t-tags sqlite_omit_load_extension,osusergo,netgo \\\n\t\t-ldflags \\\n\t\t\"-linkmode=external -extldflags=-static -s -w -X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(shell date +%s)\"\n\ncli-darwin-server: cli-deps-static-sites\n\t# This is a target to build the CLI (including the server) manually.\n\t# Use this for macOS/iOS development, so you have a local server to test with.\n\tmkdir -p dist/ntfy_darwin_server server/docs\n\tCGO_ENABLED=1 go build \\\n\t\t-o dist/ntfy_darwin_server/ntfy \\\n\t\t-tags sqlite_omit_load_extension,osusergo,netgo \\\n\t\t-ldflags \\\n\t\t\"-linkmode=external -s -w -X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(shell date +%s)\"\n\ncli-windows-server: cli-deps-static-sites\n\t# This is a target to build the CLI (including the server) for Windows.\n\t# Use this for Windows development, if you really don't want to install GoReleaser ...\n\tmkdir -p dist/ntfy_windows_server server/docs\n\tCC=x86_64-w64-mingw32-gcc GOOS=windows GOARCH=amd64 CGO_ENABLED=1 go build \\\n\t\t-o dist/ntfy_windows_server/ntfy.exe \\\n\t\t-tags sqlite_omit_load_extension,osusergo,netgo \\\n\t\t-ldflags \\\n\t\t\"-s -w -X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(shell date +%s)\"\n\ncli-client: cli-deps-static-sites\n\t# This is a target to build the CLI (excluding the server) manually. This should work on Linux/macOS/Windows.\n\t# Use this for development, if you really don't want to install GoReleaser ...\n\tmkdir -p dist/ntfy_client server/docs\n\tCGO_ENABLED=0 go build \\\n\t\t-o dist/ntfy_client/ntfy \\\n\t\t-tags noserver \\\n\t\t-ldflags \\\n\t\t\"-X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(shell date +%s)\"\n\ncli-deps: cli-deps-static-sites cli-deps-all cli-deps-gcc\n\ncli-deps-gcc: cli-deps-gcc-armv6-armv7 cli-deps-gcc-arm64 cli-deps-gcc-windows\n\ncli-deps-static-sites:\n\tmkdir -p server/docs server/site\n\ttouch server/docs/index.html server/site/app.html\n\ncli-deps-all:\n\tgo install github.com/goreleaser/goreleaser/v2@latest\n\ncli-deps-gcc-armv6-armv7:\n\twhich arm-linux-gnueabi-gcc || { echo \"ERROR: ARMv6/ARMv7 cross compiler not installed. On Ubuntu, run: apt install gcc-arm-linux-gnueabi\"; exit 1; }\n\ncli-deps-gcc-arm64:\n\twhich aarch64-linux-gnu-gcc || { echo \"ERROR: ARM64 cross compiler not installed. On Ubuntu, run: apt install gcc-aarch64-linux-gnu\"; exit 1; }\n\ncli-deps-gcc-windows:\n\twhich x86_64-w64-mingw32-gcc || { echo \"ERROR: Windows cross compiler not installed. On Ubuntu, run: apt install gcc-mingw-w64-x86-64\"; exit 1; }\n\ncli-deps-update:\n\tgo get -u\n\tgo mod tidy\n\tgo install honnef.co/go/tools/cmd/staticcheck@latest\n\tgo install golang.org/x/lint/golint@latest\n\tgo install github.com/goreleaser/goreleaser/v2@latest\n\ncli-build-results:\n\tcat dist/config.yaml\n\t[ -f dist/artifacts.json ] && cat dist/artifacts.json | jq . || true\n\t[ -f dist/metadata.json ] && cat dist/metadata.json | jq . || true\n\t[ -f dist/checksums.txt ] && cat dist/checksums.txt || true\n\tfind dist -maxdepth 2 -type f \\\n\t\t\\( -name '*.deb' -or -name '*.rpm' -or -name '*.zip' -or -name '*.tar.gz' -or -name 'ntfy' \\) \\\n\t\t-and -not -path 'dist/goreleaserdocker*' \\\n\t\t-exec sha256sum {} \\;\n\n# Test/check targets\n\ncheck: test web-fmt-check fmt-check vet web-lint lint staticcheck\n\ncheckv: testv web-fmt-check fmt-check vet web-lint lint staticcheck\n\ntest: .PHONY\n\tgo test $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')\n\ntestv: .PHONY\n\tgo test -v $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')\n\nrace: .PHONY\n\tgo test -v -race $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')\n\ncoverage:\n\tmkdir -p build/coverage\n\tgo test -v -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools|web)')\n\tgo tool cover -func build/coverage/coverage.txt\n\ncoverage-html:\n\tmkdir -p build/coverage\n\tgo test -race -coverprofile=build/coverage/coverage.txt -covermode=atomic $(shell go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./... | grep -vE 'ntfy/v2/(test|examples|tools)')\n\tgo tool cover -html build/coverage/coverage.txt\n\ncoverage-upload:\n\tcd build/coverage && (curl -s https://codecov.io/bash | bash)\n\n\n# Lint/formatting targets\n\nfmt: web-fmt\n\tgofmt -s -w .\n\nfmt-check:\n\ttest -z $(shell gofmt -l .)\n\nvet:\n\tgo vet ./...\n\nlint:\n\twhich golint || go install golang.org/x/lint/golint@latest\n\tgo list ./... | grep -v /vendor/ | xargs -L1 golint -set_exit_status\n\nstaticcheck: .PHONY\n\trm -rf build/staticcheck\n\twhich staticcheck || go install honnef.co/go/tools/cmd/staticcheck@latest\n\tmkdir -p build/staticcheck\n\tln -s \"go\" build/staticcheck/go\n\tPATH=\"$(PWD)/build/staticcheck:$(PATH)\" staticcheck ./...\n\trm -rf build/staticcheck\n\n\n# Releasing targets\n\nrelease: clean cli-deps release-checks docs web check\n\tgoreleaser release --clean\n\nrelease-snapshot: clean cli-deps docs web check\n\tgoreleaser release --snapshot --clean\n\nrelease-checks:\n\t$(eval LATEST_TAG := $(shell git describe --abbrev=0 --tags | cut -c2-))\n\tif ! grep -q $(LATEST_TAG) docs/install.md; then\\\n\t \techo \"ERROR: Must update docs/install.md with latest tag first.\";\\\n\t \texit 1;\\\n\tfi\n\tif ! grep -q $(LATEST_TAG) docs/releases.md; then\\\n\t\techo \"ERROR: Must update docs/releases.md with latest tag first.\";\\\n\t\texit 1;\\\n\tfi\n\tif [ -n \"$(shell git status -s)\" ]; then\\\n\t echo \"ERROR: Git repository is in an unclean state.\";\\\n\t exit 1;\\\n\tfi\n\n\n# Installing targets\n\ninstall-linux-amd64: remove-binary\n\tsudo cp -a dist/ntfy_linux_amd64_linux_amd64_v1/ntfy /usr/bin/ntfy\n\ninstall-linux-armv6: remove-binary\n\tsudo cp -a dist/ntfy_linux_armv6_linux_arm_6/ntfy /usr/bin/ntfy\n\ninstall-linux-armv7: remove-binary\n\tsudo cp -a dist/ntfy_linux_armv7_linux_arm_7/ntfy /usr/bin/ntfy\n\ninstall-linux-arm64: remove-binary\n\tsudo cp -a dist/ntfy_linux_arm64_linux_arm64/ntfy /usr/bin/ntfy\n\nremove-binary:\n\tsudo rm -f /usr/bin/ntfy\n\ninstall-linux-amd64-deb: purge-package\n\tsudo dpkg -i dist/ntfy_*_linux_amd64.deb\n\ninstall-linux-armv6-deb: purge-package\n\tsudo dpkg -i dist/ntfy_*_linux_armv6.deb\n\ninstall-linux-armv7-deb: purge-package\n\tsudo dpkg -i dist/ntfy_*_linux_armv7.deb\n\ninstall-linux-arm64-deb: purge-package\n\tsudo dpkg -i dist/ntfy_*_linux_arm64.deb\n\npurge-package:\n\tsudo systemctl stop ntfy || true\n\tsudo apt-get purge ntfy || true\n" }, { "path": "README.md", "content": "
\nSpecial thanks to:\n
\n
\n\n \"Warp\n\n\n### [Warp, built for coding with multiple AI agents.](https://go.warp.dev/ntfy)\n[Available for MacOS, Linux, & Windows](https://go.warp.dev/ntfy)
\n
\n
\n\n![ntfy](web/public/static/images/ntfy.png)\n\n# ntfy.sh | Send push notifications to your phone or desktop via PUT/POST\n[![Release](https://img.shields.io/github/release/binwiederhier/ntfy.svg?color=success&style=flat-square)](https://github.com/binwiederhier/ntfy/releases/latest)\n[![Go Reference](https://pkg.go.dev/badge/heckel.io/ntfy.svg)](https://pkg.go.dev/heckel.io/ntfy/v2)\n[![Tests](https://github.com/binwiederhier/ntfy/workflows/test/badge.svg)](https://github.com/binwiederhier/ntfy/actions)\n[![Go Report Card](https://goreportcard.com/badge/github.com/binwiederhier/ntfy)](https://goreportcard.com/report/github.com/binwiederhier/ntfy)\n[![codecov](https://codecov.io/gh/binwiederhier/ntfy/branch/main/graph/badge.svg?token=A597KQ463G)](https://codecov.io/gh/binwiederhier/ntfy)\n[![Discord](https://img.shields.io/discord/874398661709295626?label=Discord)](https://discord.gg/cT7ECsZj9w)\n[![Matrix](https://img.shields.io/matrix/ntfy:matrix.org?label=Matrix)](https://matrix.to/#/#ntfy:matrix.org)\n[![Matrix space](https://img.shields.io/matrix/ntfy-space:matrix.org?label=Matrix+space)](https://matrix.to/#/#ntfy-space:matrix.org)\n[![Healthcheck](https://healthchecks.io/badge/68b65976-b3b0-4102-aec9-980921/kcoEgrLY.svg)](https://ntfy.statuspage.io/)\n[![Gitpod](https://img.shields.io/badge/Contribute%20with-Gitpod-908a85?logo=gitpod)](https://gitpod.io/#https://github.com/binwiederhier/ntfy)\n\n**ntfy** (pronounced \"*notify*\") is a simple HTTP-based [pub-sub](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern) \nnotification service. With ntfy, you can **send notifications to your phone or desktop via scripts** from any computer, \n**without having to sign up or pay any fees**. If you'd like to run your own instance of the service, you can easily do \nso since ntfy is open source.\n\nYou can access the free version of ntfy at **[ntfy.sh](https://ntfy.sh)**. There is also an [open-source Android app](https://github.com/binwiederhier/ntfy-android)\navailable on [Google Play](https://play.google.com/store/apps/details?id=io.heckel.ntfy) or [F-Droid](https://f-droid.org/en/packages/io.heckel.ntfy/),\nas well as an [open source iOS app](https://github.com/binwiederhier/ntfy-ios) available on the [App Store](https://apps.apple.com/us/app/ntfy/id1625396347).\n\n

\n \n \n \n

\n\n

\n \n \n \n \n \n

\n\n## [ntfy Pro](https://ntfy.sh/app) 💸 🎉\nI now offer paid plans for [ntfy.sh](https://ntfy.sh/) if you don't want to self-host, or you want to support the development of \nntfy (→ [Purchase via web app](https://ntfy.sh/app)). You can **buy a plan for as low as $5/month**.\nYou can also donate via [GitHub Sponsors](https://github.com/sponsors/binwiederhier), and [Liberapay](https://liberapay.com/ntfy).\nI would be very humbled by your sponsorship. ❤️ \n\n## **[Documentation](https://ntfy.sh/docs/)**\n\n[Getting started](https://ntfy.sh/docs/) |\n[Android/iOS](https://ntfy.sh/docs/subscribe/phone/) |\n[API](https://ntfy.sh/docs/publish/) |\n[Install / Self-hosting](https://ntfy.sh/docs/install/) |\n[Building](https://ntfy.sh/docs/develop/)\n\n## Chat/forum\nThere are a few ways to get in touch with me and/or the rest of the community. Feel free to use any of these methods. Whatever\nworks best for you:\n\n* [Discord server](https://discord.gg/cT7ECsZj9w) - direct chat with the community\n* [Matrix room #ntfy](https://matrix.to/#/#ntfy:matrix.org) (+ [Matrix space](https://matrix.to/#/#ntfy-space:matrix.org)) - same chat, bridged from Discord\n* [GitHub issues](https://github.com/binwiederhier/ntfy/issues) - questions, features, bugs\n\n## Announcements/beta testers\nFor announcements of new releases and cutting-edge beta versions, please subscribe to the [ntfy.sh/announcements](https://ntfy.sh/announcements) \ntopic. If you'd like to test the iOS app, join [TestFlight](https://testflight.apple.com/join/P1fFnAm9). For Android betas,\njoin Discord/Matrix (I'll eventually make a testing channel in Google Play).\n\n## Sponsors\nIf you'd like to support the ntfy maintainers, please consider donating to [GitHub Sponsors](https://github.com/sponsors/binwiederhier) or\nand [Liberapay](https://liberapay.com/ntfy). We would be humbled if you helped carry the server and developer \naccount costs. Even small donations are very much appreciated. \n\nThank you to our commercial sponsors, who help keep the service running and the development going:\n\n\n\n\n\n\n\nAnd a big fat **Thank You** to the individuals who have sponsored ntfy in the past, or are still sponsoring ntfy:\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n## Contributing\nI welcome any contributions. Just create a PR or an issue. For larger features/ideas, please reach out\non Discord/Matrix first to see if I'd accept them. To contribute code, check out the [build instructions](https://ntfy.sh/docs/develop/)\nfor the server and the Android app. Or, if you'd like to help translate 🇩🇪 🇺🇸 🇧🇬, you can start immediately in\n[Hosted Weblate](https://hosted.weblate.org/projects/ntfy/).\n\n\n\"Translation\n\n\n## Code of Conduct\nWe as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for\neveryone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity\nand expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste,\ncolor, religion, or sexual identity and orientation.\n\n**We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.**\n\n_Please be sure to read the complete [Code of Conduct](CODE_OF_CONDUCT.md)._ \n\n## License\nMade with ❤️ by [Philipp C. Heckel](https://heckel.io). \nThe project is dual licensed under the [Apache License 2.0](LICENSE) and the [GPLv2 License](LICENSE.GPLv2).\n\nThird-party libraries and resources:\n* [github.com/urfave/cli](https://github.com/urfave/cli) (MIT) is used to drive the CLI\n* [Mixkit sounds](https://mixkit.co/free-sound-effects/notification/) (Mixkit Free License) are used as notification sounds\n* [Sounds from notificationsounds.com](https://notificationsounds.com) (Creative Commons Attribution) are used as notification sounds\n* [Roboto Font](https://fonts.google.com/specimen/Roboto) (Apache 2.0) is used as a font in everything web\n* [React](https://reactjs.org/) (MIT) is used for the web app\n* [Material UI components](https://mui.com/) (MIT) are used in the web app\n* [MUI dashboard template](https://github.com/mui/material-ui/tree/master/docs/data/material/getting-started/templates/dashboard) (MIT) was used as a basis for the web app\n* [Dexie.js](https://github.com/dexie/Dexie.js) (Apache 2.0) is used for web app persistence in IndexedDB\n* [GoReleaser](https://goreleaser.com/) (MIT) is used to create releases\n* [go-smtp](https://github.com/emersion/go-smtp) (MIT) is used to receive e-mails\n* [stretchr/testify](https://github.com/stretchr/testify) (MIT) is used for unit and integration tests\n* [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) (MIT) is used to provide the persistent message cache\n* [Firebase Admin SDK](https://github.com/firebase/firebase-admin-go) (Apache 2.0) is used to send FCM messages\n* [github/gemoji](https://github.com/github/gemoji) (MIT) is used for emoji support (specifically the [emoji.json](https://raw.githubusercontent.com/github/gemoji/master/db/emoji.json) file)\n* [Lightbox with vanilla JS](https://yossiabramov.com/blog/vanilla-js-lightbox) as a lightbox on the landing page \n* [HTTP middleware for gzip compression](https://gist.github.com/CJEnright/bc2d8b8dc0c1389a9feeddb110f822d7) (MIT) is used for serving static files\n* [Regex for auto-linking](https://github.com/bryanwoods/autolink-js) (MIT) is used to highlight links (the library is not used)\n* [Statically linking go-sqlite3](https://www.arp242.net/static-go.html)\n* [Linked tabs in mkdocs](https://facelessuser.github.io/pymdown-extensions/extensions/tabbed/#linked-tabs)\n* [webpush-go](https://github.com/SherClockHolmes/webpush-go) (MIT) is used to send web push notifications\n* [Sprig](https://github.com/Masterminds/sprig) (MIT) is used to add template parsing functions\n" }, { "path": "SECURITY.md", "content": "# Security Policy\n\n## Supported Versions\n\nAs of today, I only support the latest version of ntfy. Please make sure you stay up-to-date.\n\n## Reporting a Vulnerability\n\nPlease report security vulnerabilities privately via email to [security@mail.ntfy.sh](mailto:security@mail.ntfy.sh).\n\nYou can also reach me on [Discord](https://discord.gg/cT7ECsZj9w) or [Matrix](https://matrix.to/#/#ntfy:matrix.org) \n(my username is `binwiederhier`).\n" }, { "path": "client/client.go", "content": "// Package client provides a ntfy client to publish and subscribe to topics\npackage client\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"heckel.io/ntfy/v2/util\"\n\t\"io\"\n\t\"net/http\"\n\t\"regexp\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n)\n\nconst (\n\t// MessageEvent identifies a message event\n\tMessageEvent = \"message\"\n)\n\nconst (\n\tmaxResponseBytes = 4096\n)\n\nvar (\n\ttopicRegex = regexp.MustCompile(`^[-_A-Za-z0-9]{1,64}$`) // Same as in server/server.go\n)\n\n// Client is the ntfy client that can be used to publish and subscribe to ntfy topics\ntype Client struct {\n\tMessages chan *Message\n\tconfig *Config\n\tsubscriptions map[string]*subscription\n\tmu sync.Mutex\n}\n\n// Message is a struct that represents a ntfy message\ntype Message struct { // TODO combine with server.message\n\tID string\n\tEvent string\n\tTime int64\n\tTopic string\n\tMessage string\n\tTitle string\n\tPriority int\n\tTags []string\n\tClick string\n\tIcon string\n\tAttachment *Attachment\n\n\t// Additional fields\n\tTopicURL string\n\tSubscriptionID string\n\tRaw string\n}\n\n// Attachment represents a message attachment\ntype Attachment struct {\n\tName string `json:\"name\"`\n\tType string `json:\"type,omitempty\"`\n\tSize int64 `json:\"size,omitempty\"`\n\tExpires int64 `json:\"expires,omitempty\"`\n\tURL string `json:\"url\"`\n\tOwner string `json:\"-\"` // IP address of uploader, used for rate limiting\n}\n\ntype subscription struct {\n\tID string\n\ttopicURL string\n\tcancel context.CancelFunc\n}\n\n// New creates a new Client using a given Config\nfunc New(config *Config) *Client {\n\treturn &Client{\n\t\tMessages: make(chan *Message, 50), // Allow reading a few messages\n\t\tconfig: config,\n\t\tsubscriptions: make(map[string]*subscription),\n\t}\n}\n\n// Publish sends a message to a specific topic, optionally using options.\n// See PublishReader for details.\nfunc (c *Client) Publish(topic, message string, options ...PublishOption) (*Message, error) {\n\treturn c.PublishReader(topic, strings.NewReader(message), options...)\n}\n\n// PublishReader sends a message to a specific topic, optionally using options.\n//\n// A topic can be either a full URL (e.g. https://myhost.lan/mytopic), a short URL which is then prepended https://\n// (e.g. myhost.lan -> https://myhost.lan), or a short name which is expanded using the default host in the\n// config (e.g. mytopic -> https://ntfy.sh/mytopic).\n//\n// To pass title, priority and tags, check out WithTitle, WithPriority, WithTagsList, WithDelay, WithNoCache,\n// WithNoFirebase, and the generic WithHeader.\nfunc (c *Client) PublishReader(topic string, body io.Reader, options ...PublishOption) (*Message, error) {\n\ttopicURL, err := c.expandTopicURL(topic)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq, err := http.NewRequest(\"POST\", topicURL, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfor _, option := range options {\n\t\tif err := option(req); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tlog.Debug(\"%s Publishing message with headers %s\", util.ShortTopicURL(topicURL), req.Header)\n\tresp, err := http.DefaultClient.Do(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tb, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, errors.New(strings.TrimSpace(string(b)))\n\t}\n\tm, err := toMessage(string(b), topicURL, \"\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn m, nil\n}\n\n// Poll queries a topic for all (or a limited set) of messages. Unlike Subscribe, this method only polls for\n// messages and does not subscribe to messages that arrive after this call.\n//\n// A topic can be either a full URL (e.g. https://myhost.lan/mytopic), a short URL which is then prepended https://\n// (e.g. myhost.lan -> https://myhost.lan), or a short name which is expanded using the default host in the\n// config (e.g. mytopic -> https://ntfy.sh/mytopic).\n//\n// By default, all messages will be returned, but you can change this behavior using a SubscribeOption.\n// See WithSince, WithSinceAll, WithSinceUnixTime, WithScheduled, and the generic WithQueryParam.\nfunc (c *Client) Poll(topic string, options ...SubscribeOption) ([]*Message, error) {\n\ttopicURL, err := c.expandTopicURL(topic)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tctx := context.Background()\n\tmessages := make([]*Message, 0)\n\tmsgChan := make(chan *Message)\n\terrChan := make(chan error)\n\tlog.Debug(\"%s Polling from topic\", util.ShortTopicURL(topicURL))\n\toptions = append(options, WithPoll())\n\tgo func() {\n\t\terr := performSubscribeRequest(ctx, msgChan, topicURL, \"\", options...)\n\t\tclose(msgChan)\n\t\terrChan <- err\n\t}()\n\tfor m := range msgChan {\n\t\tmessages = append(messages, m)\n\t}\n\treturn messages, <-errChan\n}\n\n// Subscribe subscribes to a topic to listen for newly incoming messages. The method starts a connection in the\n// background and returns new messages via the Messages channel.\n//\n// A topic can be either a full URL (e.g. https://myhost.lan/mytopic), a short URL which is then prepended https://\n// (e.g. myhost.lan -> https://myhost.lan), or a short name which is expanded using the default host in the\n// config (e.g. mytopic -> https://ntfy.sh/mytopic).\n//\n// By default, only new messages will be returned, but you can change this behavior using a SubscribeOption.\n// See WithSince, WithSinceAll, WithSinceUnixTime, WithScheduled, and the generic WithQueryParam.\n//\n// The method returns a unique subscriptionID that can be used in Unsubscribe.\n//\n// Example:\n//\n//\tc := client.New(client.NewConfig())\n//\tsubscriptionID, _ := c.Subscribe(\"mytopic\")\n//\tfor m := range c.Messages {\n//\t fmt.Printf(\"New message: %s\", m.Message)\n//\t}\nfunc (c *Client) Subscribe(topic string, options ...SubscribeOption) (string, error) {\n\ttopicURL, err := c.expandTopicURL(topic)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\tsubscriptionID := util.RandomString(10)\n\tlog.Debug(\"%s Subscribing to topic\", util.ShortTopicURL(topicURL))\n\tctx, cancel := context.WithCancel(context.Background())\n\tc.subscriptions[subscriptionID] = &subscription{\n\t\tID: subscriptionID,\n\t\ttopicURL: topicURL,\n\t\tcancel: cancel,\n\t}\n\tgo handleSubscribeConnLoop(ctx, c.Messages, topicURL, subscriptionID, options...)\n\treturn subscriptionID, nil\n}\n\n// Unsubscribe unsubscribes from a topic that has been previously subscribed to using the unique\n// subscriptionID returned in Subscribe.\nfunc (c *Client) Unsubscribe(subscriptionID string) {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\tsub, ok := c.subscriptions[subscriptionID]\n\tif !ok {\n\t\treturn\n\t}\n\tdelete(c.subscriptions, subscriptionID)\n\tsub.cancel()\n}\n\nfunc (c *Client) expandTopicURL(topic string) (string, error) {\n\tif strings.HasPrefix(topic, \"http://\") || strings.HasPrefix(topic, \"https://\") {\n\t\treturn topic, nil\n\t} else if strings.Contains(topic, \"/\") {\n\t\treturn fmt.Sprintf(\"https://%s\", topic), nil\n\t}\n\tif !topicRegex.MatchString(topic) {\n\t\treturn \"\", fmt.Errorf(\"invalid topic name: %s\", topic)\n\t}\n\treturn fmt.Sprintf(\"%s/%s\", c.config.DefaultHost, topic), nil\n}\n\nfunc handleSubscribeConnLoop(ctx context.Context, msgChan chan *Message, topicURL, subcriptionID string, options ...SubscribeOption) {\n\tfor {\n\t\t// TODO The retry logic is crude and may lose messages. It should record the last message like the\n\t\t// Android client, use since=, and do incremental backoff too\n\t\tif err := performSubscribeRequest(ctx, msgChan, topicURL, subcriptionID, options...); err != nil {\n\t\t\tlog.Warn(\"%s Connection failed: %s\", util.ShortTopicURL(topicURL), err.Error())\n\t\t}\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tlog.Info(\"%s Connection exited\", util.ShortTopicURL(topicURL))\n\t\t\treturn\n\t\tcase <-time.After(10 * time.Second): // TODO Add incremental backoff\n\t\t}\n\t}\n}\n\nfunc performSubscribeRequest(ctx context.Context, msgChan chan *Message, topicURL string, subscriptionID string, options ...SubscribeOption) error {\n\tstreamURL := fmt.Sprintf(\"%s/json\", topicURL)\n\tlog.Debug(\"%s Listening to %s\", util.ShortTopicURL(topicURL), streamURL)\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, streamURL, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, option := range options {\n\t\tif err := option(req); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tresp, err := http.DefaultClient.Do(req)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\tb, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn errors.New(strings.TrimSpace(string(b)))\n\t}\n\tscanner := bufio.NewScanner(resp.Body)\n\tfor scanner.Scan() {\n\t\tmessageJSON := scanner.Text()\n\t\tm, err := toMessage(messageJSON, topicURL, subscriptionID)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlog.Trace(\"%s Message received: %s\", util.ShortTopicURL(topicURL), messageJSON)\n\t\tif m.Event == MessageEvent {\n\t\t\tmsgChan <- m\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc toMessage(s, topicURL, subscriptionID string) (*Message, error) {\n\tvar m *Message\n\tif err := json.NewDecoder(strings.NewReader(s)).Decode(&m); err != nil {\n\t\treturn nil, err\n\t}\n\tm.TopicURL = topicURL\n\tm.SubscriptionID = subscriptionID\n\tm.Raw = s\n\treturn m, nil\n}\n" }, { "path": "client/client.yml", "content": "# ntfy client config file\n\n# Base URL used to expand short topic names in the \"ntfy publish\" and \"ntfy subscribe\" commands.\n# If you self-host a ntfy server, you'll likely want to change this.\n#\n# default-host: https://ntfy.sh\n\n# Default credentials will be used with \"ntfy publish\" and \"ntfy subscribe\" if no other credentials are provided.\n# You can set a default token to use or a default user:password combination, but not both. For an empty password,\n# use empty double-quotes (\"\").\n#\n# To override the default user:password combination or default token for a particular subscription (e.g., to send\n# no Authorization header), set the user:pass/token for the subscription to empty double-quotes (\"\").\n\n# default-token:\n\n# default-user:\n# default-password:\n\n# Default command will execute after \"ntfy subscribe\" receives a message if no command is provided in subscription below\n# default-command:\n\n# Subscriptions to topics and their actions. This option is primarily used by the systemd service,\n# or if you can \"ntfy subscribe --from-config\" directly.\n#\n# Example:\n# subscribe:\n# - topic: mytopic\n# command: /usr/local/bin/mytopic-triggered.sh\n# - topic: myserver.com/anothertopic\n# command: 'echo \"$message\"'\n# if:\n# priority: high,urgent\n# - topic: secret\n# command: 'notify-send \"$m\"'\n# user: phill\n# password: mypass\n# - topic: token_topic\n# token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n#\n# Variables:\n# Variable Aliases Description\n# --------------- --------------------- -----------------------------------\n# $NTFY_ID $id Unique message ID\n# $NTFY_TIME $time Unix timestamp of the message delivery\n# $NTFY_TOPIC $topic Topic name\n# $NTFY_MESSAGE $message, $m Message body\n# $NTFY_TITLE $title, $t Message title\n# $NTFY_PRIORITY $priority, $prio, $p Message priority (1=min, 5=max)\n# $NTFY_TAGS $tags, $tag, $ta Message tags (comma separated list)\n# $NTFY_RAW $raw Raw JSON message\n#\n# Filters ('if:'):\n# You can filter 'message', 'title', 'priority' (comma-separated list, logical OR)\n# and 'tags' (comma-separated list, logical AND). See https://ntfy.sh/docs/subscribe/api/#filter-messages.\n#\n# subscribe:\n" }, { "path": "client/client_test.go", "content": "package client_test\n\nimport (\n\t\"fmt\"\n\t\"github.com/stretchr/testify/require\"\n\t\"heckel.io/ntfy/v2/client\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"heckel.io/ntfy/v2/test\"\n\t\"os\"\n\t\"testing\"\n\t\"time\"\n)\n\nfunc TestMain(m *testing.M) {\n\tlog.SetLevel(log.ErrorLevel)\n\tos.Exit(m.Run())\n}\n\nfunc TestClient_Publish_Subscribe(t *testing.T) {\n\ts, port := test.StartServer(t)\n\tdefer test.StopServer(t, s, port)\n\tc := client.New(newTestConfig(port))\n\n\tsubscriptionID, _ := c.Subscribe(\"mytopic\")\n\ttime.Sleep(time.Second)\n\n\tmsg, err := c.Publish(\"mytopic\", \"some message\")\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"some message\", msg.Message)\n\n\tmsg, err = c.Publish(\"mytopic\", \"some other message\",\n\t\tclient.WithTitle(\"some title\"),\n\t\tclient.WithPriority(\"high\"),\n\t\tclient.WithTags([]string{\"tag1\", \"tag 2\"}))\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"some other message\", msg.Message)\n\trequire.Equal(t, \"some title\", msg.Title)\n\trequire.Equal(t, []string{\"tag1\", \"tag 2\"}, msg.Tags)\n\trequire.Equal(t, 4, msg.Priority)\n\n\tmsg, err = c.Publish(\"mytopic\", \"some delayed message\",\n\t\tclient.WithDelay(\"25 hours\"))\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"some delayed message\", msg.Message)\n\trequire.True(t, time.Now().Add(24*time.Hour).Unix() < msg.Time)\n\n\ttime.Sleep(200 * time.Millisecond)\n\n\tmsg = nextMessage(c)\n\trequire.NotNil(t, msg)\n\trequire.Equal(t, \"some message\", msg.Message)\n\n\tmsg = nextMessage(c)\n\trequire.NotNil(t, msg)\n\trequire.Equal(t, \"some other message\", msg.Message)\n\trequire.Equal(t, \"some title\", msg.Title)\n\trequire.Equal(t, []string{\"tag1\", \"tag 2\"}, msg.Tags)\n\trequire.Equal(t, 4, msg.Priority)\n\n\tmsg = nextMessage(c)\n\trequire.Nil(t, msg)\n\n\tc.Unsubscribe(subscriptionID)\n\ttime.Sleep(200 * time.Millisecond)\n\n\tmsg, err = c.Publish(\"mytopic\", \"a message that won't be received\")\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"a message that won't be received\", msg.Message)\n\n\tmsg = nextMessage(c)\n\trequire.Nil(t, msg)\n}\n\nfunc TestClient_Publish_Poll(t *testing.T) {\n\ts, port := test.StartServer(t)\n\tdefer test.StopServer(t, s, port)\n\tc := client.New(newTestConfig(port))\n\n\tmsg, err := c.Publish(\"mytopic\", \"some message\", client.WithNoFirebase(), client.WithTagsList(\"tag1,tag2\"))\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"some message\", msg.Message)\n\trequire.Equal(t, []string{\"tag1\", \"tag2\"}, msg.Tags)\n\n\tmsg, err = c.Publish(\"mytopic\", \"this won't be cached\", client.WithNoCache())\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"this won't be cached\", msg.Message)\n\n\tmsg, err = c.Publish(\"mytopic\", \"some delayed message\", client.WithDelay(\"20 min\"))\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"some delayed message\", msg.Message)\n\n\tmessages, err := c.Poll(\"mytopic\")\n\trequire.Nil(t, err)\n\trequire.Equal(t, 1, len(messages))\n\trequire.Equal(t, \"some message\", messages[0].Message)\n\n\tmessages, err = c.Poll(\"mytopic\", client.WithScheduled())\n\trequire.Nil(t, err)\n\trequire.Equal(t, 2, len(messages))\n\trequire.Equal(t, \"some message\", messages[0].Message)\n\trequire.Equal(t, \"some delayed message\", messages[1].Message)\n}\n\nfunc newTestConfig(port int) *client.Config {\n\tc := client.NewConfig()\n\tc.DefaultHost = fmt.Sprintf(\"http://127.0.0.1:%d\", port)\n\treturn c\n}\n\nfunc nextMessage(c *client.Client) *client.Message {\n\tselect {\n\tcase m := <-c.Messages:\n\t\treturn m\n\tdefault:\n\t\treturn nil\n\t}\n}\n" }, { "path": "client/config.go", "content": "package client\n\nimport (\n\t\"gopkg.in/yaml.v2\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"os\"\n)\n\nconst (\n\t// DefaultBaseURL is the base URL used to expand short topic names\n\tDefaultBaseURL = \"https://ntfy.sh\"\n)\n\n// DefaultConfigFile is the default path to the client config file (set in config_*.go)\nvar DefaultConfigFile string\n\n// Config is the config struct for a Client\ntype Config struct {\n\tDefaultHost string `yaml:\"default-host\"`\n\tDefaultUser string `yaml:\"default-user\"`\n\tDefaultPassword *string `yaml:\"default-password\"`\n\tDefaultToken string `yaml:\"default-token\"`\n\tDefaultCommand string `yaml:\"default-command\"`\n\tSubscribe []Subscribe `yaml:\"subscribe\"`\n}\n\n// Subscribe is the struct for a Subscription within Config\ntype Subscribe struct {\n\tTopic string `yaml:\"topic\"`\n\tUser *string `yaml:\"user\"`\n\tPassword *string `yaml:\"password\"`\n\tToken *string `yaml:\"token\"`\n\tCommand string `yaml:\"command\"`\n\tIf map[string]string `yaml:\"if\"`\n}\n\n// NewConfig creates a new Config struct for a Client\nfunc NewConfig() *Config {\n\treturn &Config{\n\t\tDefaultHost: DefaultBaseURL,\n\t\tDefaultUser: \"\",\n\t\tDefaultPassword: nil,\n\t\tDefaultToken: \"\",\n\t\tDefaultCommand: \"\",\n\t\tSubscribe: nil,\n\t}\n}\n\n// LoadConfig loads the Client config from a yaml file\nfunc LoadConfig(filename string) (*Config, error) {\n\tlog.Debug(\"Loading client config from %s\", filename)\n\tb, err := os.ReadFile(filename)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tc := NewConfig()\n\tif err := yaml.Unmarshal(b, c); err != nil {\n\t\treturn nil, err\n\t}\n\treturn c, nil\n}\n" }, { "path": "client/config_darwin.go", "content": "//go:build darwin\n\npackage client\n\nimport (\n\t\"os\"\n\t\"os/user\"\n\t\"path/filepath\"\n)\n\nfunc init() {\n\tu, err := user.Current()\n\tif err == nil && u.Uid == \"0\" {\n\t\tDefaultConfigFile = \"/etc/ntfy/client.yml\"\n\t} else if configDir, err := os.UserConfigDir(); err == nil {\n\t\tDefaultConfigFile = filepath.Join(configDir, \"ntfy\", \"client.yml\")\n\t}\n}\n" }, { "path": "client/config_test.go", "content": "package client_test\n\nimport (\n\t\"github.com/stretchr/testify/require\"\n\t\"heckel.io/ntfy/v2/client\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n)\n\nfunc TestConfig_Load(t *testing.T) {\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(`\ndefault-host: http://localhost\ndefault-user: philipp\ndefault-password: mypass\ndefault-command: 'echo \"Got the message: $message\"'\nsubscribe:\n - topic: no-command-with-auth\n