feat: Add Web Push support

Author: p1gp1g

Cargo.lock

@@ -23,6 +23,7 @@ serde_json = "1.0.122"
 sled = "0.34.2"
 structopt = "0.3.15"
 tokio = { version = "1.39.2", features = ["full"] }
+web-push-native = "0.4.0"
 yup-oauth2 = "9.0.0"
 
 [dev-dependencies]

Cargo.toml

@@ -8,22 +8,50 @@ that forwards "device tokens" to Apple and Google "Push Services"
 that in turn wake up the clients
 using [Chatmail core](https://github.com/chatmail/core/) on user's devices.
 
-## Usage 
+## Usage
 
-### Certificates
+### OpenPGP key
+
+The OpenPGP key can be generated using [rsop](https://codeberg.org/heiko/rsop):
+
+```console
+$ rsop generate-key --profile rfc9580 > openpgp.privkey
+$ rsop extract-cert < privkey > openpgp.pubkey
+```
+
+### APNS Certificates
 
 The certificate file provided must be a `.p12` file. Instructions for how to create can be found [here](https://stackoverflow.com/a/28962937/1358405).
 
+
+### FCM token
+
+The FCM token can be retrieved in the Firebase console.
+
+### VAPID key
+
+The VAPID key can be generated with openssl. The VAPID public key will be printed during startup:
+
+```console
+$ openssl ecparam -name prime256v1 -genkey -noout -out vapid.privkey
+$ openssl pkcs8 -topk8 -in vapid.privkey -nocrypt -out vapid.pk8
+```
+
 ### Running
 
-```sh
+```console
 $ cargo build --release
-$ ./target/release/notifiers --certificate-file <file.p12> --password <password>
+$ ./target/release/notifiers --certificate-file <file.p12> --password <password> --fcm-key-path <fcm.private> --openpgp-keyring-path <openpgp.privkey> --vapid-key-path <vapid.pk8>
 ```
 
+- `file.p12` is APNS certificate
+- `password` is file.p12 password
+- `fcm.private` is the FCM token
+- `openpgp.privkey` is the generated OpenPGP key
+
 ### Registering devices
 
-```sh
+```console
 $ curl -X POST -d '{ "token": "<device token>" }' http://localhost:9000/register
 ```
 

README.md

@@ -36,6 +36,10 @@ struct Opt {
     #[structopt(long)]
     fcm_key_path: String,
 
+    /// Path to VAPID private key.
+    #[structopt(long)]
+    vapid_key_path: String,
+
     /// Path to the OpenPGP private keyring.
     ///
     /// OpenPGP keys are used to decrypt tokens
@@ -67,6 +71,7 @@ async fn main() -> Result<()> {
         metrics_state,
         opt.interval,
         opt.fcm_key_path,
+        opt.vapid_key_path,
         opt.openpgp_keyring_path,
     )
     .await?;

src/main.rs

@@ -30,6 +30,9 @@ pub struct Metrics {
     /// Number of successfully sent visible UBports notifications.
     pub ubports_notifications_total: Counter,
 
+    /// Number of successfully sent visible web push notifications.
+    pub webpush_notifications_total: Counter,
+
     /// Number of debounced notifications.
     pub debounced_notifications_total: Counter,
 
@@ -74,6 +77,13 @@ impl Metrics {
             ubports_notifications_total.clone(),
         );
 
+        let webpush_notifications_total = Counter::default();
+        registry.register(
+            "webpush_notifications",
+            "Number of web push notifications",
+            ubports_notifications_total.clone(),
+        );
+
         let debounced_notifications_total = Counter::default();
         registry.register(
             "debounced_notifications",
@@ -121,6 +131,7 @@ impl Metrics {
             direct_notifications_total,
             fcm_notifications_total,
             ubports_notifications_total,
+            webpush_notifications_total,
             debounced_notifications_total,
             debounced_set_size,
             heartbeat_notifications_total,

src/metrics.rs

@@ -85,7 +85,9 @@ async fn wakeup(
     let device_token: NotificationToken = key_device_token.as_str().parse()?;
 
     let (client, device_token) = match device_token {
-        NotificationToken::Fcm { .. } | NotificationToken::UBports(..) => {
+        NotificationToken::Fcm { .. }
+        | NotificationToken::UBports(..)
+        | NotificationToken::WebPush { .. } => {
             // Only APNS tokens can be registered for periodic notifications.
             info!("Removing FCM token {key_device_token}");
             schedule

src/notifier.rs

@@ -6,11 +6,14 @@ use anyhow::{bail, Error, Result};
 use axum::http::StatusCode;
 use axum::response::{IntoResponse, Response};
 use axum::routing::{get, post};
+use base64::Engine as _;
 use chrono::{Local, TimeDelta};
 use log::*;
 use serde::Deserialize;
 use std::str::FromStr;
 use std::time::Instant;
+use web_push_native::jwt_simple::prelude::ES256KeyPair;
+use web_push_native::{p256, Auth, WebPushBuilder};
 
 use crate::metrics::Metrics;
 use crate::state::State;
@@ -81,6 +84,16 @@ pub(crate) enum NotificationToken {
     /// Ubuntu touch app
     UBports(String),
 
