Web Notifications made easy
WebPush can be used to send notifications to endpoints which server delivers Web Push notifications as described in the following specifications
In addition, some features from the Push API are implemented. This specification is a working draft at the time of writing (2020-11).
This project allows sending notifications on compatible browsers. List and versions available at https://caniuse.com/push-api
PHP 8.0+
A PSR-17 (HTTP Message Factory) implementation
A PSR-18 (HTTP Client) implementation
The JSON
extension
A PSR-3 (Logger Interface) implementation for debugging
Required:
openssl
extension
mbstring
extension
A JWT Provider
Optional:
A PSR-3 (Logger Interface) implementation for debugging
This library provides JWT Provider implementations for web-token and lcobucci/jwt
Required:
openssl
extension
mbstring
extension
Optional:
A PSR-6 (Caching Interface) implementation
A PSR-3 (Logger Interface) implementation for debugging
In the documentation, you will see that methods are called “fluently”.
If you don’t adhere to this coding style, you are free to use the “standard” way of coding. The following example has the same behavior ase above.
First of all, thank you for contributing.
Bugs or feature requests can be posted online on the GitHub issues section of the project.
Few rules to ease code reviews and merges:
You MUST follow the PSR-12 coding standard.
You MUST run the test suite (see below).
You MUST write (or update) unit tests when bugs are fixed or features are added.
You SHOULD write documentation.
We use the following branching workflow:
Each minor version has a dedicated branch (e.g. v1.1, v1.2, v2.0, v2.1…)
The default branch is set to the last minor version (e.g. v2.1).
To contribute use Pull Requests, please, write commit messages that make sense, and rebase your branch before submitting your PR.
Your PR should NOT be submitted to the master branch but to the last minor version branch or to another minor version in case of bug fix.
The MIT License (MIT)
Copyright (c) 2020-2021 Spomky-Labs
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The Web Push protocol allows your application to easily engage users by sending notifications to the browser. The subscription to these notifications are done by the user (opt-in).
The notification types depend on the application. For example, it could be a notification for an internal message or an alert before account closure.
We will see in this documentation that the Web Push API offers several options to customize the notifications by adding buttons, vibration schema, images, urgency indictor and more.
You want to test it? Please go to this demo page to see what your browser already supports.
The subscription is created on client side when the end-user allows your application to send push messages.
On client side (Javascript), you can simply send to your server the object you receive using JSON.stringify
.
Javascript examples to get a Subscription from the web browser are not provided here. Please refer to other resources such as blog posts or library documentation.
A subscription object will look like:
On server side, you can get a WebPush\Subscription
object from the JSON string using the dedicated method WebPush\Subscription::createFromString
.
By default, the content encoding aesgcm
will be used. This encoding indicates how the payload of the notification should be formatted. The PushManager object from the Push API may list all acceptable encodings. In this case, it could be interesting to set these encodings to the Subscription object.
This will result in something like as follow:
The order of supportedContentEncodings
is important. First supported item will be used. If possible, AES128GCM
should be used as prefered content encoding.
To reach the client (web browser), you need to send a Notification to the Subscription.
The Notification should have a payload. In this case, the payload will be encrypted on server side and decrypted by the client.
That payload may be a string or a JSON object. The structure of the latter is described in the next section.
With this feature, a value in seconds is added to the notification. It suggests how long a push message is retained by the push service. A value of 0 (zero) indicates the notification is delivered immediately.
A push message that has been stored by the push service can be replaced with new content. If the user agent is offline during the time the push messages are sent, updating a push message avoids the situation where outdated or redundant messages are sent to the user agent.
Only push messages that have been assigned a topic can be replaced. A push message with a topic replaces any outstanding push message with an identical topic.
For a device that is battery-powered, it is often critical it remains dormant for extended periods.
Radio communication in particular consumes significant power and limits the length of time the device can operate.
To avoid consuming resources to receive trivial messages, it is helpful if an application server can communicate the urgency of a message and if the user agent can request that the push server only forwards messages of a specific urgency.
very-low
On power and Wi-Fi
Advertisements
low
On either power or Wi-Fi
Topic updates
normal
On neither power nor Wi-Fi
Chat or Calendar Message
high
Low battery
Incoming phone call or time-sensitive alert
Be carful with the very-low
urgency: it is not recognized by all Web-Push services
Your application may prefer asynchronous responses to request confirmation from the push service when a push message is delivered and then acknowledged by the user agent. The push service MUST support delivery confirmations to use this feature.