user: phil\n password: mypass\n - topic: echo-this\n command: 'echo \"Message received: $message\"'\n - topic: alerts\n command: notify-send -i /usr/share/ntfy/logo.png \"Important\" \"$m\"\n if:\n priority: high,urgent\n - topic: defaults\n`), 0600))\n\n\tconf, err := client.LoadConfig(filename)\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"http://localhost\", conf.DefaultHost)\n\trequire.Equal(t, \"philipp\", conf.DefaultUser)\n\trequire.Equal(t, \"mypass\", *conf.DefaultPassword)\n\trequire.Equal(t, `echo \"Got the message: $message\"`, conf.DefaultCommand)\n\trequire.Equal(t, 4, len(conf.Subscribe))\n\trequire.Equal(t, \"no-command-with-auth\", conf.Subscribe[0].Topic)\n\trequire.Equal(t, \"\", conf.Subscribe[0].Command)\n\trequire.Equal(t, \"phil\", *conf.Subscribe[0].User)\n\trequire.Equal(t, \"mypass\", *conf.Subscribe[0].Password)\n\trequire.Equal(t, \"echo-this\", conf.Subscribe[1].Topic)\n\trequire.Equal(t, `echo \"Message received: $message\"`, conf.Subscribe[1].Command)\n\trequire.Equal(t, \"alerts\", conf.Subscribe[2].Topic)\n\trequire.Equal(t, `notify-send -i /usr/share/ntfy/logo.png \"Important\" \"$m\"`, conf.Subscribe[2].Command)\n\trequire.Equal(t, \"high,urgent\", conf.Subscribe[2].If[\"priority\"])\n\trequire.Equal(t, \"defaults\", conf.Subscribe[3].Topic)\n}\n\nfunc TestConfig_EmptyPassword(t *testing.T) {\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(`\ndefault-host: http://localhost\ndefault-user: philipp\ndefault-password: \"\"\nsubscribe:\n - topic: no-command-with-auth\n user: phil\n password: \"\"\n`), 0600))\n\n\tconf, err := client.LoadConfig(filename)\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"http://localhost\", conf.DefaultHost)\n\trequire.Equal(t, \"philipp\", conf.DefaultUser)\n\trequire.Equal(t, \"\", *conf.DefaultPassword)\n\trequire.Equal(t, 1, len(conf.Subscribe))\n\trequire.Equal(t, \"no-command-with-auth\", conf.Subscribe[0].Topic)\n\trequire.Equal(t, \"\", conf.Subscribe[0].Command)\n\trequire.Equal(t, \"phil\", *conf.Subscribe[0].User)\n\trequire.Equal(t, \"\", *conf.Subscribe[0].Password)\n}\n\nfunc TestConfig_NullPassword(t *testing.T) {\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(`\ndefault-host: http://localhost\ndefault-user: philipp\ndefault-password: ~\nsubscribe:\n - topic: no-command-with-auth\n user: phil\n password: ~\n`), 0600))\n\n\tconf, err := client.LoadConfig(filename)\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"http://localhost\", conf.DefaultHost)\n\trequire.Equal(t, \"philipp\", conf.DefaultUser)\n\trequire.Nil(t, conf.DefaultPassword)\n\trequire.Equal(t, 1, len(conf.Subscribe))\n\trequire.Equal(t, \"no-command-with-auth\", conf.Subscribe[0].Topic)\n\trequire.Equal(t, \"\", conf.Subscribe[0].Command)\n\trequire.Equal(t, \"phil\", *conf.Subscribe[0].User)\n\trequire.Nil(t, conf.Subscribe[0].Password)\n}\n\nfunc TestConfig_NoPassword(t *testing.T) {\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(`\ndefault-host: http://localhost\ndefault-user: philipp\nsubscribe:\n - topic: no-command-with-auth\n user: phil\n`), 0600))\n\n\tconf, err := client.LoadConfig(filename)\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"http://localhost\", conf.DefaultHost)\n\trequire.Equal(t, \"philipp\", conf.DefaultUser)\n\trequire.Nil(t, conf.DefaultPassword)\n\trequire.Equal(t, 1, len(conf.Subscribe))\n\trequire.Equal(t, \"no-command-with-auth\", conf.Subscribe[0].Topic)\n\trequire.Equal(t, \"\", conf.Subscribe[0].Command)\n\trequire.Equal(t, \"phil\", *conf.Subscribe[0].User)\n\trequire.Nil(t, conf.Subscribe[0].Password)\n}\n\nfunc TestConfig_DefaultToken(t *testing.T) {\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(`\ndefault-host: http://localhost\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\nsubscribe:\n - topic: mytopic\n`), 0600))\n\n\tconf, err := client.LoadConfig(filename)\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"http://localhost\", conf.DefaultHost)\n\trequire.Equal(t, \"\", conf.DefaultUser)\n\trequire.Nil(t, conf.DefaultPassword)\n\trequire.Equal(t, \"tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", conf.DefaultToken)\n\trequire.Equal(t, 1, len(conf.Subscribe))\n\trequire.Equal(t, \"mytopic\", conf.Subscribe[0].Topic)\n\trequire.Nil(t, conf.Subscribe[0].User)\n\trequire.Nil(t, conf.Subscribe[0].Password)\n\trequire.Nil(t, conf.Subscribe[0].Token)\n}\n" }, { "path": "client/config_unix.go", "content": "//go:build linux || dragonfly || freebsd || netbsd || openbsd\n\npackage client\n\nimport (\n\t\"os\"\n\t\"os/user\"\n\t\"path/filepath\"\n)\n\nfunc init() {\n\tu, err := user.Current()\n\tif err == nil && u.Uid == \"0\" {\n\t\tDefaultConfigFile = \"/etc/ntfy/client.yml\"\n\t} else if configDir, err := os.UserConfigDir(); err == nil {\n\t\tDefaultConfigFile = filepath.Join(configDir, \"ntfy\", \"client.yml\")\n\t}\n}\n" }, { "path": "client/config_windows.go", "content": "//go:build windows\n\npackage client\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n)\n\nfunc init() {\n\tif configDir, err := os.UserConfigDir(); err == nil {\n\t\tDefaultConfigFile = filepath.Join(configDir, \"ntfy\", \"client.yml\")\n\t}\n}\n" }, { "path": "client/ntfy-client.service", "content": "[Unit]\nDescription=ntfy client\nAfter=network.target\n\n[Service]\nUser=ntfy\nGroup=ntfy\nExecStart=/usr/bin/ntfy subscribe --config /etc/ntfy/client.yml --from-config\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n" }, { "path": "client/options.go", "content": "package client\n\nimport (\n\t\"fmt\"\n\t\"heckel.io/ntfy/v2/util\"\n\t\"net/http\"\n\t\"strings\"\n\t\"time\"\n)\n\n// RequestOption is a generic request option that can be added to Client calls\ntype RequestOption = func(r *http.Request) error\n\n// PublishOption is an option that can be passed to the Client.Publish call\ntype PublishOption = RequestOption\n\n// SubscribeOption is an option that can be passed to a Client.Subscribe or Client.Poll call\ntype SubscribeOption = RequestOption\n\n// WithMessage sets the notification message. This is an alternative way to passing the message body.\nfunc WithMessage(message string) PublishOption {\n\treturn WithHeader(\"X-Message\", message)\n}\n\n// WithTitle adds a title to a message\nfunc WithTitle(title string) PublishOption {\n\treturn WithHeader(\"X-Title\", title)\n}\n\n// WithPriority adds a priority to a message. The priority can be either a number (1=min, 5=max),\n// or the corresponding names (see util.ParsePriority).\nfunc WithPriority(priority string) PublishOption {\n\treturn WithHeader(\"X-Priority\", priority)\n}\n\n// WithTagsList adds a list of tags to a message. The tags parameter must be a comma-separated list\n// of tags. To use a slice, use WithTags instead\nfunc WithTagsList(tags string) PublishOption {\n\treturn WithHeader(\"X-Tags\", tags)\n}\n\n// WithTags adds a list of a tags to a message\nfunc WithTags(tags []string) PublishOption {\n\treturn WithTagsList(strings.Join(tags, \",\"))\n}\n\n// WithDelay instructs the server to send the message at a later date. The delay parameter can be a\n// Unix timestamp, a duration string or a natural langage string. See https://ntfy.sh/docs/publish/#scheduled-delivery\n// for details.\nfunc WithDelay(delay string) PublishOption {\n\treturn WithHeader(\"X-Delay\", delay)\n}\n\n// WithClick makes the notification action open the given URL as opposed to entering the detail view\nfunc WithClick(url string) PublishOption {\n\treturn WithHeader(\"X-Click\", url)\n}\n\n// WithIcon makes the notification use the given URL as its icon\nfunc WithIcon(icon string) PublishOption {\n\treturn WithHeader(\"X-Icon\", icon)\n}\n\n// WithActions adds custom user actions to the notification. The value can be either a JSON array or the\n// simple format definition. See https://ntfy.sh/docs/publish/#action-buttons for details.\nfunc WithActions(value string) PublishOption {\n\treturn WithHeader(\"X-Actions\", value)\n}\n\n// WithAttach sets a URL that will be used by the client to download an attachment\nfunc WithAttach(attach string) PublishOption {\n\treturn WithHeader(\"X-Attach\", attach)\n}\n\n// WithMarkdown instructs the server to interpret the message body as Markdown\nfunc WithMarkdown() PublishOption {\n\treturn WithHeader(\"X-Markdown\", \"yes\")\n}\n\n// WithTemplate instructs the server to use a specific template for the message. If templateName is is \"yes\" or \"1\",\n// the server will interpret the message and title as a template.\nfunc WithTemplate(templateName string) PublishOption {\n\treturn WithHeader(\"X-Template\", templateName)\n}\n\n// WithFilename sets a filename for the attachment, and/or forces the HTTP body to interpreted as an attachment\nfunc WithFilename(filename string) PublishOption {\n\treturn WithHeader(\"X-Filename\", filename)\n}\n\n// WithSequenceID sets a sequence ID for the message, allowing updates to existing notifications\nfunc WithSequenceID(sequenceID string) PublishOption {\n\treturn WithHeader(\"X-Sequence-ID\", sequenceID)\n}\n\n// WithEmail instructs the server to also send the message to the given e-mail address\nfunc WithEmail(email string) PublishOption {\n\treturn WithHeader(\"X-Email\", email)\n}\n\n// WithBasicAuth adds the Authorization header for basic auth to the request\nfunc WithBasicAuth(user, pass string) PublishOption {\n\treturn WithHeader(\"Authorization\", util.BasicAuth(user, pass))\n}\n\n// WithBearerAuth adds the Authorization header for Bearer auth to the request\nfunc WithBearerAuth(token string) PublishOption {\n\treturn WithHeader(\"Authorization\", fmt.Sprintf(\"Bearer %s\", token))\n}\n\n// WithEmptyAuth clears the Authorization header\nfunc WithEmptyAuth() PublishOption {\n\treturn RemoveHeader(\"Authorization\")\n}\n\n// WithNoCache instructs the server not to cache the message server-side\nfunc WithNoCache() PublishOption {\n\treturn WithHeader(\"X-Cache\", \"no\")\n}\n\n// WithNoFirebase instructs the server not to forward the message to Firebase\nfunc WithNoFirebase() PublishOption {\n\treturn WithHeader(\"X-Firebase\", \"no\")\n}\n\n// WithSince limits the number of messages returned from the server. The parameter since can be a Unix\n// timestamp (see WithSinceUnixTime), a duration (WithSinceDuration) the word \"all\" (see WithSinceAll).\nfunc WithSince(since string) SubscribeOption {\n\treturn WithQueryParam(\"since\", since)\n}\n\n// WithSinceAll instructs the server to return all messages for the given topic from the server\nfunc WithSinceAll() SubscribeOption {\n\treturn WithSince(\"all\")\n}\n\n// WithSinceDuration instructs the server to return all messages since the given duration ago\nfunc WithSinceDuration(since time.Duration) SubscribeOption {\n\treturn WithSinceUnixTime(time.Now().Add(-1 * since).Unix())\n}\n\n// WithSinceUnixTime instructs the server to return only messages newer or equal to the given timestamp\nfunc WithSinceUnixTime(since int64) SubscribeOption {\n\treturn WithSince(fmt.Sprintf(\"%d\", since))\n}\n\n// WithPoll instructs the server to close the connection after messages have been returned. Don't use this option\n// directly. Use Client.Poll instead.\nfunc WithPoll() SubscribeOption {\n\treturn WithQueryParam(\"poll\", \"1\")\n}\n\n// WithScheduled instructs the server to also return messages that have not been sent yet, i.e. delayed/scheduled\n// messages (see WithDelay). The messages will have a future date.\nfunc WithScheduled() SubscribeOption {\n\treturn WithQueryParam(\"scheduled\", \"1\")\n}\n\n// WithFilter is a generic subscribe option meant to be used to filter for certain messages only\nfunc WithFilter(param, value string) SubscribeOption {\n\treturn WithQueryParam(param, value)\n}\n\n// WithMessageFilter instructs the server to only return messages that match the exact message\nfunc WithMessageFilter(message string) SubscribeOption {\n\treturn WithQueryParam(\"message\", message)\n}\n\n// WithTitleFilter instructs the server to only return messages with a title that match the exact string\nfunc WithTitleFilter(title string) SubscribeOption {\n\treturn WithQueryParam(\"title\", title)\n}\n\n// WithPriorityFilter instructs the server to only return messages with the matching priority. Not that messages\n// without priority also implicitly match priority 3.\nfunc WithPriorityFilter(priority int) SubscribeOption {\n\treturn WithQueryParam(\"priority\", fmt.Sprintf(\"%d\", priority))\n}\n\n// WithTagsFilter instructs the server to only return messages that contain all of the given tags\nfunc WithTagsFilter(tags []string) SubscribeOption {\n\treturn WithQueryParam(\"tags\", strings.Join(tags, \",\"))\n}\n\n// WithHeader is a generic option to add headers to a request\nfunc WithHeader(header, value string) RequestOption {\n\treturn func(r *http.Request) error {\n\t\tif value != \"\" {\n\t\t\tr.Header.Set(header, value)\n\t\t}\n\t\treturn nil\n\t}\n}\n\n// WithQueryParam is a generic option to add query parameters to a request\nfunc WithQueryParam(param, value string) RequestOption {\n\treturn func(r *http.Request) error {\n\t\tif value != \"\" {\n\t\t\tq := r.URL.Query()\n\t\t\tq.Add(param, value)\n\t\t\tr.URL.RawQuery = q.Encode()\n\t\t}\n\t\treturn nil\n\t}\n}\n\n// RemoveHeader is a generic option to remove a header from a request\nfunc RemoveHeader(header string) RequestOption {\n\treturn func(r *http.Request) error {\n\t\tif header != \"\" {\n\t\t\tdelete(r.Header, header)\n\t\t}\n\t\treturn nil\n\t}\n}\n" }, { "path": "client/user/ntfy-client.service", "content": "[Unit]\nDescription=ntfy client\nAfter=network.target\n\n[Service]\nExecStart=/usr/bin/ntfy subscribe --config \"%h/.config/ntfy/client.yml\" --from-config\nRestart=on-failure\n\n[Install]\nWantedBy=default.target\n" }, { "path": "cmd/access.go", "content": "//go:build !noserver\n\npackage cmd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/user\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nfunc init() {\n\tcommands = append(commands, cmdAccess)\n}\n\nconst (\n\tuserEveryone = \"everyone\"\n)\n\nvar flagsAccess = append(\n\tappend([]cli.Flag{}, flagsUser...),\n\t&cli.BoolFlag{Name: \"reset\", Aliases: []string{\"r\"}, Usage: \"reset access for user (and topic)\"},\n)\n\nvar cmdAccess = &cli.Command{\n\tName: \"access\",\n\tUsage: \"Grant/revoke access to a topic, or show access\",\n\tUsageText: \"ntfy access [USERNAME [TOPIC [PERMISSION]]]\",\n\tFlags: flagsAccess,\n\tBefore: initConfigFileInputSourceFunc(\"config\", flagsAccess, initLogFunc),\n\tAction: execUserAccess,\n\tCategory: categoryServer,\n\tDescription: `Manage the access control list for the ntfy server.\n\nThis is a server-only command. It directly manages the user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined. Please also refer\nto the related command 'ntfy user'.\n\nThe command allows you to show the access control list, as well as change it, depending on how\nit is called.\n\nUsage:\n ntfy access # Shows access control list (alias: 'ntfy user list')\n ntfy access USERNAME # Shows access control entries for USERNAME\n ntfy access USERNAME TOPIC PERMISSION # Allow/deny access for USERNAME to TOPIC\n\nArguments:\n USERNAME an existing user, as created with 'ntfy user add', or \"everyone\"/\"*\"\n to define access rules for anonymous/unauthenticated clients\n TOPIC name of a topic with optional wildcards, e.g. \"mytopic*\"\n PERMISSION one of the following:\n - read-write (alias: rw) \n - read-only (aliases: read, ro)\n - write-only (aliases: write, wo)\n - deny (alias: none)\n\nExamples:\n ntfy access # Shows access control list (alias: 'ntfy user list')\n ntfy access phil # Shows access for user phil\n ntfy access phil mytopic rw # Allow read-write access to mytopic for user phil\n ntfy access everyone mytopic rw # Allow anonymous read-write access to mytopic\n ntfy access everyone \"up*\" write # Allow anonymous write-only access to topics \"up...\" \n ntfy access --reset # Reset entire access control list\n ntfy access --reset phil # Reset all access for user phil\n ntfy access --reset phil mytopic # Reset access for user phil and topic mytopic\n`,\n}\n\nfunc execUserAccess(c *cli.Context) error {\n\tif c.NArg() > 3 {\n\t\treturn errors.New(\"too many arguments, please check 'ntfy access --help' for usage details\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tusername := c.Args().Get(0)\n\tif username == userEveryone {\n\t\tusername = user.Everyone\n\t}\n\ttopic := c.Args().Get(1)\n\tperms := c.Args().Get(2)\n\treset := c.Bool(\"reset\")\n\tif reset {\n\t\tif perms != \"\" {\n\t\t\treturn errors.New(\"too many arguments, please check 'ntfy access --help' for usage details\")\n\t\t}\n\t\treturn resetAccess(c, manager, username, topic)\n\t} else if perms == \"\" {\n\t\tif topic != \"\" {\n\t\t\treturn errors.New(\"invalid syntax, please check 'ntfy access --help' for usage details\")\n\t\t}\n\t\treturn showAccess(c, manager, username)\n\t}\n\treturn changeAccess(c, manager, username, topic, perms)\n}\n\nfunc changeAccess(c *cli.Context, manager *user.Manager, username string, topic string, perms string) error {\n\tif !util.Contains([]string{\"\", \"read-write\", \"rw\", \"read-only\", \"read\", \"ro\", \"write-only\", \"write\", \"wo\", \"none\", \"deny\"}, perms) {\n\t\treturn errors.New(\"permission must be one of: read-write, read-only, write-only, or deny (or the aliases: read, ro, write, wo, none)\")\n\t}\n\tpermission, err := user.ParsePermission(perms)\n\tif err != nil {\n\t\treturn err\n\t}\n\tu, err := manager.User(username)\n\tif errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t} else if err != nil {\n\t\treturn err\n\t} else if u.Role == user.RoleAdmin {\n\t\treturn fmt.Errorf(\"user %s is an admin user, access control entries have no effect\", username)\n\t}\n\tif err := manager.AllowAccess(username, topic, permission); err != nil {\n\t\treturn err\n\t}\n\tif permission.IsReadWrite() {\n\t\tfmt.Fprintf(c.App.Writer, \"granted read-write access to topic %s\\n\\n\", topic)\n\t} else if permission.IsRead() {\n\t\tfmt.Fprintf(c.App.Writer, \"granted read-only access to topic %s\\n\\n\", topic)\n\t} else if permission.IsWrite() {\n\t\tfmt.Fprintf(c.App.Writer, \"granted write-only access to topic %s\\n\\n\", topic)\n\t} else {\n\t\tfmt.Fprintf(c.App.Writer, \"revoked all access to topic %s\\n\\n\", topic)\n\t}\n\treturn showUserAccess(c, manager, username)\n}\n\nfunc resetAccess(c *cli.Context, manager *user.Manager, username, topic string) error {\n\tif username == \"\" {\n\t\treturn resetAllAccess(c, manager)\n\t} else if topic == \"\" {\n\t\treturn resetUserAccess(c, manager, username)\n\t}\n\treturn resetUserTopicAccess(c, manager, username, topic)\n}\n\nfunc resetAllAccess(c *cli.Context, manager *user.Manager) error {\n\tif err := manager.ResetAccess(\"\", \"\"); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintln(c.App.Writer, \"reset access for all users\")\n\treturn nil\n}\n\nfunc resetUserAccess(c *cli.Context, manager *user.Manager, username string) error {\n\tif err := manager.ResetAccess(username, \"\"); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"reset access for user %s\\n\\n\", username)\n\treturn showUserAccess(c, manager, username)\n}\n\nfunc resetUserTopicAccess(c *cli.Context, manager *user.Manager, username string, topic string) error {\n\tif err := manager.ResetAccess(username, topic); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"reset access for user %s and topic %s\\n\\n\", username, topic)\n\treturn showUserAccess(c, manager, username)\n}\n\nfunc showAccess(c *cli.Context, manager *user.Manager, username string) error {\n\tif username == \"\" {\n\t\treturn showAllAccess(c, manager)\n\t}\n\treturn showUserAccess(c, manager, username)\n}\n\nfunc showAllAccess(c *cli.Context, manager *user.Manager) error {\n\tusers, err := manager.Users()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn showUsers(c, manager, users)\n}\n\nfunc showUserAccess(c *cli.Context, manager *user.Manager, username string) error {\n\tusers, err := manager.User(username)\n\tif errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t} else if err != nil {\n\t\treturn err\n\t}\n\treturn showUsers(c, manager, []*user.User{users})\n}\n\nfunc showUsers(c *cli.Context, manager *user.Manager, users []*user.User) error {\n\tfor _, u := range users {\n\t\tgrants, err := manager.Grants(u.Name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttier := \"none\"\n\t\tif u.Tier != nil {\n\t\t\ttier = u.Tier.Name\n\t\t}\n\t\tprovisioned := \"\"\n\t\tif u.Provisioned {\n\t\t\tprovisioned = \", server config\"\n\t\t}\n\t\tfmt.Fprintf(c.App.Writer, \"user %s (role: %s, tier: %s%s)\\n\", u.Name, u.Role, tier, provisioned)\n\t\tif u.Role == user.RoleAdmin {\n\t\t\tfmt.Fprintf(c.App.Writer, \"- read-write access to all topics (admin role)\\n\")\n\t\t} else if len(grants) > 0 {\n\t\t\tfor _, grant := range grants {\n\t\t\t\tgrantProvisioned := \"\"\n\t\t\t\tif grant.Provisioned {\n\t\t\t\t\tgrantProvisioned = \" (server config)\"\n\t\t\t\t}\n\t\t\t\tif grant.Permission.IsReadWrite() {\n\t\t\t\t\tfmt.Fprintf(c.App.Writer, \"- read-write access to topic %s%s\\n\", grant.TopicPattern, grantProvisioned)\n\t\t\t\t} else if grant.Permission.IsRead() {\n\t\t\t\t\tfmt.Fprintf(c.App.Writer, \"- read-only access to topic %s%s\\n\", grant.TopicPattern, grantProvisioned)\n\t\t\t\t} else if grant.Permission.IsWrite() {\n\t\t\t\t\tfmt.Fprintf(c.App.Writer, \"- write-only access to topic %s%s\\n\", grant.TopicPattern, grantProvisioned)\n\t\t\t\t} else {\n\t\t\t\t\tfmt.Fprintf(c.App.Writer, \"- no access to topic %s%s\\n\", grant.TopicPattern, grantProvisioned)\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfmt.Fprintf(c.App.Writer, \"- no topic-specific permissions\\n\")\n\t\t}\n\t\tif u.Name == user.Everyone {\n\t\t\taccess := manager.DefaultAccess()\n\t\t\tif access.IsReadWrite() {\n\t\t\t\tfmt.Fprintln(c.App.Writer, \"- read-write access to all (other) topics (server config)\")\n\t\t\t} else if access.IsRead() {\n\t\t\t\tfmt.Fprintln(c.App.Writer, \"- read-only access to all (other) topics (server config)\")\n\t\t\t} else if access.IsWrite() {\n\t\t\t\tfmt.Fprintln(c.App.Writer, \"- write-only access to all (other) topics (server config)\")\n\t\t\t} else {\n\t\t\t\tfmt.Fprintln(c.App.Writer, \"- no access to any (other) topics (server config)\")\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n" }, { "path": "cmd/access_test.go", "content": "package cmd\n\nimport (\n\t\"fmt\"\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/server\"\n\t\"heckel.io/ntfy/v2/test\"\n\t\"testing\"\n)\n\nfunc TestCLI_Access_Show(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, runAccessCommand(app, conf))\n\trequire.Contains(t, stdout.String(), \"user * (role: anonymous, tier: none)\\n- no topic-specific permissions\\n- no access to any (other) topics (server config)\")\n}\n\nfunc TestCLI_Access_Grant_And_Publish(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, stdin, _, _ := newTestApp()\n\tstdin.WriteString(\"philpass\\nphilpass\\nbenpass\\nbenpass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"--role=admin\", \"phil\"))\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"ben\"))\n\trequire.Nil(t, runAccessCommand(app, conf, \"ben\", \"announcements\", \"rw\"))\n\trequire.Nil(t, runAccessCommand(app, conf, \"ben\", \"sometopic\", \"read\"))\n\trequire.Nil(t, runAccessCommand(app, conf, \"everyone\", \"announcements\", \"read\"))\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, runAccessCommand(app, conf))\n\texpected := `user phil (role: admin, tier: none)\n- read-write access to all topics (admin role)\nuser ben (role: user, tier: none)\n- read-write access to topic announcements\n- read-only access to topic sometopic\nuser * (role: anonymous, tier: none)\n- read-only access to topic announcements\n- no access to any (other) topics (server config)\n`\n\trequire.Equal(t, expected, stdout.String())\n\n\t// See if access permissions match\n\tapp, _, _, _ = newTestApp()\n\trequire.Error(t, app.Run([]string{\n\t\t\"ntfy\",\n\t\t\"publish\",\n\t\tfmt.Sprintf(\"http://127.0.0.1:%d/announcements\", port),\n\t}))\n\trequire.Nil(t, app.Run([]string{\n\t\t\"ntfy\",\n\t\t\"publish\",\n\t\t\"-u\", \"ben:benpass\",\n\t\tfmt.Sprintf(\"http://127.0.0.1:%d/announcements\", port),\n\t}))\n\trequire.Nil(t, app.Run([]string{\n\t\t\"ntfy\",\n\t\t\"publish\",\n\t\t\"-u\", \"phil:philpass\",\n\t\tfmt.Sprintf(\"http://127.0.0.1:%d/announcements\", port),\n\t}))\n\trequire.Nil(t, app.Run([]string{\n\t\t\"ntfy\",\n\t\t\"subscribe\",\n\t\t\"--poll\",\n\t\tfmt.Sprintf(\"http://127.0.0.1:%d/announcements\", port),\n\t}))\n\trequire.Error(t, app.Run([]string{\n\t\t\"ntfy\",\n\t\t\"subscribe\",\n\t\t\"--poll\",\n\t\tfmt.Sprintf(\"http://127.0.0.1:%d/something-else\", port),\n\t}))\n}\n\nfunc runAccessCommand(app *cli.App, conf *server.Config, args ...string) error {\n\tuserArgs := []string{\n\t\t\"ntfy\",\n\t\t\"--log-level=ERROR\",\n\t\t\"access\",\n\t\t\"--config=\" + conf.File, // Dummy config file to avoid lookups of real file\n\t\t\"--auth-file=\" + conf.AuthFile,\n\t\t\"--auth-default-access=\" + conf.AuthDefault.String(),\n\t}\n\treturn app.Run(append(userArgs, args...))\n}\n" }, { "path": "cmd/app.go", "content": "// Package cmd provides the ntfy CLI application\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"regexp\"\n\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\t\"heckel.io/ntfy/v2/log\"\n)\n\nconst (\n\tcategoryClient = \"Client commands\"\n\tcategoryServer = \"Server commands\"\n)\n\n// Build metadata keys for app.Metadata\nconst (\n\tMetadataKeyCommit = \"commit\"\n\tMetadataKeyDate = \"date\"\n)\n\nvar commands = make([]*cli.Command, 0)\n\nvar flagsDefault = []cli.Flag{\n\t&cli.BoolFlag{Name: \"debug\", Aliases: []string{\"d\"}, EnvVars: []string{\"NTFY_DEBUG\"}, Usage: \"enable debug logging\"},\n\t&cli.BoolFlag{Name: \"trace\", EnvVars: []string{\"NTFY_TRACE\"}, Usage: \"enable tracing (very verbose, be careful)\"},\n\t&cli.BoolFlag{Name: \"no-log-dates\", Aliases: []string{\"no_log_dates\"}, EnvVars: []string{\"NTFY_NO_LOG_DATES\"}, Usage: \"disable the date/time prefix\"},\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"log-level\", Aliases: []string{\"log_level\"}, Value: log.InfoLevel.String(), EnvVars: []string{\"NTFY_LOG_LEVEL\"}, Usage: \"set log level\"}),\n\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{Name: \"log-level-overrides\", Aliases: []string{\"log_level_overrides\"}, EnvVars: []string{\"NTFY_LOG_LEVEL_OVERRIDES\"}, Usage: \"set log level overrides\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"log-format\", Aliases: []string{\"log_format\"}, Value: log.TextFormat.String(), EnvVars: []string{\"NTFY_LOG_FORMAT\"}, Usage: \"set log format\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"log-file\", Aliases: []string{\"log_file\"}, EnvVars: []string{\"NTFY_LOG_FILE\"}, Usage: \"set log file, default is STDOUT\"}),\n}\n\nvar (\n\tlogLevelOverrideRegex = regexp.MustCompile(`(?i)^([^=\\s]+)(?:\\s*=\\s*(\\S+))?\\s*->\\s*(TRACE|DEBUG|INFO|WARN|ERROR)$`)\n)\n\n// New creates a new CLI application\nfunc New() *cli.App {\n\treturn &cli.App{\n\t\tName: \"ntfy\",\n\t\tUsage: \"Simple pub-sub notification service\",\n\t\tUsageText: \"ntfy [OPTION..]\",\n\t\tHideVersion: true,\n\t\tUseShortOptionHandling: true,\n\t\tReader: os.Stdin,\n\t\tWriter: os.Stdout,\n\t\tErrWriter: os.Stderr,\n\t\tCommands: commands,\n\t\tFlags: flagsDefault,\n\t\tBefore: initLogFunc,\n\t}\n}\n\nfunc initLogFunc(c *cli.Context) error {\n\tlog.SetLevel(log.ToLevel(c.String(\"log-level\")))\n\tlog.SetFormat(log.ToFormat(c.String(\"log-format\")))\n\tif c.Bool(\"trace\") {\n\t\tlog.SetLevel(log.TraceLevel)\n\t} else if c.Bool(\"debug\") {\n\t\tlog.SetLevel(log.DebugLevel)\n\t}\n\tif c.Bool(\"no-log-dates\") {\n\t\tlog.DisableDates()\n\t}\n\tif err := applyLogLevelOverrides(c.StringSlice(\"log-level-overrides\")); err != nil {\n\t\treturn err\n\t}\n\tlogFile := c.String(\"log-file\")\n\tif logFile != \"\" {\n\t\tw, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tlog.SetOutput(w)\n\t}\n\treturn nil\n}\n\nfunc applyLogLevelOverrides(rawOverrides []string) error {\n\tfor _, override := range rawOverrides {\n\t\tm := logLevelOverrideRegex.FindStringSubmatch(override)\n\t\tif len(m) == 4 {\n\t\t\tfield, value, level := m[1], m[2], m[3]\n\t\t\tlog.SetLevelOverride(field, value, log.ToLevel(level))\n\t\t} else if len(m) == 3 {\n\t\t\tfield, level := m[1], m[2]\n\t\t\tlog.SetLevelOverride(field, \"\", log.ToLevel(level)) // Matches any value\n\t\t} else {\n\t\t\treturn fmt.Errorf(`invalid log level override \"%s\", must be \"field=value -> loglevel\", e.g. \"user_id=u_123 -> DEBUG\"`, override)\n\t\t}\n\t}\n\treturn nil\n}\n" }, { "path": "cmd/app_test.go", "content": "package cmd\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/client\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n)\n\n// This only contains helpers so far\n\nfunc TestMain(m *testing.M) {\n\tlog.SetLevel(log.ErrorLevel)\n\tos.Exit(m.Run())\n}\n\nfunc newTestApp() (*cli.App, *bytes.Buffer, *bytes.Buffer, *bytes.Buffer) {\n\tvar stdin, stdout, stderr bytes.Buffer\n\tapp := New()\n\tapp.Reader = &stdin\n\tapp.Writer = &stdout\n\tapp.ErrWriter = &stderr\n\treturn app, &stdin, &stdout, &stderr\n}\n\nfunc toMessage(t *testing.T, s string) *client.Message {\n\tvar m *client.Message\n\tif err := json.NewDecoder(strings.NewReader(s)).Decode(&m); err != nil {\n\t\tt.Fatal(err)\n\t}\n\treturn m\n}\n" }, { "path": "cmd/config_loader.go", "content": "package cmd\n\nimport (\n\t\"fmt\"\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\t\"gopkg.in/yaml.v2\"\n\t\"heckel.io/ntfy/v2/util\"\n\t\"os\"\n)\n\n// initConfigFileInputSourceFunc is like altsrc.InitInputSourceWithContext and altsrc.NewYamlSourceFromFlagFunc, but checks\n// if the config flag is exists and only loads it if it does. If the flag is set and the file exists, it fails.\nfunc initConfigFileInputSourceFunc(configFlag string, flags []cli.Flag, next cli.BeforeFunc) cli.BeforeFunc {\n\treturn func(context *cli.Context) error {\n\t\tconfigFile := context.String(configFlag)\n\t\tif context.IsSet(configFlag) && !util.FileExists(configFile) {\n\t\t\treturn fmt.Errorf(\"config file %s does not exist\", configFile)\n\t\t} else if !context.IsSet(configFlag) && !util.FileExists(configFile) {\n\t\t\treturn nil\n\t\t}\n\t\tinputSource, err := newYamlSourceFromFile(configFile, flags)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := altsrc.ApplyInputSourceValues(context, inputSource, flags); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif next != nil {\n\t\t\tif err := next(context); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}\n}\n\n// newYamlSourceFromFile creates a new Yaml InputSourceContext from a filepath.\n//\n// This function also maps aliases, so a .yml file can contain short options, or options with underscores\n// instead of dashes. See https://github.com/binwiederhier/ntfy/issues/255.\nfunc newYamlSourceFromFile(file string, flags []cli.Flag) (altsrc.InputSourceContext, error) {\n\tvar rawConfig map[any]any\n\tb, err := os.ReadFile(file)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif err := yaml.Unmarshal(b, &rawConfig); err != nil {\n\t\treturn nil, err\n\t}\n\tfor _, f := range flags {\n\t\tflagName := f.Names()[0]\n\t\tfor _, flagAlias := range f.Names()[1:] {\n\t\t\tif _, ok := rawConfig[flagAlias]; ok {\n\t\t\t\trawConfig[flagName] = rawConfig[flagAlias]\n\t\t\t}\n\t\t}\n\t}\n\treturn altsrc.NewMapInputSource(file, rawConfig), nil\n}\n" }, { "path": "cmd/config_loader_test.go", "content": "package cmd\n\nimport (\n\t\"github.com/stretchr/testify/require\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n)\n\nfunc TestNewYamlSourceFromFile(t *testing.T) {\n\tfilename := filepath.Join(t.TempDir(), \"server.yml\")\n\tcontents := `\n# Normal options\nlisten-https: \":10443\"\n\n# Note the underscore!\nlisten_http: \":1080\"\n\n# OMG this is allowed now ...\nK: /some/file.pem\n`\n\trequire.Nil(t, os.WriteFile(filename, []byte(contents), 0600))\n\n\tctx, err := newYamlSourceFromFile(filename, flagsServe)\n\trequire.Nil(t, err)\n\n\tlistenHTTPS, err := ctx.String(\"listen-https\")\n\trequire.Nil(t, err)\n\trequire.Equal(t, \":10443\", listenHTTPS)\n\n\tlistenHTTP, err := ctx.String(\"listen-http\") // No underscore!\n\trequire.Nil(t, err)\n\trequire.Equal(t, \":1080\", listenHTTP)\n\n\tkeyFile, err := ctx.String(\"key-file\") // Long option!