1 of 21

2.0.x

Web-Push

Web Notifications made easy

WebPush can be used to send notifications to endpoints which server delivers Web Push notifications as described in the following specifications

Requirements

Mandatory

PHP 8.0+
A PSR-17 (HTTP Message Factory) implementation
A PSR-18 (HTTP Client) implementation
The JSON extension

Optional

A PSR-3 (Logger Interface) implementation for debugging

Extension Specific

VAPID extension

Required:
- openssl extension
- mbstring extension

This library provides JWT Provider implementations for and

Payload extension

Required:
- openssl extension
- mbstring extension

Fluent Syntax

In the documentation, you will see that methods are called “fluently”.

<?php

use WebPush\Payload\AES128GCM;
use WebPush\Payload\AESGCM;
use WebPush\Payload\PayloadExtension;

$payloadExtension = PayloadExtension::create()
    ->addContentEncoding(AESGCM::create()->maxPadding())
    ->addContentEncoding(AES128GCM::create()->maxPadding())
;

If you don’t adhere to this coding style, you are free to use the “standard” way of coding. The following example has the same behavior ase above.

<?php

use WebPush\Payload\AES128GCM;
use WebPush\Payload\AESGCM;
use WebPush\Payload\PayloadExtension;

$aesgcm = new AESGCM();
$aesgcm->maxPadding();

$aes128gcm = new AES128GCM();
$aes128gcm->maxPadding();

$payloadExtension = new PayloadExtension();
$payloadExtension->addContentEncoding($aesgcm);
$payloadExtension->addContentEncoding($aes128gcm);

Contributing

First of all, thank you for contributing.

Bugs or feature requests can be posted online on the GitHub issues section of the project.

Few rules to ease code reviews and merges:

You MUST follow the PSR-12 coding standard.
You MUST run the test suite (see below).
You MUST write (or update) unit tests when bugs are fixed or features are added.
You SHOULD write documentation.
You MAY follow the and .

We use the following branching workflow:

Each minor version has a dedicated branch (e.g. v1.1, v1.2, v2.0, v2.1…)
The default branch is set to the last minor version (e.g. v2.1).

To contribute use , please, write commit messages that make sense, and rebase your branch before submitting your PR.

Your PR should NOT be submitted to the master branch but to the last minor version branch or to another minor version in case of bug fix.

License

The MIT License (MIT)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Common Concepts

Overview

The Web Push protocol allows your application to easily engage users by sending notifications to the browser. The subscription to these notifications are done by the user (opt-in).

The notification types depend on the application. For example, it could be a notification for an internal message or an alert before account closure.

We will see in this documentation that the Web Push API offers several options to customize the notifications by adding buttons, vibration schema, images, urgency indictor and more.

You want to test it? Please go to to see what your browser already supports.

The Subscription

The subscription is created on client side when the end-user allows your application to send push messages.

On client side (Javascript), you can simply send to your server the object you receive using JSON.stringify.

Javascript examples to get a Subscription from the web browser are not provided here. Please refer to other resources such as blog posts or library documentation.

A subscription object will look like:

On server side, you can get a WebPush\Subscription object from the JSON string using the dedicated method WebPush\Subscription::createFromString.

Supported Content Encodings

By default, the content encoding aesgcm will be used. This encoding indicates how the payload of the notification should be formatted. The PushManager object from the Push API may list all acceptable encodings. In this case, it could be interesting to set these encodings to the Subscription object.

This will result in something like as follow:

The order of supportedContentEncodings is important. First supported item will be used. If possible, AES128GCM should be used as prefered content encoding.

The Notification

To reach the client (web browser), you need to send a Notification to the Subscription.

The Notification should have a payload. In this case, the payload will be encrypted on server side and decrypted by the client.

That payload may be a string or a JSON object. The structure of the latter is described in the next section.

TTL (Time-To-Live)

With this feature, a value in seconds is added to the notification. It suggests how long a push message is retained by the push service. A value of 0 (zero) indicates the notification is delivered immediately.

Topic

A push message that has been stored by the push service can be replaced with new content. If the user agent is offline during the time the push messages are sent, updating a push message avoids the situation where outdated or redundant messages are sent to the user agent.

Only push messages that have been assigned a topic can be replaced. A push message with a topic replaces any outstanding push message with an identical topic.

Urgency

For a device that is battery-powered, it is often critical it remains dormant for extended periods.

Radio communication in particular consumes significant power and limits the length of time the device can operate.

To avoid consuming resources to receive trivial messages, it is helpful if an application server can communicate the urgency of a message and if the user agent can request that the push server only forwards messages of a specific urgency.