The async
mode is not recognised by all Web Push services. In case of failure, you should try sending sync
notifications.
As mentioned in the overview section, the specification defines a structure for the payload. This structure contains properties that the client should be understood and render an appropriate way.
The library provides a WebPush\Message
class with convenient methods to ease the creation of a message.
Please note that the second and the third parameters are needed for v1.1+
branch but bill be removed in v2.0
.
The resulting notification payload will look like as follow:
On client side, you can easily load that payload and display the notification:
After sending a notification, you will receive a StatusReport object.
This status report has the following properties:
The notification
The subscription
The PSR-7 request
The PSR-7 response
Because of the presence of the Request and Response object, the StatusReport object cannot be serialized.
Depending on the status code, you will be able to know if it is a success or not. In case of success, you can directly access the management link (location
header parameter) or the links entity fields in case of asynchronous call. In case of failure, the response code indicates the main reason for rejection (invalid authorization token, expired endpoint...)
One of the failure reasons could be the expiration of the subscription (too old or cancelled by the end-user). This can be checked with the method hasExpired()
. In this case, you should simply delete the subscription as it is not possible to send notifications anymore.
Voluntary Application Server Identification
“VAPID” stands for “Voluntary Application Server Identification”.
This feature allows to application server to send information about itself to a push service.
A consistent identity can be used by a push service to establish behavioral expectations for an application server. Significant deviations from an established norm can then be used to trigger exception-handling procedures.
Voluntarily provided contact information can be used to contact an application server operator in the case of exceptional situations. Additionally, the design of RFC8030 relies on maintaining the secrecy of push message subscription URIs.
Any application server in possession of a push message subscription URI is able to send messages to the user agent.
If use of a subscription could be limited to a single application server, this would reduce the impact of the push message subscription URI being learned by an unauthorized party.
In order to use this feature, you must generate ECDSA key pairs. Hereafter an example using OpenSSL.
The library can be installed using the package spomky-labs/web-push-lib
In addition to this package, you must install the required dependencies that are namely:
In the following example, we will install nyholm/prs7
and symfony/http-client
.
The VAPID header authenticates your server and prevent malicious application to send notifications to your users. The header contains a signed JSON Web Token (JWS).
The library provides bridges for the following libraries web-token
and lcobucci/jwt
.
Please install web-token/jwt-signature-algorithm-ecdsa
or lcobucci/jwt
depending on the library you want to use.
It is possible to use any other JWS provider. This will be detailed in the future.
The Web Push service requires an Extension Manager. This object manages extensions that will manipulate the request before sending it to the Push Service.
In the example below, we add all basic extensions.
Please note that the TTL Extension is usually required by Push Services. To avoid any trouble, please use all extensions.
The payload extension allows Notifications to have a payload. This extension requires Content Encoding objects that will be responsible of the payload encryption.
The library provides the AESGCM
and AES128GCM
content encoding. These encodings are normally supported by all Push Services. The library is able to support any future encoding is deemed necessary.
The VAPID header authenticates your server and prevent malicious application to send notifications to your users. The header contains a signed JSON Web Token (JWS).
The library provides bridges for the following libraries web-token
and lcobucci/jwt
.
Please install web-token/jwt-signature-algorithm-ecdsa
or lcobucci/jwt
depending on the library you want to use.
The public key used with your server shall be the same as the one in your Javascript application.
If this public/private key changes, subscriptions will become invalid.
The WebPush object requires a PSR-17 Request Factory, a PSR-18 Http Client and an Extension Manager.
The service is now ready to send Notifications to the Subscriptions. The StatusReport object that is returned is explained here.
In this example, we load the Subscription object from a string, but usually to retrieve the Subscription objects from a database or a dedicated storage.
The bundle can be installed using the package spomky-labs/web-push-bundle
In addition to this package, you must install the required dependencies that are namely:
In the following example, we will install nyholm/prs7
and symfony/http-client
.