\n\trequire.Nil(t, err)\n\trequire.Equal(t, \"/some/file.pem\", keyFile)\n}\n" }, { "path": "cmd/publish.go", "content": "package cmd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/client\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"heckel.io/ntfy/v2/util\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n)\n\nfunc init() {\n\tcommands = append(commands, cmdPublish)\n}\n\nvar flagsPublish = append(\n\tappend([]cli.Flag{}, flagsDefault...),\n\t&cli.StringFlag{Name: \"config\", Aliases: []string{\"c\"}, EnvVars: []string{\"NTFY_CONFIG\"}, Usage: \"client config file\"},\n\t&cli.StringFlag{Name: \"title\", Aliases: []string{\"t\"}, EnvVars: []string{\"NTFY_TITLE\"}, Usage: \"message title\"},\n\t&cli.StringFlag{Name: \"message\", Aliases: []string{\"m\"}, EnvVars: []string{\"NTFY_MESSAGE\"}, Usage: \"message body\"},\n\t&cli.StringFlag{Name: \"priority\", Aliases: []string{\"p\"}, EnvVars: []string{\"NTFY_PRIORITY\"}, Usage: \"priority of the message (1=min, 2=low, 3=default, 4=high, 5=max)\"},\n\t&cli.StringFlag{Name: \"tags\", Aliases: []string{\"tag\", \"T\"}, EnvVars: []string{\"NTFY_TAGS\"}, Usage: \"comma separated list of tags and emojis\"},\n\t&cli.StringFlag{Name: \"delay\", Aliases: []string{\"at\", \"in\", \"D\"}, EnvVars: []string{\"NTFY_DELAY\"}, Usage: \"delay/schedule message\"},\n\t&cli.StringFlag{Name: \"click\", Aliases: []string{\"U\"}, EnvVars: []string{\"NTFY_CLICK\"}, Usage: \"URL to open when notification is clicked\"},\n\t&cli.StringFlag{Name: \"icon\", Aliases: []string{\"i\"}, EnvVars: []string{\"NTFY_ICON\"}, Usage: \"URL to use as notification icon\"},\n\t&cli.StringFlag{Name: \"actions\", Aliases: []string{\"A\"}, EnvVars: []string{\"NTFY_ACTIONS\"}, Usage: \"actions JSON array or simple definition\"},\n\t&cli.StringFlag{Name: \"attach\", Aliases: []string{\"a\"}, EnvVars: []string{\"NTFY_ATTACH\"}, Usage: \"URL to send as an external attachment\"},\n\t&cli.BoolFlag{Name: \"markdown\", Aliases: []string{\"md\"}, EnvVars: []string{\"NTFY_MARKDOWN\"}, Usage: \"Message is formatted as Markdown\"},\n\t&cli.StringFlag{Name: \"template\", Aliases: []string{\"tpl\"}, EnvVars: []string{\"NTFY_TEMPLATE\"}, Usage: \"use templates to transform JSON message body\"},\n\t&cli.StringFlag{Name: \"filename\", Aliases: []string{\"name\", \"n\"}, EnvVars: []string{\"NTFY_FILENAME\"}, Usage: \"filename for the attachment\"},\n\t&cli.StringFlag{Name: \"sequence-id\", Aliases: []string{\"sequence_id\", \"sid\", \"S\"}, EnvVars: []string{\"NTFY_SEQUENCE_ID\"}, Usage: \"sequence ID for updating notifications\"},\n\t&cli.StringFlag{Name: \"file\", Aliases: []string{\"f\"}, EnvVars: []string{\"NTFY_FILE\"}, Usage: \"file to upload as an attachment\"},\n\t&cli.StringFlag{Name: \"email\", Aliases: []string{\"mail\", \"e\"}, EnvVars: []string{\"NTFY_EMAIL\"}, Usage: \"also send to e-mail address\"},\n\t&cli.StringFlag{Name: \"user\", Aliases: []string{\"u\"}, EnvVars: []string{\"NTFY_USER\"}, Usage: \"username[:password] used to auth against the server\"},\n\t&cli.StringFlag{Name: \"token\", Aliases: []string{\"k\"}, EnvVars: []string{\"NTFY_TOKEN\"}, Usage: \"access token used to auth against the server\"},\n\t&cli.IntFlag{Name: \"wait-pid\", Aliases: []string{\"wait_pid\", \"pid\"}, EnvVars: []string{\"NTFY_WAIT_PID\"}, Usage: \"wait until PID exits before publishing\"},\n\t&cli.BoolFlag{Name: \"wait-cmd\", Aliases: []string{\"wait_cmd\", \"cmd\", \"done\"}, EnvVars: []string{\"NTFY_WAIT_CMD\"}, Usage: \"run command and wait until it finishes before publishing\"},\n\t&cli.BoolFlag{Name: \"no-cache\", Aliases: []string{\"no_cache\", \"C\"}, EnvVars: []string{\"NTFY_NO_CACHE\"}, Usage: \"do not cache message server-side\"},\n\t&cli.BoolFlag{Name: \"no-firebase\", Aliases: []string{\"no_firebase\", \"F\"}, EnvVars: []string{\"NTFY_NO_FIREBASE\"}, Usage: \"do not forward message to Firebase\"},\n\t&cli.BoolFlag{Name: \"quiet\", Aliases: []string{\"q\"}, EnvVars: []string{\"NTFY_QUIET\"}, Usage: \"do not print message\"},\n)\n\nvar cmdPublish = &cli.Command{\n\tName: \"publish\",\n\tAliases: []string{\"pub\", \"send\", \"trigger\"},\n\tUsage: \"Send message via a ntfy server\",\n\tUsageText: `ntfy publish [OPTIONS..] TOPIC [MESSAGE...]\nntfy publish [OPTIONS..] --wait-cmd COMMAND...\nNTFY_TOPIC=.. ntfy publish [OPTIONS..] [MESSAGE...]`,\n\tAction: execPublish,\n\tCategory: categoryClient,\n\tFlags: flagsPublish,\n\tBefore: initLogFunc,\n\tDescription: `Publish a message to a ntfy server.\n\nExamples:\n ntfy publish mytopic This is my message # Send simple message\n ntfy send myserver.com/mytopic \"This is my message\" # Send message to different default host\n ntfy pub -p high backups \"Backups failed\" # Send high priority message\n ntfy pub --tags=warning,skull backups \"Backups failed\" # Add tags/emojis to message\n ntfy pub --delay=10s delayed_topic Laterzz # Delay message by 10s\n ntfy pub --at=8:30am delayed_topic Laterzz # Send message at 8:30am\n ntfy pub -e phil@example.com alerts 'App is down!' # Also send email to phil@example.com\n ntfy pub --click=\"https://reddit.com\" redd 'New msg' # Opens Reddit when notification is clicked\n ntfy pub --icon=\"http://some.tld/icon.png\" 'Icon!' # Send notification with custom icon\n ntfy pub --attach=\"http://some.tld/file.zip\" files # Send ZIP archive from URL as attachment\n ntfy pub --file=flower.jpg flowers 'Nice!' # Send image.jpg as attachment\n ntfy pub -S my-id mytopic 'Update me' # Send with sequence ID for updates\n echo 'message' | ntfy publish mytopic # Send message from stdin\n ntfy pub -u phil:mypass secret Psst # Publish with username/password\n ntfy pub --wait-pid 1234 mytopic # Wait for process 1234 to exit before publishing\n ntfy pub --wait-cmd mytopic rsync -av ./ /tmp/a # Run command and publish after it completes\n NTFY_USER=phil:mypass ntfy pub secret Psst # Use env variables to set username/password\n NTFY_TOPIC=mytopic ntfy pub \"some message\" # Use NTFY_TOPIC variable as topic \n cat flower.jpg | ntfy pub --file=- flowers 'Nice!' # Same as above, send image.jpg as attachment\n ntfy trigger mywebhook # Sending without message, useful for webhooks\n \nPlease also check out the docs on publishing messages. Especially for the --tags and --delay options, \nit has incredibly useful information: https://ntfy.sh/docs/publish/.\n\n` + clientCommandDescriptionSuffix,\n}\n\nfunc execPublish(c *cli.Context) error {\n\tconf, err := loadConfig(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\ttitle := c.String(\"title\")\n\tpriority := c.String(\"priority\")\n\ttags := c.String(\"tags\")\n\tdelay := c.String(\"delay\")\n\tclick := c.String(\"click\")\n\ticon := c.String(\"icon\")\n\tactions := c.String(\"actions\")\n\tattach := c.String(\"attach\")\n\tmarkdown := c.Bool(\"markdown\")\n\ttemplate := c.String(\"template\")\n\tfilename := c.String(\"filename\")\n\tsequenceID := c.String(\"sequence-id\")\n\tfile := c.String(\"file\")\n\temail := c.String(\"email\")\n\tuser := c.String(\"user\")\n\ttoken := c.String(\"token\")\n\tnoCache := c.Bool(\"no-cache\")\n\tnoFirebase := c.Bool(\"no-firebase\")\n\tquiet := c.Bool(\"quiet\")\n\tpid := c.Int(\"wait-pid\")\n\n\t// Checks\n\tif user != \"\" && token != \"\" {\n\t\treturn errors.New(\"cannot set both --user and --token\")\n\t}\n\n\t// Do the things\n\ttopic, message, command, err := parseTopicMessageCommand(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar options []client.PublishOption\n\tif title != \"\" {\n\t\toptions = append(options, client.WithTitle(title))\n\t}\n\tif priority != \"\" {\n\t\toptions = append(options, client.WithPriority(priority))\n\t}\n\tif tags != \"\" {\n\t\toptions = append(options, client.WithTagsList(tags))\n\t}\n\tif delay != \"\" {\n\t\toptions = append(options, client.WithDelay(delay))\n\t}\n\tif click != \"\" {\n\t\toptions = append(options, client.WithClick(click))\n\t}\n\tif icon != \"\" {\n\t\toptions = append(options, client.WithIcon(icon))\n\t}\n\tif actions != \"\" {\n\t\toptions = append(options, client.WithActions(strings.ReplaceAll(actions, \"\\n\", \" \")))\n\t}\n\tif attach != \"\" {\n\t\toptions = append(options, client.WithAttach(attach))\n\t}\n\tif markdown {\n\t\toptions = append(options, client.WithMarkdown())\n\t}\n\tif template != \"\" {\n\t\toptions = append(options, client.WithTemplate(template))\n\t}\n\tif filename != \"\" {\n\t\toptions = append(options, client.WithFilename(filename))\n\t}\n\tif sequenceID != \"\" {\n\t\toptions = append(options, client.WithSequenceID(sequenceID))\n\t}\n\tif email != \"\" {\n\t\toptions = append(options, client.WithEmail(email))\n\t}\n\tif noCache {\n\t\toptions = append(options, client.WithNoCache())\n\t}\n\tif noFirebase {\n\t\toptions = append(options, client.WithNoFirebase())\n\t}\n\tif token != \"\" {\n\t\toptions = append(options, client.WithBearerAuth(token))\n\t} else if user != \"\" {\n\t\tvar pass string\n\t\tparts := strings.SplitN(user, \":\", 2)\n\t\tif len(parts) == 2 {\n\t\t\tuser = parts[0]\n\t\t\tpass = parts[1]\n\t\t} else {\n\t\t\tfmt.Fprint(c.App.ErrWriter, \"Enter Password: \")\n\t\t\tp, err := util.ReadPassword(c.App.Reader)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tpass = string(p)\n\t\t\tfmt.Fprintf(c.App.ErrWriter, \"\\r%s\\r\", strings.Repeat(\" \", 20))\n\t\t}\n\t\toptions = append(options, client.WithBasicAuth(user, pass))\n\t} else if conf.DefaultToken != \"\" {\n\t\toptions = append(options, client.WithBearerAuth(conf.DefaultToken))\n\t} else if conf.DefaultUser != \"\" && conf.DefaultPassword != nil {\n\t\toptions = append(options, client.WithBasicAuth(conf.DefaultUser, *conf.DefaultPassword))\n\t}\n\tif pid > 0 {\n\t\tnewMessage, err := waitForProcess(pid)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t} else if message == \"\" {\n\t\t\tmessage = newMessage\n\t\t}\n\t} else if len(command) > 0 {\n\t\tnewMessage, err := runAndWaitForCommand(command)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t} else if message == \"\" {\n\t\t\tmessage = newMessage\n\t\t}\n\t}\n\tvar body io.Reader\n\tif file == \"\" {\n\t\tbody = strings.NewReader(message)\n\t} else {\n\t\tif message != \"\" {\n\t\t\toptions = append(options, client.WithMessage(message))\n\t\t}\n\t\tif file == \"-\" {\n\t\t\tif filename == \"\" {\n\t\t\t\toptions = append(options, client.WithFilename(\"stdin\"))\n\t\t\t}\n\t\t\tbody = c.App.Reader\n\t\t} else {\n\t\t\tif filename == \"\" {\n\t\t\t\toptions = append(options, client.WithFilename(filepath.Base(file)))\n\t\t\t}\n\t\t\tbody, err = os.Open(file)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\tcl := client.New(conf)\n\tm, err := cl.PublishReader(topic, body, options...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !quiet {\n\t\tfmt.Fprintln(c.App.Writer, strings.TrimSpace(m.Raw))\n\t}\n\treturn nil\n}\n\n// parseTopicMessageCommand reads the topic and the remaining arguments from the context.\n\n// There are a few cases to consider:\n//\n//\tntfy publish []\n//\tntfy publish --wait-cmd \n//\tNTFY_TOPIC=.. ntfy publish []\n//\tNTFY_TOPIC=.. ntfy publish --wait-cmd \nfunc parseTopicMessageCommand(c *cli.Context) (topic string, message string, command []string, err error) {\n\tvar args []string\n\ttopic, args, err = parseTopicAndArgs(c)\n\tif err != nil {\n\t\treturn\n\t}\n\tif c.Bool(\"wait-cmd\") {\n\t\tif len(args) == 0 {\n\t\t\terr = errors.New(\"must specify command when --wait-cmd is passed, type 'ntfy publish --help' for help\")\n\t\t\treturn\n\t\t}\n\t\tcommand = args\n\t} else {\n\t\tmessage = strings.Join(args, \" \")\n\t}\n\tif c.String(\"message\") != \"\" {\n\t\tmessage = c.String(\"message\")\n\t}\n\tif message == \"\" && isStdinRedirected() {\n\t\tvar data []byte\n\t\tdata, err = io.ReadAll(io.LimitReader(c.App.Reader, 1024*1024))\n\t\tif err != nil {\n\t\t\tlog.Debug(\"Failed to read from stdin: %s\", err.Error())\n\t\t\treturn\n\t\t}\n\t\tmessage = strings.TrimSpace(string(data))\n\t}\n\treturn\n}\n\nfunc parseTopicAndArgs(c *cli.Context) (topic string, args []string, err error) {\n\tenvTopic := os.Getenv(\"NTFY_TOPIC\")\n\tif envTopic != \"\" {\n\t\ttopic = envTopic\n\t\treturn topic, remainingArgs(c, 0), nil\n\t}\n\tif c.NArg() < 1 {\n\t\treturn \"\", nil, errors.New(\"must specify topic, type 'ntfy publish --help' for help\")\n\t}\n\treturn c.Args().Get(0), remainingArgs(c, 1), nil\n}\n\nfunc remainingArgs(c *cli.Context, fromIndex int) []string {\n\tif c.NArg() > fromIndex {\n\t\treturn c.Args().Slice()[fromIndex:]\n\t}\n\treturn []string{}\n}\n\nfunc waitForProcess(pid int) (message string, err error) {\n\tif !processExists(pid) {\n\t\treturn \"\", fmt.Errorf(\"process with PID %d not running\", pid)\n\t}\n\tstart := time.Now()\n\tlog.Debug(\"Waiting for process with PID %d to exit\", pid)\n\tfor processExists(pid) {\n\t\ttime.Sleep(500 * time.Millisecond)\n\t}\n\truntime := time.Since(start).Round(time.Millisecond)\n\tlog.Debug(\"Process with PID %d exited after %s\", pid, runtime)\n\treturn fmt.Sprintf(\"Process with PID %d exited after %s\", pid, runtime), nil\n}\n\nfunc runAndWaitForCommand(command []string) (message string, err error) {\n\tprettyCmd := util.QuoteCommand(command)\n\tlog.Debug(\"Running command: %s\", prettyCmd)\n\tstart := time.Now()\n\tcmd := exec.Command(command[0], command[1:]...)\n\tif log.IsTrace() {\n\t\tcmd.Stdout = os.Stdout\n\t\tcmd.Stderr = os.Stderr\n\t}\n\terr = cmd.Run()\n\truntime := time.Since(start).Round(time.Millisecond)\n\tif err != nil {\n\t\tif exitError, ok := err.(*exec.ExitError); ok {\n\t\t\tlog.Debug(\"Command failed after %s (exit code %d): %s\", runtime, exitError.ExitCode(), prettyCmd)\n\t\t\treturn fmt.Sprintf(\"Command failed after %s (exit code %d): %s\", runtime, exitError.ExitCode(), prettyCmd), nil\n\t\t}\n\t\t// Hard fail when command does not exist or could not be properly launched\n\t\treturn \"\", fmt.Errorf(\"command failed: %s, error: %s\", prettyCmd, err.Error())\n\t}\n\tlog.Debug(\"Command succeeded after %s: %s\", runtime, prettyCmd)\n\treturn fmt.Sprintf(\"Command succeeded after %s: %s\", runtime, prettyCmd), nil\n}\n\nfunc isStdinRedirected() bool {\n\tstat, err := os.Stdin.Stat()\n\tif err != nil {\n\t\tlog.Debug(\"Failed to stat stdin: %s\", err.Error())\n\t\treturn false\n\t}\n\treturn (stat.Mode() & os.ModeCharDevice) == 0\n}\n" }, { "path": "cmd/publish_test.go", "content": "package cmd\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/require\"\n\t\"heckel.io/ntfy/v2/test\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nfunc TestCLI_Publish_Subscribe_Poll_Real_Server(t *testing.T) {\n\tt.Skip(\"temporarily disabled\") // FIXME\n\ttestMessage := util.RandomString(10)\n\tapp, _, _, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"ntfytest\", \"ntfy unit test \" + testMessage}))\n\n\t_, err := util.Retry(func() (*int, error) {\n\t\tapp2, _, stdout, _ := newTestApp()\n\t\tif err := app2.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"ntfytest\"}); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif !strings.Contains(stdout.String(), testMessage) {\n\t\t\treturn nil, fmt.Errorf(\"test message %s not found in topic\", testMessage)\n\t\t}\n\t\treturn util.Int(1), nil\n\t}, time.Second, 2*time.Second, 5*time.Second) // Since #502, ntfy.sh writes messages to the cache asynchronously, after a timeout of ~1.5s\n\trequire.Nil(t, err)\n}\n\nfunc TestCLI_Publish_Subscribe_Poll(t *testing.T) {\n\ts, port := test.StartServer(t)\n\tdefer test.StopServer(t, s, port)\n\ttopic := fmt.Sprintf(\"http://127.0.0.1:%d/mytopic\", port)\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", topic, \"some message\"}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"some message\", m.Message)\n\n\tapp2, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app2.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", topic}))\n\tm = toMessage(t, stdout.String())\n\trequire.Equal(t, \"some message\", m.Message)\n}\n\nfunc TestCLI_Publish_All_The_Things(t *testing.T) {\n\ts, port := test.StartServer(t)\n\tdefer test.StopServer(t, s, port)\n\ttopic := fmt.Sprintf(\"http://127.0.0.1:%d/mytopic\", port)\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\n\t\t\"ntfy\", \"publish\",\n\t\t\"--title\", \"this is a title\",\n\t\t\"--priority\", \"high\",\n\t\t\"--tags\", \"tag1,tag2\",\n\t\t// No --delay, --email\n\t\t\"--click\", \"https://ntfy.sh\",\n\t\t\"--icon\", \"https://ntfy.sh/static/img/ntfy.png\",\n\t\t\"--attach\", \"https://f-droid.org/F-Droid.apk\",\n\t\t\"--filename\", \"fdroid.apk\",\n\t\t\"--no-cache\",\n\t\t\"--no-firebase\",\n\t\ttopic,\n\t\t\"some message\",\n\t}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"message\", m.Event)\n\trequire.Equal(t, \"mytopic\", m.Topic)\n\trequire.Equal(t, \"some message\", m.Message)\n\trequire.Equal(t, \"this is a title\", m.Title)\n\trequire.Equal(t, 4, m.Priority)\n\trequire.Equal(t, []string{\"tag1\", \"tag2\"}, m.Tags)\n\trequire.Equal(t, \"https://ntfy.sh\", m.Click)\n\trequire.Equal(t, \"https://f-droid.org/F-Droid.apk\", m.Attachment.URL)\n\trequire.Equal(t, \"fdroid.apk\", m.Attachment.Name)\n\trequire.Equal(t, int64(0), m.Attachment.Size)\n\trequire.Equal(t, \"\", m.Attachment.Owner)\n\trequire.Equal(t, int64(0), m.Attachment.Expires)\n\trequire.Equal(t, \"\", m.Attachment.Type)\n\trequire.Equal(t, \"https://ntfy.sh/static/img/ntfy.png\", m.Icon)\n}\n\nfunc TestCLI_Publish_Wait_PID_And_Cmd(t *testing.T) {\n\ts, port := test.StartServer(t)\n\tdefer test.StopServer(t, s, port)\n\ttopic := fmt.Sprintf(\"http://127.0.0.1:%d/mytopic\", port)\n\n\t// Test: sleep 0.5\n\tsleep := exec.Command(\"sleep\", \"0.5\")\n\trequire.Nil(t, sleep.Start())\n\tgo sleep.Wait() // Must be called to release resources\n\tstart := time.Now()\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--wait-pid\", strconv.Itoa(sleep.Process.Pid), topic}))\n\tm := toMessage(t, stdout.String())\n\trequire.True(t, time.Since(start) >= 500*time.Millisecond)\n\trequire.Regexp(t, `Process with PID \\d+ exited after `, m.Message)\n\n\t// Test: PID does not exist\n\tapp, _, _, _ = newTestApp()\n\terr := app.Run([]string{\"ntfy\", \"publish\", \"--wait-pid\", \"1234567\", topic})\n\trequire.Error(t, err)\n\trequire.Equal(t, \"process with PID 1234567 not running\", err.Error())\n\n\t// Test: Successful command (exit 0)\n\tstart = time.Now()\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--wait-cmd\", topic, \"sleep\", \"0.5\"}))\n\tm = toMessage(t, stdout.String())\n\trequire.True(t, time.Since(start) >= 500*time.Millisecond)\n\trequire.Contains(t, m.Message, `Command succeeded after `)\n\trequire.Contains(t, m.Message, `: sleep 0.5`)\n\n\t// Test: Failing command (exit 1)\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--wait-cmd\", topic, \"/bin/false\", \"false doesn't care about its args\"}))\n\tm = toMessage(t, stdout.String())\n\trequire.Contains(t, m.Message, `Command failed after `)\n\trequire.Contains(t, m.Message, `(exit code 1): /bin/false \"false doesn't care about its args\"`, m.Message)\n\n\t// Test: Non-existing command (hard fail!)\n\tapp, _, _, _ = newTestApp()\n\terr = app.Run([]string{\"ntfy\", \"publish\", \"--wait-cmd\", topic, \"does-not-exist-no-really\", \"really though\"})\n\trequire.Error(t, err)\n\trequire.Equal(t, `command failed: does-not-exist-no-really \"really though\", error: exec: \"does-not-exist-no-really\": executable file not found in $PATH`, err.Error())\n\n\t// Tests with NTFY_TOPIC set ////\n\tt.Setenv(\"NTFY_TOPIC\", topic)\n\n\t// Test: Successful command with NTFY_TOPIC\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--cmd\", \"echo\", \"hi there\"}))\n\tm = toMessage(t, stdout.String())\n\trequire.Equal(t, \"mytopic\", m.Topic)\n\n\t// Test: Successful --wait-pid with NTFY_TOPIC\n\tsleep = exec.Command(\"sleep\", \"0.2\")\n\trequire.Nil(t, sleep.Start())\n\tgo sleep.Wait() // Must be called to release resources\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--wait-pid\", strconv.Itoa(sleep.Process.Pid)}))\n\tm = toMessage(t, stdout.String())\n\trequire.Regexp(t, `Process with PID \\d+ exited after .+ms`, m.Message)\n}\n\nfunc TestCLI_Publish_Default_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: philipp\ndefault-password: mypass\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--config=\" + filename, \"mytopic\", \"triggered\"}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"triggered\", m.Message)\n}\n\nfunc TestCLI_Publish_Default_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--config=\" + filename, \"mytopic\", \"triggered\"}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"triggered\", m.Message)\n}\n\nfunc TestCLI_Publish_Default_UserPass_CLI_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: philipp\ndefault-password: mypass\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--config=\" + filename, \"--token\", \"tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", \"mytopic\", \"triggered\"}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"triggered\", m.Message)\n}\n\nfunc TestCLI_Publish_Default_Token_CLI_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--config=\" + filename, \"--user\", \"philipp:mypass\", \"mytopic\", \"triggered\"}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"triggered\", m.Message)\n}\n\nfunc TestCLI_Publish_Default_Token_CLI_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_FAKETOKEN01234567890FAKETOKEN\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--config=\" + filename, \"--token\", \"tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", \"mytopic\", \"triggered\"}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"triggered\", m.Message)\n}\n\nfunc TestCLI_Publish_Default_UserPass_CLI_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: philipp\ndefault-password: fakepass\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"publish\", \"--config=\" + filename, \"--user\", \"philipp:mypass\", \"mytopic\", \"triggered\"}))\n\tm := toMessage(t, stdout.String())\n\trequire.Equal(t, \"triggered\", m.Message)\n}\n\nfunc TestCLI_Publish_Token_And_UserPass(t *testing.T) {\n\tapp, _, _, _ := newTestApp()\n\terr := app.Run([]string{\"ntfy\", \"publish\", \"--token\", \"tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", \"--user\", \"philipp:mypass\", \"mytopic\", \"triggered\"})\n\trequire.Error(t, err)\n\trequire.Equal(t, \"cannot set both --user and --token\", err.Error())\n}\n" }, { "path": "cmd/publish_unix.go", "content": "//go:build darwin || linux || dragonfly || freebsd || netbsd || openbsd\n\npackage cmd\n\nimport \"syscall\"\n\nfunc processExists(pid int) bool {\n\terr := syscall.Kill(pid, syscall.Signal(0))\n\treturn err == nil\n}\n" }, { "path": "cmd/publish_windows.go", "content": "package cmd\n\nimport (\n\t\"os\"\n)\n\nfunc processExists(pid int) bool {\n\t_, err := os.FindProcess(pid)\n\treturn err == nil\n}\n" }, { "path": "cmd/serve.go", "content": "//go:build !noserver\n\npackage cmd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"math\"\n\t\"net\"\n\t\"net/netip\"\n\t\"net/url\"\n\t\"runtime\"\n\t\"strings\"\n\t\"text/template\"\n\t\"time\"\n\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"heckel.io/ntfy/v2/payments\"\n\t\"heckel.io/ntfy/v2/server\"\n\t\"heckel.io/ntfy/v2/user\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nfunc init() {\n\tcommands = append(commands, cmdServe)\n}\n\nvar flagsServe = append(\n\tappend([]cli.Flag{}, flagsDefault...),\n\t&cli.StringFlag{Name: \"config\", Aliases: []string{\"c\"}, EnvVars: []string{\"NTFY_CONFIG_FILE\"}, Value: server.DefaultConfigFile, Usage: \"config file\"},\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"base-url\", Aliases: []string{\"base_url\", \"B\"}, EnvVars: []string{\"NTFY_BASE_URL\"}, Usage: \"externally visible base URL for this host (e.g. https://ntfy.sh)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"listen-http\", Aliases: []string{\"listen_http\", \"l\"}, EnvVars: []string{\"NTFY_LISTEN_HTTP\"}, Value: server.DefaultListenHTTP, Usage: \"ip:port used as HTTP listen address\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"listen-https\", Aliases: []string{\"listen_https\", \"L\"}, EnvVars: []string{\"NTFY_LISTEN_HTTPS\"}, Usage: \"ip:port used as HTTPS listen address\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"listen-unix\", Aliases: []string{\"listen_unix\", \"U\"}, EnvVars: []string{\"NTFY_LISTEN_UNIX\"}, Usage: \"listen on unix socket path\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"listen-unix-mode\", Aliases: []string{\"listen_unix_mode\"}, EnvVars: []string{\"NTFY_LISTEN_UNIX_MODE\"}, DefaultText: \"system default\", Usage: \"file permissions of unix socket, e.g. 0700\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"key-file\", Aliases: []string{\"key_file\", \"K\"}, EnvVars: []string{\"NTFY_KEY_FILE\"}, Usage: \"private key file, if listen-https is set\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"cert-file\", Aliases: []string{\"cert_file\", \"E\"}, EnvVars: []string{\"NTFY_CERT_FILE\"}, Usage: \"certificate file, if listen-https is set\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"firebase-key-file\", Aliases: []string{\"firebase_key_file\", \"F\"}, EnvVars: []string{\"NTFY_FIREBASE_KEY_FILE\"}, Usage: \"Firebase credentials file; if set additionally publish to FCM topic\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"database-url\", Aliases: []string{\"database_url\"}, EnvVars: []string{\"NTFY_DATABASE_URL\"}, Usage: \"PostgreSQL connection string for database-backed stores (e.g. postgres://user:pass@host:5432/ntfy)\"}),\n\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{Name: \"database-replica-urls\", Aliases: []string{\"database_replica_urls\"}, EnvVars: []string{\"NTFY_DATABASE_REPLICA_URLS\"}, Usage: \"PostgreSQL read replica connection strings for offloading read queries\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"cache-file\", Aliases: []string{\"cache_file\", \"C\"}, EnvVars: []string{\"NTFY_CACHE_FILE\"}, Usage: \"cache file used for message caching\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"cache-duration\", Aliases: []string{\"cache_duration\", \"b\"}, EnvVars: []string{\"NTFY_CACHE_DURATION\"}, Value: util.FormatDuration(server.DefaultCacheDuration), Usage: \"buffer messages for this time to allow `since` requests\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"cache-batch-size\", Aliases: []string{\"cache_batch_size\"}, EnvVars: []string{\"NTFY_BATCH_SIZE\"}, Usage: \"max size of messages to batch together when writing to message cache (if zero, writes are synchronous)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"cache-batch-timeout\", Aliases: []string{\"cache_batch_timeout\"}, EnvVars: []string{\"NTFY_CACHE_BATCH_TIMEOUT\"}, Value: util.FormatDuration(server.DefaultCacheBatchTimeout), Usage: \"timeout for batched async writes to the message cache (if zero, writes are synchronous)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"cache-startup-queries\", Aliases: []string{\"cache_startup_queries\"}, EnvVars: []string{\"NTFY_CACHE_STARTUP_QUERIES\"}, Usage: \"queries run when the cache database is initialized\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"auth-file\", Aliases: []string{\"auth_file\", \"H\"}, EnvVars: []string{\"NTFY_AUTH_FILE\"}, Usage: \"auth database file used for access control\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"auth-startup-queries\", Aliases: []string{\"auth_startup_queries\"}, EnvVars: []string{\"NTFY_AUTH_STARTUP_QUERIES\"}, Usage: \"queries run when the auth database is initialized\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"auth-default-access\", Aliases: []string{\"auth_default_access\", \"p\"}, EnvVars: []string{\"NTFY_AUTH_DEFAULT_ACCESS\"}, Value: \"read-write\", Usage: \"default permissions if no matching entries in the auth database are found\"}),\n\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{Name: \"auth-users\", Aliases: []string{\"auth_users\"}, EnvVars: []string{\"NTFY_AUTH_USERS\"}, Usage: \"pre-provisioned declarative users\"}),\n\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{Name: \"auth-access\", Aliases: []string{\"auth_access\"}, EnvVars: []string{\"NTFY_AUTH_ACCESS\"}, Usage: \"pre-provisioned declarative access control entries\"}),\n\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{Name: \"auth-tokens\", Aliases: []string{\"auth_tokens\"}, EnvVars: []string{\"NTFY_AUTH_TOKENS\"}, Usage: \"pre-provisioned declarative access tokens\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"attachment-cache-dir\", Aliases: []string{\"attachment_cache_dir\"}, EnvVars: []string{\"NTFY_ATTACHMENT_CACHE_DIR\"}, Usage: \"cache directory for attached files\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"attachment-total-size-limit\", Aliases: []string{\"attachment_total_size_limit\", \"A\"}, EnvVars: []string{\"NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT\"}, Value: util.FormatSize(server.DefaultAttachmentTotalSizeLimit), Usage: \"limit of the on-disk attachment cache\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"attachment-file-size-limit\", Aliases: []string{\"attachment_file_size_limit\", \"Y\"}, EnvVars: []string{\"NTFY_ATTACHMENT_FILE_SIZE_LIMIT\"}, Value: util.FormatSize(server.DefaultAttachmentFileSizeLimit), Usage: \"per-file attachment size limit (e.g. 300k, 2M, 100M)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"attachment-expiry-duration\", Aliases: []string{\"attachment_expiry_duration\", \"X\"}, EnvVars: []string{\"NTFY_ATTACHMENT_EXPIRY_DURATION\"}, Value: util.FormatDuration(server.DefaultAttachmentExpiryDuration), Usage: \"duration after which uploaded attachments will be deleted (e.g. 3h, 20h)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"template-dir\", Aliases: []string{\"template_dir\"}, EnvVars: []string{\"NTFY_TEMPLATE_DIR\"}, Value: server.DefaultTemplateDir, Usage: \"directory to load named message templates from\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"keepalive-interval\", Aliases: []string{\"keepalive_interval\", \"k\"}, EnvVars: []string{\"NTFY_KEEPALIVE_INTERVAL\"}, Value: util.FormatDuration(server.DefaultKeepaliveInterval), Usage: \"interval of keepalive messages\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"manager-interval\", Aliases: []string{\"manager_interval\", \"m\"}, EnvVars: []string{\"NTFY_MANAGER_INTERVAL\"}, Value: util.FormatDuration(server.DefaultManagerInterval), Usage: \"interval of for message pruning and stats printing\"}),\n\taltsrc.NewStringSliceFlag(&cli.StringSliceFlag{Name: \"disallowed-topics\", Aliases: []string{\"disallowed_topics\"}, EnvVars: []string{\"NTFY_DISALLOWED_TOPICS\"}, Usage: \"topics that are not allowed to be used\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-root\", Aliases: []string{\"web_root\"}, EnvVars: []string{\"NTFY_WEB_ROOT\"}, Value: \"/\", Usage: \"sets root of the web app (e.g. /, or /app), or disables it (disable)\"}),\n\taltsrc.NewBoolFlag(&cli.BoolFlag{Name: \"enable-signup\", Aliases: []string{\"enable_signup\"}, EnvVars: []string{\"NTFY_ENABLE_SIGNUP\"}, Value: false, Usage: \"allows users to sign up via the web app, or API\"}),\n\taltsrc.NewBoolFlag(&cli.BoolFlag{Name: \"enable-login\", Aliases: []string{\"enable_login\"}, EnvVars: []string{\"NTFY_ENABLE_LOGIN\"}, Value: false, Usage: \"allows users to log in via the web app, or API\"}),\n\taltsrc.NewBoolFlag(&cli.BoolFlag{Name: \"enable-reservations\", Aliases: []string{\"enable_reservations\"}, EnvVars: []string{\"NTFY_ENABLE_RESERVATIONS\"}, Value: false, Usage: \"allows users to reserve topics (if their tier allows it)\"}),\n\taltsrc.NewBoolFlag(&cli.BoolFlag{Name: \"require-login\", Aliases: []string{\"require_login\"}, EnvVars: []string{\"NTFY_REQUIRE_LOGIN\"}, Value: false, Usage: \"all actions via the web app requires a login\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"upstream-base-url\", Aliases: []string{\"upstream_base_url\"}, EnvVars: []string{\"NTFY_UPSTREAM_BASE_URL\"}, Value: \"\", Usage: \"forward poll request to an upstream server, this is needed for iOS push notifications for self-hosted servers\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"upstream-access-token\", Aliases: []string{\"upstream_access_token\"}, EnvVars: []string{\"NTFY_UPSTREAM_ACCESS_TOKEN\"}, Value: \"\", Usage: \"access token to use for the upstream server; needed only if upstream rate limits are exceeded or upstream server requires auth\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"smtp-sender-addr\", Aliases: []string{\"smtp_sender_addr\"}, EnvVars: []string{\"NTFY_SMTP_SENDER_ADDR\"}, Usage: \"SMTP server address (host:port) for outgoing emails\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"smtp-sender-user\", Aliases: []string{\"smtp_sender_user\"}, EnvVars: []string{\"NTFY_SMTP_SENDER_USER\"}, Usage: \"SMTP user (if e-mail sending is enabled)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"smtp-sender-pass\", Aliases: []string{\"smtp_sender_pass\"}, EnvVars: []string{\"NTFY_SMTP_SENDER_PASS\"}, Usage: \"SMTP password (if e-mail sending is enabled)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"smtp-sender-from\", Aliases: []string{\"smtp_sender_from\"}, EnvVars: []string{\"NTFY_SMTP_SENDER_FROM\"}, Usage: \"SMTP sender address (if e-mail sending is enabled)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"smtp-server-listen\", Aliases: []string{\"smtp_server_listen\"}, EnvVars: []string{\"NTFY_SMTP_SERVER_LISTEN\"}, Usage: \"SMTP server address (ip:port) for incoming emails, e.g. :25\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"smtp-server-domain\", Aliases: []string{\"smtp_server_domain\"}, EnvVars: []string{\"NTFY_SMTP_SERVER_DOMAIN\"}, Usage: \"SMTP domain for incoming e-mail, e.g. ntfy.sh\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"smtp-server-addr-prefix\", Aliases: []string{\"smtp_server_addr_prefix\"}, EnvVars: []string{\"NTFY_SMTP_SERVER_ADDR_PREFIX\"}, Usage: \"SMTP email address prefix for topics to prevent spam (e.g. 