Urgency

Device State

Examples

Be carful with the very-low urgency: it is not recognized by all Web-Push services

Asynchronous Response

Your application may prefer asynchronous responses to request confirmation from the push service when a push message is delivered and then acknowledged by the user agent. The push service MUST support delivery confirmations to use this feature.

The async mode is not recognised by all Web Push services. In case of failure, you should try sending syncnotifications.

JSON Messages

As mentioned in the overview section, the specification . This structure contains properties that the client should be understood and render an appropriate way.

The library provides a WebPush\Message class with convenient methods to ease the creation of a message.

Please note that the second and the third parameters are needed for v1.1+ branch but bill be removed in v2.0.

The resulting notification payload will look like as follow:

On client side, you can easily load that payload and display the notification:

The Status Report

After sending a notification, you will receive a StatusReport object.

This status report has the following properties:

The notification
The subscription
The PSR-7 request
The PSR-7 response

Because of the presence of the Request and Response object, the StatusReport object cannot be serialized.

Depending on the status code, you will be able to know if it is a success or not. In case of success, you can directly access the management link (location header parameter) or the links entity fields in case of asynchronous call. In case of failure, the response code indicates the main reason for rejection (invalid authorization token, expired endpoint...)

One of the failure reasons could be the expiration of the subscription (too old or cancelled by the end-user). This can be checked with the method hasExpired(). In this case, you should simply delete the subscription as it is not possible to send notifications anymore.

VAPID

Voluntary Application Server Identification

“VAPID” stands for “Voluntary Application Server Identification”.

This feature allows to application server to send information about itself to a push service.

A consistent identity can be used by a push service to establish behavioral expectations for an application server. Significant deviations from an established norm can then be used to trigger exception-handling procedures.

Voluntarily provided contact information can be used to contact an application server operator in the case of exceptional situations. Additionally, the design of RFC8030 relies on maintaining the secrecy of push message subscription URIs.

Any application server in possession of a push message subscription URI is able to send messages to the user agent.

If use of a subscription could be limited to a single application server, this would reduce the impact of the push message subscription URI being learned by an unauthorized party.

In order to use this feature, you must generate ECDSA key pairs. Hereafter an example using OpenSSL.

The Library

Installation

The library can be installed using the package spomky-labs/web-push-lib

In addition to this package, you must install the required dependencies that are namely:

The Extension Manager

The Web Push service requires an Extension Manager. This object manages extensions that will manipulate the request before sending it to the Push Service.

In the example below, we add all basic extensions.

Please note that the TTL Extension is usually required by Push Services. To avoid any trouble, please use all extensions.

Payload Extension

The payload extension allows Notifications to have a payload. This extension requires Content Encoding objects that will be responsible of the payload encryption.

The library provides the AESGCM and AES128GCM content encoding. These encodings are normally supported by all Push Services. The library is able to support any future encoding is deemed necessary.

VAPID Extension

The authenticates your server and prevent malicious application to send notifications to your users. The header contains a signed JSON Web Token (JWS).

The library provides bridges for the following libraries web-token and lcobucci/jwt.

Please install web-token/jwt-signature-algorithm-ecdsa or lcobucci/jwt depending on the library you want to use.

The public key used with your server shall be the same as the one in your Javascript application.

If this public/private key changes, subscriptions will become invalid.

The Web Push Service

The WebPush object requires a PSR-17 Request Factory, a PSR-18 Http Client and an Extension Manager.

use Nyholm\Psr7\Factory\Psr17Factory;
use Symfony\Component\HttpClient\Psr18Client;
use WebPush\WebPush;

$client = new Psr18Client();
$requestFactory = new Psr17Factory();

$service = new WebPush($client, $requestFactory, $extensionManager);

The service is now ready to send Notifications to the Subscriptions. The StatusReport object that is returned is explained here.

<?php

use WebPush\Subscription;
use WebPush\Notification;

$subscription = Subscription::createFromString('{"endpoint":"https://updates.push.services.mozilla.com/wpush/v2/AAAAAAAA[…]AAAAAAAAA","keys":{"auth":"XXXXXXXXXXXXXX","p256dh":"YYYYYYYY[…]YYYYYYYYYYYYY"}}');
$notification = Notification::create()
    ->withPayload('Hello world')
;

$statusReport = $service->send($notification, $subscription);

In this example, we load the Subscription object from a string, but usually to retrieve the Subscription objects from a database or a dedicated storage.

The Symfony Bundle

Installation

The bundle can be installed using the package spomky-labs/web-push-bundle

In addition to this package, you must install the required dependencies that are namely:

Configuration

VAPID Support

To enable the VAPID header feature, you must install a JWS Provider (see installation) and configure it with your public and private key (see this page to create these keys)

When using lcobucci/jwt, the configuration is very similar.