If you use Symfony Flex, the bundle is ready to be used. Otherwise, you must enable it. The bundle class is WebPush\Bundle\WebPushBundle
.
When done, the bundle is ready and can send the notifications. However, there are extra packages we highly recommend to install and set up.
The VAPID header authenticates your server and prevent malicious application to send notifications to your users. The header contains a signed JSON Web Token (JWS).
The library provides bridges for the following libraries web-token
and lcobucci/jwt
.
Please install web-token/jwt-signature-algorithm-ecdsa
or lcobucci/jwt
depending on the library you want to use.
It is possible to use any other JWS provider. This will be detailed in the future.
To enable the VAPID header feature, you must install a JWS Provider (see installation) and configure it with your public and private key (see this page to create these keys)
When using lcobucci/jwt
, the configuration is very similar.
You cannot enable both web-token
and lcobucci/jwt
at the same time
By default, the library generates VAPID headers that are valid for 1 hour. You can change this value if needed. The parameter requires a relative string as showed in the PHP documentation.
The token lifetime should not be greater than 24 hours. Most of the Web Push Services will reject such long-life tokens
To obfuscate the real length of the notifications, messages can be padded before encryption. This operation consists in the concatenation of your message and arbitrary data in front of it. When encrypted, the messages will have the same size which reduces attacks.
By default, the padding is set to recommended
i.e. ~3k bytes.
Acceptable values for this parameter are:
none
: no padding
recommended
: default value
max
: see warning below
an integer: should be between 0
and 4078
or 3993
for AESGCM
and AES128GCM
respectively
Please don't use "none
" unless your are sending notifications in a development environment.
The value "max
" increases the integrity protection of the messages, but there are known issues on Android and notification are not correctly delivered.
The notifications may have a payload. This payload is encrypted on server side and, during this process, a random key is generated.
The creation of this random key takes approximately 150ms and can impact your server performance when sending thousand of notifications at once.
To reduce the impact on your server, you can enable the caching feature and reuse the encryption key for a defined period of time.
As encryption keys will be stored in the cache, you should make sure the cache is not shared otherwise you may have a security issue.
This parameter requires a PSR-6 Cache compatible service. If you set Psr\Log\CacheItemPoolInterface
, the default Symfony cache will be used.
You can see the impact of this feature on the CI/CD Pipelines of this library. Go the https://github.com/Spomky-Labs/web-push/actions?query=workflow%3ABenchmark and find a summary table displayed at the end of each test.
If you have troubles sending notifications, you can log some messages from the libray. To do so, you just have to set the parameter logger in the configuration.
This parameter requires a PSR-3 logger. If you set Psr\Log\LoggerInterface
, the Symfony logger will be used (PSR-3 copmpatible).
The bundle provides a public Web Push service that you can inject this service into your application components.
In the following example, let's imagine that a notification is dispatched using the Symfony Messanger component and catched by an event handler. This handler will fetch all subscriptions and send the notification.
The SubscriptionRepository class is totally fictive
The bundle provides new Doctrine type and Schema to simplify the way you store the Subscription
objects with Doctrine.
To enable this feature, the following configuration option shall be set:
This will tell the bundle to register the Subscription object as a Doctrine mapped-superclass. The DoctrineBundle shall be enabled. No additional configuration is required.
Subscription
EntityFirst of all, we need to create a Subscription Entity that extends the Subscription object. In this example, we also need to associate one or more Subscription entities to a specific user (Many To One relationship).
In this exaple, we assume you already have a valid User entity class.
User
EntityNow, to have a bidirectional relationship between this class and the User entity class, we will add this relationship to the User class.
Now that your entities are set, you can register Subcriptions and assign them to your users. To send a Notification to a specific user, you just have to get all subscriptions using $user->getSubscriptions()
.
The bundle auto-register the Doctrine type webpush_subscription. The Subscription object will automatically be converted.
New in v1.1!
Starting with v1.1, it is possible to use your own Subscription entity class. The only constraint is that it shall implement the interface WebPush\SubscriptionInterface
or shall have a method that returns an object that implements this interface.
Please have a look at the demo available at https://github.com/Spomky-Labs/web-push-demo.