'ntfy-')\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"twilio-account\", Aliases: []string{\"twilio_account\"}, EnvVars: []string{\"NTFY_TWILIO_ACCOUNT\"}, Usage: \"Twilio account SID, used for phone calls, e.g. AC123...\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"twilio-auth-token\", Aliases: []string{\"twilio_auth_token\"}, EnvVars: []string{\"NTFY_TWILIO_AUTH_TOKEN\"}, Usage: \"Twilio auth token\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"twilio-phone-number\", Aliases: []string{\"twilio_phone_number\"}, EnvVars: []string{\"NTFY_TWILIO_PHONE_NUMBER\"}, Usage: \"Twilio number to use for outgoing calls\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"twilio-verify-service\", Aliases: []string{\"twilio_verify_service\"}, EnvVars: []string{\"NTFY_TWILIO_VERIFY_SERVICE\"}, Usage: \"Twilio Verify service ID, used for phone number verification\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"twilio-call-format\", Aliases: []string{\"twilio_call_format\"}, EnvVars: []string{\"NTFY_TWILIO_CALL_FORMAT\"}, Usage: \"Twilio/TwiML format string for phone calls\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"message-size-limit\", Aliases: []string{\"message_size_limit\"}, EnvVars: []string{\"NTFY_MESSAGE_SIZE_LIMIT\"}, Value: util.FormatSize(server.DefaultMessageSizeLimit), Usage: \"size limit for the message (see docs for limitations)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"message-delay-limit\", Aliases: []string{\"message_delay_limit\"}, EnvVars: []string{\"NTFY_MESSAGE_DELAY_LIMIT\"}, Value: util.FormatDuration(server.DefaultMessageDelayMax), Usage: \"max duration a message can be scheduled into the future\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"global-topic-limit\", Aliases: []string{\"global_topic_limit\", \"T\"}, EnvVars: []string{\"NTFY_GLOBAL_TOPIC_LIMIT\"}, Value: server.DefaultTotalTopicLimit, Usage: \"total number of topics allowed\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"visitor-subscription-limit\", Aliases: []string{\"visitor_subscription_limit\"}, EnvVars: []string{\"NTFY_VISITOR_SUBSCRIPTION_LIMIT\"}, Value: server.DefaultVisitorSubscriptionLimit, Usage: \"number of subscriptions per visitor\"}),\n\taltsrc.NewBoolFlag(&cli.BoolFlag{Name: \"visitor-subscriber-rate-limiting\", Aliases: []string{\"visitor_subscriber_rate_limiting\"}, EnvVars: []string{\"NTFY_VISITOR_SUBSCRIBER_RATE_LIMITING\"}, Value: false, Usage: \"enables subscriber-based rate limiting\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"visitor-attachment-total-size-limit\", Aliases: []string{\"visitor_attachment_total_size_limit\"}, EnvVars: []string{\"NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT\"}, Value: util.FormatSize(server.DefaultVisitorAttachmentTotalSizeLimit), Usage: \"total storage limit used for attachments per visitor\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"visitor-attachment-daily-bandwidth-limit\", Aliases: []string{\"visitor_attachment_daily_bandwidth_limit\"}, EnvVars: []string{\"NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT\"}, Value: \"500M\", Usage: \"total daily attachment download/upload bandwidth limit per visitor\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"visitor-request-limit-burst\", Aliases: []string{\"visitor_request_limit_burst\"}, EnvVars: []string{\"NTFY_VISITOR_REQUEST_LIMIT_BURST\"}, Value: server.DefaultVisitorRequestLimitBurst, Usage: \"initial limit of requests per visitor\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"visitor-request-limit-replenish\", Aliases: []string{\"visitor_request_limit_replenish\"}, EnvVars: []string{\"NTFY_VISITOR_REQUEST_LIMIT_REPLENISH\"}, Value: util.FormatDuration(server.DefaultVisitorRequestLimitReplenish), Usage: \"interval at which burst limit is replenished (one per x)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"visitor-request-limit-exempt-hosts\", Aliases: []string{\"visitor_request_limit_exempt_hosts\"}, EnvVars: []string{\"NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS\"}, Value: \"\", Usage: \"hostnames and/or IP addresses of hosts that will be exempt from the visitor request limit\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"visitor-message-daily-limit\", Aliases: []string{\"visitor_message_daily_limit\"}, EnvVars: []string{\"NTFY_VISITOR_MESSAGE_DAILY_LIMIT\"}, Value: server.DefaultVisitorMessageDailyLimit, Usage: \"max messages per visitor per day, derived from request limit if unset\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"visitor-email-limit-burst\", Aliases: []string{\"visitor_email_limit_burst\"}, EnvVars: []string{\"NTFY_VISITOR_EMAIL_LIMIT_BURST\"}, Value: server.DefaultVisitorEmailLimitBurst, Usage: \"initial limit of e-mails per visitor\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"visitor-email-limit-replenish\", Aliases: []string{\"visitor_email_limit_replenish\"}, EnvVars: []string{\"NTFY_VISITOR_EMAIL_LIMIT_REPLENISH\"}, Value: util.FormatDuration(server.DefaultVisitorEmailLimitReplenish), Usage: \"interval at which burst limit is replenished (one per x)\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"visitor-prefix-bits-ipv4\", Aliases: []string{\"visitor_prefix_bits_ipv4\"}, EnvVars: []string{\"NTFY_VISITOR_PREFIX_BITS_IPV4\"}, Value: server.DefaultVisitorPrefixBitsIPv4, Usage: \"number of bits of the IPv4 address to use for rate limiting (default: 32, full address)\"}),\n\taltsrc.NewIntFlag(&cli.IntFlag{Name: \"visitor-prefix-bits-ipv6\", Aliases: []string{\"visitor_prefix_bits_ipv6\"}, EnvVars: []string{\"NTFY_VISITOR_PREFIX_BITS_IPV6\"}, Value: server.DefaultVisitorPrefixBitsIPv6, Usage: \"number of bits of the IPv6 address to use for rate limiting (default: 64, /64 subnet)\"}),\n\taltsrc.NewBoolFlag(&cli.BoolFlag{Name: \"behind-proxy\", Aliases: []string{\"behind_proxy\", \"P\"}, EnvVars: []string{\"NTFY_BEHIND_PROXY\"}, Value: false, Usage: \"if set, use forwarded header (e.g. X-Forwarded-For, X-Client-IP) to determine visitor IP address (for rate limiting)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"proxy-forwarded-header\", Aliases: []string{\"proxy_forwarded_header\"}, EnvVars: []string{\"NTFY_PROXY_FORWARDED_HEADER\"}, Value: \"X-Forwarded-For\", Usage: \"use specified header to determine visitor IP address (for rate limiting)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"proxy-trusted-hosts\", Aliases: []string{\"proxy_trusted_hosts\"}, EnvVars: []string{\"NTFY_PROXY_TRUSTED_HOSTS\"}, Value: \"\", Usage: \"comma-separated list of trusted IP addresses, hosts, or CIDRs to remove from forwarded header\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"stripe-secret-key\", Aliases: []string{\"stripe_secret_key\"}, EnvVars: []string{\"NTFY_STRIPE_SECRET_KEY\"}, Value: \"\", Usage: \"key used for the Stripe API communication, this enables payments\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"stripe-webhook-key\", Aliases: []string{\"stripe_webhook_key\"}, EnvVars: []string{\"NTFY_STRIPE_WEBHOOK_KEY\"}, Value: \"\", Usage: \"key required to validate the authenticity of incoming webhooks from Stripe\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"billing-contact\", Aliases: []string{\"billing_contact\"}, EnvVars: []string{\"NTFY_BILLING_CONTACT\"}, Value: \"\", Usage: \"e-mail or website to display in upgrade dialog (only if payments are enabled)\"}),\n\taltsrc.NewBoolFlag(&cli.BoolFlag{Name: \"enable-metrics\", Aliases: []string{\"enable_metrics\"}, EnvVars: []string{\"NTFY_ENABLE_METRICS\"}, Value: false, Usage: \"if set, Prometheus metrics are exposed via the /metrics endpoint\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"metrics-listen-http\", Aliases: []string{\"metrics_listen_http\"}, EnvVars: []string{\"NTFY_METRICS_LISTEN_HTTP\"}, Usage: \"ip:port used to expose the metrics endpoint (implicitly enables metrics)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"profile-listen-http\", Aliases: []string{\"profile_listen_http\"}, EnvVars: []string{\"NTFY_PROFILE_LISTEN_HTTP\"}, Usage: \"ip:port used to expose the profiling endpoints (implicitly enables profiling)\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-push-public-key\", Aliases: []string{\"web_push_public_key\"}, EnvVars: []string{\"NTFY_WEB_PUSH_PUBLIC_KEY\"}, Usage: \"public key used for web push notifications\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-push-private-key\", Aliases: []string{\"web_push_private_key\"}, EnvVars: []string{\"NTFY_WEB_PUSH_PRIVATE_KEY\"}, Usage: \"private key used for web push notifications\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-push-file\", Aliases: []string{\"web_push_file\"}, EnvVars: []string{\"NTFY_WEB_PUSH_FILE\"}, Usage: \"file used to store web push subscriptions\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-push-email-address\", Aliases: []string{\"web_push_email_address\"}, EnvVars: []string{\"NTFY_WEB_PUSH_EMAIL_ADDRESS\"}, Usage: \"e-mail address of sender, required to use browser push services\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-push-startup-queries\", Aliases: []string{\"web_push_startup_queries\"}, EnvVars: []string{\"NTFY_WEB_PUSH_STARTUP_QUERIES\"}, Usage: \"queries run when the web push database is initialized\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-push-expiry-duration\", Aliases: []string{\"web_push_expiry_duration\"}, EnvVars: []string{\"NTFY_WEB_PUSH_EXPIRY_DURATION\"}, Value: util.FormatDuration(server.DefaultWebPushExpiryDuration), Usage: \"automatically expire unused subscriptions after this time\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"web-push-expiry-warning-duration\", Aliases: []string{\"web_push_expiry_warning_duration\"}, EnvVars: []string{\"NTFY_WEB_PUSH_EXPIRY_WARNING_DURATION\"}, Value: util.FormatDuration(server.DefaultWebPushExpiryWarningDuration), Usage: \"send web push warning notification after this time before expiring unused subscriptions\"}),\n)\n\nvar cmdServe = &cli.Command{\n\tName: \"serve\",\n\tUsage: \"Run the ntfy server\",\n\tUsageText: \"ntfy serve [OPTIONS..]\",\n\tAction: execServe,\n\tCategory: categoryServer,\n\tFlags: flagsServe,\n\tBefore: initConfigFileInputSourceFunc(\"config\", flagsServe, initLogFunc),\n\tDescription: `Run the ntfy server and listen for incoming requests\n\nThe command will load the configuration from /etc/ntfy/server.yml. Config options can \nbe overridden using the command line options.\n\nExamples:\n ntfy serve # Starts server in the foreground (on port 80)\n ntfy serve --listen-http :8080 # Starts server with alternate port`,\n}\n\nfunc execServe(c *cli.Context) error {\n\tif c.NArg() > 0 {\n\t\treturn errors.New(\"no arguments expected, see 'ntfy serve --help' for help\")\n\t}\n\n\t// Read all the options\n\tconfig := c.String(\"config\")\n\tbaseURL := strings.TrimSuffix(c.String(\"base-url\"), \"/\")\n\tlistenHTTP := c.String(\"listen-http\")\n\tlistenHTTPS := c.String(\"listen-https\")\n\tlistenUnix := c.String(\"listen-unix\")\n\tlistenUnixMode := c.Int(\"listen-unix-mode\")\n\tkeyFile := c.String(\"key-file\")\n\tcertFile := c.String(\"cert-file\")\n\tfirebaseKeyFile := c.String(\"firebase-key-file\")\n\tdatabaseURL := c.String(\"database-url\")\n\tdatabaseReplicaURLs := c.StringSlice(\"database-replica-urls\")\n\twebPushPrivateKey := c.String(\"web-push-private-key\")\n\twebPushPublicKey := c.String(\"web-push-public-key\")\n\twebPushFile := c.String(\"web-push-file\")\n\twebPushEmailAddress := c.String(\"web-push-email-address\")\n\twebPushStartupQueries := c.String(\"web-push-startup-queries\")\n\twebPushExpiryDurationStr := c.String(\"web-push-expiry-duration\")\n\twebPushExpiryWarningDurationStr := c.String(\"web-push-expiry-warning-duration\")\n\tcacheFile := c.String(\"cache-file\")\n\tcacheDurationStr := c.String(\"cache-duration\")\n\tcacheStartupQueries := c.String(\"cache-startup-queries\")\n\tcacheBatchSize := c.Int(\"cache-batch-size\")\n\tcacheBatchTimeoutStr := c.String(\"cache-batch-timeout\")\n\tauthFile := c.String(\"auth-file\")\n\tauthStartupQueries := c.String(\"auth-startup-queries\")\n\tauthDefaultAccess := c.String(\"auth-default-access\")\n\tauthUsersRaw := c.StringSlice(\"auth-users\")\n\tauthAccessRaw := c.StringSlice(\"auth-access\")\n\tauthTokensRaw := c.StringSlice(\"auth-tokens\")\n\tattachmentCacheDir := c.String(\"attachment-cache-dir\")\n\tattachmentTotalSizeLimitStr := c.String(\"attachment-total-size-limit\")\n\tattachmentFileSizeLimitStr := c.String(\"attachment-file-size-limit\")\n\tattachmentExpiryDurationStr := c.String(\"attachment-expiry-duration\")\n\ttemplateDir := c.String(\"template-dir\")\n\tkeepaliveIntervalStr := c.String(\"keepalive-interval\")\n\tmanagerIntervalStr := c.String(\"manager-interval\")\n\tdisallowedTopics := c.StringSlice(\"disallowed-topics\")\n\twebRoot := c.String(\"web-root\")\n\tenableSignup := c.Bool(\"enable-signup\")\n\tenableLogin := c.Bool(\"enable-login\")\n\trequireLogin := c.Bool(\"require-login\")\n\tenableReservations := c.Bool(\"enable-reservations\")\n\tupstreamBaseURL := c.String(\"upstream-base-url\")\n\tupstreamAccessToken := c.String(\"upstream-access-token\")\n\tsmtpSenderAddr := c.String(\"smtp-sender-addr\")\n\tsmtpSenderUser := c.String(\"smtp-sender-user\")\n\tsmtpSenderPass := c.String(\"smtp-sender-pass\")\n\tsmtpSenderFrom := c.String(\"smtp-sender-from\")\n\tsmtpServerListen := c.String(\"smtp-server-listen\")\n\tsmtpServerDomain := c.String(\"smtp-server-domain\")\n\tsmtpServerAddrPrefix := c.String(\"smtp-server-addr-prefix\")\n\ttwilioAccount := c.String(\"twilio-account\")\n\ttwilioAuthToken := c.String(\"twilio-auth-token\")\n\ttwilioPhoneNumber := c.String(\"twilio-phone-number\")\n\ttwilioVerifyService := c.String(\"twilio-verify-service\")\n\ttwilioCallFormat := c.String(\"twilio-call-format\")\n\tmessageSizeLimitStr := c.String(\"message-size-limit\")\n\tmessageDelayLimitStr := c.String(\"message-delay-limit\")\n\ttotalTopicLimit := c.Int(\"global-topic-limit\")\n\tvisitorSubscriptionLimit := c.Int(\"visitor-subscription-limit\")\n\tvisitorSubscriberRateLimiting := c.Bool(\"visitor-subscriber-rate-limiting\")\n\tvisitorAttachmentTotalSizeLimitStr := c.String(\"visitor-attachment-total-size-limit\")\n\tvisitorAttachmentDailyBandwidthLimitStr := c.String(\"visitor-attachment-daily-bandwidth-limit\")\n\tvisitorRequestLimitBurst := c.Int(\"visitor-request-limit-burst\")\n\tvisitorRequestLimitReplenishStr := c.String(\"visitor-request-limit-replenish\")\n\tvisitorRequestLimitExemptHosts := util.SplitNoEmpty(c.String(\"visitor-request-limit-exempt-hosts\"), \",\")\n\tvisitorMessageDailyLimit := c.Int(\"visitor-message-daily-limit\")\n\tvisitorEmailLimitBurst := c.Int(\"visitor-email-limit-burst\")\n\tvisitorEmailLimitReplenishStr := c.String(\"visitor-email-limit-replenish\")\n\tvisitorPrefixBitsIPv4 := c.Int(\"visitor-prefix-bits-ipv4\")\n\tvisitorPrefixBitsIPv6 := c.Int(\"visitor-prefix-bits-ipv6\")\n\tbehindProxy := c.Bool(\"behind-proxy\")\n\tproxyForwardedHeader := c.String(\"proxy-forwarded-header\")\n\tproxyTrustedHosts := util.SplitNoEmpty(c.String(\"proxy-trusted-hosts\"), \",\")\n\tstripeSecretKey := c.String(\"stripe-secret-key\")\n\tstripeWebhookKey := c.String(\"stripe-webhook-key\")\n\tbillingContact := c.String(\"billing-contact\")\n\tmetricsListenHTTP := c.String(\"metrics-listen-http\")\n\tenableMetrics := c.Bool(\"enable-metrics\") || metricsListenHTTP != \"\"\n\tprofileListenHTTP := c.String(\"profile-listen-http\")\n\n\t// Convert durations\n\tcacheDuration, err := util.ParseDuration(cacheDurationStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid cache duration: %s\", cacheDurationStr)\n\t}\n\tcacheBatchTimeout, err := util.ParseDuration(cacheBatchTimeoutStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid cache batch timeout: %s\", cacheBatchTimeoutStr)\n\t}\n\tattachmentExpiryDuration, err := util.ParseDuration(attachmentExpiryDurationStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid attachment expiry duration: %s\", attachmentExpiryDurationStr)\n\t}\n\tkeepaliveInterval, err := util.ParseDuration(keepaliveIntervalStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid keepalive interval: %s\", keepaliveIntervalStr)\n\t}\n\tmanagerInterval, err := util.ParseDuration(managerIntervalStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid manager interval: %s\", managerIntervalStr)\n\t}\n\tmessageDelayLimit, err := util.ParseDuration(messageDelayLimitStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid message delay limit: %s\", messageDelayLimitStr)\n\t}\n\tvisitorRequestLimitReplenish, err := util.ParseDuration(visitorRequestLimitReplenishStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid visitor request limit replenish: %s\", visitorRequestLimitReplenishStr)\n\t}\n\tvisitorEmailLimitReplenish, err := util.ParseDuration(visitorEmailLimitReplenishStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid visitor email limit replenish: %s\", visitorEmailLimitReplenishStr)\n\t}\n\twebPushExpiryDuration, err := util.ParseDuration(webPushExpiryDurationStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid web push expiry duration: %s\", webPushExpiryDurationStr)\n\t}\n\twebPushExpiryWarningDuration, err := util.ParseDuration(webPushExpiryWarningDurationStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid web push expiry warning duration: %s\", webPushExpiryWarningDurationStr)\n\t}\n\n\t// Convert sizes to bytes\n\tmessageSizeLimit, err := util.ParseSize(messageSizeLimitStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid message size limit: %s\", messageSizeLimitStr)\n\t}\n\tattachmentTotalSizeLimit, err := util.ParseSize(attachmentTotalSizeLimitStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid attachment total size limit: %s\", attachmentTotalSizeLimitStr)\n\t}\n\tattachmentFileSizeLimit, err := util.ParseSize(attachmentFileSizeLimitStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid attachment file size limit: %s\", attachmentFileSizeLimitStr)\n\t}\n\tvisitorAttachmentTotalSizeLimit, err := util.ParseSize(visitorAttachmentTotalSizeLimitStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid visitor attachment total size limit: %s\", visitorAttachmentTotalSizeLimitStr)\n\t}\n\tvisitorAttachmentDailyBandwidthLimit, err := util.ParseSize(visitorAttachmentDailyBandwidthLimitStr)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid visitor attachment daily bandwidth limit: %s\", visitorAttachmentDailyBandwidthLimitStr)\n\t} else if visitorAttachmentDailyBandwidthLimit > math.MaxInt {\n\t\treturn fmt.Errorf(\"config option visitor-attachment-daily-bandwidth-limit must be lower than %d\", math.MaxInt)\n\t}\n\n\t// Check values\n\tif databaseURL != \"\" && !strings.HasPrefix(databaseURL, \"postgres://\") && !strings.HasPrefix(databaseURL, \"postgresql://\") {\n\t\treturn errors.New(\"if database-url is set, it must start with postgres:// or postgresql://\")\n\t} else if databaseURL != \"\" && (authFile != \"\" || cacheFile != \"\" || webPushFile != \"\") {\n\t\treturn errors.New(\"if database-url is set, auth-file, cache-file, and web-push-file must not be set\")\n\t} else if len(databaseReplicaURLs) > 0 && databaseURL == \"\" {\n\t\treturn errors.New(\"database-replica-urls can only be used if database-url is also set\")\n\t} else if firebaseKeyFile != \"\" && !util.FileExists(firebaseKeyFile) {\n\t\treturn errors.New(\"if set, FCM key file must exist\")\n\t} else if firebaseKeyFile != \"\" && !server.FirebaseAvailable {\n\t\treturn errors.New(\"cannot set firebase-key-file, support for Firebase is not available (nofirebase)\")\n\t} else if webPushPublicKey != \"\" && (webPushPrivateKey == \"\" || (webPushFile == \"\" && databaseURL == \"\") || webPushEmailAddress == \"\" || baseURL == \"\") {\n\t\treturn errors.New(\"if web push is enabled, web-push-private-key, web-push-public-key, web-push-file (or database-url), web-push-email-address, and base-url should be set. run 'ntfy webpush keys' to generate keys\")\n\t} else if keepaliveInterval < 5*time.Second {\n\t\treturn errors.New(\"keepalive interval cannot be lower than five seconds\")\n\t} else if managerInterval < 5*time.Second {\n\t\treturn errors.New(\"manager interval cannot be lower than five seconds\")\n\t} else if cacheDuration > 0 && cacheDuration < managerInterval {\n\t\treturn errors.New(\"cache duration cannot be lower than manager interval\")\n\t} else if keyFile != \"\" && !util.FileExists(keyFile) {\n\t\treturn errors.New(\"if set, key file must exist\")\n\t} else if certFile != \"\" && !util.FileExists(certFile) {\n\t\treturn errors.New(\"if set, certificate file must exist\")\n\t} else if listenHTTPS != \"\" && (keyFile == \"\" || certFile == \"\") {\n\t\treturn errors.New(\"if listen-https is set, both key-file and cert-file must be set\")\n\t} else if smtpSenderAddr != \"\" && (baseURL == \"\" || smtpSenderFrom == \"\") {\n\t\treturn errors.New(\"if smtp-sender-addr is set, base-url, and smtp-sender-from must also be set\")\n\t} else if smtpServerListen != \"\" && smtpServerDomain == \"\" {\n\t\treturn errors.New(\"if smtp-server-listen is set, smtp-server-domain must also be set\")\n\t} else if attachmentCacheDir != \"\" && baseURL == \"\" {\n\t\treturn errors.New(\"if attachment-cache-dir is set, base-url must also be set\")\n\t} else if baseURL != \"\" {\n\t\tu, err := url.Parse(baseURL)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"if set, base-url must be a valid URL, e.g. https://ntfy.mydomain.com: %v\", err)\n\t\t} else if u.Scheme != \"http\" && u.Scheme != \"https\" {\n\t\t\treturn errors.New(\"if set, base-url must be a valid URL starting with http:// or https://, e.g. https://ntfy.mydomain.com\")\n\t\t} else if u.Path != \"\" {\n\t\t\treturn fmt.Errorf(\"if set, base-url must not have a path (%s), as hosting ntfy on a sub-path is not supported, e.g. https://ntfy.mydomain.com\", u.Path)\n\t\t}\n\t} else if upstreamBaseURL != \"\" && !strings.HasPrefix(upstreamBaseURL, \"http://\") && !strings.HasPrefix(upstreamBaseURL, \"https://\") {\n\t\treturn errors.New(\"if set, upstream-base-url must start with http:// or https://\")\n\t} else if upstreamBaseURL != \"\" && strings.HasSuffix(upstreamBaseURL, \"/\") {\n\t\treturn errors.New(\"if set, upstream-base-url must not end with a slash (/)\")\n\t} else if upstreamBaseURL != \"\" && baseURL == \"\" {\n\t\treturn errors.New(\"if upstream-base-url is set, base-url must also be set\")\n\t} else if upstreamBaseURL != \"\" && baseURL != \"\" && baseURL == upstreamBaseURL {\n\t\treturn errors.New(\"base-url and upstream-base-url cannot be identical, you'll likely want to set upstream-base-url to https://ntfy.sh, see https://ntfy.sh/docs/config/#ios-instant-notifications\")\n\t} else if authFile == \"\" && databaseURL == \"\" && (enableSignup || enableLogin || requireLogin || enableReservations || stripeSecretKey != \"\") {\n\t\treturn errors.New(\"cannot set enable-signup, enable-login, require-login, enable-reserve-topics, or stripe-secret-key if auth-file or database-url is not set\")\n\t} else if enableSignup && !enableLogin {\n\t\treturn errors.New(\"cannot set enable-signup without also setting enable-login\")\n\t} else if requireLogin && !enableLogin {\n\t\treturn errors.New(\"cannot set require-login without also setting enable-login\")\n\t} else if !payments.Available && (stripeSecretKey != \"\" || stripeWebhookKey != \"\") {\n\t\treturn errors.New(\"cannot set stripe-secret-key or stripe-webhook-key, support for payments is not available in this build (nopayments)\")\n\t} else if stripeSecretKey != \"\" && (stripeWebhookKey == \"\" || baseURL == \"\") {\n\t\treturn errors.New(\"if stripe-secret-key is set, stripe-webhook-key and base-url must also be set\")\n\t} else if twilioAccount != \"\" && (twilioAuthToken == \"\" || twilioPhoneNumber == \"\" || twilioVerifyService == \"\" || baseURL == \"\" || (authFile == \"\" && databaseURL == \"\")) {\n\t\treturn errors.New(\"if twilio-account is set, twilio-auth-token, twilio-phone-number, twilio-verify-service, base-url, and auth-file (or database-url) must also be set\")\n\t} else if messageSizeLimit > server.DefaultMessageSizeLimit {\n\t\tlog.Warn(\"message-size-limit is greater than 4K, this is not recommended and largely untested, and may lead to issues with some clients\")\n\t\tif messageSizeLimit > 5*1024*1024 {\n\t\t\treturn errors.New(\"message-size-limit cannot be higher than 5M\")\n\t\t}\n\t} else if !server.WebPushAvailable && (webPushPrivateKey != \"\" || webPushPublicKey != \"\" || webPushFile != \"\") {\n\t\treturn errors.New(\"cannot enable WebPush, support is not available in this build (nowebpush)\")\n\t} else if webPushExpiryWarningDuration > 0 && webPushExpiryWarningDuration > webPushExpiryDuration {\n\t\treturn errors.New(\"web push expiry warning duration cannot be higher than web push expiry duration\")\n\t} else if behindProxy && proxyForwardedHeader == \"\" {\n\t\treturn errors.New(\"if behind-proxy is set, proxy-forwarded-header must also be set\")\n\t} else if visitorPrefixBitsIPv4 < 1 || visitorPrefixBitsIPv4 > 32 {\n\t\treturn errors.New(\"visitor-prefix-bits-ipv4 must be between 1 and 32\")\n\t} else if visitorPrefixBitsIPv6 < 1 || visitorPrefixBitsIPv6 > 128 {\n\t\treturn errors.New(\"visitor-prefix-bits-ipv6 must be between 1 and 128\")\n\t} else if runtime.GOOS == \"windows\" && listenUnix != \"\" {\n\t\treturn errors.New(\"listen-unix is not supported on Windows\")\n\t}\n\n\t// Backwards compatibility\n\tif webRoot == \"app\" {\n\t\twebRoot = \"/\"\n\t} else if webRoot == \"home\" {\n\t\twebRoot = \"/app\"\n\t} else if webRoot == \"disable\" {\n\t\twebRoot = \"\"\n\t} else if !strings.HasPrefix(webRoot, \"/\") {\n\t\twebRoot = \"/\" + webRoot\n\t}\n\n\t// Convert default auth permission, read provisioned users\n\tauthDefault, err := user.ParsePermission(authDefaultAccess)\n\tif err != nil {\n\t\treturn errors.New(\"if set, auth-default-access must start set to 'read-write', 'read-only', 'write-only' or 'deny-all'\")\n\t}\n\tauthUsers, err := parseUsers(authUsersRaw)\n\tif err != nil {\n\t\treturn err\n\t}\n\tauthAccess, err := parseAccess(authUsers, authAccessRaw)\n\tif err != nil {\n\t\treturn err\n\t}\n\tauthTokens, err := parseTokens(authUsers, authTokensRaw)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Special case: Unset default\n\tif listenHTTP == \"-\" {\n\t\tlistenHTTP = \"\"\n\t}\n\n\t// Resolve hosts\n\tvisitorRequestLimitExemptPrefixes := make([]netip.Prefix, 0)\n\tfor _, host := range visitorRequestLimitExemptHosts {\n\t\tprefixes, err := parseIPHostPrefix(host)\n\t\tif err != nil {\n\t\t\tlog.Warn(\"cannot resolve host %s: %s, ignoring visitor request exemption\", host, err.Error())\n\t\t\tcontinue\n\t\t}\n\t\tvisitorRequestLimitExemptPrefixes = append(visitorRequestLimitExemptPrefixes, prefixes...)\n\t}\n\n\t// Parse trusted prefixes\n\ttrustedProxyPrefixes := make([]netip.Prefix, 0)\n\tfor _, host := range proxyTrustedHosts {\n\t\tprefixes, err := parseIPHostPrefix(host)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"cannot resolve trusted proxy host %s: %s\", host, err.Error())\n\t\t}\n\t\ttrustedProxyPrefixes = append(trustedProxyPrefixes, prefixes...)\n\t}\n\n\t// Stripe things\n\tif stripeSecretKey != \"\" {\n\t\tpayments.Setup(stripeSecretKey)\n\t}\n\n\t// Parse Twilio template\n\tvar twilioCallFormatTemplate *template.Template\n\tif twilioCallFormat != \"\" {\n\t\ttwilioCallFormatTemplate, err = template.New(\"\").Parse(twilioCallFormat)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to parse twilio-call-format template: %w\", err)\n\t\t}\n\t}\n\n\t// Add default forbidden topics\n\tdisallowedTopics = append(disallowedTopics, server.DefaultDisallowedTopics...)\n\n\t// Run server\n\tconf := server.NewConfig()\n\tconf.File = config\n\tconf.BaseURL = baseURL\n\tconf.ListenHTTP = listenHTTP\n\tconf.ListenHTTPS = listenHTTPS\n\tconf.ListenUnix = listenUnix\n\tconf.ListenUnixMode = fs.FileMode(listenUnixMode)\n\tconf.KeyFile = keyFile\n\tconf.CertFile = certFile\n\tconf.FirebaseKeyFile = firebaseKeyFile\n\tconf.CacheFile = cacheFile\n\tconf.CacheDuration = cacheDuration\n\tconf.CacheStartupQueries = cacheStartupQueries\n\tconf.CacheBatchSize = cacheBatchSize\n\tconf.CacheBatchTimeout = cacheBatchTimeout\n\tconf.AuthFile = authFile\n\tconf.AuthStartupQueries = authStartupQueries\n\tconf.AuthDefault = authDefault\n\tconf.AuthUsers = authUsers\n\tconf.AuthAccess = authAccess\n\tconf.AuthTokens = authTokens\n\tconf.AttachmentCacheDir = attachmentCacheDir\n\tconf.AttachmentTotalSizeLimit = attachmentTotalSizeLimit\n\tconf.AttachmentFileSizeLimit = attachmentFileSizeLimit\n\tconf.AttachmentExpiryDuration = attachmentExpiryDuration\n\tconf.TemplateDir = templateDir\n\tconf.KeepaliveInterval = keepaliveInterval\n\tconf.ManagerInterval = managerInterval\n\tconf.DisallowedTopics = disallowedTopics\n\tconf.WebRoot = webRoot\n\tconf.UpstreamBaseURL = upstreamBaseURL\n\tconf.UpstreamAccessToken = upstreamAccessToken\n\tconf.SMTPSenderAddr = smtpSenderAddr\n\tconf.SMTPSenderUser = smtpSenderUser\n\tconf.SMTPSenderPass = smtpSenderPass\n\tconf.SMTPSenderFrom = smtpSenderFrom\n\tconf.SMTPServerListen = smtpServerListen\n\tconf.SMTPServerDomain = smtpServerDomain\n\tconf.SMTPServerAddrPrefix = smtpServerAddrPrefix\n\tconf.TwilioAccount = twilioAccount\n\tconf.TwilioAuthToken = twilioAuthToken\n\tconf.TwilioPhoneNumber = twilioPhoneNumber\n\tconf.TwilioVerifyService = twilioVerifyService\n\tconf.TwilioCallFormat = twilioCallFormatTemplate\n\tconf.MessageSizeLimit = int(messageSizeLimit)\n\tconf.MessageDelayMax = messageDelayLimit\n\tconf.TotalTopicLimit = totalTopicLimit\n\tconf.VisitorSubscriptionLimit = visitorSubscriptionLimit\n\tconf.VisitorSubscriberRateLimiting = visitorSubscriberRateLimiting\n\tconf.VisitorAttachmentTotalSizeLimit = visitorAttachmentTotalSizeLimit\n\tconf.VisitorAttachmentDailyBandwidthLimit = visitorAttachmentDailyBandwidthLimit\n\tconf.VisitorRequestLimitBurst = visitorRequestLimitBurst\n\tconf.VisitorRequestLimitReplenish = visitorRequestLimitReplenish\n\tconf.VisitorRequestExemptPrefixes = visitorRequestLimitExemptPrefixes\n\tconf.VisitorMessageDailyLimit = visitorMessageDailyLimit\n\tconf.VisitorEmailLimitBurst = visitorEmailLimitBurst\n\tconf.VisitorEmailLimitReplenish = visitorEmailLimitReplenish\n\tconf.VisitorPrefixBitsIPv4 = visitorPrefixBitsIPv4\n\tconf.VisitorPrefixBitsIPv6 = visitorPrefixBitsIPv6\n\tconf.BehindProxy = behindProxy\n\tconf.ProxyForwardedHeader = proxyForwardedHeader\n\tconf.ProxyTrustedPrefixes = trustedProxyPrefixes\n\tconf.StripeSecretKey = stripeSecretKey\n\tconf.StripeWebhookKey = stripeWebhookKey\n\tconf.BillingContact = billingContact\n\tconf.EnableSignup = enableSignup\n\tconf.EnableLogin = enableLogin\n\tconf.RequireLogin = requireLogin\n\tconf.EnableReservations = enableReservations\n\tconf.EnableMetrics = enableMetrics\n\tconf.MetricsListenHTTP = metricsListenHTTP\n\tconf.ProfileListenHTTP = profileListenHTTP\n\tconf.DatabaseURL = databaseURL\n\tconf.DatabaseReplicaURLs = databaseReplicaURLs\n\tconf.WebPushPrivateKey = webPushPrivateKey\n\tconf.WebPushPublicKey = webPushPublicKey\n\tconf.WebPushFile = webPushFile\n\tconf.WebPushEmailAddress = webPushEmailAddress\n\tconf.WebPushStartupQueries = webPushStartupQueries\n\tconf.WebPushExpiryDuration = webPushExpiryDuration\n\tconf.WebPushExpiryWarningDuration = webPushExpiryWarningDuration\n\tconf.BuildVersion = c.App.Version\n\tconf.BuildDate = maybeFromMetadata(c.App.Metadata, MetadataKeyDate)\n\tconf.BuildCommit = maybeFromMetadata(c.App.Metadata, MetadataKeyCommit)\n\n\t// Check if we should run as a Windows service\n\tif ranAsService, err := maybeRunAsService(conf); err != nil {\n\t\tlog.Fatal(\"%s\", err.Error())\n\t} else if ranAsService {\n\t\tlog.Info(\"Exiting.\")\n\t\treturn nil\n\t}\n\n\t// Set up hot-reloading of config\n\tgo sigHandlerConfigReload(config)\n\n\t// Run server\n\ts, err := server.New(conf)\n\tif err != nil {\n\t\tlog.Fatal(\"%s\", err.Error())\n\t} else if err := s.Run(); err != nil {\n\t\tlog.Fatal(\"%s\", err.Error())\n\t}\n\tlog.Info(\"Exiting.