You cannot enable both web-token and lcobucci/jwt at the same time

Token Lifetime

By default, the library generates VAPID headers that are valid for 1 hour. You can change this value if needed. The parameter requires a relative string as showed .

The token lifetime should not be greater than 24 hours. Most of the Web Push Services will reject such long-life tokens

Payload Support

Padding

To obfuscate the real length of the notifications, messages can be padded before encryption. This operation consists in the concatenation of your message and arbitrary data in front of it. When encrypted, the messages will have the same size which reduces attacks.

By default, the padding is set to recommended i.e. ~3k bytes.

Acceptable values for this parameter are:

none: no padding
recommended: default value
max

Please don't use "none" unless your are sending notifications in a development environment.

The value "max" increases the integrity protection of the messages, but there are known issues on Android and notification are not correctly delivered.

Caching

The notifications . This payload is encrypted on server side and, during this process, a random key is generated.

The creation of this random key takes approximately 150ms and can impact your server performance when sending thousand of notifications at once.

To reduce the impact on your server, you can enable the caching feature and reuse the encryption key for a defined period of time.

As encryption keys will be stored in the cache, you should make sure the cache is not shared otherwise you may have a security issue.

This parameter requires a PSR-6 Cache compatible service. If you set Psr\Log\CacheItemPoolInterface, the default Symfony cache will be used.

You can see the impact of this feature on the CI/CD Pipelines of this library. Go the and find a summary table displayed at the end of each test.

Debugging

If you have troubles sending notifications, you can log some messages from the libray. To do so, you just have to set the parameter logger in the configuration.

This parameter requires a PSR-3 logger. If you set Psr\Log\LoggerInterface, the Symfony logger will be used (PSR-3 copmpatible).

The Web Push Service

The bundle provides a public Web Push service that you can inject this service into your application components.

In the following example, let's imagine that a notification is dispatched using the Symfony Messanger component and catched by an event handler. This handler will fetch all subscriptions and send the notification.

The SubscriptionRepository class is totally fictive

src/MessageHandler/SendNotification.php

<?php

declare(strict_types=1);

namespace App\MessageHandler;

use App\Message\SubscriptionExpired;
use Symfony\Component\Messenger\Handler\MessageHandlerInterface;
use Symfony\Component\Messenger\MessageBusInterface;
use WebPush\Notification;
use WebPush\WebPush;

final class SendPushNotifications implements MessageHandlerInterface
{
    private MessageBusInterface $messageBus;
    private SubscriptionRepository $repository;
    private WebPush $webPush;

    public function __construct(MessageBusInterface $messageBus, SubscriptionRepository $repository, WebPush $webPush)
    {
        $this->messageBus = $messageBus;
        $this->repository = $repository;
        $this->webPush = $webPush;
    }

    public function __invoke(Notification $notification): void
    {
        // Fetch all subscriptions
        $subscriptions = $this->repository->fetchAllSubscriptions();
        foreach ($subscriptions as $subscription) {
            //Sends the notification to the subscriber
            $report = $this->webPush->send($notification, $subscription);

            //If the subscription expired
            if ($report->subscriptionExpired()) {
                //We dispatch a new message and expect for
                // the subscription to be deleted
                $this->messageBus->dispatch(
                    new SubscriptionExpired($subscription)
                );
            }
        }
    }
}

Doctrine

The bundle provides new Doctrine type and Schema to simplify the way you store the Subscription objects with Doctrine.

Using The Doctrine Mapping

Configuration

To enable this feature, the following configuration option shall be set:

This will tell the bundle to register the Subscription object as a Doctrine mapped-superclass. The DoctrineBundle shall be enabled. No additional configuration is required.

The `Subscription` Entity

First of all, we need to create a Subscription Entity that extends the Subscription object. In this example, we also need to associate one or more Subscription entities to a specific user (Many To One relationship).

In this exaple, we assume you already have a valid User entity class.

The `User` Entity

Now, to have a bidirectional relationship between this class and the User entity class, we will add this relationship to the User class.

Sending Notifications To A User

Now that your entities are set, you can register Subcriptions and assign them to your users. To send a Notification to a specific user, you just have to get all subscriptions using $user->getSubscriptions().

Using Doctrine Type

The bundle auto-register the Doctrine type webpush_subscription. The Subscription object will automatically be converted.

Using Your Own Entity Class

New in v1.1!

Starting with v1.1, it is possible to use your own Subscription entity class. The only constraint is that it shall implement the interface WebPush\SubscriptionInterface or shall have a method that returns an object that implements this interface.

Example

Please have a look at the demo available at .