+    /// Web Push - for UnifiedPush
+    WebPush {
+        /// Push endpoint to send to
+        endpoint: String,
+        /// UA Public key in the uncompressed form, URL-safe Base64 encoded without padding
+        ua_public_key: String,
+        /// Authentication secret from the UA, URL-safe Base64 encoded without padding
+        ua_auth: String,
+    },
+
     /// Android App.
     Fcm {
         /// Package name such as `chat.delta`.
@@ -112,6 +125,21 @@ impl FromStr for NotificationToken {
             }
         } else if let Some(s) = s.strip_prefix("ubports-") {
             Ok(Self::UBports(s.to_string()))
+        } else if let Some(s) = s.strip_prefix("webpush:") {
+            let mut iter = s.splitn(3, '|');
+            if let (Some(endpoint), Some(ua_public_key), Some(ua_auth)) = (
+                iter.next().map(|x| x.to_string()),
+                iter.next().map(|x| x.to_string()),
+                iter.next().map(|x| x.to_string()),
+            ) {
+                Ok(Self::WebPush {
+                    endpoint,
+                    ua_public_key,
+                    ua_auth,
+                })
+            } else {
+                bail!("Invalid web push token");
+            }
         } else if let Some(token) = s.strip_prefix("sandbox:") {
             Ok(Self::ApnsSandbox(token.to_string()))
         } else {
@@ -120,6 +148,47 @@ impl FromStr for NotificationToken {
     }
 }
 
+/// Notify Web Push endpoint
+///
+/// Defined by 3 RFC:
+/// - Server to Server API in [RFC8030](https://www.rfc-editor.org/rfc/rfc8030)
+/// - Encryption in [RFC8291](https://www.rfc-editor.org/rfc/rfc8291)
+/// - Authorization in [RFC8292](https://www.rfc-editor.org/rfc/rfc8292) (VAPID)
+async fn notify_webpush(
+    client: &reqwest::Client,
+    vapid_key: &ES256KeyPair,
+    endpoint: &str,
+    ua_public: &str,
+    ua_auth: &str,
+    metrics: &Metrics,
+) -> Result<StatusCode> {
+    let request = WebPushBuilder::new(
+        endpoint.parse()?,
+        p256::PublicKey::from_sec1_bytes(
+            &base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(ua_public)?,
+        )?,
+        Auth::clone_from_slice(&base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(ua_auth)?),
+    )
+    .with_vapid(vapid_key, "https://github.com/chatmail/notifiers/issues")
+    .build("ping")?;
+
+    let res = client
+        .post(endpoint)
+        .headers(request.headers().clone())
+        .body(request.into_body())
+        .send()
+        .await?;
+    metrics.webpush_notifications_total.inc();
+
+    let status = res.status();
+    // Map web push responses to chatmail/relay notifier values
+    match status.as_u16() {
+        201 => Ok(StatusCode::OK),
+        404 | 403 | 401 => Ok(StatusCode::GONE),
+        _ => Ok(status),
+    }
+}
+
 /// Notify the UBports push server
 ///
 /// API documentation is available at
@@ -312,16 +381,33 @@ async fn notify_device(
     let device_token: NotificationToken = device_token.as_str().parse()?;
 
     let status_code = match device_token {
+        NotificationToken::WebPush {
+            endpoint,
+            ua_public_key,
+            ua_auth,
+        } => {
+            let client = state.http_client().clone();
+            let metrics = state.metrics();
+            notify_webpush(
+                &client,
+                state.vapid_key(),
+                &endpoint,
+                &ua_public_key,
+                &ua_auth,
+                metrics,
+            )
+            .await?
+        }
         NotificationToken::UBports(token) => {
-            let client = state.fcm_client().clone();
+            let client = state.http_client().clone();
             let metrics = state.metrics();
             notify_ubports(&client, &token, metrics).await?
         }
         NotificationToken::Fcm {
             package_name,
             token,
         } => {
-            let client = state.fcm_client().clone();
+            let client = state.http_client().clone();
             let Ok(fcm_token) = state.fcm_token().await else {
                 return Ok(StatusCode::INTERNAL_SERVER_ERROR);
             };

src/server.rs

@@ -5,6 +5,9 @@ use std::time::Duration;
 
 use a2::{Client, Endpoint};
 use anyhow::{Context as _, Result};
+use base64::Engine as _;
+use web_push_native::jwt_simple::prelude::ECDSAP256PublicKeyLike as _;
+use web_push_native::p256::pkcs8::DecodePrivateKey as _;
 
 use crate::debouncer::Debouncer;
 use crate::metrics::Metrics;
@@ -19,11 +22,11 @@ pub struct State {
 pub struct InnerState {
     schedule: Schedule,
 