\")\n\treturn nil\n}\n\nfunc parseIPHostPrefix(host string) (prefixes []netip.Prefix, err error) {\n\t// Try parsing as prefix, e.g. 10.0.1.0/24 or 2001:db8::/32\n\tprefix, err := netip.ParsePrefix(host)\n\tif err == nil {\n\t\tprefixes = append(prefixes, prefix.Masked())\n\t\treturn prefixes, nil\n\t}\n\t// Not a prefix, parse as host or IP (LookupHost passes through an IP as is)\n\tips, err := net.LookupHost(host)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfor _, ipStr := range ips {\n\t\tip, err := netip.ParseAddr(ipStr)\n\t\tif err == nil {\n\t\t\tprefix, err := ip.Prefix(ip.BitLen())\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"%s successfully parsed but unable to make prefix: %s\", ip.String(), err.Error())\n\t\t\t}\n\t\t\tprefixes = append(prefixes, prefix.Masked())\n\t\t}\n\t}\n\treturn\n}\n\nfunc parseUsers(usersRaw []string) ([]*user.User, error) {\n\tusers := make([]*user.User, 0)\n\tfor _, userLine := range usersRaw {\n\t\tparts := strings.Split(userLine, \":\")\n\t\tif len(parts) != 3 {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-users: %s, expected format: 'name:hash:role'\", userLine)\n\t\t}\n\t\tusername := strings.TrimSpace(parts[0])\n\t\tpasswordHash := strings.TrimSpace(parts[1])\n\t\trole := user.Role(strings.TrimSpace(parts[2]))\n\t\tif !user.AllowedUsername(username) {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-users: %s, username invalid\", userLine)\n\t\t} else if err := user.ValidPasswordHash(passwordHash, user.DefaultUserPasswordBcryptCost); err != nil {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-users: %s, password hash invalid, %s\", userLine, err.Error())\n\t\t} else if !user.AllowedRole(role) {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-users: %s, role %s is not allowed, allowed roles are 'admin' or 'user'\", userLine, role)\n\t\t}\n\t\tusers = append(users, &user.User{\n\t\t\tName: username,\n\t\t\tHash: passwordHash,\n\t\t\tRole: role,\n\t\t\tProvisioned: true,\n\t\t})\n\t}\n\treturn users, nil\n}\n\nfunc parseAccess(users []*user.User, accessRaw []string) (map[string][]*user.Grant, error) {\n\taccess := make(map[string][]*user.Grant)\n\tfor _, accessLine := range accessRaw {\n\t\tparts := strings.Split(accessLine, \":\")\n\t\tif len(parts) != 3 {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-access: %s, expected format: 'user:topic:permission'\", accessLine)\n\t\t}\n\t\tusername := strings.TrimSpace(parts[0])\n\t\tif username == userEveryone {\n\t\t\tusername = user.Everyone\n\t\t}\n\t\tu, exists := util.Find(users, func(u *user.User) bool {\n\t\t\treturn u.Name == username\n\t\t})\n\t\tif username != user.Everyone {\n\t\t\tif !exists {\n\t\t\t\treturn nil, fmt.Errorf(\"invalid auth-access: %s, user %s is not provisioned\", accessLine, username)\n\t\t\t} else if !user.AllowedUsername(username) {\n\t\t\t\treturn nil, fmt.Errorf(\"invalid auth-access: %s, username %s invalid\", accessLine, username)\n\t\t\t} else if u.Role != user.RoleUser {\n\t\t\t\treturn nil, fmt.Errorf(\"invalid auth-access: %s, user %s is not a regular user, only regular users can have ACL entries\", accessLine, username)\n\t\t\t}\n\t\t}\n\t\ttopic := strings.TrimSpace(parts[1])\n\t\tif !user.AllowedTopicPattern(topic) {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-access: %s, topic pattern %s invalid\", accessLine, topic)\n\t\t}\n\t\tpermission, err := user.ParsePermission(strings.TrimSpace(parts[2]))\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-access: %s, permission %s invalid, %s\", accessLine, parts[2], err.Error())\n\t\t}\n\t\tif _, exists := access[username]; !exists {\n\t\t\taccess[username] = make([]*user.Grant, 0)\n\t\t}\n\t\taccess[username] = append(access[username], &user.Grant{\n\t\t\tTopicPattern: topic,\n\t\t\tPermission: permission,\n\t\t\tProvisioned: true,\n\t\t})\n\t}\n\treturn access, nil\n}\n\nfunc parseTokens(users []*user.User, tokensRaw []string) (map[string][]*user.Token, error) {\n\ttokens := make(map[string][]*user.Token)\n\tfor _, tokenLine := range tokensRaw {\n\t\tparts := strings.Split(tokenLine, \":\")\n\t\tif len(parts) < 2 || len(parts) > 3 {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-tokens: %s, expected format: 'user:token[:label]'\", tokenLine)\n\t\t}\n\t\tusername := strings.TrimSpace(parts[0])\n\t\t_, exists := util.Find(users, func(u *user.User) bool {\n\t\t\treturn u.Name == username\n\t\t})\n\t\tif !exists {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-tokens: %s, user %s is not provisioned\", tokenLine, username)\n\t\t} else if !user.AllowedUsername(username) {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-tokens: %s, username %s invalid\", tokenLine, username)\n\t\t}\n\t\ttoken := strings.TrimSpace(parts[1])\n\t\tif !user.ValidToken(token) {\n\t\t\treturn nil, fmt.Errorf(\"invalid auth-tokens: %s, token %s invalid, use 'ntfy token generate' to generate a random token\", tokenLine, token)\n\t\t}\n\t\tvar label string\n\t\tif len(parts) > 2 {\n\t\t\tlabel = parts[2]\n\t\t}\n\t\tif _, exists := tokens[username]; !exists {\n\t\t\ttokens[username] = make([]*user.Token, 0)\n\t\t}\n\t\ttokens[username] = append(tokens[username], &user.Token{\n\t\t\tValue: token,\n\t\t\tLabel: label,\n\t\t\tProvisioned: true,\n\t\t})\n\t}\n\treturn tokens, nil\n}\n\nfunc maybeFromMetadata(m map[string]any, key string) string {\n\tif m == nil {\n\t\treturn \"\"\n\t}\n\tv, exists := m[key]\n\tif !exists {\n\t\treturn \"\"\n\t}\n\ts, ok := v.(string)\n\tif !ok {\n\t\treturn \"\"\n\t}\n\treturn s\n}\n" }, { "path": "cmd/serve_test.go", "content": "package cmd\n\nimport (\n\t\"fmt\"\n\t\"math/rand\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/gorilla/websocket\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"heckel.io/ntfy/v2/client\"\n\t\"heckel.io/ntfy/v2/test\"\n\t\"heckel.io/ntfy/v2/user\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nfunc TestParseUsers_Success(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tinput []string\n\t\texpected []*user.User\n\t}{\n\t\t{\n\t\t\tname: \"single user\",\n\t\t\tinput: []string{\"alice:$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:user\"},\n\t\t\texpected: []*user.User{\n\t\t\t\t{\n\t\t\t\t\tName: \"alice\",\n\t\t\t\t\tHash: \"$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S\",\n\t\t\t\t\tRole: user.RoleUser,\n\t\t\t\t\tProvisioned: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple users with different roles\",\n\t\t\tinput: []string{\n\t\t\t\t\"alice:$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:user\",\n\t\t\t\t\"bob:$2a$10$jIcuBWcbxd6oW1aPvoJ5iOShzu3/UJ2kSxKbTZtDypG06nBflQagq:admin\",\n\t\t\t},\n\t\t\texpected: []*user.User{\n\t\t\t\t{\n\t\t\t\t\tName: \"alice\",\n\t\t\t\t\tHash: \"$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S\",\n\t\t\t\t\tRole: user.RoleUser,\n\t\t\t\t\tProvisioned: true,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"bob\",\n\t\t\t\t\tHash: \"$2a$10$jIcuBWcbxd6oW1aPvoJ5iOShzu3/UJ2kSxKbTZtDypG06nBflQagq\",\n\t\t\t\t\tRole: user.RoleAdmin,\n\t\t\t\t\tProvisioned: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"empty input\",\n\t\t\tinput: []string{},\n\t\t\texpected: []*user.User{},\n\t\t},\n\t\t{\n\t\t\tname: \"user with special characters in name\",\n\t\t\tinput: []string{\"alice.test+123@example.com:$2a$10$RYUYAsl5zOnAIp6fH7BPX.Eug0rUfEUk92r8WiVusb0VK.vGojWBe:user\"},\n\t\t\texpected: []*user.User{\n\t\t\t\t{\n\t\t\t\t\tName: \"alice.test+123@example.com\",\n\t\t\t\t\tHash: \"$2a$10$RYUYAsl5zOnAIp6fH7BPX.Eug0rUfEUk92r8WiVusb0VK.vGojWBe\",\n\t\t\t\t\tRole: user.RoleUser,\n\t\t\t\t\tProvisioned: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tresult, err := parseUsers(tt.input)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, result, len(tt.expected))\n\n\t\t\tfor i, expectedUser := range tt.expected {\n\t\t\t\tassert.Equal(t, expectedUser.Name, result[i].Name)\n\t\t\t\tassert.Equal(t, expectedUser.Hash, result[i].Hash)\n\t\t\t\tassert.Equal(t, expectedUser.Role, result[i].Role)\n\t\t\t\tassert.Equal(t, expectedUser.Provisioned, result[i].Provisioned)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestParseUsers_Errors(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tinput []string\n\t\terror string\n\t}{\n\t\t{\n\t\t\tname: \"invalid format - too few parts\",\n\t\t\tinput: []string{\"alice:hash\"},\n\t\t\terror: \"invalid auth-users: alice:hash, expected format: 'name:hash:role'\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid format - too many parts\",\n\t\t\tinput: []string{\"alice:hash:role:extra\"},\n\t\t\terror: \"invalid auth-users: alice:hash:role:extra, expected format: 'name:hash:role'\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid username\",\n\t\t\tinput: []string{\"alice@#$%:$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:user\"},\n\t\t\terror: \"invalid auth-users: alice@#$%:$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:user, username invalid\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid password hash - wrong prefix\",\n\t\t\tinput: []string{\"alice:plaintext:user\"},\n\t\t\terror: \"invalid auth-users: alice:plaintext:user, password hash invalid, password hash must be a bcrypt hash, use 'ntfy user hash' to generate\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid role\",\n\t\t\tinput: []string{\"alice:$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:invalid\"},\n\t\t\terror: \"invalid auth-users: alice:$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:invalid, role invalid is not allowed, allowed roles are 'admin' or 'user'\",\n\t\t},\n\t\t{\n\t\t\tname: \"empty username\",\n\t\t\tinput: []string{\":$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:user\"},\n\t\t\terror: \"invalid auth-users: :$2a$10$320YlQeaMghYZsvtu9jzfOQZS32FysWY/T9qu5NWqcIh.DN.u5P5S:user, username invalid\",\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tresult, err := parseUsers(tt.input)\n\t\t\trequire.Error(t, err)\n\t\t\trequire.Nil(t, result)\n\t\t\tassert.Contains(t, err.Error(), tt.error)\n\t\t})\n\t}\n}\n\nfunc TestParseAccess_Success(t *testing.T) {\n\tusers := []*user.User{\n\t\t{Name: \"alice\", Role: user.RoleUser},\n\t\t{Name: \"bob\", Role: user.RoleUser},\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tusers []*user.User\n\t\tinput []string\n\t\texpected map[string][]*user.Grant\n\t}{\n\t\t{\n\t\t\tname: \"single access entry\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:mytopic:read-write\"},\n\t\t\texpected: map[string][]*user.Grant{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tTopicPattern: \"mytopic\",\n\t\t\t\t\t\tPermission: user.PermissionReadWrite,\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple access entries for same user\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\n\t\t\t\t\"alice:topic1:read-only\",\n\t\t\t\t\"alice:topic2:write-only\",\n\t\t\t},\n\t\t\texpected: map[string][]*user.Grant{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tTopicPattern: \"topic1\",\n\t\t\t\t\t\tPermission: user.PermissionRead,\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tTopicPattern: \"topic2\",\n\t\t\t\t\t\tPermission: user.PermissionWrite,\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"access for everyone\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"everyone:publictopic:read-only\"},\n\t\t\texpected: map[string][]*user.Grant{\n\t\t\t\tuser.Everyone: {\n\t\t\t\t\t{\n\t\t\t\t\t\tTopicPattern: \"publictopic\",\n\t\t\t\t\t\tPermission: user.PermissionRead,\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"wildcard topic pattern\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:topic*:read-write\"},\n\t\t\texpected: map[string][]*user.Grant{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tTopicPattern: \"topic*\",\n\t\t\t\t\t\tPermission: user.PermissionReadWrite,\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"empty input\",\n\t\t\tusers: users,\n\t\t\tinput: []string{},\n\t\t\texpected: map[string][]*user.Grant{},\n\t\t},\n\t\t{\n\t\t\tname: \"deny-all permission\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:secretopic:deny-all\"},\n\t\t\texpected: map[string][]*user.Grant{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tTopicPattern: \"secretopic\",\n\t\t\t\t\t\tPermission: user.PermissionDenyAll,\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tresult, err := parseAccess(tt.users, tt.input)\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Equal(t, tt.expected, result)\n\t\t})\n\t}\n}\n\nfunc TestParseAccess_Errors(t *testing.T) {\n\tusers := []*user.User{\n\t\t{Name: \"alice\", Role: user.RoleUser},\n\t\t{Name: \"admin\", Role: user.RoleAdmin},\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tusers []*user.User\n\t\tinput []string\n\t\terror string\n\t}{\n\t\t{\n\t\t\tname: \"invalid format - too few parts\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:topic\"},\n\t\t\terror: \"invalid auth-access: alice:topic, expected format: 'user:topic:permission'\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid format - too many parts\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:topic:read:extra\"},\n\t\t\terror: \"invalid auth-access: alice:topic:read:extra, expected format: 'user:topic:permission'\",\n\t\t},\n\t\t{\n\t\t\tname: \"user not provisioned\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"charlie:topic:read\"},\n\t\t\terror: \"invalid auth-access: charlie:topic:read, user charlie is not provisioned\",\n\t\t},\n\t\t{\n\t\t\tname: \"admin user cannot have ACL entries\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"admin:topic:read\"},\n\t\t\terror: \"invalid auth-access: admin:topic:read, user admin is not a regular user, only regular users can have ACL entries\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid topic pattern\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:topic-with-invalid-chars!:read\"},\n\t\t\terror: \"invalid auth-access: alice:topic-with-invalid-chars!:read, topic pattern topic-with-invalid-chars! invalid\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid permission\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:topic:invalid-permission\"},\n\t\t\terror: \"invalid auth-access: alice:topic:invalid-permission, permission invalid-permission invalid\",\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tresult, err := parseAccess(tt.users, tt.input)\n\t\t\trequire.Error(t, err)\n\t\t\trequire.Nil(t, result)\n\t\t\tassert.Contains(t, err.Error(), tt.error)\n\t\t})\n\t}\n}\n\nfunc TestParseTokens_Success(t *testing.T) {\n\tusers := []*user.User{\n\t\t{Name: \"alice\"},\n\t\t{Name: \"bob\"},\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tusers []*user.User\n\t\tinput []string\n\t\texpected map[string][]*user.Token\n\t}{\n\t\t{\n\t\t\tname: \"single token without label\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:tk_abcdefghijklmnopqrstuvwxyz123\"},\n\t\t\texpected: map[string][]*user.Token{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tValue: \"tk_abcdefghijklmnopqrstuvwxyz123\",\n\t\t\t\t\t\tLabel: \"\",\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"single token with label\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:tk_abcdefghijklmnopqrstuvwxyz123:My Phone\"},\n\t\t\texpected: map[string][]*user.Token{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tValue: \"tk_abcdefghijklmnopqrstuvwxyz123\",\n\t\t\t\t\t\tLabel: \"My Phone\",\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple tokens for same user\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\n\t\t\t\t\"alice:tk_abcdefghijklmnopqrstuvwxyz123:Phone\",\n\t\t\t\t\"alice:tk_zyxwvutsrqponmlkjihgfedcba987:Laptop\",\n\t\t\t},\n\t\t\texpected: map[string][]*user.Token{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tValue: \"tk_abcdefghijklmnopqrstuvwxyz123\",\n\t\t\t\t\t\tLabel: \"Phone\",\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tValue: \"tk_zyxwvutsrqponmlkjihgfedcba987\",\n\t\t\t\t\t\tLabel: \"Laptop\",\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"tokens for multiple users\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\n\t\t\t\t\"alice:tk_abcdefghijklmnopqrstuvwxyz123:Phone\",\n\t\t\t\t\"bob:tk_zyxwvutsrqponmlkjihgfedcba987:Tablet\",\n\t\t\t},\n\t\t\texpected: map[string][]*user.Token{\n\t\t\t\t\"alice\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tValue: \"tk_abcdefghijklmnopqrstuvwxyz123\",\n\t\t\t\t\t\tLabel: \"Phone\",\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t\"bob\": {\n\t\t\t\t\t{\n\t\t\t\t\t\tValue: \"tk_zyxwvutsrqponmlkjihgfedcba987\",\n\t\t\t\t\t\tLabel: \"Tablet\",\n\t\t\t\t\t\tProvisioned: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"empty input\",\n\t\t\tusers: users,\n\t\t\tinput: []string{},\n\t\t\texpected: map[string][]*user.Token{},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tresult, err := parseTokens(tt.users, tt.input)\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Equal(t, tt.expected, result)\n\t\t})\n\t}\n}\n\nfunc TestParseTokens_Errors(t *testing.T) {\n\tusers := []*user.User{\n\t\t{Name: \"alice\"},\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tusers []*user.User\n\t\tinput []string\n\t\terror string\n\t}{\n\t\t{\n\t\t\tname: \"invalid format - too few parts\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice\"},\n\t\t\terror: \"invalid auth-tokens: alice, expected format: 'user:token[:label]'\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid format - too many parts\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:token:label:extra:parts\"},\n\t\t\terror: \"invalid auth-tokens: alice:token:label:extra:parts, expected format: 'user:token[:label]'\",\n\t\t},\n\t\t{\n\t\t\tname: \"user not provisioned\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"charlie:tk_abcdefghijklmnopqrstuvwxyz123\"},\n\t\t\terror: \"invalid auth-tokens: charlie:tk_abcdefghijklmnopqrstuvwxyz123, user charlie is not provisioned\",\n\t\t},\n\t\t{\n\t\t\tname: \"invalid token format\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:invalid-token\"},\n\t\t\terror: \"invalid auth-tokens: alice:invalid-token, token invalid-token invalid, use 'ntfy token generate' to generate a random token\",\n\t\t},\n\t\t{\n\t\t\tname: \"token too short\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:tk_short\"},\n\t\t\terror: \"invalid auth-tokens: alice:tk_short, token tk_short invalid, use 'ntfy token generate' to generate a random token\",\n\t\t},\n\t\t{\n\t\t\tname: \"token without prefix\",\n\t\t\tusers: users,\n\t\t\tinput: []string{\"alice:abcdefghijklmnopqrstuvwxyz12345\"},\n\t\t\terror: \"invalid auth-tokens: alice:abcdefghijklmnopqrstuvwxyz12345, token abcdefghijklmnopqrstuvwxyz12345 invalid, use 'ntfy token generate' to generate a random token\",\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tresult, err := parseTokens(tt.users, tt.input)\n\t\t\trequire.Error(t, err)\n\t\t\trequire.Nil(t, result)\n\t\t\tassert.Contains(t, err.Error(), tt.error)\n\t\t})\n\t}\n}\n\nfunc TestCLI_Serve_Unix_Curl(t *testing.T) {\n\tsockFile := filepath.Join(t.TempDir(), \"ntfy.sock\")\n\tconfigFile := newEmptyFile(t) // Avoid issues with existing server.yml file on system\n\tgo func() {\n\t\tapp, _, _, _ := newTestApp()\n\t\terr := app.Run([]string{\"ntfy\", \"serve\", \"--config=\" + configFile, \"--listen-http=-\", \"--listen-unix=\" + sockFile})\n\t\trequire.Nil(t, err)\n\t}()\n\tfor i := 0; i < 40 && !util.FileExists(sockFile); i++ {\n\t\ttime.Sleep(50 * time.Millisecond)\n\t}\n\trequire.True(t, util.FileExists(sockFile))\n\n\tcmd := exec.Command(\"curl\", \"-s\", \"--unix-socket\", sockFile, \"-d\", \"this is a message\", \"localhost/mytopic\")\n\tout, err := cmd.Output()\n\trequire.Nil(t, err)\n\tm := toMessage(t, string(out))\n\trequire.Equal(t, \"this is a message\", m.Message)\n}\n\nfunc TestCLI_Serve_WebSocket(t *testing.T) {\n\tport := 10000 + rand.Intn(20000)\n\tgo func() {\n\t\tconfigFile := newEmptyFile(t) // Avoid issues with existing server.yml file on system\n\t\tapp, _, _, _ := newTestApp()\n\t\terr := app.Run([]string{\"ntfy\", \"serve\", \"--config=\" + configFile, fmt.Sprintf(\"--listen-http=:%d\", port)})\n\t\trequire.Nil(t, err)\n\t}()\n\ttest.WaitForPortUp(t, port)\n\n\tws, _, err := websocket.DefaultDialer.Dial(fmt.Sprintf(\"ws://127.0.0.1:%d/mytopic/ws\", port), nil)\n\trequire.Nil(t, err)\n\n\tmessageType, data, err := ws.ReadMessage()\n\trequire.Nil(t, err)\n\trequire.Equal(t, websocket.TextMessage, messageType)\n\trequire.Equal(t, \"open\", toMessage(t, string(data)).Event)\n\n\tc := client.New(client.NewConfig())\n\t_, err = c.Publish(fmt.Sprintf(\"http://127.0.0.1:%d/mytopic\", port), \"my message\")\n\trequire.Nil(t, err)\n\n\tmessageType, data, err = ws.ReadMessage()\n\trequire.Nil(t, err)\n\trequire.Equal(t, websocket.TextMessage, messageType)\n\n\tm := toMessage(t, string(data))\n\trequire.Equal(t, \"my message\", m.Message)\n\trequire.Equal(t, \"mytopic\", m.Topic)\n}\n\nfunc TestIP_Host_Parsing(t *testing.T) {\n\tcases := map[string]string{\n\t\t\"1.1.1.1\": \"1.1.1.1/32\",\n\t\t\"fd00::1234\": \"fd00::1234/128\",\n\t\t\"192.168.0.3/24\": \"192.168.0.0/24\",\n\t\t\"10.1.2.3/8\": \"10.0.0.0/8\",\n\t\t\"201:be93::4a6/21\": \"201:b800::/21\",\n\t}\n\tfor q, expectedAnswer := range cases {\n\t\tips, err := parseIPHostPrefix(q)\n\t\trequire.Nil(t, err)\n\t\tassert.Equal(t, 1, len(ips))\n\t\tassert.Equal(t, expectedAnswer, ips[0].String())\n\t}\n}\n\nfunc newEmptyFile(t *testing.T) string {\n\tfilename := filepath.Join(t.TempDir(), \"empty\")\n\trequire.Nil(t, os.WriteFile(filename, []byte{}, 0600))\n\treturn filename\n}\n" }, { "path": "cmd/serve_unix.go", "content": "//go:build linux || dragonfly || freebsd || netbsd || openbsd\n\npackage cmd\n\nimport (\n\t\"os\"\n\t\"os/signal\"\n\t\"syscall\"\n\n\t\"github.com/urfave/cli/v2/altsrc\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"heckel.io/ntfy/v2/server\"\n)\n\nfunc sigHandlerConfigReload(config string) {\n\tsigs := make(chan os.Signal, 1)\n\tsignal.Notify(sigs, syscall.SIGHUP)\n\tfor range sigs {\n\t\tlog.Info(\"Partially hot reloading configuration ...\")\n\t\tinputSource, err := newYamlSourceFromFile(config, flagsServe)\n\t\tif err != nil {\n\t\t\tlog.Warn(\"Hot reload failed: %s\", err.Error())\n\t\t\tcontinue\n\t\t}\n\t\tif err := reloadLogLevel(inputSource); err != nil {\n\t\t\tlog.Warn(\"Reloading log level failed: %s\", err.Error())\n\t\t}\n\t}\n}\n\nfunc reloadLogLevel(inputSource altsrc.InputSourceContext) error {\n\tnewLevelStr, err := inputSource.String(\"log-level\")\n\tif err != nil {\n\t\treturn err\n\t}\n\toverrides, err := inputSource.StringSlice(\"log-level-overrides\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tlog.ResetLevelOverrides()\n\tif err := applyLogLevelOverrides(overrides); err != nil {\n\t\treturn err\n\t}\n\tlog.SetLevel(log.ToLevel(newLevelStr))\n\tif len(overrides) > 0 {\n\t\tlog.Info(\"Log level is %v, %d override(s) in place\", newLevelStr, len(overrides))\n\t} else {\n\t\tlog.Info(\"Log level is %v\", newLevelStr)\n\t}\n\treturn nil\n}\n\nfunc maybeRunAsService(conf *server.Config) (bool, error) {\n\treturn false, nil\n}\n" }, { "path": "cmd/serve_windows.go", "content": "//go:build windows && !noserver\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"sync\"\n\n\t\"golang.org/x/sys/windows/svc\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"heckel.io/ntfy/v2/server\"\n)\n\nconst serviceName = \"ntfy\"\n\n// sigHandlerConfigReload is a no-op on Windows since SIGHUP is not available.\n// Windows users can restart the service to reload configuration.\nfunc sigHandlerConfigReload(config string) {\n\tlog.Debug(\"Config hot-reload via SIGHUP is not supported on Windows\")\n}\n\n// runAsWindowsService runs the ntfy server as a Windows service\nfunc runAsWindowsService(conf *server.Config) error {\n\treturn svc.Run(serviceName, &windowsService{conf: conf})\n}\n\n// windowsService implements the svc.Handler interface\ntype windowsService struct {\n\tconf *server.Config\n\tserver *server.Server\n\tmu sync.Mutex\n}\n\n// Execute is the main entry point for the Windows service\nfunc (s *windowsService) Execute(args []string, requests <-chan svc.ChangeRequest, status chan<- svc.Status) (bool, uint32) {\n\tconst cmdsAccepted = svc.AcceptStop | svc.AcceptShutdown\n\tstatus <- svc.Status{State: svc.StartPending}\n\n\t// Create and start the server\n\tvar err error\n\ts.mu.Lock()\n\ts.server, err = server.New(s.conf)\n\ts.mu.Unlock()\n\tif err != nil {\n\t\tlog.Error(\"Failed to create server: %s\", err.Error())\n\t\treturn true, 1\n\t}\n\n\t// Start server in a goroutine\n\tserverErrChan := make(chan error, 1)\n\tgo func() {\n\t\tserverErrChan <- s.server.Run()\n\t}()\n\n\tstatus <- svc.Status{State: svc.Running, Accepts: cmdsAccepted}\n\tlog.Info(\"Windows service started\")\n\n\tfor {\n\t\tselect {\n\t\tcase err := <-serverErrChan:\n\t\t\tif err != nil {\n\t\t\t\tlog.Error(\"Server error: %s\", err.Error())\n\t\t\t\treturn true, 1\n\t\t\t}\n\t\t\treturn false, 0\n\t\tcase req := <-requests:\n\t\t\tswitch req.Cmd {\n\t\t\tcase svc.Interrogate:\n\t\t\t\tstatus <- req.CurrentStatus\n\t\t\tcase svc.Stop, svc.Shutdown:\n\t\t\t\tlog.Info(\"Windows service stopping...\")\n\t\t\t\tstatus <- svc.Status{State: svc.StopPending}\n\t\t\t\ts.mu.Lock()\n\t\t\t\tif s.server != nil {\n\t\t\t\t\ts.server.Stop()\n\t\t\t\t}\n\t\t\t\ts.mu.Unlock()\n\t\t\t\treturn false, 0\n\t\t\tdefault:\n\t\t\t\tlog.Warn(\"Unexpected service control request: %d\", req.Cmd)\n\t\t\t}\n\t\t}\n\t}\n}\n\n// maybeRunAsService checks if the process is running as a Windows service,\n// and if so, runs the server as a service. Returns true if it ran as a service.\nfunc maybeRunAsService(conf *server.Config) (bool, error) {\n\tisService, err := svc.IsWindowsService()\n\tif err != nil {\n\t\treturn false, fmt.Errorf(\"failed to detect Windows service mode: %w\", err)\n\t} else if !isService {\n\t\treturn false, nil\n\t}\n\tlog.Info(\"Running as Windows service\")\n\tif err := runAsWindowsService(conf); err != nil {\n\t\treturn true, fmt.Errorf(\"failed to run as Windows service: %w\", err)\n\t}\n\treturn true, nil\n}\n" }, { "path": "cmd/subscribe.go", "content": "package cmd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"sort\"\n\t\"strings\"\n\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/client\"\n\t\"heckel.io/ntfy/v2/log\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nfunc init() {\n\tcommands = append(commands, cmdSubscribe)\n}\n\nvar flagsSubscribe = append(\n\tappend([]cli.Flag{}, flagsDefault...),\n\t&cli.StringFlag{Name: \"config\", Aliases: []string{\"c\"}, Usage: \"client config file\"},\n\t&cli.StringFlag{Name: \"since\", Aliases: []string{\"s\"}, Usage: \"return events since `SINCE` (Unix timestamp, or all)\"},\n\t&cli.StringFlag{Name: \"user\", Aliases: []string{\"u\"}, EnvVars: []string{\"NTFY_USER\"}, Usage: \"username[:password] used to auth against the server\"},\n\t&cli.StringFlag{Name: \"token\", Aliases: []string{\"k\"}, EnvVars: []string{\"NTFY_TOKEN\"}, Usage: \"access token used to auth against the server\"},\n\t&cli.BoolFlag{Name: \"from-config\", Aliases: []string{\"from_config\", \"C\"}, Usage: \"read subscriptions from config file (service mode)\"},\n\t&cli.BoolFlag{Name: \"poll\", Aliases: []string{\"p\"}, Usage: \"return events and exit, do not listen for new events\"},\n\t&cli.BoolFlag{Name: \"scheduled\", Aliases: []string{\"sched\", \"S\"}, Usage: \"also return scheduled/delayed events\"},\n)\n\nvar cmdSubscribe = &cli.Command{\n\tName: \"subscribe\",\n\tAliases: []string{\"sub\"},\n\tUsage: \"Subscribe to one or more topics on a ntfy server\",\n\tUsageText: \"ntfy subscribe [OPTIONS..] [TOPIC]\",\n\tAction: execSubscribe,\n\tCategory: categoryClient,\n\tFlags: flagsSubscribe,\n\tBefore: initLogFunc,\n\tDescription: `Subscribe to a topic from a ntfy server, and either print or execute a command for \nevery arriving message. There are 3 modes in which the command can be run:\n\nntfy subscribe TOPIC\n This prints the JSON representation of every incoming message. It is useful when you\n have a command that wants to stream-read incoming JSON messages. Unless --poll is passed,\n this command stays open forever. \n\n Examples:\n ntfy subscribe mytopic # Prints JSON for incoming messages for ntfy.sh/mytopic\n ntfy sub home.lan/backups # Subscribe to topic on different server\n ntfy sub --poll home.lan/backups # Just query for latest messages and exit\n ntfy sub -u phil:mypass secret # Subscribe with username/password\n \nntfy subscribe TOPIC COMMAND\n This executes COMMAND for every incoming messages. The message fields are passed to the\n command as environment variables:\n\n Variable Aliases Description\n --------------- --------------------- -----------------------------------\n $NTFY_ID $id Unique message ID\n $NTFY_TIME $time Unix timestamp of the message delivery\n $NTFY_TOPIC $topic Topic name\n $NTFY_MESSAGE $message, $m Message body\n $NTFY_TITLE $title, $t Message title\n $NTFY_PRIORITY $priority, $prio, $p Message priority (1=min, 5=max)\n $NTFY_TAGS $tags, $tag, $ta Message tags (comma separated list)\n $NTFY_RAW $raw Raw JSON message\n\n Examples:\n ntfy sub mytopic 'notify-send \"$m\"' # Execute command for incoming messages\n ntfy sub topic1 myscript.sh # Execute script for incoming messages\n\nntfy subscribe --from-config\n Service mode (used in ntfy-client.service). This reads the config file and sets up \n subscriptions for every topic in the \"subscribe:\" block (see config file).\n\n Examples: \n ntfy sub --from-config # Read topics from config file\n ntfy sub --config=myclient.yml --from-config # Read topics from alternate config file\n\n` + clientCommandDescriptionSuffix,\n}\n\nfunc execSubscribe(c *cli.Context) error {\n\t// Read config and options\n\tconf, err := loadConfig(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcl := client.New(conf)\n\tsince := c.String(\"since\")\n\tuser := c.String(\"user\")\n\ttoken := c.String(\"token\")\n\tpoll := c.Bool(\"poll\")\n\tscheduled := c.Bool(\"scheduled\")\n\tfromConfig := c.Bool(\"from-config\")\n\ttopic := c.Args().Get(0)\n\tcommand := c.Args().Get(1)\n\n\t// Checks\n\tif user != \"\" && token != \"\" {\n\t\treturn errors.New(\"cannot set both --user and --token\")\n\t}\n\n\tif !fromConfig {\n\t\tconf.Subscribe = nil // wipe if --from-config not passed\n\t}\n\tvar options []client.SubscribeOption\n\tif since != \"\" {\n\t\toptions = append(options, client.WithSince(since))\n\t}\n\tif token != \"\" {\n\t\toptions = append(options, client.WithBearerAuth(token))\n\t} else if user != \"\" {\n\t\tvar pass string\n\t\tparts := strings.SplitN(user, \":\", 2)\n\t\tif len(parts) == 2 {\n\t\t\tuser = parts[0]\n\t\t\tpass = parts[1]\n\t\t} else {\n\t\t\tfmt.Fprint(c.App.ErrWriter, \"Enter Password: \")\n\t\t\tp, err := util.ReadPassword(c.App.Reader)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tpass = string(p)\n\t\t\tfmt.Fprintf(c.App.ErrWriter, \"\\r%s\\r\", strings.Repeat(\" \", 20))\n\t\t}\n\t\toptions = append(options, client.WithBasicAuth(user, pass))\n\t} else if conf.DefaultToken != \"\" {\n\t\toptions = append(options, client.WithBearerAuth(conf.DefaultToken))\n\t} else if conf.DefaultUser != \"\" && conf.DefaultPassword != nil {\n\t\toptions = append(options, client.WithBasicAuth(conf.DefaultUser, *conf.DefaultPassword))\n\t}\n\tif scheduled {\n\t\toptions = append(options, client.WithScheduled())\n\t}\n\tif topic == \"\" && len(conf.Subscribe) == 0 {\n\t\treturn errors.New(\"must specify topic, type 'ntfy subscribe --help' for help\")\n\t}\n\n\t// Execute poll or subscribe\n\tif poll {\n\t\treturn doPoll(c, cl, conf, topic, command, options...)\n\t}\n\treturn doSubscribe(c, cl, conf, topic, command, options...)\n}\n\nfunc doPoll(c *cli.Context, cl *client.Client, conf *client.Config, topic, command string, options ...client.SubscribeOption) error {\n\tfor _, s := range conf.Subscribe { // may be nil\n\t\tif auth := maybeAddAuthHeader(s, conf); auth != nil {\n\t\t\toptions = append(options, auth)\n\t\t}\n\t\tif err := doPollSingle(c, cl, s.Topic, s.Command, options...); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif topic != \"\" {\n\t\tif err := doPollSingle(c, cl, topic, command, options...); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc doPollSingle(c *cli.Context, cl *client.Client, topic, command string, options ...client.SubscribeOption) error {\n\tmessages, err := cl.Poll(topic, options...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, m := range messages {\n\t\tprintMessageOrRunCommand(c, m, command)\n\t}\n\treturn nil\n}\n\nfunc doSubscribe(c *cli.Context, cl *client.Client, conf *client.Config, topic, command string, options ...client.SubscribeOption) error {\n\tcmds := make(map[string]string) // Subscription ID -> command\n\tfor _, s := range conf.Subscribe { // May be nil\n\t\ttopicOptions := append(make([]client.SubscribeOption, 0), options...)\n\t\tfor filter, value := range s.If {\n\t\t\ttopicOptions = append(topicOptions, client.WithFilter(filter, value))\n\t\t}\n\n\t\tif auth := maybeAddAuthHeader(s, conf); auth != nil {\n\t\t\ttopicOptions = append(topicOptions, auth)\n\t\t}\n\n\t\tsubscriptionID, err := cl.Subscribe(s.Topic, topicOptions...)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif s.Command != \"\" {\n\t\t\tcmds[subscriptionID] = s.Command\n\t\t} else if conf.DefaultCommand != \"\" {\n\t\t\tcmds[subscriptionID] = conf.DefaultCommand\n\t\t} else {\n\t\t\tcmds[subscriptionID] = \"\"\n\t\t}\n\t}\n\tif topic != \"\" {\n\t\tsubscriptionID, err := cl.Subscribe(topic, options...)