<?php declare(strict_types=1); namespace App\Entity; use function array_key_exists; use Assert\Assertion; use DateTimeInterface; use Safe\DateTimeImmutable; use function Safe\json_decode; class Subscription implements SubscriptionInterface { /** * @ORM\Id * @ORM\Column(type="integer") * @ORM\GeneratedValue(strategy="AUTO") */ private ?int $id = null; /** * @ORM\Column(type="integer") */ private string $endpoint; /** * @ORM\Column(type="array") * * @var string[] */ private array $keys = []; /** * @ORM\Column(type="array") * * @var string[] */ private array $supportedContentEncodings = ['aesgcm']; /** * @ORM\Column(type="integer", nullable=true) */ private ?int $expirationTime = null; public function __construct(string $endpoint) { $this->endpoint = $endpoint; } /** * @param string[] $contentEncodings */ public function setContentEncodings(array $contentEncodings): self { $this->supportedContentEncodings = $contentEncodings; return $this; } public function getKeys(): array { return $this->keys; } public function hasKey(string $key): bool { return isset($this->keys[$key]); } /** * @return array<string, string> */ public function getKey(string $key): string { Assertion::keyExists($this->keys, $key, 'The key does not exist'); return $this->keys[$key]; } public function setKeys(array $keys): self { $this->keys = $keys; return $this; } public function getExpirationTime(): ?int { return $this->expirationTime; } public function setExpirationTime(?int $expirationTime): self { $this->expirationTime = $expirationTime; return $this; } public function getEndpoint(): string { return $this->endpoint; } /** * @return string[] */ public function getSupportedContentEncodings(): array { return $this->supportedContentEncodings; } /** * @return array<string, string|string[]> */ public function jsonSerialize(): array { return [ 'endpoint' => $this->endpoint, 'supportedContentEncodings' => $this->supportedContentEncodings, 'keys' => $this->keys, ]; } }

2.0.x

Web-Push

Requirements

hashtagMandatory

hashtagOptional

hashtagExtension Specific

hashtagVAPID extension

hashtagPayload extension

Fluent Syntax

Contributing

License

Common Concepts

Overview

The Subscription

hashtagSupported Content Encodings

The Notification

hashtagTTL (Time-To-Live)

hashtagTopic

hashtagUrgency

hashtagAsynchronous Response

hashtagJSON Messages

The Status Report

VAPID

The Library

Installation

The Extension Manager

hashtagPayload Extension

hashtagVAPID Extension

The Web Push Service

The Symfony Bundle

Installation

Configuration

hashtagVAPID Support

hashtagToken Lifetime

hashtagPayload Support

hashtagPadding

hashtagCaching

hashtagDebugging

The Web Push Service

Doctrine

hashtagUsing The Doctrine Mapping

hashtagConfiguration

hashtagThe Subscription Entity

hashtagThe User Entity

hashtagSending Notifications To A User

hashtagUsing Doctrine Type

hashtagUsing Your Own Entity Class

Example

Overview

Requirements

hashtagMandatory

hashtagOptional

hashtagExtension Specific

hashtagVAPID extension

hashtagPayload extension

VAPID

Contributing

Web-Push

Installation

hashtagVAPID Header

Example

Doctrine

hashtagUsing The Doctrine Mapping

hashtagConfiguration

hashtagThe Subscription Entity

hashtagThe User Entity

hashtagSending Notifications To A User

hashtagUsing Doctrine Type

hashtagUsing Your Own Entity Class

The Notification

hashtagTTL (Time-To-Live)

hashtagTopic

hashtagUrgency

hashtagAsynchronous Response

hashtagJSON Messages

Fluent Syntax

Installation

hashtagVAPID Header

The Web Push Service

The Status Report

Mandatory

Optional

Extension Specific

VAPID extension

Payload extension

Supported Content Encodings

TTL (Time-To-Live)

Topic

Urgency

Asynchronous Response

JSON Messages

Payload Extension

VAPID Extension

VAPID Support

Token Lifetime

Payload Support

Padding

Caching

Debugging

Using The Doctrine Mapping

Configuration

The `Subscription` Entity

The `User` Entity

Sending Notifications To A User

Using Doctrine Type

Using Your Own Entity Class

Mandatory

Optional

Extension Specific

VAPID extension

Payload extension

VAPID Header

Using The Doctrine Mapping

Configuration

The `Subscription` Entity

The `User` Entity

Sending Notifications To A User

Using Doctrine Type

Using Your Own Entity Class

TTL (Time-To-Live)

Topic

Urgency

Asynchronous Response

JSON Messages

VAPID Header

Supported Content Encodings

Payload Extension

VAPID Extension

VAPID Support

Token Lifetime

Payload Support

Padding

Caching

Debugging