-    fcm_client: reqwest::Client,
+    http_client: reqwest::Client,
 
-    production_client: Client,
+    apns_production_client: Client,
 
-    sandbox_client: Client,
+    apns_sandbox_client: Client,
 
     topic: Option<String>,
 
@@ -34,6 +37,8 @@ pub struct InnerState {
 
     fcm_authenticator: yup_oauth2::authenticator::DefaultAuthenticator,
 
+    vapid_key: web_push_native::jwt_simple::prelude::ES256KeyPair,
+
     /// Decryptor for incoming tokens
     /// storing the secret keyring inside.
     openpgp_decryptor: PgpDecryptor,
@@ -51,13 +56,14 @@ impl State {
         metrics: Metrics,
         interval: Duration,
         fcm_key_path: String,
+        vapid_key_path: String,
         openpgp_keyring_path: String,
     ) -> Result<Self> {
         let schedule = Schedule::new(db)?;
-        let fcm_client = reqwest::ClientBuilder::new()
+        let http_client = reqwest::ClientBuilder::new()
             .timeout(Duration::from_secs(60))
             .build()
-            .context("Failed to build FCM client")?;
+            .context("Failed to build HTTP client (FCM/UBPorts/WebPush)")?;
 
         let fcm_key: yup_oauth2::ServiceAccountKey =
             yup_oauth2::read_service_account_key(fcm_key_path)
@@ -68,12 +74,21 @@ impl State {
             .await
             .context("Failed to create authenticator")?;
 
-        let production_client =
+        let apns_production_client =
             Client::certificate(&mut certificate, password, Endpoint::Production)
                 .context("Failed to create production client")?;
         certificate.rewind()?;
-        let sandbox_client = Client::certificate(&mut certificate, password, Endpoint::Sandbox)
-            .context("Failed to create sandbox client")?;
+        let apns_sandbox_client =
+            Client::certificate(&mut certificate, password, Endpoint::Sandbox)
+                .context("Failed to create sandbox client")?;
+
+        let p256_sk =
+            web_push_native::p256::ecdsa::SigningKey::read_pkcs8_pem_file(&vapid_key_path)?;
+        let vapid_key =
+            web_push_native::jwt_simple::prelude::ES256KeyPair::from_bytes(&p256_sk.to_bytes())?;
+        let vapid_pubkey = &base64::engine::general_purpose::URL_SAFE_NO_PAD
+            .encode(vapid_key.public_key().public_key().to_bytes_uncompressed());
+        log::warn!("VAPID pubkey={vapid_pubkey}");
 
         let mut keyring_file = std::fs::File::open(openpgp_keyring_path)?;
         let mut keyring = String::new();
@@ -83,13 +98,14 @@ impl State {
         Ok(State {
             inner: Arc::new(InnerState {
                 schedule,
-                fcm_client,
-                production_client,
-                sandbox_client,
+                http_client,
+                apns_production_client,
+                apns_sandbox_client,
                 topic,
                 metrics,
                 interval,
                 fcm_authenticator,
+                vapid_key,
                 openpgp_decryptor,
                 debouncer: Default::default(),
             }),
@@ -100,8 +116,8 @@ impl State {
         &self.inner.schedule
     }
 
-    pub fn fcm_client(&self) -> &reqwest::Client {
-        &self.inner.fcm_client
+    pub fn http_client(&self) -> &reqwest::Client {
+        &self.inner.http_client
     }
 
     pub async fn fcm_token(&self) -> Result<Option<String>> {
@@ -115,12 +131,16 @@ impl State {
         Ok(token)
     }
 
+    pub fn vapid_key(&self) -> &web_push_native::jwt_simple::prelude::ES256KeyPair {
+        &self.inner.vapid_key
+    }
+
     pub fn production_client(&self) -> &Client {
-        &self.inner.production_client
+        &self.inner.apns_production_client
     }
 
     pub fn sandbox_client(&self) -> &Client {
-        &self.inner.sandbox_client
+        &self.inner.apns_sandbox_client
     }
 
     pub fn topic(&self) -> Option<&str> {