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcmds[subscriptionID] = command\n\t}\n\tfor m := range cl.Messages {\n\t\tcmd, ok := cmds[m.SubscriptionID]\n\t\tif !ok {\n\t\t\tcontinue\n\t\t}\n\t\tlog.Debug(\"%s Dispatching received message: %s\", logMessagePrefix(m), m.Raw)\n\t\tprintMessageOrRunCommand(c, m, cmd)\n\t}\n\treturn nil\n}\n\nfunc maybeAddAuthHeader(s client.Subscribe, conf *client.Config) client.SubscribeOption {\n\t// if an explicit empty token or empty user:pass is given, exit without auth\n\tif (s.Token != nil && *s.Token == \"\") || (s.User != nil && *s.User == \"\" && s.Password != nil && *s.Password == \"\") {\n\t\treturn client.WithEmptyAuth()\n\t}\n\n\t// check for subscription token then subscription user:pass\n\tif s.Token != nil && *s.Token != \"\" {\n\t\treturn client.WithBearerAuth(*s.Token)\n\t}\n\tif s.User != nil && *s.User != \"\" && s.Password != nil {\n\t\treturn client.WithBasicAuth(*s.User, *s.Password)\n\t}\n\n\t// if no subscription token nor subscription user:pass, check for default token then default user:pass\n\tif conf.DefaultToken != \"\" {\n\t\treturn client.WithBearerAuth(conf.DefaultToken)\n\t}\n\tif conf.DefaultUser != \"\" && conf.DefaultPassword != nil {\n\t\treturn client.WithBasicAuth(conf.DefaultUser, *conf.DefaultPassword)\n\t}\n\treturn nil\n}\n\nfunc printMessageOrRunCommand(c *cli.Context, m *client.Message, command string) {\n\tif command != \"\" {\n\t\trunCommand(c, command, m)\n\t} else {\n\t\tlog.Debug(\"%s Printing raw message\", logMessagePrefix(m))\n\t\tfmt.Fprintln(c.App.Writer, m.Raw)\n\t}\n}\n\nfunc runCommand(c *cli.Context, command string, m *client.Message) {\n\tif err := runCommandInternal(c, command, m); err != nil {\n\t\tlog.Warn(\"%s Command failed: %s\", logMessagePrefix(m), err.Error())\n\t}\n}\n\nfunc runCommandInternal(c *cli.Context, script string, m *client.Message) error {\n\tscriptFile := fmt.Sprintf(\"%s/ntfy-subscribe-%s.%s\", os.TempDir(), util.RandomString(10), scriptExt)\n\tlog.Debug(\"%s Running command '%s' via temporary script %s\", logMessagePrefix(m), script, scriptFile)\n\tscript = scriptHeader + script\n\tif err := os.WriteFile(scriptFile, []byte(script), 0700); err != nil {\n\t\treturn err\n\t}\n\tdefer os.Remove(scriptFile)\n\tlog.Debug(\"%s Executing script %s\", logMessagePrefix(m), scriptFile)\n\tcmd := exec.Command(scriptLauncher[0], append(scriptLauncher[1:], scriptFile)...)\n\tcmd.Stdin = c.App.Reader\n\tcmd.Stdout = c.App.Writer\n\tcmd.Stderr = c.App.ErrWriter\n\tcmd.Env = envVars(m)\n\treturn cmd.Run()\n}\n\nfunc envVars(m *client.Message) []string {\n\tenv := make([]string, 0)\n\tenv = append(env, envVar(m.ID, \"NTFY_ID\", \"id\")...)\n\tenv = append(env, envVar(m.Topic, \"NTFY_TOPIC\", \"topic\")...)\n\tenv = append(env, envVar(fmt.Sprintf(\"%d\", m.Time), \"NTFY_TIME\", \"time\")...)\n\tenv = append(env, envVar(m.Message, \"NTFY_MESSAGE\", \"message\", \"m\")...)\n\tenv = append(env, envVar(m.Title, \"NTFY_TITLE\", \"title\", \"t\")...)\n\tenv = append(env, envVar(fmt.Sprintf(\"%d\", m.Priority), \"NTFY_PRIORITY\", \"priority\", \"prio\", \"p\")...)\n\tenv = append(env, envVar(strings.Join(m.Tags, \",\"), \"NTFY_TAGS\", \"tags\", \"tag\", \"ta\")...)\n\tenv = append(env, envVar(m.Raw, \"NTFY_RAW\", \"raw\")...)\n\tsort.Strings(env)\n\tif log.IsTrace() {\n\t\tlog.Trace(\"%s With environment:\\n%s\", logMessagePrefix(m), strings.Join(env, \"\\n\"))\n\t}\n\treturn append(os.Environ(), env...)\n}\n\nfunc envVar(value string, vars ...string) []string {\n\tenv := make([]string, 0)\n\tfor _, v := range vars {\n\t\tenv = append(env, fmt.Sprintf(\"%s=%s\", v, value))\n\t}\n\treturn env\n}\n\nfunc loadConfig(c *cli.Context) (*client.Config, error) {\n\tfilename := c.String(\"config\")\n\tif filename != \"\" {\n\t\treturn client.LoadConfig(filename)\n\t}\n\tif client.DefaultConfigFile != \"\" {\n\t\tif s, _ := os.Stat(client.DefaultConfigFile); s != nil {\n\t\t\treturn client.LoadConfig(client.DefaultConfigFile)\n\t\t}\n\t\tlog.Debug(\"Config file %s not found\", client.DefaultConfigFile)\n\t}\n\tlog.Debug(\"Loading default config\")\n\treturn client.NewConfig(), nil\n}\n\nfunc logMessagePrefix(m *client.Message) string {\n\treturn fmt.Sprintf(\"%s/%s\", util.ShortTopicURL(m.TopicURL), m.ID)\n}\n" }, { "path": "cmd/subscribe_darwin.go", "content": "//go:build darwin\n\npackage cmd\n\nconst (\n\tscriptExt = \"sh\"\n\tscriptHeader = \"#!/bin/sh\\n\"\n\tclientCommandDescriptionSuffix = `The default config file for all client commands is /etc/ntfy/client.yml (if root user),\nor \"~/Library/Application Support/ntfy/client.yml\" for all other users.`\n)\n\nvar (\n\tscriptLauncher = []string{\"sh\", \"-c\"}\n)\n" }, { "path": "cmd/subscribe_test.go", "content": "package cmd\n\nimport (\n\t\"fmt\"\n\t\"github.com/stretchr/testify/require\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n)\n\nfunc TestCLI_Subscribe_Default_UserPass_Subscription_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: philipp\ndefault-password: mypass\nsubscribe:\n - topic: mytopic\n token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Token_Subscription_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\nsubscribe:\n - topic: mytopic\n user: philipp\n password: mypass\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Token_Subscription_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_FAKETOKEN01234567890FAKETOKEN\nsubscribe:\n - topic: mytopic\n token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_UserPass_Subscription_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: fake\ndefault-password: password\nsubscribe:\n - topic: mytopic\n user: philipp\n password: mypass\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Token_Subscription_Empty(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\nsubscribe:\n - topic: mytopic\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_UserPass_Subscription_Empty(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: philipp\ndefault-password: mypass\nsubscribe:\n - topic: mytopic\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Empty_Subscription_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\nsubscribe:\n - topic: mytopic\n token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Empty_Subscription_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\nsubscribe:\n - topic: mytopic\n user: philipp\n password: mypass\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Token_CLI_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_FAKETOKEN0123456789FAKETOKEN\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename, \"--token\", \"tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", \"mytopic\"}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Token_CLI_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename, \"--user\", \"philipp:mypass\", \"mytopic\"}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_Token_Subscription_Token_CLI_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_FAKETOKEN01234567890FAKETOKEN\nsubscribe:\n - topic: mytopic\n token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename, \"--user\", \"philipp:mypass\"}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Token_And_UserPass(t *testing.T) {\n\tapp, _, _, _ := newTestApp()\n\terr := app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--token\", \"tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", \"--user\", \"philipp:mypass\", \"mytopic\", \"triggered\"})\n\trequire.Error(t, err)\n\trequire.Equal(t, \"cannot set both --user and --token\", err.Error())\n}\n\nfunc TestCLI_Subscribe_Default_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename, \"mytopic\"}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Default_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"Basic cGhpbGlwcDpteXBhc3M=\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: philipp\ndefault-password: mypass\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename, \"mytopic\"}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Override_Default_UserPass_With_Empty_UserPass(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-user: philipp\ndefault-password: mypass\nsubscribe:\n - topic: mytopic\n user: \"\"\n password: \"\"\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n\nfunc TestCLI_Subscribe_Override_Default_Token_With_Empty_Token(t *testing.T) {\n\tmessage := `{\"id\":\"RXIQBFaieLVr\",\"time\":124,\"expires\":1124,\"event\":\"message\",\"topic\":\"mytopic\",\"message\":\"triggered\"}`\n\tserver := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trequire.Equal(t, \"/mytopic/json\", r.URL.Path)\n\t\trequire.Equal(t, \"\", r.Header.Get(\"Authorization\"))\n\n\t\tw.WriteHeader(http.StatusOK)\n\t\tw.Write([]byte(message))\n\t}))\n\tdefer server.Close()\n\n\tfilename := filepath.Join(t.TempDir(), \"client.yml\")\n\trequire.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`\ndefault-host: %s\ndefault-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2\nsubscribe:\n - topic: mytopic\n token: \"\"\n`, server.URL)), 0600))\n\n\tapp, _, stdout, _ := newTestApp()\n\n\trequire.Nil(t, app.Run([]string{\"ntfy\", \"subscribe\", \"--poll\", \"--from-config\", \"--config=\" + filename}))\n\n\trequire.Equal(t, message, strings.TrimSpace(stdout.String()))\n}\n" }, { "path": "cmd/subscribe_unix.go", "content": "//go:build linux || dragonfly || freebsd || netbsd || openbsd\n\npackage cmd\n\nconst (\n\tscriptExt = \"sh\"\n\tscriptHeader = \"#!/bin/sh\\n\"\n\tclientCommandDescriptionSuffix = `The default config file for all client commands is /etc/ntfy/client.yml (if root user),\nor ~/.config/ntfy/client.yml for all other users.`\n)\n\nvar (\n\tscriptLauncher = []string{\"sh\", \"-c\"}\n)\n" }, { "path": "cmd/subscribe_windows.go", "content": "//go:build windows\n\npackage cmd\n\nconst (\n\tscriptExt = \"bat\"\n\tscriptHeader = \"\"\n\tclientCommandDescriptionSuffix = `The default config file for all client commands is %AppData%\\ntfy\\client.yml.`\n)\n\nvar (\n\tscriptLauncher = []string{\"cmd.exe\", \"/Q\", \"/C\"}\n)\n" }, { "path": "cmd/tier.go", "content": "//go:build !noserver\n\npackage cmd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/user\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nfunc init() {\n\tcommands = append(commands, cmdTier)\n}\n\nconst (\n\tdefaultMessageLimit = 5000\n\tdefaultMessageExpiryDuration = \"12h\"\n\tdefaultEmailLimit = 20\n\tdefaultCallLimit = 0\n\tdefaultReservationLimit = 3\n\tdefaultAttachmentFileSizeLimit = \"15M\"\n\tdefaultAttachmentTotalSizeLimit = \"100M\"\n\tdefaultAttachmentExpiryDuration = \"6h\"\n\tdefaultAttachmentBandwidthLimit = \"1G\"\n)\n\nvar (\n\tflagsTier = append([]cli.Flag{}, flagsUser...)\n)\n\nvar cmdTier = &cli.Command{\n\tName: \"tier\",\n\tUsage: \"Manage/show tiers\",\n\tUsageText: \"ntfy tier [list|add|change|remove] ...\",\n\tFlags: flagsTier,\n\tBefore: initConfigFileInputSourceFunc(\"config\", flagsUser, initLogFunc),\n\tCategory: categoryServer,\n\tSubcommands: []*cli.Command{\n\t\t{\n\t\t\tName: \"add\",\n\t\t\tAliases: []string{\"a\"},\n\t\t\tUsage: \"Adds a new tier\",\n\t\t\tUsageText: \"ntfy tier add [OPTIONS] CODE\",\n\t\t\tAction: execTierAdd,\n\t\t\tFlags: []cli.Flag{\n\t\t\t\t&cli.StringFlag{Name: \"name\", Usage: \"tier name\"},\n\t\t\t\t&cli.Int64Flag{Name: \"message-limit\", Value: defaultMessageLimit, Usage: \"daily message limit\"},\n\t\t\t\t&cli.StringFlag{Name: \"message-expiry-duration\", Value: defaultMessageExpiryDuration, Usage: \"duration after which messages are deleted\"},\n\t\t\t\t&cli.Int64Flag{Name: \"email-limit\", Value: defaultEmailLimit, Usage: \"daily email limit\"},\n\t\t\t\t&cli.Int64Flag{Name: \"call-limit\", Value: defaultCallLimit, Usage: \"daily phone call limit\"},\n\t\t\t\t&cli.Int64Flag{Name: \"reservation-limit\", Value: defaultReservationLimit, Usage: \"topic reservation limit\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-file-size-limit\", Value: defaultAttachmentFileSizeLimit, Usage: \"per-attachment file size limit\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-total-size-limit\", Value: defaultAttachmentTotalSizeLimit, Usage: \"total size limit of attachments for the user\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-expiry-duration\", Value: defaultAttachmentExpiryDuration, Usage: \"duration after which attachments are deleted\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-bandwidth-limit\", Value: defaultAttachmentBandwidthLimit, Usage: \"daily bandwidth limit for attachment uploads/downloads\"},\n\t\t\t\t&cli.StringFlag{Name: \"stripe-monthly-price-id\", Usage: \"Monthly Stripe price ID for paid tiers (e.g. price_12345)\"},\n\t\t\t\t&cli.StringFlag{Name: \"stripe-yearly-price-id\", Usage: \"Yearly Stripe price ID for paid tiers (e.g. price_12345)\"},\n\t\t\t\t&cli.BoolFlag{Name: \"ignore-exists\", Usage: \"if the tier already exists, perform no action and exit\"},\n\t\t\t},\n\t\t\tDescription: `Add a new tier to the ntfy user database.\n\nTiers can be used to grant users higher limits, such as daily message limits, attachment size, or\nmake it possible for users to reserve topics.\n\nThis is a server-only command. It directly reads from user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n\nExamples:\n ntfy tier add pro # Add tier with code \"pro\", using the defaults\n ntfy tier add \\ # Add a tier with custom limits\n --name=\"Pro\" \\\n --message-limit=10000 \\\n --message-expiry-duration=24h \\\n --email-limit=50 \\\n --reservation-limit=10 \\\n --attachment-file-size-limit=100M \\\n --attachment-total-size-limit=1G \\\n --attachment-expiry-duration=12h \\\n --attachment-bandwidth-limit=5G \\\n pro\n`,\n\t\t},\n\t\t{\n\t\t\tName: \"change\",\n\t\t\tAliases: []string{\"ch\"},\n\t\t\tUsage: \"Change a tier\",\n\t\t\tUsageText: \"ntfy tier change [OPTIONS] CODE\",\n\t\t\tAction: execTierChange,\n\t\t\tFlags: []cli.Flag{\n\t\t\t\t&cli.StringFlag{Name: \"name\", Usage: \"tier name\"},\n\t\t\t\t&cli.Int64Flag{Name: \"message-limit\", Usage: \"daily message limit\"},\n\t\t\t\t&cli.StringFlag{Name: \"message-expiry-duration\", Usage: \"duration after which messages are deleted\"},\n\t\t\t\t&cli.Int64Flag{Name: \"email-limit\", Usage: \"daily email limit\"},\n\t\t\t\t&cli.Int64Flag{Name: \"call-limit\", Usage: \"daily phone call limit\"},\n\t\t\t\t&cli.Int64Flag{Name: \"reservation-limit\", Usage: \"topic reservation limit\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-file-size-limit\", Usage: \"per-attachment file size limit\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-total-size-limit\", Usage: \"total size limit of attachments for the user\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-expiry-duration\", Usage: \"duration after which attachments are deleted\"},\n\t\t\t\t&cli.StringFlag{Name: \"attachment-bandwidth-limit\", Usage: \"daily bandwidth limit for attachment uploads/downloads\"},\n\t\t\t\t&cli.StringFlag{Name: \"stripe-monthly-price-id\", Usage: \"Monthly Stripe price ID for paid tiers (e.g. price_12345)\"},\n\t\t\t\t&cli.StringFlag{Name: \"stripe-yearly-price-id\", Usage: \"Yearly Stripe price ID for paid tiers (e.g. price_12345)\"},\n\t\t\t},\n\t\t\tDescription: `Updates a tier to change the limits.\n\nAfter updating a tier, you may have to restart the ntfy server to apply them \nto all visitors. \n\nThis is a server-only command. It directly reads from user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n\nExamples:\n ntfy tier change --name=\"Pro\" pro # Update the name of an existing tier\n ntfy tier change \\ # Update multiple limits and fields\n --message-expiry-duration=24h \\\n --stripe-monthly-price-id=price_1234 \\\n --stripe-monthly-price-id=price_5678 \\\n pro\n`,\n\t\t},\n\t\t{\n\t\t\tName: \"remove\",\n\t\t\tAliases: []string{\"del\", \"rm\"},\n\t\t\tUsage: \"Removes a tier\",\n\t\t\tUsageText: \"ntfy tier remove CODE\",\n\t\t\tAction: execTierDel,\n\t\t\tDescription: `Remove a tier from the ntfy user database.\n\nYou cannot remove a tier if there are users associated with a tier. Use \"ntfy user change-tier\"\nto remove or switch their tier first.\n\nThis is a server-only command. It directly reads from user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n\nExample:\n ntfy tier del pro\n`,\n\t\t},\n\t\t{\n\t\t\tName: \"list\",\n\t\t\tAliases: []string{\"l\"},\n\t\t\tUsage: \"Shows a list of tiers\",\n\t\t\tAction: execTierList,\n\t\t\tDescription: `Shows a list of all configured tiers.\n\nThis is a server-only command. It directly reads from user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n`,\n\t\t},\n\t},\n\tDescription: `Manage tiers of the ntfy server.\n\nThe command allows you to add/remove/change tiers in the ntfy user database. Tiers are used\nto grant users higher limits, such as daily message limits, attachment size, or make it \npossible for users to reserve topics.\n\nThis is a server-only command. It directly manages the user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n\nExamples:\n ntfy tier add pro # Add tier with code \"pro\", using the defaults\n ntfy tier change --name=\"Pro\" pro # Update the name of an existing tier\n ntfy tier del pro # Delete an existing tier\n`,\n}\n\nfunc execTierAdd(c *cli.Context) error {\n\tcode := c.Args().Get(0)\n\tif code == \"\" {\n\t\treturn errors.New(\"tier code expected, type 'ntfy tier add --help' for help\")\n\t} else if !user.AllowedTier(code) {\n\t\treturn errors.New(\"tier code must consist only of numbers and letters\")\n\t} else if c.String(\"stripe-monthly-price-id\") != \"\" && c.String(\"stripe-yearly-price-id\") == \"\" {\n\t\treturn errors.New(\"if stripe-monthly-price-id is set, stripe-yearly-price-id must also be set\")\n\t} else if c.String(\"stripe-monthly-price-id\") == \"\" && c.String(\"stripe-yearly-price-id\") != \"\" {\n\t\treturn errors.New(\"if stripe-yearly-price-id is set, stripe-monthly-price-id must also be set\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif tier, _ := manager.Tier(code); tier != nil {\n\t\tif c.Bool(\"ignore-exists\") {\n\t\t\tfmt.Fprintf(c.App.Writer, \"tier %s already exists (exited successfully)\\n\", code)\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\"tier %s already exists\", code)\n\t}\n\tname := c.String(\"name\")\n\tif name == \"\" {\n\t\tname = code\n\t}\n\tmessageExpiryDuration, err := util.ParseDuration(c.String(\"message-expiry-duration\"))\n\tif err != nil {\n\t\treturn err\n\t}\n\tattachmentFileSizeLimit, err := util.ParseSize(c.String(\"attachment-file-size-limit\"))\n\tif err != nil {\n\t\treturn err\n\t}\n\tattachmentTotalSizeLimit, err := util.ParseSize(c.String(\"attachment-total-size-limit\"))\n\tif err != nil {\n\t\treturn err\n\t}\n\tattachmentBandwidthLimit, err := util.ParseSize(c.String(\"attachment-bandwidth-limit\"))\n\tif err != nil {\n\t\treturn err\n\t}\n\tattachmentExpiryDuration, err := util.ParseDuration(c.String(\"attachment-expiry-duration\"))\n\tif err != nil {\n\t\treturn err\n\t}\n\ttier := &user.Tier{\n\t\tID: \"\", // Generated\n\t\tCode: code,\n\t\tName: name,\n\t\tMessageLimit: c.Int64(\"message-limit\"),\n\t\tMessageExpiryDuration: messageExpiryDuration,\n\t\tEmailLimit: c.Int64(\"email-limit\"),\n\t\tCallLimit: c.Int64(\"call-limit\"),\n\t\tReservationLimit: c.Int64(\"reservation-limit\"),\n\t\tAttachmentFileSizeLimit: attachmentFileSizeLimit,\n\t\tAttachmentTotalSizeLimit: attachmentTotalSizeLimit,\n\t\tAttachmentExpiryDuration: attachmentExpiryDuration,\n\t\tAttachmentBandwidthLimit: attachmentBandwidthLimit,\n\t\tStripeMonthlyPriceID: c.String(\"stripe-monthly-price-id\"),\n\t\tStripeYearlyPriceID: c.String(\"stripe-yearly-price-id\"),\n\t}\n\tif err := manager.AddTier(tier); err != nil {\n\t\treturn err\n\t}\n\ttier, err = manager.Tier(code)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"tier added\\n\\n\")\n\tprintTier(c, tier)\n\treturn nil\n}\n\nfunc execTierChange(c *cli.Context) error {\n\tcode := c.Args().Get(0)\n\tif code == \"\" {\n\t\treturn errors.New(\"tier code expected, type 'ntfy tier change --help' for help\")\n\t} else if !user.AllowedTier(code) {\n\t\treturn errors.New(\"tier code must consist only of numbers and letters\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\ttier, err := manager.Tier(code)\n\tif err == user.ErrTierNotFound {\n\t\treturn fmt.Errorf(\"tier %s does not exist\", code)\n\t} else if err != nil {\n\t\treturn err\n\t}\n\tif c.IsSet(\"name\") {\n\t\ttier.Name = c.String(\"name\")\n\t}\n\tif c.IsSet(\"message-limit\") {\n\t\ttier.MessageLimit = c.Int64(\"message-limit\")\n\t}\n\tif c.IsSet(\"message-expiry-duration\") {\n\t\ttier.MessageExpiryDuration, err = util.ParseDuration(c.String(\"message-expiry-duration\"))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.IsSet(\"email-limit\") {\n\t\ttier.EmailLimit = c.Int64(\"email-limit\")\n\t}\n\tif c.IsSet(\"call-limit\") {\n\t\ttier.CallLimit = c.Int64(\"call-limit\")\n\t}\n\tif c.IsSet(\"reservation-limit\") {\n\t\ttier.ReservationLimit = c.Int64(\"reservation-limit\")\n\t}\n\tif c.IsSet(\"attachment-file-size-limit\") {\n\t\ttier.AttachmentFileSizeLimit, err = util.ParseSize(c.String(\"attachment-file-size-limit\"))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.IsSet(\"attachment-total-size-limit\") {\n\t\ttier.AttachmentTotalSizeLimit, err = util.ParseSize(c.String(\"attachment-total-size-limit\"))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.IsSet(\"attachment-expiry-duration\") {\n\t\ttier.AttachmentExpiryDuration, err = util.ParseDuration(c.String(\"attachment-expiry-duration\"))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.IsSet(\"attachment-bandwidth-limit\") {\n\t\ttier.AttachmentBandwidthLimit, err = util.ParseSize(c.String(\"attachment-bandwidth-limit\"))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.IsSet(\"stripe-monthly-price-id\") {\n\t\ttier.StripeMonthlyPriceID = c.String(\"stripe-monthly-price-id\")\n\t}\n\tif c.IsSet(\"stripe-yearly-price-id\") {\n\t\ttier.StripeYearlyPriceID = c.String(\"stripe-yearly-price-id\")\n\t}\n\tif tier.StripeMonthlyPriceID != \"\" && tier.StripeYearlyPriceID == \"\" {\n\t\treturn errors.New(\"if stripe-monthly-price-id is set, stripe-yearly-price-id must also be set\")\n\t} else if tier.StripeMonthlyPriceID == \"\" && tier.StripeYearlyPriceID != \"\" {\n\t\treturn errors.New(\"if stripe-yearly-price-id is set, stripe-monthly-price-id must also be set\")\n\t}\n\tif err := manager.UpdateTier(tier); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"tier updated\\n\\n\")\n\tprintTier(c, tier)\n\treturn nil\n}\n\nfunc execTierDel(c *cli.Context) error {\n\tcode := c.Args().Get(0)\n\tif code == \"\" {\n\t\treturn errors.New(\"tier code expected, type 'ntfy tier del --help' for help\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, err := manager.Tier(code); err == user.ErrTierNotFound {\n\t\treturn fmt.Errorf(\"tier %s does not exist\", code)\n\t}\n\tif err := manager.RemoveTier(code); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"tier %s removed\\n\", code)\n\treturn nil\n}\n\nfunc execTierList(c *cli.Context) error {\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\ttiers, err := manager.Tiers()\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, tier := range tiers {\n\t\tprintTier(c, tier)\n\t}\n\treturn nil\n}\n\nfunc printTier(c *cli.Context, tier *user.Tier) {\n\tprices := \"(none)\"\n\tif tier.StripeMonthlyPriceID != \"\" && tier.StripeYearlyPriceID != \"\" {\n\t\tprices = fmt.Sprintf(\"%s / %s\", tier.StripeMonthlyPriceID, tier.StripeYearlyPriceID)\n\t}\n\tfmt.Fprintf(c.App.Writer, \"tier %s (id: %s)\\n\", tier.Code, tier.ID)\n\tfmt.Fprintf(c.App.Writer, \"- Name: %s\\n\", tier.Name)\n\tfmt.Fprintf(c.App.Writer, \"- Message limit: %d\\n\", tier.MessageLimit)\n\tfmt.Fprintf(c.App.Writer, \"- Message expiry duration: %s (%d seconds)\\n\", tier.MessageExpiryDuration.String(), int64(tier.MessageExpiryDuration.Seconds()))\n\tfmt.Fprintf(c.App.Writer, \"- Email limit: %d\\n\", tier.EmailLimit)\n\tfmt.Fprintf(c.App.Writer, \"- Phone call limit: %d\\n\", tier.CallLimit)\n\tfmt.Fprintf(c.App.Writer, \"- Reservation limit: %d\\n\", tier.ReservationLimit)\n\tfmt.Fprintf(c.App.Writer, \"- Attachment file size limit: %s\\n\", util.FormatSizeHuman(tier.AttachmentFileSizeLimit))\n\tfmt.Fprintf(c.App.Writer, \"- Attachment total size limit: %s\\n\", util.FormatSizeHuman(tier.AttachmentTotalSizeLimit))\n\tfmt.Fprintf(c.App.Writer, \"- Attachment expiry duration: %s (%d seconds)\\n\", tier.AttachmentExpiryDuration.String(), int64(tier.AttachmentExpiryDuration.Seconds()))\n\tfmt.Fprintf(c.App.Writer, \"- Attachment daily bandwidth limit: %s\\n\", util.FormatSizeHuman(tier.AttachmentBandwidthLimit))\n\tfmt.Fprintf(c.App.Writer, \"- Stripe prices (monthly/yearly): %s\\n\", prices)\n}\n" }, { "path": "cmd/tier_test.go", "content": "package cmd\n\nimport (\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/server\"\n\t\"heckel.io/ntfy/v2/test\"\n\t\"testing\"\n)\n\nfunc TestCLI_Tier_AddListChangeDelete(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, runTierCommand(app, conf, \"add\", \"--name\", \"Pro\", \"--message-limit\", \"1234\", \"pro\"))\n\trequire.Contains(t, stdout.String(), \"tier added\\n\\ntier pro (id: ti_\")\n\n\terr := runTierCommand(app, conf, \"add\", \"pro\")\n\trequire.NotNil(t, err)\n\trequire.Equal(t, \"tier pro already exists\", err.Error())\n\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runTierCommand(app, conf, \"list\"))\n\trequire.Contains(t, stdout.String(), \"tier pro (id: ti_\")\n\trequire.Contains(t, stdout.String(), \"- Name: Pro\")\n\trequire.Contains(t, stdout.String(), \"- Message limit: 1234\")\n\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runTierCommand(app, conf, \"change\",\n\t\t\"--message-limit=999\",\n\t\t\"--message-expiry-duration=2d\",\n\t\t\"--email-limit=91\",\n\t\t\"--reservation-limit=98\",\n\t\t\"--attachment-file-size-limit=100m\",\n\t\t\"--attachment-expiry-duration=1d\",\n\t\t\"--attachment-total-size-limit=10G\",\n\t\t\"--attachment-bandwidth-limit=100G\",\n\t\t\"--stripe-monthly-price-id=price_991\",\n\t\t\"--stripe-yearly-price-id=price_992\",\n\t\t\"pro\",\n\t))\n\trequire.Contains(t, stdout.String(), \"- Message limit: 999\")\n\trequire.Contains(t, stdout.String(), \"- Message expiry duration: 48h\")\n\trequire.Contains(t, stdout.String(), \"- Email limit: 91\")\n\trequire.Contains(t, stdout.String(), \"- Reservation limit: 98\")\n\trequire.Contains(t, stdout.String(), \"- Attachment file size limit: 100.0 MB\")\n\trequire.Contains(t, stdout.String(), \"- Attachment expiry duration: 24h\")\n\trequire.Contains(t, stdout.String(), \"- Attachment total size limit: 10.0 GB\")\n\trequire.Contains(t, stdout.String(), \"- Stripe prices (monthly/yearly): price_991 / price_992\")\n\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runTierCommand(app, conf, \"remove\", \"pro\"))\n\trequire.Contains(t, stdout.String(), \"tier pro removed\")\n}\n\nfunc runTierCommand(app *cli.App, conf *server.Config, args ...string) error {\n\tuserArgs := []string{\n\t\t\"ntfy\",\n\t\t\"--log-level=ERROR\",\n\t\t\"tier\",\n\t\t\"--config=\" + conf.File, // Dummy config file to avoid lookups of real file\n\t\t\"--auth-file=\" + conf.AuthFile,\n\t\t\"--auth-default-access=\" + conf.AuthDefault.String(),\n\t}\n\treturn app.Run(append(userArgs, args...))\n}\n" }, { "path": "cmd/token.go", "content": "//go:build !noserver\n\npackage cmd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/user\"\n\t\"heckel.io/ntfy/v2/util\"\n\t\"net/netip\"\n\t\"time\"\n)\n\nfunc init() {\n\tcommands = append(commands, cmdToken)\n}\n\nvar flagsToken = append([]cli.Flag{}, flagsUser...)\n\nvar cmdToken = &cli.Command{\n\tName: \"token\",\n\tUsage: \"Create, list or delete user tokens\",\n\tUsageText: \"ntfy token [list|add|remove] ...\",\n\tFlags: flagsToken,\n\tBefore: initConfigFileInputSourceFunc(\"config\", flagsToken, initLogFunc),\n\tCategory: categoryServer,\n\tSubcommands: []*cli.Command{\n\t\t{\n\t\t\tName: \"add\",\n\t\t\tAliases: []string{\"a\"},\n\t\t\tUsage: \"Create a new token\",\n\t\t\tUsageText: \"ntfy token add [--expires=] [--label=..] USERNAME\",\n\t\t\tAction: execTokenAdd,\n\t\t\tFlags: []cli.Flag{\n\t\t\t\t&cli.StringFlag{Name: \"expires\", Aliases: []string{\"e\"}, Value: \"\", Usage: \"token expires after\"},\n\t\t\t\t&cli.StringFlag{Name: \"label\", Aliases: []string{\"l\"}, Value: \"\", Usage: \"token label\"},\n\t\t\t},\n\t\t\tDescription: `Create a new user access token.\n\nUser access tokens can be used to publish, subscribe, or perform any other user-specific tasks.\nTokens have full access, and can perform any task a user can do. They are meant to be used to \navoid spreading the password to various places.\n\nThis is a server-only command. It directly reads from user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n\nExamples:\n ntfy token add phil # Create token for user phil which never expires\n ntfy token add --expires=2d phil # Create token for user phil which expires in 2 days\n ntfy token add -e \"tuesday, 8pm\" phil # Create token for user phil which expires next Tuesday\n ntfy token add -l backups phil # Create token for user phil with label \"backups\"`,\n\t\t},\n\t\t{\n\t\t\tName: \"remove\",\n\t\t\tAliases: []string{\"del\", \"rm\"},\n\t\t\tUsage: \"Removes a token\",\n\t\t\tUsageText: \"ntfy token remove USERNAME TOKEN\",\n\t\t\tAction: execTokenDel,\n\t\t\tDescription: `Remove a token from the ntfy user database.\n\nExample:\n ntfy token del phil tk_th2srHVlxrANQHAso5t0HuQ1J1TjN`,\n\t\t},\n\t\t{\n\t\t\tName: \"list\",\n\t\t\tAliases: []string{\"l\"},\n\t\t\tUsage: \"Shows a list of tokens\",\n\t\t\tAction: execTokenList,\n\t\t\tDescription: `Shows a list of all tokens.\n\nThis is a server-only command. It directly reads from user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.`,\n\t\t},\n\t\t{\n\t\t\tName: \"generate\",\n\t\t\tUsage: \"Generates a random token\",\n\t\t\tAction: execTokenGenerate,\n\t\t\tDescription: `Randomly generate a token to be used in provisioned tokens.\n\nThis command only generates the token value, but does not persist it anywhere.\nThe output can be used in the 'auth-tokens' config option.`,\n\t\t},\n\t},\n\tDescription: `Manage access tokens for individual users.\n\nUser access tokens can be used to publish, subscribe, or perform any other user-specific tasks.\nTokens have full access, and can perform any task a user can do. They are meant to be used to \navoid spreading the password to various places.\n\nThis is a server-only command. It directly manages the user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n\nExamples:\n ntfy token list # Shows list of tokens for all users\n ntfy token list phil # Shows list of tokens for user phil\n ntfy token add phil # Create token for user phil which never expires\n ntfy token add --expires=2d phil # Create token for user phil which expires in 2 days\n ntfy token remove phil tk_th2srHVlxr... # Delete token`,\n}\n\nfunc execTokenAdd(c *cli.Context) error {\n\tusername := c.Args().Get(0)\n\texpiresStr := c.String(\"expires\")\n\tlabel := c.String(\"label\")\n\tif username == \"\" {\n\t\treturn errors.New(\"username expected, type 'ntfy token add --help' for help\")\n\t} else if username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t}\n\texpires := time.Unix(0, 0)\n\tif expiresStr != \"\" {\n\t\tvar err error\n\t\texpires, err = util.ParseFutureTime(expiresStr, time.Now())\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tu, err := manager.User(username)\n\tif errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t} else if err != nil {\n\t\treturn err\n\t}\n\ttoken, err := manager.CreateToken(u.ID, label, expires, netip.IPv4Unspecified(), false)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif expires.Unix() == 0 {\n\t\tfmt.Fprintf(c.App.Writer, \"token %s created for user %s, never expires\\n\", token.Value, u.Name)\n\t} else {\n\t\tfmt.Fprintf(c.App.Writer, \"token %s created for user %s, expires %v\\n\", token.Value, u.Name, expires.Format(time.UnixDate))\n\t}\n\treturn nil\n}\n\nfunc execTokenDel(c *cli.Context) error {\n\tusername, token := c.Args().Get(0), c.Args().Get(1)\n\tif username == \"\" || token == \"\" {\n\t\treturn errors.New(\"username and token expected, type 'ntfy token remove --help' for help\")\n\t} else if username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tu, err := manager.User(username)\n\tif errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t} else if err != nil {\n\t\treturn err\n\t}\n\tif err := manager.RemoveToken(u.ID, token); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"token %s for user %s removed\\n\", token, username)\n\treturn nil\n}\n\nfunc execTokenList(c *cli.Context) error {\n\tusername := c.Args().Get(0)\n\tif username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar users []*user.User\n\tif username != \"\" {\n\t\tu, err := manager.User(username)\n\t\tif errors.Is(err, user.ErrUserNotFound) {\n\t\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t\t} else if err != nil {\n\t\t\treturn err\n\t\t}\n\t\tusers = append(users, u)\n\t} else {\n\t\tusers, err = manager.Users()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tusersWithTokens := 0\n\tfor _, u := range users {\n\t\ttokens, err := manager.Tokens(u.ID)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t} else if len(tokens) == 0 && username != \"\" {\n\t\t\tfmt.Fprintf(c.App.Writer, \"user %s has no access tokens\\n\", username)\n\t\t\treturn nil\n\t\t} else if len(tokens) == 0 {\n\t\t\tcontinue\n\t\t}\n\t\tusersWithTokens++\n\t\tfmt.Fprintf(c.App.Writer, \"user %s\\n\", u.Name)\n\t\tfor _, t := range tokens {\n\t\t\tvar label, expires, provisioned string\n\t\t\tif t.Label != \"\" {\n\t\t\t\tlabel = fmt.Sprintf(\" (%s)\", t.Label)\n\t\t\t}\n\t\t\tif t.Expires.Unix() == 0 {\n\t\t\t\texpires = \"never expires\"\n\t\t\t} else {\n\t\t\t\texpires = fmt.Sprintf(\"expires %s\", t.Expires.Format(time.RFC822))\n\t\t\t}\n\t\t\tif t.Provisioned {\n\t\t\t\tprovisioned = \" (server config)\"\n\t\t\t}\n\t\t\tfmt.Fprintf(c.App.Writer, \"- %s%s, %s, accessed from %s at %s%s\\n\", t.Value, label, expires, t.LastOrigin.String(), t.LastAccess.Format(time.RFC822), provisioned)\n\t\t}\n\t}\n\tif usersWithTokens == 0 {\n\t\tfmt.Fprintf(c.App.Writer, \"no users with tokens\\n\")\n\t}\n\treturn nil\n}\n\nfunc execTokenGenerate(c *cli.Context) error {\n\tfmt.Fprintln(c.App.Writer, user.GenerateToken())\n\treturn nil\n}\n" }, { "path": "cmd/token_test.go", "content": "package cmd\n\nimport (\n\t\"fmt\"\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/server\"\n\t\"heckel.io/ntfy/v2/test\"\n\t\"regexp\"\n\t\"testing\"\n)\n\nfunc TestCLI_Token_AddListRemove(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, stdin, stdout, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil added with role user\")\n\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runTokenCommand(app, conf, \"add\", \"phil\"))\n\trequire.Regexp(t, `token tk_.+ created for user phil, never expires`, stdout.String())\n\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runTokenCommand(app, conf, \"list\", \"phil\"))\n\trequire.Regexp(t, `user phil\\n- tk_.+, never expires, accessed from 0.0.0.0 at .+`, stdout.String())\n\tre := regexp.MustCompile(`tk_\\w+`)\n\ttoken := re.FindString(stdout.String())\n\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runTokenCommand(app, conf, \"remove\", \"phil\", token))\n\trequire.Regexp(t, fmt.Sprintf(\"token %s for user phil removed\", token), stdout.String())\n\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runTokenCommand(app, conf, \"list\"))\n\trequire.Equal(t, \"no users with tokens\\n\", stdout.String())\n}\n\nfunc runTokenCommand(app *cli.App, conf *server.Config, args ...string) error {\n\tuserArgs := []string{\n\t\t\"ntfy\",\n\t\t\"--log-level=ERROR\",\n\t\t\"token\",\n\t\t\"--config=\" + conf.File, // Dummy config file to avoid lookups of real file\n\t\t\"--auth-file=\" + conf.AuthFile,\n\t}\n\treturn app.Run(append(userArgs, args...))\n}\n" }, { "path": "cmd/user.go", "content": "//go:build !noserver\n\npackage cmd\n\nimport (\n\t\"crypto/subtle\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n\t\"heckel.io/ntfy/v2/db\"\n\t\"heckel.io/ntfy/v2/db/pg\"\n\t\"heckel.io/ntfy/v2/server\"\n\t\"heckel.io/ntfy/v2/user\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nconst (\n\ttierReset = \"-\"\n)\n\nfunc init() {\n\tcommands = append(commands, cmdUser)\n}\n\nvar flagsUser = append(\n\tappend([]cli.Flag{}, flagsDefault...),\n\t&cli.StringFlag{Name: \"config\", Aliases: []string{\"c\"}, EnvVars: []string{\"NTFY_CONFIG_FILE\"}, Value: server.DefaultConfigFile, DefaultText: server.DefaultConfigFile, Usage: \"config file\"},\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"auth-file\", Aliases: []string{\"auth_file\", \"H\"}, EnvVars: []string{\"NTFY_AUTH_FILE\"}, Usage: \"auth database file used for access control\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"auth-default-access\", Aliases: []string{\"auth_default_access\", \"p\"}, EnvVars: []string{\"NTFY_AUTH_DEFAULT_ACCESS\"}, Value: \"read-write\", Usage: \"default permissions if no matching entries in the auth database are found\"}),\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"database-url\", Aliases: []string{\"database_url\"}, EnvVars: []string{\"NTFY_DATABASE_URL\"}, Usage: \"PostgreSQL connection string for database-backed stores\"}),\n)\n\nvar cmdUser = &cli.Command{\n\tName: \"user\",\n\tUsage: \"Manage/show users\",\n\tUsageText: \"ntfy user [list|add|remove|change-pass|change-role] ...\",\n\tFlags: flagsUser,\n\tBefore: initConfigFileInputSourceFunc(\"config\", flagsUser, initLogFunc),\n\tCategory: categoryServer,\n\tSubcommands: []*cli.Command{\n\t\t{\n\t\t\tName: \"add\",\n\t\t\tAliases: []string{\"a\"},\n\t\t\tUsage: \"Adds a new user\",\n\t\t\tUsageText: \"ntfy user add [--role=admin|user] USERNAME\\nNTFY_PASSWORD=... ntfy user add [--role=admin|user] USERNAME\\nNTFY_PASSWORD_HASH=... ntfy user add [--role=admin|user] USERNAME\",\n\t\t\tAction: execUserAdd,\n\t\t\tFlags: []cli.Flag{\n\t\t\t\t&cli.StringFlag{Name: \"role\", Aliases: []string{\"r\"}, Value: string(user.RoleUser), Usage: \"user role\"},\n\t\t\t\t&cli.BoolFlag{Name: \"ignore-exists\", Usage: \"if the user already exists, perform no action and exit\"},\n\t\t\t},\n\t\t\tDescription: `Add a new user to the ntfy user database.\n\nA user can be either a regular user, or an admin. A regular user has no read or write access (unless\ngranted otherwise by the auth-default-access setting). An admin user has read and write access to all\ntopics.\n\nExamples:\n ntfy user add phil # Add regular user phil\n ntfy user add --role=admin phil # Add admin user phil\n NTFY_PASSWORD=... ntfy user add phil # Add user, using env variable to set password (for scripts)\n NTFY_PASSWORD_HASH=... ntfy user add phil # Add user, using env variable to set password hash (for scripts)\n\nYou may set the NTFY_PASSWORD environment variable to pass the password, or NTFY_PASSWORD_HASH to pass\ndirectly the bcrypt hash. This is useful if you are creating users via scripts.\n`,\n\t\t},\n\t\t{\n\t\t\tName: \"remove\",\n\t\t\tAliases: []string{\"del\", \"rm\"},\n\t\t\tUsage: \"Removes a user\",\n\t\t\tUsageText: \"ntfy user remove USERNAME\",\n\t\t\tAction: execUserDel,\n\t\t\tDescription: `Remove a user from the ntfy user database.\n\nExample:\n ntfy user del phil\n`,\n\t\t},\n\t\t{\n\t\t\tName: \"change-pass\",\n\t\t\tAliases: []string{\"chp\"},\n\t\t\tUsage: \"Changes a user's password\",\n\t\t\tUsageText: \"ntfy user change-pass USERNAME\\nNTFY_PASSWORD=... ntfy user change-pass USERNAME\\nNTFY_PASSWORD_HASH=... ntfy user change-pass USERNAME\",\n\t\t\tAction: execUserChangePass,\n\t\t\tDescription: `Change the password for the given user.\n\nThe new password will be read from STDIN, and it'll be confirmed by typing\nit twice. \n\nExample:\n ntfy user change-pass phil\n NTFY_PASSWORD=.. ntfy user change-pass phil\n NTFY_PASSWORD_HASH=.. ntfy user change-pass phil\n\nYou may set the NTFY_PASSWORD environment variable to pass the new password or NTFY_PASSWORD_HASH to pass\ndirectly the bcrypt hash. This is useful if you are updating users via scripts.\n`,\n\t\t},\n\t\t{\n\t\t\tName: \"change-role\",\n\t\t\tAliases: []string{\"chr\"},\n\t\t\tUsage: \"Changes the role of a user\",\n\t\t\tUsageText: \"ntfy user change-role USERNAME ROLE\",\n\t\t\tAction: execUserChangeRole,\n\t\t\tDescription: `Change the role for the given user to admin or user.\n\nThis command can be used to change the role of a user either from a regular user\nto an admin user, or the other way around:\n\n- admin: an admin has read/write access to all topics\n- user: a regular user only has access to what was explicitly granted via 'ntfy access'\n\nWhen changing the role of a user to \"admin\", all access control entries for that \nuser are removed, since they are no longer necessary.\n\nExample:\n ntfy user change-role phil admin # Make user phil an admin \n ntfy user change-role phil user # Remove admin role from user phil \n`,\n\t\t},\n\t\t{\n\t\t\tName: \"change-tier\",\n\t\t\tAliases: []string{\"cht\"},\n\t\t\tUsage: \"Changes the tier of a user\",\n\t\t\tUsageText: \"ntfy user change-tier USERNAME (TIER|-)\",\n\t\t\tAction: execUserChangeTier,\n\t\t\tDescription: `Change the tier for the given user.\n\nThis command can be used to change the tier of a user. Tiers define usage limits, such\nas messages per day, attachment file sizes, etc.\n\nExample:\n ntfy user change-tier phil pro # Change tier to \"pro\" for user \"phil\" \n ntfy user change-tier phil - # Remove tier from user \"phil\" entirely \n`,\n\t\t},\n\t\t{\n\t\t\tName: \"hash\",\n\t\t\tUsage: \"Create password hash for a predefined user\",\n\t\t\tUsageText: \"ntfy user hash\",\n\t\t\tAction: execUserHash,\n\t\t\tDescription: `Asks for a password and creates a bcrypt password hash.\n\nThis command is useful to create a password hash for a user, which can then be used\nfor predefined users in the server config file, in auth-users.\n\nExample:\n $ ntfy user hash\n (asks for password and confirmation)\n $2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C\n`,\n\t\t},\n\t\t{\n\t\t\tName: \"list\",\n\t\t\tAliases: []string{\"l\"},\n\t\t\tUsage: \"Shows a list of users\",\n\t\t\tAction: execUserList,\n\t\t\tDescription: `Shows a list of all configured users, including the everyone ('*') user.\n\nThis command is an alias to calling 'ntfy access' (display access control list).\n\nThis is a server-only command. It directly reads from user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined.\n`,\n\t\t},\n\t},\n\tDescription: `Manage users of the ntfy server.\n\nThe command allows you to add/remove/change users in the ntfy user database, as well as change \npasswords or roles.\n\nThis is a server-only command. It directly manages the user.db as defined in the server config\nfile server.yml. The command only works if 'auth-file' is properly defined. Please also refer\nto the related command 'ntfy access'.\n\nExamples:\n ntfy user list # Shows list of users (alias: 'ntfy access') \n ntfy user add phil # Add regular user phil \n NTFY_PASSWORD=... ntfy user add phil # As above, using env variable to set password (for scripts)\n ntfy user add --role=admin phil # Add admin user phil\n ntfy user del phil # Delete user phil\n ntfy user change-pass phil # Change password for user phil\n NTFY_PASSWORD=.. ntfy user change-pass phil # As above, using env variable to set password (for scripts)\n ntfy user change-role phil admin # Make user phil an admin \n\nFor the 'ntfy user add' and 'ntfy user change-pass' commands, you may set the NTFY_PASSWORD environment\nvariable to pass the new password. This is useful if you are creating/updating users via scripts.\n`,\n}\n\nfunc execUserAdd(c *cli.Context) error {\n\tusername := c.Args().Get(0)\n\trole := user.Role(c.String(\"role\"))\n\tpassword, hashed := os.LookupEnv(\"NTFY_PASSWORD_HASH\")\n\n\tif !hashed {\n\t\tpassword = os.Getenv(\"NTFY_PASSWORD\")\n\t}\n\n\tif username == \"\" {\n\t\treturn errors.New(\"username expected, type 'ntfy user add --help' for help\")\n\t} else if username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t} else if !user.AllowedRole(role) {\n\t\treturn errors.New(\"role must be either 'user' or 'admin'\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif user, _ := manager.User(username); user != nil {\n\t\tif c.Bool(\"ignore-exists\") {\n\t\t\tfmt.Fprintf(c.App.Writer, \"user %s already exists (exited successfully)\\n\", username)\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\"user %s already exists\", username)\n\t}\n\tif password == \"\" {\n\t\tp, err := readPasswordAndConfirm(c)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpassword = p\n\t}\n\tif err := manager.AddUser(username, password, role, hashed); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"user %s added with role %s\\n\", username, role)\n\treturn nil\n}\n\nfunc execUserDel(c *cli.Context) error {\n\tusername := c.Args().Get(0)\n\tif username == \"\" {\n\t\treturn errors.New(\"username expected, type 'ntfy user del --help' for help\")\n\t} else if username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, err := manager.User(username); errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t}\n\tif err := manager.RemoveUser(username); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"user %s removed\\n\", username)\n\treturn nil\n}\n\nfunc execUserChangePass(c *cli.Context) error {\n\tusername := c.Args().Get(0)\n\tpassword, hashed := os.LookupEnv(\"NTFY_PASSWORD_HASH\")\n\n\tif !hashed {\n\t\tpassword = os.Getenv(\"NTFY_PASSWORD\")\n\t}\n\tif username == \"\" {\n\t\treturn errors.New(\"username expected, type 'ntfy user change-pass --help' for help\")\n\t} else if username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, err := manager.User(username); errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t}\n\tif password == \"\" {\n\t\tpassword, err = readPasswordAndConfirm(c)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif err := manager.ChangePassword(username, password, hashed); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"changed password for user %s\\n\", username)\n\treturn nil\n}\n\nfunc execUserChangeRole(c *cli.Context) error {\n\tusername := c.Args().Get(0)\n\trole := user.Role(c.Args().Get(1))\n\tif username == \"\" || !user.AllowedRole(role) {\n\t\treturn errors.New(\"username and new role expected, type 'ntfy user change-role --help' for help\")\n\t} else if username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, err := manager.User(username); errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t}\n\tif err := manager.ChangeRole(username, role); err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintf(c.App.Writer, \"changed role for user %s to %s\\n\", username, role)\n\treturn nil\n}\n\nfunc execUserHash(c *cli.Context) error {\n\tpassword, err := readPasswordAndConfirm(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\thash, err := user.HashPassword(password)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to hash password: %w\", err)\n\t}\n\tfmt.Fprintln(c.App.Writer, hash)\n\treturn nil\n}\n\nfunc execUserChangeTier(c *cli.Context) error {\n\tusername := c.Args().Get(0)\n\ttier := c.Args().Get(1)\n\tif username == \"\" {\n\t\treturn errors.New(\"username and new tier expected, type 'ntfy user change-tier --help' for help\")\n\t} else if !user.AllowedTier(tier) && tier != tierReset {\n\t\treturn errors.New(\"invalid tier, must be tier code, or - to reset\")\n\t} else if username == userEveryone || username == user.Everyone {\n\t\treturn errors.New(\"username not allowed\")\n\t}\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, err := manager.User(username); errors.Is(err, user.ErrUserNotFound) {\n\t\treturn fmt.Errorf(\"user %s does not exist\", username)\n\t}\n\tif tier == tierReset {\n\t\tif err := manager.ResetTier(username); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfmt.Fprintf(c.App.Writer, \"removed tier from user %s\\n\", username)\n\t} else {\n\t\tif err := manager.ChangeTier(username, tier); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfmt.Fprintf(c.App.Writer, \"changed tier for user %s to %s\\n\", username, tier)\n\t}\n\treturn nil\n}\n\nfunc execUserList(c *cli.Context) error {\n\tmanager, err := createUserManager(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tusers, err := manager.Users()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn showUsers(c, manager, users)\n}\n\nfunc createUserManager(c *cli.Context) (*user.Manager, error) {\n\tauthFile := c.String(\"auth-file\")\n\tauthStartupQueries := c.String(\"auth-startup-queries\")\n\tauthDefaultAccess := c.String(\"auth-default-access\")\n\tdatabaseURL := c.String(\"database-url\")\n\tauthDefault, err := user.ParsePermission(authDefaultAccess)\n\tif err != nil {\n\t\treturn nil, errors.New(\"if set, auth-default-access must start set to 'read-write', 'read-only', 'write-only' or 'deny-all'\")\n\t}\n\tauthConfig := &user.Config{\n\t\tDefaultAccess: authDefault,\n\t\tProvisionEnabled: false, // Hack: Do not re-provision users on manager initialization\n\t\tBcryptCost: user.DefaultUserPasswordBcryptCost,\n\t\tQueueWriterInterval: user.DefaultUserStatsQueueWriterInterval,\n\t}\n\tif databaseURL != \"\" {\n\t\thost, dbErr := pg.Open(databaseURL)\n\t\tif dbErr != nil {\n\t\t\treturn nil, dbErr\n\t\t}\n\t\treturn user.NewPostgresManager(db.New(host, nil), authConfig)\n\t} else if authFile != \"\" {\n\t\tif !util.FileExists(authFile) {\n\t\t\treturn nil, errors.New(\"auth-file does not exist; please start the server at least once to create it\")\n\t\t}\n\t\treturn user.NewSQLiteManager(authFile, authStartupQueries, authConfig)\n\t}\n\treturn nil, errors.New(\"option database-url or auth-file not set; auth is unconfigured for this server\")\n}\n\nfunc readPasswordAndConfirm(c *cli.Context) (string, error) {\n\tfmt.Fprint(c.App.ErrWriter, \"password: \")\n\tpassword, err := util.ReadPassword(c.App.Reader)\n\tif err != nil {\n\t\treturn \"\", err\n\t} else if len(password) == 0 {\n\t\treturn \"\", errors.New(\"password cannot be empty\")\n\t}\n\tfmt.Fprintf(c.App.ErrWriter, \"\\r%s\\rconfirm: \", strings.Repeat(\" \", 25))\n\tconfirm, err := util.ReadPassword(c.App.Reader)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tfmt.Fprintf(c.App.ErrWriter, \"\\r%s\\r\", strings.Repeat(\" \", 25))\n\tif subtle.ConstantTimeCompare(confirm, password) != 1 {\n\t\treturn \"\", errors.New(\"passwords do not match: try it again, but this time type slooowwwlly\")\n\t}\n\treturn string(password), nil\n}\n" }, { "path": "cmd/user_test.go", "content": "package cmd\n\nimport (\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/server\"\n\t\"heckel.io/ntfy/v2/test\"\n\t\"heckel.io/ntfy/v2/user\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n)\n\nfunc TestCLI_User_Add(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, stdin, stdout, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil added with role user\")\n}\n\nfunc TestCLI_User_Add_Exists(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, stdin, stdout, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil added with role user\")\n\n\tapp, stdin, _, _ = newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\terr := runUserCommand(app, conf, \"add\", \"phil\")\n\trequire.Error(t, err)\n\trequire.Contains(t, err.Error(), \"user phil already exists\")\n}\n\nfunc TestCLI_User_Add_Admin(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, stdin, stdout, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"--role=admin\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil added with role admin\")\n}\n\nfunc TestCLI_User_Add_Password_Mismatch(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\tapp, stdin, _, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nNOTMATCH\")\n\terr := runUserCommand(app, conf, \"add\", \"phil\")\n\trequire.Error(t, err)\n\trequire.Contains(t, err.Error(), \"passwords do not match: try it again, but this time type slooowwwlly\")\n}\n\nfunc TestCLI_User_ChangePass(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tconf.AuthUsers = []*user.User{\n\t\t{Name: \"philuser\", Hash: \"$2a$10$U4WSIYY6evyGmZaraavM2e2JeVG6EMGUKN1uUwufUeeRd4Jpg6cGC\", Role: user.RoleUser}, // philuser:philpass\n\t}\n\tdefer test.StopServer(t, s, port)\n\n\t// Add user\n\tapp, stdin, stdout, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil added with role user\")\n\n\t// Change pass\n\tapp, stdin, stdout, _ = newTestApp()\n\tstdin.WriteString(\"newpass\\nnewpass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"change-pass\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"changed password for user phil\")\n\n\t// Cannot change provisioned user's pass\n\tapp, stdin, _, _ = newTestApp()\n\tstdin.WriteString(\"newpass\\nnewpass\")\n\trequire.Error(t, runUserCommand(app, conf, \"change-pass\", \"philuser\"))\n}\n\nfunc TestCLI_User_ChangeRole(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\t// Add user\n\tapp, stdin, stdout, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil added with role user\")\n\n\t// Change role\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runUserCommand(app, conf, \"change-role\", \"phil\", \"admin\"))\n\trequire.Contains(t, stdout.String(), \"changed role for user phil to admin\")\n}\n\nfunc TestCLI_User_Delete(t *testing.T) {\n\ts, conf, port := newTestServerWithAuth(t)\n\tdefer test.StopServer(t, s, port)\n\n\t// Add user\n\tapp, stdin, stdout, _ := newTestApp()\n\tstdin.WriteString(\"mypass\\nmypass\")\n\trequire.Nil(t, runUserCommand(app, conf, \"add\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil added with role user\")\n\n\t// Delete user\n\tapp, _, stdout, _ = newTestApp()\n\trequire.Nil(t, runUserCommand(app, conf, \"del\", \"phil\"))\n\trequire.Contains(t, stdout.String(), \"user phil removed\")\n\n\t// Delete user again (does not exist)\n\tapp, _, _, _ = newTestApp()\n\terr := runUserCommand(app, conf, \"del\", \"phil\")\n\trequire.Error(t, err)\n\trequire.Contains(t, err.Error(), \"user phil does not exist\")\n}\n\nfunc newTestServerWithAuth(t *testing.T) (s *server.Server, conf *server.Config, port int) {\n\tconfigFile := filepath.Join(t.TempDir(), \"server-dummy.yml\")\n\trequire.Nil(t, os.WriteFile(configFile, []byte(\"\"), 0600)) // Dummy config file to avoid lookup of real server.yml\n\tconf = server.NewConfig()\n\tconf.File = configFile\n\tconf.AuthFile = filepath.Join(t.TempDir(), \"user.db\")\n\tconf.AuthDefault = user.PermissionDenyAll\n\ts, port = test.StartServerWithConfig(t, conf)\n\treturn\n}\n\nfunc runUserCommand(app *cli.App, conf *server.Config, args ...string) error {\n\tuserArgs := []string{\n\t\t\"ntfy\",\n\t\t\"--log-level=ERROR\",\n\t\t\"user\",\n\t\t\"--config=\" + conf.File, // Dummy config file to avoid lookups of real file\n\t\t\"--auth-file=\" + conf.AuthFile,\n\t\t\"--auth-default-access=\" + conf.AuthDefault.String(),\n\t}\n\treturn app.Run(append(userArgs, args...))\n}\n" }, { "path": "cmd/webpush.go", "content": "//go:build !noserver && !nowebpush\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/SherClockHolmes/webpush-go\"\n\t\"github.com/urfave/cli/v2\"\n\t\"github.com/urfave/cli/v2/altsrc\"\n)\n\nvar flagsWebPush = append(\n\t[]cli.Flag{},\n\taltsrc.NewStringFlag(&cli.StringFlag{Name: \"output-file\", Aliases: []string{\"f\"}, Usage: \"write VAPID keys to this file\"}),\n)\n\nfunc init() {\n\tcommands = append(commands, cmdWebPush)\n}\n\nvar cmdWebPush = &cli.Command{\n\tName: \"webpush\",\n\tUsage: \"Generate keys, in the future manage web push subscriptions\",\n\tUsageText: \"ntfy webpush [keys]\",\n\tCategory: categoryServer,\n\n\tSubcommands: []*cli.Command{\n\t\t{\n\t\t\tAction: generateWebPushKeys,\n\t\t\tName: \"keys\",\n\t\t\tUsage: \"Generate VAPID keys to enable browser background push notifications\",\n\t\t\tUsageText: \"ntfy webpush keys\",\n\t\t\tCategory: categoryServer,\n\t\t\tFlags: flagsWebPush,\n\t\t},\n\t},\n}\n\nfunc generateWebPushKeys(c *cli.Context) error {\n\tprivateKey, publicKey, err := webpush.GenerateVAPIDKeys()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif outputFile := c.String(\"output-file\"); outputFile != \"\" {\n\t\tcontents := fmt.Sprintf(`---\nweb-push-public-key: %s\nweb-push-private-key: %s\n`, publicKey, privateKey)\n\t\terr = os.WriteFile(outputFile, []byte(contents), 0660)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = fmt.Fprintf(c.App.Writer, \"Web Push keys written to %s.\\n\", outputFile)\n\t} else {\n\t\t_, err = fmt.Fprintf(c.App.Writer, `Web Push keys generated. Add the following lines to your config file:\n\nweb-push-public-key: %s\nweb-push-private-key: %s\nweb-push-file: /var/cache/ntfy/webpush.db # or similar\nweb-push-email-address: \n\nSee https://ntfy.sh/docs/config/#web-push for details.\n`, publicKey, privateKey)\n\t}\n\treturn err\n}\n" }, { "path": "cmd/webpush_test.go", "content": "package cmd\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/urfave/cli/v2\"\n\t\"heckel.io/ntfy/v2/server\"\n)\n\nfunc TestCLI_WebPush_GenerateKeys(t *testing.T) {\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, runWebPushCommand(app, server.NewConfig(), \"keys\"))\n\trequire.Contains(t, stdout.String(), \"Web Push keys generated.\")\n}\n\nfunc TestCLI_WebPush_WriteKeysToFile(t *testing.T) {\n\ttempDir := t.TempDir()\n\tt.Chdir(tempDir)\n\tapp, _, stdout, _ := newTestApp()\n\trequire.Nil(t, runWebPushCommand(app, server.NewConfig(), \"keys\", \"--output-file=key-file.yaml\"))\n\trequire.Contains(t, stdout.String(), \"Web Push keys written to key-file.yaml\")\n\trequire.FileExists(t, filepath.Join(tempDir, \"key-file.yaml\"))\n}\n\nfunc runWebPushCommand(app *cli.App, conf *server.Config, args ...string) error {\n\twebPushArgs := []string{\n\t\t\"ntfy\",\n\t\t\"--log-level=ERROR\",\n\t\t\"webpush\",\n\t}\n\treturn app.Run(append(webPushArgs, args...))\n}\n" }, { "path": "db/db.go", "content": "package db\n\nimport (\n\t\"context\"\n\t\"database/sql\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"heckel.io/ntfy/v2/log\"\n)\n\nconst (\n\ttag = \"db\"\n\treplicaHealthCheckInitialDelay = 5 * time.Second\n\treplicaHealthCheckInterval = 30 * time.Second\n\treplicaHealthCheckTimeout = 10 * time.Second\n)\n\n// DB wraps a primary *sql.DB and optional read replicas. All standard query/exec methods\n// delegate to the primary. The ReadOnly() method returns a *sql.DB from a healthy replica\n// (round-robin), falling back to the primary if no replicas are configured or all are unhealthy.\ntype DB struct {\n\tprimary *Host\n\treplicas []*Host\n\tcounter atomic.Uint64\n\tcancel context.CancelFunc\n}\n\n// New creates a new DB that wraps the given primary and optional replica connections.\n// If replicas is nil or empty, ReadOnly() simply returns the primary.\n// Replicas start unhealthy and are checked immediately by a background goroutine.\nfunc New(primary *Host, replicas []*Host) *DB {\n\tctx, cancel := context.WithCancel(context.Background())\n\td := &DB{\n\t\tprimary: primary,\n\t\treplicas: replicas,\n\t\tcancel: cancel,\n\t}\n\tif len(d.replicas) > 0 {\n\t\tgo d.healthCheckLoop(ctx)\n\t}\n\treturn d\n}\n\n// Query delegates to the primary database.\nfunc (d *DB) Query(query string, args ...any) (*sql.Rows, error) {\n\treturn d.primary.DB.Query(query, args...)\n}\n\n// QueryRow delegates to the primary database.\nfunc (d *DB) QueryRow(query string, args ...any) *sql.Row {\n\treturn d.primary.DB.QueryRow(query, args...)\n}\n\n// Exec delegates to the primary database.\nfunc (d *DB) Exec(query string, args ...any) (sql.Result, error) {\n\treturn d.primary.DB.Exec(query, args...)\n}\n\n// Begin delegates to the primary database.\nfunc (d *DB) Begin() (*sql.Tx, error) {\n\treturn d.primary.DB.Begin()\n}\n\n// Ping delegates to the primary database.\nfunc (d *DB) Ping() error {\n\treturn d.primary.DB.Ping()\n}\n\n// Primary returns the underlying primary *sql.DB. This is only intended for\n// one-time schema setup during store initialization, not for regular queries.\nfunc (d *DB) Primary() *sql.DB {\n\treturn d.primary.DB\n}\n\n// ReadOnly returns a *sql.DB suitable for read-only queries. It round-robins across healthy\n// replicas. If all replicas are unhealthy or none are configured, the primary is returned.\nfunc (d *DB) ReadOnly() *sql.DB {\n\tif len(d.replicas) == 0 {\n\t\treturn d.primary.DB\n\t}\n\tn := len(d.replicas)\n\tstart := int(d.counter.Add(1) - 1)\n\tfor i := 0; i < n; i++ {\n\t\tr := d.replicas[(start+i)%n]\n\t\tif r.healthy.Load() {\n\t\t\treturn r.DB\n\t\t}\n\t}\n\treturn d.primary.DB\n}\n\n// Close closes the primary database and all replicas, and stops the health-check goroutine.\nfunc (d *DB) Close() error {\n\td.cancel()\n\tfor _, r := range d.replicas {\n\t\tr.DB.Close()\n\t}\n\treturn d.primary.DB.Close()\n}\n\n// healthCheckLoop checks replicas immediately, then periodically on a ticker.\nfunc (d *DB) healthCheckLoop(ctx context.Context) {\n\tselect {\n\tcase <-ctx.Done():\n\t\treturn\n\tcase <-time.After(replicaHealthCheckInitialDelay):\n\t\td.checkReplicas(ctx)\n\t}\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\treturn\n\t\tcase <-time.After(replicaHealthCheckInterval):\n\t\t\td.checkReplicas(ctx)\n\t\t}\n\t}\n}\n\n// checkReplicas pings each replica with a timeout and updates its health status.\nfunc (d *DB) checkReplicas(ctx context.Context) {\n\tfor _, r := range d.replicas {\n\t\twasHealthy := r.healthy.Load()\n\t\tpingCtx, cancel := context.WithTimeout(ctx, replicaHealthCheckTimeout)\n\t\terr := r.DB.PingContext(pingCtx)\n\t\tcancel()\n\t\tif err != nil {\n\t\t\tr.healthy.Store(false)\n\t\t\tlog.Tag(tag).Error(\"Database replica %s is unhealthy: %s\", r.Addr, err)\n\t\t} else {\n\t\t\tr.healthy.Store(true)\n\t\t\tif !wasHealthy {\n\t\t\t\tlog.Tag(tag).Info(\"Database replica %s is healthy\", r.Addr)\n\t\t\t}\n\t\t}\n\t}\n}\n" }, { "path": "db/pg/pg.go", "content": "package pg\n\nimport (\n\t\"database/sql\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t_ \"github.com/jackc/pgx/v5/stdlib\" // PostgreSQL driver\n\n\t\"heckel.io/ntfy/v2/db\"\n)\n\n// Open opens a PostgreSQL connection pool for a primary database. It pings the database\n// to verify connectivity before returning.\nfunc Open(dsn string) (*db.Host, error) {\n\td, err := open(dsn)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to open database: %w\", err)\n\t}\n\tif err := d.DB.Ping(); err != nil {\n\t\treturn nil, fmt.Errorf(\"database ping failed on %v: %w\", d.Addr, err)\n\t}\n\treturn d, nil\n}\n\n// OpenReplica opens a PostgreSQL connection pool for a read replica. Unlike Open, it does\n// not ping the database, since replicas are health-checked in the background by db.DB.\nfunc OpenReplica(dsn string) (*db.Host, error) {\n\treturn open(dsn)\n}\n\n// open opens a PostgreSQL database connection pool from a DSN string. It supports custom\n// query parameters for pool configuration: pool_max_conns (default 10), pool_max_idle_conns,\n// pool_conn_max_lifetime, and pool_conn_max_idle_time. These parameters are stripped from\n// the DSN before passing it to the driver.\nfunc open(dsn string) (*db.Host, error) {\n\tu, err := url.Parse(dsn)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid database URL: %w\", err)\n\t}\n\tswitch u.Scheme {\n\tcase \"postgres\", \"postgresql\":\n\t\t// OK\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"invalid database URL scheme %q, must be \\\"postgres\\\" or \\\"postgresql\\\" (URL: %s)\", u.Scheme, censorPassword(u))\n\t}\n\tq := u.Query()\n\tmaxOpenConns, err := extractIntParam(q, \"pool_max_conns\", 10)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tmaxIdleConns, err := extractIntParam(q, \"pool_max_idle_conns\", 0)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tconnMaxLifetime, err := extractDurationParam(q, \"pool_conn_max_lifetime\", 0)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tconnMaxIdleTime, err := extractDurationParam(q, \"pool_conn_max_idle_time\", 0)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tu.RawQuery = q.Encode()\n\td, err := sql.Open(\"pgx\", u.String())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\td.SetMaxOpenConns(maxOpenConns)\n\tif maxIdleConns > 0 {\n\t\td.SetMaxIdleConns(maxIdleConns)\n\t}\n\tif connMaxLifetime > 0 {\n\t\td.SetConnMaxLifetime(connMaxLifetime)\n\t}\n\tif connMaxIdleTime > 0 {\n\t\td.SetConnMaxIdleTime(connMaxIdleTime)\n\t}\n\treturn &db.Host{\n\t\tAddr: u.Host,\n\t\tDB: d,\n\t}, nil\n}\n\nfunc extractIntParam(q url.Values, key string, defaultValue int) (int, error) {\n\ts := q.Get(key)\n\tif s == \"\" {\n\t\treturn defaultValue, nil\n\t}\n\tq.Del(key)\n\tv, err := strconv.Atoi(s)\n\tif err != nil {\n\t\treturn 0, fmt.Errorf(\"invalid %s value %q: %w\", key, s, err)\n\t}\n\treturn v, nil\n}\n\n// censorPassword returns a string representation of the URL with the password replaced by \"*****\".\nfunc censorPassword(u *url.URL) string {\n\tif password, hasPassword := u.User.Password(); hasPassword {\n\t\treturn strings.Replace(u.String(), \":\"+password+\"@\", \":*****@\", 1)\n\t}\n\treturn u.String()\n}\n\nfunc extractDurationParam(q url.Values, key string, defaultValue time.Duration) (time.Duration, error) {\n\ts := q.Get(key)\n\tif s == \"\" {\n\t\treturn defaultValue, nil\n\t}\n\tq.Del(key)\n\td, err := time.ParseDuration(s)\n\tif err != nil {\n\t\treturn 0, fmt.Errorf(\"invalid %s value %q: %w\", key, s, err)\n\t}\n\treturn d, nil\n}\n" }, { "path": "db/pg/pg_test.go", "content": "package pg\n\nimport (\n\t\"net/url\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestOpen_InvalidScheme(t *testing.T) {\n\t_, err := Open(\"postgresql+psycopg2://user:pass@localhost/db\")\n\trequire.Error(t, err)\n\trequire.Contains(t, err.Error(), `invalid database URL scheme \"postgresql+psycopg2\"`)\n\trequire.Contains(t, err.Error(), \"*****\")\n\trequire.NotContains(t, err.Error(), \"pass\")\n}\n\nfunc TestOpen_InvalidURL(t *testing.T) {\n\t_, err := Open(\"not a valid url\\x00\")\n\trequire.Error(t, err)\n\trequire.Contains(t, err.Error(), \"invalid database URL\")\n}\n\nfunc TestCensorPassword(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\turl string\n\t\texpected string\n\t}{\n\t\t{\n\t\t\tname: \"with password\",\n\t\t\turl: \"postgres://user:secret@localhost/db\",\n\t\t\texpected: \"postgres://user:*****@localhost/db\",\n\t\t},\n\t\t{\n\t\t\tname: \"without password\",\n\t\t\turl: \"postgres://localhost/db\",\n\t\t\texpected: \"postgres://localhost/db\",\n\t\t},\n\t\t{\n\t\t\tname: \"user only\",\n\t\t\turl: \"postgres://user@localhost/db\",\n\t\t\texpected: \"postgres://user@localhost/db\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tu, err := url.Parse(tt.url)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Equal(t, tt.expected, censorPassword(u))\n\t\t})\n\t}\n}\n" }, { "path": "db/test/test.go", "content": "package dbtest\n\nimport (\n\t\"fmt\"\n\t\"net/url\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\t\"heckel.io/ntfy/v2/db\"\n\t\"heckel.io/ntfy/v2/db/pg\"\n\t\"heckel.io/ntfy/v2/util\"\n)\n\nconst testPoolMaxConns = \"2\"\n\n// CreateTestPostgresSchema creates a temporary PostgreSQL schema and returns the DSN pointing to it.\n// It registers a cleanup function to drop the schema when the test finishes.\n// If NTFY_TEST_DATABASE_URL is not set, the test is skipped.\nfunc CreateTestPostgresSchema(t *testing.T) string {\n\tt.Helper()\n\tdsn := os.Getenv(\"NTFY_TEST_DATABASE_URL\")\n\tif dsn == \"\" {\n\t\tt.Skip(\"NTFY_TEST_DATABASE_URL not set\")\n\t}\n\tschema := fmt.Sprintf(\"test_%s\", util.RandomString(10))\n\tu, err := url.Parse(dsn)\n\trequire.Nil(t, err)\n\tq := u.Query()\n\tq.Set(\"pool_max_conns\", testPoolMaxConns)\n\tu.RawQuery = q.Encode()\n\tdsn = u.String()\n\tsetupHost, err := pg.Open(dsn)\n\trequire.Nil(t, err)\n\t_, err = setupHost.DB.Exec(fmt.Sprintf(\"CREATE SCHEMA %s\", schema))\n\trequire.Nil(t, err)\n\trequire.Nil(t, setupHost.DB.Close())\n\tq.Set(\"search_path\", schema)\n\tu.RawQuery = q.Encode()\n\tschemaDSN := u.String()\n\tt.Cleanup(func() {\n\t\tcleanHost, err := pg.Open(dsn)\n\t\tif err == nil {\n\t\t\tcleanHost.DB.Exec(fmt.Sprintf(\"DROP SCHEMA %s CASCADE\", schema))\n\t\t\tcleanHost.DB.Close()\n\t\t}\n\t})\n\treturn schemaDSN\n}\n\n// CreateTestPostgres creates a temporary PostgreSQL schema and returns an open *db.DB connection to it.\n// It registers cleanup functions to close the DB and drop the schema when the test finishes.\n// If NTFY_TEST_DATABASE_URL is not set, the test is skipped.\nfunc CreateTestPostgres(t *testing.T) *db.DB {\n\tt.Helper()\n\tschemaDSN := CreateTestPostgresSchema(t)\n\ttestHost, err := pg.Open(schemaDSN)\n\trequire.Nil(t, err)\n\td := db.New(testHost, nil)\n\tt.Cleanup(func() {\n\t\td.Close()\n\t})\n\treturn d\n}\n" }, { "path": "db/types.go", "content": "package db\n\nimport (\n\t\"database/sql\"\n\t\"sync/atomic\"\n)\n\n// Beginner is an interface for types that can begin a database transaction.\n// Both *sql.DB and *DB implement this.\ntype Beginner interface {\n\tBegin() (*sql.Tx, error)\n}\n\n// Querier is an interface for types that can execute SQL queries.\n// *sql.DB, *sql.Tx, and *DB all implement this.\ntype Querier interface {\n\tQuery(query string, args ...any) (*sql.Rows, error)\n}\n\n// Host pairs a *sql.DB with the host:port it was opened against.\ntype Host struct {\n\tAddr string // \"host:port\"\n\tDB *sql.DB\n\thealthy atomic.Bool\n}\n" }, { "path": "db/util.go", "content": "package db\n\nimport \"database/sql\"\n\n// ExecTx executes a function within a database transaction. If the function returns an error,\n// the transaction is rolled back. Otherwise, the transaction is committed.\nfunc ExecTx(db Beginner, f func(tx *sql.Tx) error) error {\n\ttx, err := db.Begin()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer tx.Rollback()\n\tif err := f(tx); err != nil {\n\t\treturn err\n\t}\n\treturn tx.Commit()\n}\n\n// QueryTx executes a function within a database transaction and returns the result. If the function\n// returns an error, the transaction is rolled back. Otherwise, the transaction is committed.\nfunc QueryTx[T any](db Beginner, f func(tx *sql.Tx) (T, error)) (T, error) {\n\ttx, err := db.Begin()\n\tif err != nil {\n\t\tvar zero T\n\t\treturn zero, err\n\t}\n\tdefer tx.Rollback()\n\tt, err := f(tx)\n\tif err != nil {\n\t\treturn t, err\n\t}\n\tif err := tx.Commit(); err != nil {\n\t\treturn t, err\n\t}\n\treturn t, nil\n}\n" }, { "path": "docker-compose.yml", "content": "services:\n ntfy:\n image: binwiederhier/ntfy\n container_name: ntfy\n command:\n - serve\n environment:\n - TZ=UTC # optional: Change to your desired timezone\n user: UID:GID # optional: Set custom user/group or uid/gid\n volumes:\n - /var/cache/ntfy:/var/cache/ntfy\n - /etc/ntfy:/etc/ntfy\n ports:\n - 80:80\n restart: unless-stopped\n" }, { "path": "docs/_overrides/main.html", "content": "{% extends \"base.html\" %}\n\n{% block announce %}\n\n\nIf you like ntfy, please consider sponsoring me via GitHub Sponsors\nor Liberapay\n\n \n, or subscribing to ntfy Pro.\n\n{% endblock %}\n" }, { "path": "docs/config.md", "content": "# Configuring the ntfy server\nThe ntfy server can be configured in three ways: using a config file (typically at `/etc/ntfy/server.yml`, \nsee [server.yml](https://github.com/binwiederhier/ntfy/blob/main/server/server.yml)), via command line arguments \nor using environment variables.\n\n## Quick start\nBy default, simply running `ntfy serve` will start the server at port 80. No configuration needed. Batteries included 😀. \nIf everything works as it should, you'll see something like this:\n```\n$ ntfy serve\n2021/11/30 19:59:08 Listening on :80\n```\n\nYou can immediately start [publishing messages](publish.md), or subscribe via the [Android app](subscribe/phone.md),\n[the web UI](subscribe/web.md), or simply via [curl or your favorite HTTP client](subscribe/api.md). To configure \nthe server further, check out the [config options table](#config-options) or simply type `ntfy serve --help` to\nget a list of [command line options](#command-line-options).\n\n## Example config\n!!! info\n Definitely check out the **[server.yml](https://github.com/binwiederhier/ntfy/blob/main/server/server.yml)** file. It contains examples and detailed descriptions of all the settings.\n You may also want to look at how ntfy.sh is configured in the [ntfy-ansible](https://github.com/binwiederhier/ntfy-ansible) repository.\n\nThe most basic settings are `base-url` (the external URL of the ntfy server), the HTTP/HTTPS listen address (`listen-http`\nand `listen-https`), and socket path (`listen-unix`). All the other things are additional features.\n\nHere are a few working sample configs using a `/etc/ntfy/server.yml` file:\n\n=== \"server.yml (HTTP-only, with cache + attachments)\"\n ``` yaml\n base-url: \"http://ntfy.example.com\"\n cache-file: \"/var/cache/ntfy/cache.db\"\n attachment-cache-dir: \"/var/cache/ntfy/attachments\"\n ```\n\n=== \"server.yml (HTTP+HTTPS, with cache + attachments)\"\n ``` yaml\n base-url: \"http://ntfy.example.com\"\n listen-http: \":80\"\n listen-https: \":443\"\n key-file: \"/etc/letsencrypt/live/ntfy.example.com.key\"\n cert-file: \"/etc/letsencrypt/live/ntfy.example.com.crt\"\n cache-file: \"/var/cache/ntfy/cache.db\"\n attachment-cache-dir: \"/var/cache/ntfy/attachments\"\n ```\n\n=== \"server.yml (behind proxy, with cache + attachments)\"\n ``` yaml\n base-url: \"http://ntfy.example.com\"\n listen-http: \":2586\"\n cache-file: \"/var/cache/ntfy/cache.db\"\n attachment-cache-dir: \"/var/cache/ntfy/attachments\"\n behind-proxy: true\n ```\n\n=== \"server.yml (PostgreSQL, behind proxy)\"\n ``` yaml\n base-url: \"https://ntfy.example.com\"\n listen-http: \":2586\"\n database-url: \"postgres://ntfy:mypassword@db.example.com:5432/ntfy?sslmode=require\"\n attachment-cache-dir: \"/var/cache/ntfy/attachments\"\n behind-proxy: true\n auth-default-access: \"deny-all\"\n ```\n\n=== \"server.yml (ntfy.sh config)\"\n ``` yaml\n # All the things: Behind a proxy, Firebase, cache, attachments, \n # SMTP publishing & receiving\n\n base-url: \"https://ntfy.sh\"\n listen-http: \"127.0.0.1:2586\"\n firebase-key-file: \"/etc/ntfy/firebase.json\"\n cache-file: \"/var/cache/ntfy/cache.db\"\n behind-proxy: true\n attachment-cache-dir: \"/var/cache/ntfy/attachments\"\n smtp-sender-addr: \"email-smtp.us-east-2.amazonaws.com:587\"\n smtp-sender-user: \"AKIDEADBEEFAFFE12345\"\n smtp-sender-pass: \"Abd13Kf+sfAk2DzifjafldkThisIsNotARealKeyOMG.\"\n smtp-sender-from: \"ntfy@ntfy.sh\"\n smtp-server-listen: \":25\"\n smtp-server-domain: \"ntfy.sh\"\n smtp-server-addr-prefix: \"ntfy-\"\n keepalive-interval: \"45s\"\n ```\n\nAlternatively, you can also use command line arguments or environment variables to configure the server. Here's an example\nusing Docker Compose (i.e. `docker-compose.yml`):\n\n=== \"Docker Compose (w/ auth, cache, attachments)\"\n ``` yaml\n\tservices:\n\t ntfy:\n\t image: binwiederhier/ntfy\n\t restart: unless-stopped\n\t environment:\n\t NTFY_BASE_URL: http://ntfy.example.com\n\t NTFY_CACHE_FILE: /var/lib/ntfy/cache.db\n\t NTFY_AUTH_FILE: /var/lib/ntfy/auth.db\n\t NTFY_AUTH_DEFAULT_ACCESS: deny-all\n\t NTFY_AUTH_USERS: 'phil:$$2a$$10$$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin' # Must escape '$' as '$$'\n\t NTFY_BEHIND_PROXY: true\n\t NTFY_ATTACHMENT_CACHE_DIR: /var/lib/ntfy/attachments\n\t NTFY_ENABLE_LOGIN: true\n\t volumes:\n\t - ./:/var/lib/ntfy\n\t ports:\n\t - 80:80\n\t command: serve\n ```\n\n=== \"Docker Compose (w/ auth, cache, web push, iOS)\"\n ``` yaml\n\tservices:\n\t ntfy:\n\t image: binwiederhier/ntfy\n\t restart: unless-stopped\n\t environment:\n\t NTFY_BASE_URL: http://ntfy.example.com\n\t NTFY_CACHE_FILE: /var/lib/ntfy/cache.db\n\t NTFY_AUTH_FILE: /var/lib/ntfy/auth.db\n\t NTFY_AUTH_DEFAULT_ACCESS: deny-all\n\t NTFY_BEHIND_PROXY: true\n\t NTFY_ATTACHMENT_CACHE_DIR: /var/lib/ntfy/attachments\n\t NTFY_ENABLE_LOGIN: true\n\t NTFY_UPSTREAM_BASE_URL: https://ntfy.sh\n\t NTFY_WEB_PUSH_PUBLIC_KEY: \n\t NTFY_WEB_PUSH_PRIVATE_KEY: \n\t NTFY_WEB_PUSH_FILE: /var/lib/ntfy/webpush.db\n\t NTFY_WEB_PUSH_EMAIL_ADDRESS: \n\t volumes:\n\t - ./:/var/lib/ntfy\n\t ports:\n\t - 8093:80\n\t command: serve\n ```\n\n## Config generator\n\nThis generator helps you configure your self-hosted ntfy instance. It's not fully featured, but it is a good starting point. Please refer to the relevant sections in the doc for more details.\n\n
\n\n
\n\n
\n \n
The config generator helps you create a custom config for your self-hosted ntfy instance. Click to open.
\n
\n\n
\n
\n
\n
\n
\nConfig generatorBETA\nThis generator helps you configure your self-hosted ntfy instance. It's not fully featured, but it is a good starting point.\n
\n
\n\n\n
\n
\n
\n
\n \n \n
\n
\n
\n
General
\n
Database
\n
Users
\n
Message Cache
\n
Attachments
\n
Web Push
\n
Email
\n
\n
\n
\n
\n\n\n
\n
\n\n
\n\n\n
\n
\n
\n\n
\n\n\n\n
\n
\n
\n\n
\n\n\n
\n
\n
\n\n
\n\n\n
\n
\n
\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n
\n\n\n
\n
\n
\n
\n
Configure user management, access control, and provisioned users/ACLs. See access control for details.
\n
\n\n\n
\n
\n\n\n
\n
\n\n
\n\n\n\n
\n
\n
\n\n
\n\n\n
\n
\n\n\n\n\n
\n\n
\n\n
\n
\n\n
\n\n
\n
\n\n
\n\n
\n
\n
\n
Configure the message cache to allow devices to retrieve missed notifications. See message cache for details.
\n
\n\n\n
\n
\n\n\n
\n
\n
\n
Allow users to upload and attach files to notifications. See attachments for details.
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n
\n
Enable browser push notifications via the Web Push API. VAPID keys are generated automatically. See web push for details.
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n
\n
Configure outgoing email notifications and/or incoming email publishing. See email notifications and email publishing for details.
\n
\n
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n
\n
\n
\n\n\n
\n
\n\n\n
\n
\n\n\n
\n
\n
\n
\n
Configure the PostgreSQL connection. See PostgreSQL for details.
\n
\n\n\n
\n
\n\n\n
\n
\n
\n
\n
server.yml
\n
docker-compose.yml
\n
Env variables
\n\n
\n
\n
Configure options on the left to generate your config...
\n
\n
\n
\n
\n
\n
\n\n## Database options\nntfy uses a database for storing messages ([message cache](#message-cache)), users and [access control](#access-control), and [web push](#web-push) subscriptions.\nYou can choose between **SQLite** and **PostgreSQL** as the database backend.\n\n### SQLite\nBy default, ntfy uses SQLite with separate database files for each store. This is the simplest setup and requires\nno external dependencies:\n\n* `cache-file`: Database file for the [message cache](#message-cache).\n* `auth-file`: Database file for authentication and [access control](#access-control). If set, enables auth.\n* `web-push-file`: Database file for [web push](#web-push) subscriptions.\n\n### PostgreSQL (EXPERIMENTAL)\nAs an alternative, you can configure ntfy to use PostgreSQL for **all** database-backed stores by setting the\n`database-url` option to a PostgreSQL connection string.\n\nWhen `database-url` is set, ntfy will use PostgreSQL for the [message cache](#message-cache),\n[access control](#access-control), and [web push](#web-push) subscriptions instead of SQLite. The `cache-file`,\n`auth-file`, and `web-push-file` options **must not** be set in this case.\n\nNote that setting `database-url` implicitly enables authentication and access control (equivalent to setting\n`auth-file` with SQLite). The default access is `read-write`, so anonymous users can still read and write to all\ntopics. To restrict access, set `auth-default-access` to `deny-all` (see [access control](#access-control)).\n\nYou can also set this via the environment variable `NTFY_DATABASE_URL` or the command line flag `--database-url`.\n\nTo offload read-heavy queries from the primary database, you can optionally configure one or more read replicas\nusing the `database-replica-urls` option. When configured, non-critical read-only queries (e.g. fetching messages, checking access permissions, etc)\nare distributed across the replicas using round-robin, while all writes and correctness-critical reads continue to go\nto the primary. If a replica becomes unhealthy, ntfy automatically falls back to the primary until the replica recovers.\nYou can also set this via the environment variable `NTFY_DATABASE_REPLICA_URLS` (comma-separated) or the command line\nflag `--database-replica-urls`.\n\nExamples:\n\n=== \"Simple\"\n ```yaml\n database-url: \"postgres://user:pass@host:5432/ntfy\"\n ```\n \n=== \"With SSL and pool tuning\"\n ```yaml\n database-url: \"postgres://user:pass@host:5432/ntfy?sslmode=require&pool_max_conns=50&pool_conn_max_idle_time=5m\"\n ```\n \n=== \"With CA certificate\"\n ```yaml\n database-url: \"postgres://user:pass@host:25060/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30\"\n ```\n\n=== \"With read replicas\"\n ```yaml\n database-url: \"postgres://user:pass@primary:5432/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30\"\n database-replica-urls:\n - \"postgres://user:pass@replica1:5432/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30\"\n - \"postgres://user:pass@replica2:5432/ntfy?sslmode=require&sslrootcert=/etc/ntfy/db-ca-cert.pem&pool_max_conns=30\"\n ```\n\nThe database URL supports the standard [PostgreSQL connection parameters](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS)\nas query parameters, such as `sslmode`, `connect_timeout`, `sslcert`, `sslkey`, `sslrootcert`, and `application_name`.\nSee the [pgx driver documentation](https://pkg.go.dev/github.com/jackc/pgx/v5) for the full list of supported parameters.\n\nIn addition, ntfy supports the following custom query parameters to tune the connection pool (these apply to both\nthe primary and replica URLs):\n\n| Parameter | Default | Description |\n|---------------------------|---------|----------------------------------------------------------------------------------|\n| `pool_max_conns` | 10 | Maximum number of open connections to the database |\n| `pool_max_idle_conns` | - | Maximum number of idle connections in the pool |\n| `pool_conn_max_lifetime` | - | Maximum amount of time a connection may be reused (Go duration, e.g. `5m`, `1h`) |\n| `pool_conn_max_idle_time` | - | Maximum amount of time a connection may be idle (Go duration, e.g. `30s`, `5m`) |\n\n\n## Message cache\nIf desired, ntfy can temporarily keep notifications in an in-memory or an on-disk cache. Caching messages for a short period\nof time is important to allow [phones](subscribe/phone.md) and other devices with brittle Internet connections to be able to retrieve\nnotifications that they may have missed. \n\nBy default, ntfy keeps messages **in-memory for 12 hours**, which means that **cached messages do not survive an application\nrestart**. You can override this behavior by setting `cache-file` (SQLite) or `database-url` (PostgreSQL).\n\n* `cache-duration`: defines the duration for which messages are stored in the cache (default is `12h`). \n\nYou can also entirely disable the cache by setting `cache-duration` to `0`. When the cache is disabled, messages are only\npassed on to the connected subscribers, but never stored on disk or even kept in memory longer than is needed to forward\nthe message to the subscribers.\n\nSubscribers can retrieve cached messaging using the [`poll=1` parameter](subscribe/api.md#poll-for-messages), as well as the\n[`since=` parameter](subscribe/api.md#fetch-cached-messages).\n\n## Attachments\nIf desired, you may allow users to upload and [attach files to notifications](publish.md#attachments). To enable\nthis feature, you have to simply configure an attachment cache directory and a base URL (`attachment-cache-dir`, `base-url`). \nOnce these options are set and the directory is writable by the server user, you can upload attachments via PUT.\n\nBy default, attachments are stored in the disk-cache **for only 3 hours**. The main reason for this is to avoid legal issues\nand such when hosting user controlled content. Typically, this is more than enough time for the user (or the auto download \nfeature) to download the file. The following config options are relevant to attachments:\n\n* `base-url` is the root URL for the ntfy server; this is needed for the generated attachment URLs\n* `attachment-cache-dir` is the cache directory for attached files\n* `attachment-total-size-limit` is the size limit of the on-disk attachment cache (default: 5G)\n* `attachment-file-size-limit` is the per-file attachment size limit (e.g. 300k, 2M, 100M, default: 15M)\n* `attachment-expiry-duration` is the duration after which uploaded attachments will be deleted (e.g. 3h, 20h, default: 3h)\n\nHere's an example config using mostly the defaults (except for the cache directory, which is empty by default): \n\n=== \"/etc/ntfy/server.yml (minimal)\"\n ``` yaml\n base-url: \"https://ntfy.sh\"\n attachment-cache-dir: \"/var/cache/ntfy/attachments\"\n ```\n\n=== \"/etc/ntfy/server.yml (all options)\"\n ``` yaml\n base-url: \"https://ntfy.sh\"\n attachment-cache-dir: \"/var/cache/ntfy/attachments\"\n attachment-total-size-limit: \"5G\"\n attachment-file-size-limit: \"15M\"\n attachment-expiry-duration: \"3h\"\n visitor-attachment-total-size-limit: \"100M\"\n visitor-attachment-daily-bandwidth-limit: \"500M\"\n ```\n\nPlease also refer to the [rate limiting](#rate-limiting) settings below, specifically `visitor-attachment-total-size-limit`\nand `visitor-attachment-daily-bandwidth-limit`. Setting these conservatively is necessary to avoid abuse.\n\n## Access control\nBy default, the ntfy server is open for everyone, meaning **everyone can read and write to any topic** (this is how\nntfy.sh is configured). To restrict access to your own server, you can optionally configure authentication and authorization. \n\nntfy's auth implements two roles (`user` and `admin`) and per-topic `read` and `write` permissions using an \n[access control list (ACL)](https://en.wikipedia.org/wiki/Access-control_list). Access control entries can be applied \nto users as well as the special everyone user (`*`), which represents anonymous API access. \n\nTo set up auth, **configure the following options**:\n\n* `auth-file` is the user/access database (SQLite); it is created automatically if it doesn't already exist; suggested \n location `/var/lib/ntfy/user.db` (easiest if deb/rpm package is used). Alternatively, if `database-url` is set, \n auth is automatically enabled using PostgreSQL (see [database options](#database-options)).\n* `auth-default-access` defines the default/fallback access if no access control entry is found; it can be\n set to `read-write` (default), `read-only`, `write-only` or `deny-all`. **If you are setting up a private instance,\n you'll want to set this to `deny-all`** (see [private instance example](#example-private-instance)).\n\nOnce configured, you can use \n\n- the `ntfy user` command and the `auth-users` config option to [add or modify users](#users-and-roles)\n- the `ntfy access` command and the `auth-access` option to [modify the access control list](#access-control-list-acl)\nand topic patterns, and\n- the `ntfy token` command and the `auth-tokens` config option to [manage access tokens](#access-tokens) for users.\n\nThese commands **directly edit the auth database** (as defined in `auth-file`), so they only work on the server, \nand only if the user accessing them has the right permissions.\n\n### Users and roles\nUsers can be added to the ntfy user database in two different ways\n\n* [Using the CLI](#users-via-the-cli): Using the `ntfy user` command, you can manually add/update/remove users.\n* [In the config](#users-via-the-config): You can provision users in the `server.yml` file via `auth-users` key.\n\n#### Users via the CLI\nThe `ntfy user` command allows you to add/remove/change users in the ntfy user database, as well as change\npasswords or roles (`user` or `admin`). In practice, you'll often just create one admin \nuser with `ntfy user add --role=admin ...` and be done with all this (see [example below](#example-private-instance)).\n\n**Roles:**\n\n* Role `user` (default): Users with this role have no special permissions. Manage access using `ntfy access`\n (see [below](#access-control-list-acl)).\n* Role `admin`: Users with this role can read/write to all topics. Granular access control is not necessary.\n\n**Example commands** (type `ntfy user --help` or `ntfy user COMMAND --help` for more details):\n\n```\nntfy user list # Shows list of users (alias: 'ntfy access')\nntfy user add phil # Add regular user phil \nntfy user add --role=admin phil # Add admin user phil\nntfy user del phil # Delete user phil\nntfy user change-pass phil # Change password for user phil\nntfy user change-role phil admin # Make user phil an admin\nntfy user change-tier phil pro # Change phil's tier to \"pro\"\nntfy user hash # Generate password hash, use with auth-users config option\n```\n\n#### Users via the config\nAs an alternative to manually creating users via the `ntfy user` CLI command, you can provision users declaratively in\nthe `server.yml` file by adding them to the `auth-users` array. This is useful for general admins, or if you'd like to\ndeploy your ntfy server via Docker/Ansible without manually editing the database.\n\nThe `auth-users` option is a list of users that are automatically created/updated when the server starts. Users\npreviously defined in the config but later removed will be deleted. Each entry is defined in the format `::`.\n\nHere's an example with two users: `phil` is an admin, `ben` is a regular user.\n\n=== \"Declarative users in /etc/ntfy/server.yml\"\n ``` yaml\n auth-file: \"/var/lib/ntfy/user.db\"\n auth-users:\n - \"phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin\"\n - \"ben:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user\"\n ```\n\n=== \"Declarative users via env variables\"\n ```\n # Comma-separated list, use single quotes to avoid issues with the bcrypt hash \n NTFY_AUTH_FILE='/var/lib/ntfy/user.db'\n NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:admin,ben:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user'\n ```\n\nThe password hash can be created using `ntfy user hash` or an [online bcrypt generator](https://bcrypt-generator.com/) (though\nnote that you're putting your password in an untrusted website).\n\n!!! important\n Users added declaratively via the config file are marked in the database as \"provisioned users\". Removing users\n from the config file will **delete them from the database** the next time ntfy is restarted.\n\n Also, users that were originally manually created will be \"upgraded\" to be provisioned users if they are added to\n the config. Adding a user manually, then adding it to the config, and then removing it from the config will hence\n lead to the **deletion of that user**.\n\n### Access control list (ACL)\nThe access control list (ACL) **manages access to topics for non-admin users, and for anonymous access (`everyone`/`*`)**.\nEach entry represents the access permissions for a user to a specific topic or topic pattern. Entries can be created in\ntwo different ways:\n\n* [Using the CLI](#acl-entries-via-the-cli): Using the `ntfy access` command, you can manually edit the access control list.\n* [In the config](#acl-entries-via-the-config): You can provision ACL entries in the `server.yml` file via `auth-access` key.\n\n#### ACL entries via the CLI\nThe ACL can be displayed or modified with the `ntfy access` command:\n\n```\nntfy access # Shows access control list (alias: 'ntfy user list')\nntfy access USERNAME # Shows access control entries for USERNAME\nntfy access USERNAME TOPIC PERMISSION # Allow/deny access for USERNAME to TOPIC\n```\n\nA `USERNAME` is an existing user, as created with `ntfy user add` (see [users and roles](#users-and-roles)), or the \nanonymous user `everyone` or `*`, which represents clients that access the API without username/password.\n\nA `TOPIC` is either a specific topic name (e.g. `mytopic`, or `phil_alerts`), or a wildcard pattern that matches any\nnumber of topics (e.g. `alerts_*` or `ben-*`). Only the wildcard character `*` is supported. It stands for zero to any \nnumber of characters.\n\nA `PERMISSION` is any of the following supported permissions:\n\n* `read-write` (alias: `rw`): Allows [publishing messages](publish.md) to the given topic, as well as \n [subscribing](subscribe/api.md) and reading messages\n* `read-only` (aliases: `read`, `ro`): Allows only subscribing and reading messages, but not publishing to the topic\n* `write-only` (aliases: `write`, `wo`): Allows only publishing to the topic, but not subscribing to it\n* `deny` (alias: `none`): Allows neither publishing nor subscribing to a topic \n\n**Example commands** (type `ntfy access --help` for more details):\n```\nntfy access # Shows entire access control list\nntfy access phil # Shows access for user phil\nntfy access phil mytopic rw # Allow read-write access to mytopic for user phil\nntfy access everyone mytopic rw # Allow anonymous read-write access to mytopic\nntfy access everyone \"up*\" write # Allow anonymous write-only access to topics \"up...\"\nntfy access --reset # Reset entire access control list\nntfy access --reset phil # Reset all access for user phil\nntfy access --reset phil mytopic # Reset access for user phil and topic mytopic\n```\n\n**Example ACL:**\n```\n$ ntfy access\nuser phil (admin)\n- read-write access to all topics (admin role)\nuser ben (user)\n- read-write access to topic garagedoor\n- read-write access to topic alerts*\n- read-only access to topic furnace\nuser * (anonymous)\n- read-only access to topic announcements\n- read-only access to topic server-stats\n- no access to any (other) topics (server config)\n```\n\nIn this example, `phil` has the role `admin`, so he has read-write access to all topics (no ACL entries are necessary).\nUser `ben` has three topic-specific entries. He can read, but not write to topic `furnace`, and has read-write access\nto topic `garagedoor` and all topics starting with the word `alerts` (wildcards). Clients that are not authenticated\n(called `*`/`everyone`) only have read access to the `announcements` and `server-stats` topics.\n\n#### ACL entries via the config\nAs an alternative to manually creating ACL entries via the `ntfy access` CLI command, you can provision access control\nentries declaratively in the `server.yml` file by adding them to the `auth-access` array, similar to the `auth-users` \noption (see [users via the config](#users-via-the-config).\n\nThe `auth-access` option is a list of access control entries that are automatically created/updated when the server starts.\nWhen entries are removed, they are deleted from the database. Each entry is defined in the format `::`.\n\nThe `` can be any existing, provisioned user as defined in the `auth-users` section (see [users via the config](#users-via-the-config)),\nor `everyone`/`*` for anonymous access. The `` can be a specific topic name or a pattern with wildcards (`*`). The \n`` can be one of the following:\n\n* `read-write` or `rw`: Allows both publishing to and subscribing to the topic\n* `read-only`, `read`, or `ro`: Allows only subscribing to the topic\n* `write-only`, `write`, or `wo`: Allows only publishing to the topic\n* `deny-all`, `deny`, or `none`: Denies all access to the topic\n\nHere's an example with several ACL entries:\n\n=== \"Declarative ACL entries in /etc/ntfy/server.yml\"\n ``` yaml\n auth-file: \"/var/lib/ntfy/user.db\"\n auth-users:\n - \"phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:user\"\n - \"ben:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user\"\n auth-access:\n - \"phil:mytopic:rw\"\n - \"ben:alerts-*:rw\"\n - \"ben:system-logs:ro\"\n - \"*:announcements:ro\" # or: \"everyone:announcements,ro\"\n ```\n\n=== \"Declarative ACL entries via env variables\"\n ```\n # Comma-separated list\n NTFY_AUTH_FILE='/var/lib/ntfy/user.db'\n NTFY_AUTH_USERS='phil:$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C:user,ben:$2a$10$NKbrNb7HPMjtQXWJ0f1pouw03LDLT/WzlO9VAv44x84bRCkh19h6m:user'\n NTFY_AUTH_ACCESS='phil:mytopic:rw,ben:alerts-*:rw,ben:system-logs:ro,*:announcements:ro'\n ```\n\nIn this example, the `auth-users` section defines two users, `phil` and `ben`. The `auth-access` section defines\naccess control entries for these users. `phil` has read-write access to the topic `mytopic`, while `ben` has read-write\naccess to all topics starting with `alerts-` and read-only access to the topic `system-logs`. The last entry allows\nanonymous users (i.e. clients that do not authenticate) to read the `announcements` topic.\n\n### Access tokens\nIn addition to username/password auth, ntfy also provides authentication via access tokens. Access tokens are useful\nto avoid having to configure your password across multiple publishing/subscribing applications. For instance, you may\nwant to use a dedicated token to publish from your backup host, and one from your home automation system.\n\n!!! info\n As of today, access tokens grant users **full access to the user account**. Aside from changing the password,\n and deleting the account, every action can be performed with a token. Granular access tokens are on the roadmap,\n but not yet implemented.\n\nYou can create access tokens in two different ways:\n\n* [Using the CLI](#tokens-via-the-cli): Using the `ntfy token` command, you can manually add/update/remove tokens.\n* [In the config](#tokens-via-the-config): You can provision access tokens in the `server.yml` file via `auth-tokens` key.\n\n#### Tokens via the CLI\nThe `ntfy token` command can be used to manage access tokens for users. Tokens can have labels, and they can expire\nautomatically (or never expire). Each user can have up to 60 tokens (hardcoded). \n\n**Example commands** (type `ntfy token --help` or `ntfy token COMMAND --help` for more details):\n```\nntfy token list # Shows list of tokens for all users\nntfy token list phil # Shows list of tokens for user phil\nntfy token add phil # Create token for user phil which never expires\nntfy token add --expires=2d phil # Create token for user phil which expires in 2 days\nntfy token remove phil tk_th2sxr... # Delete token\nntfy token generate # Generate random token, can be used in auth-tokens config option\n```\n\n**Creating an access token:**\n```\n$ ntfy token add --expires=30d --label=\"backups\" phil\n$ ntfy token list\nuser phil\n- tk_7eevizlsiwf9yi4uxsrs83r4352o0 (backups), expires 15 Mar 23 14:33 EDT, accessed from 0.0.0.0 at 13 Feb 23 13:33 EST\n```\n\nOnce an access token is created, you can **use it to authenticate against the ntfy server, e.g. when you publish or\nsubscribe to topics**. To learn how, check out [authenticate via access tokens](publish.md#access-tokens).\n\n#### Tokens via the config\nAccess tokens can be pre-provisioned in the `server.yml` configuration file using the `auth-tokens` config option.\nThis is useful for automated setups, Docker environments, or when you want to define tokens declaratively.\n\nThe `auth-tokens` option is a list of access tokens that are automatically created/updated when the server starts.\nWhen entries are removed, they are deleted from the database. Each entry is defined in the format `:[: