This is Go, not Ruby. 😜

my go version is 1.6.2
but have no http2.GoAwayError

The docs aren't entirely clear about the lifespan of a push.Service. Is a new Service supposed to be created for each individual push notification (or batch of notifications), or is it intended to be long-lived and reused? If the latter is true, is it safe to use across different threads?

Here's what I've got working right now:

package main

import "github.com/RobotsAndPencils/buford/push"
...

var service push.Service

// InitAPNS initializes the APNS service for global access.
func InitAPNS() {
    filename := "/path/to/certificate.p12"
    password := "certificate_password"
    cert, key, err := certificate.Load(filename, password)
    if err != nil {
        log.Fatal(err.Error())
    }
    client, err := push.NewClient(certificate.TLS(cert, key))
    if err != nil {
        log.Fatal(err.Error())
    }
    service = push.Service{
        Client: client,
        Host: push.Development}
}

func SendPushNotification(deviceTokens []string, notificationDetails...) {
    ...
    service.PushBytes(token, nil, bytes)
    ...
}

I initialize my global Service once from main(), and then reuse it each time I call SendPushNotification() - usually from different threads. After 48 hours of running and maybe 50 total notifications, everything seems to be working ok. But, I haven't been able to test it under a real load yet.

Am I going about this the right way? Supposing that Service is meant to be long-lived, how can we catch connection errors? And if it's instead meant to created and destroyed with each notification, what suggestions do you have to avoid reading the certificate from disk each time? Thanks for the help.

To support Safari push notifications a new package could be added to Buford to create a .pushpackage which could then be served via HTTP.

https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/NotificationProgrammingGuideForWebsites/PushNotifications/PushNotifications.html

The main issue right now is that we need PKCS #7 signing which isn't currently provided by x/crypto.

for i := 0; i < len(js.Tokens); i++ {
tok := js.Tokens[i]
if tok != "" {
id, err := service.Push(token, nil, p)
}
}
Slow sending. What can you think up to speed sending?

It would be nice in the case of errors to return the status code and reason from Apple as part of your Error struct so that calling code wouldn't have to check for your error strings explicitly in order to respond to various conditions.

in #97 return type should be Error not builtin error.

With return type Error user will have options like getting timestamp of unregistered error

What sort of signal should exit this loop? (to clean up the goroutine)

go func() {
    for {
        // Response blocks until a response is available
        log.Println(queue.Response())
    }
}()

Response returns id string, deviceToken string, err error. Maybe a special error, like io.EOF?

This was mentioned at WWDC but is not yet mentioned in Apple's documentation.

Device tokens are currently 32 bytes (64 hexadecimal digits). Will they be either 64 or 200 digits? Will they be anywhere in between? It also said "may be growing", so maybe it won't even happen.

https://developer.apple.com/news/

So, I'm currently having trouble getting APNS to recognize what I believe to be valid device tokens. While attempting to resolve this issue I looked at the request being sent and was surprised to see HTTP/1.1 as the protocol. Am I incorrect in believing that I should be seeing HTTP/2.0?

&{Method:POST URL:https://api.development.push.apple.com/3/device/BBFD8AF1C6A685F8FE4294732D2700B587956508318C770328BE167149F180F6 Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Content-Type:[application/json]] Body:{Reader:0xc820573ad0} ContentLength:40 TransferEncoding:[] Close:false Host:api.development.push.apple.com Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr: RequestURI: TLS:<nil> Cancel:<nil>}

Hi, all

i have updatemy net/http2 package to the newest, i can still get this error #35

i find that this error is triggered when the program has been running for a while.
i think this is caused by the broken connection.

Note: You can alternatively use port 2197 when communicating with APNs. You might do this, for example, to allow APNs traffic through your firewall but to block other HTTPS traffic.

Support port 2197. Overriding Service.Host will probably just work, but I should test it out.

mutable-content=1 flag in APS payload

I'm just going to bucket everything in one issue for now.

• Review current API and gather feedback
• Support additional payloads, such as Safari and test custom values (via Map).
• Return the apns-id header
• Handle all documented errors returned by Apple
• Fully review Apple documentation to ensure nothing is missed
• Additional service tests and header tests. Go 1.6 beta in CI.
• Improve documentation
• Require Go 1.6 or report a meaningful error (not malformed HTTP status code "client")
• Try Buford with the production APN service (currently only used with the development environment)
• Try Safari push notifications
• Parse and return timestamp in response
• Ensure underlying connection is being reused. Do we need to configure anything or does it Just Work™?

Beyond that, I'd like to start adding some helpers for validations, such as checking for a valid device token. I have code for this from the previous API that just needs to be brought over. Some validations are across headers and the payload, such as not allowing ContentAvailable by itself without a LowPriority header. These validations should be opt in, at least in the lower level APIs, so you can choose performance.

It would be nice if the ID header was a UUID type that was sure to be valid. I don't know if it makes sense to pull in a specific UUID library or not? If someone isn't letting Apple generate the ID, I imagine they want something custom.

Hey,

I seem to have run into a certificate issue as I get the error: pkcs12: expected exactly two safe bags in the PFX PDU. I'm generating the Production Apple Push Notification Service SSL cert as described in Apple's docs and I had simply exported the certificate/private-key pair from my keychain to get a .p12 file and I'm using this p12 file's path as filename in line cert, err := certificate.Load(filename, password) of the package's example. The error is returned by pkcs12 package in the Decode method of cert.go and specifically, by pkcs12.Decode. Would you happen to know why this error occurs or maybe what steps need to be taken to get the correct p12 file?

Documentation is here:
https://developer.apple.com/library/prerelease/ios/documentation/UserExperience/Conceptual/PassKit_PG/Creating.html#//apple_ref/doc/uid/TP40012195-CH4-SW1

There is a new header apns-collapse-id to update or remove notifications. It is a string identifying the notification.

Swift also has a removeDeliveredNotifications API for UNUserNotificationCenter but it's not yet clear how to remotely remove notifications. It may be as simple as a DELETE action rather than POST, but I'm awaiting further information.

I find a bug in
https://github.com/RobotsAndPencils/buford/blob/master/push/service.go#L208
the response.Timestamp is Millisecond
but time.Unix() require seconds
so the Error.Timestamp is error

I fix it by Timestamp: time.Unix(response.Timestamp/1000, 0)

Hello there,

Recently I started seeing weird errors for push notifications on a DEV server.
No notification is sent now.

Post https://api.development.push.apple.com/3/device/{TOKEN}: remote error: tls: unknown certificate

Do you know what it could mean ?
Could it be that my certificate is expired ?

1. What version of Go are you using (go version)?
   1.7
2. What operating system (GOOS) are you using (go env) and what version?
   linux amd 64

cheers !

Currently Apple documentation states that opening multiple connections to Apple servers is the best practice if you have a large number of notifications to send.

From what I understand, when we create a client and a service in buford, we create a new connection to Apple servers. And when we use a queue with multiple workers we are are using multiple HTTP/2 streams on a single connection.

The application I am using buford in has a requirement where a large number of notifications should be delivered very quickly (ie: 100K in 15s), so I think I need to take advantage of multiple connections, but not really sure how to do that here.

The APS Alert has a new "subtitle" field in iOS 10 via "Introduction to Notifications"

Not yet in the documentation.

up to 4 KB (4096 bytes)

@leopay reports that net.http.client.Timeout no longer works since moving away from Client.Do in 2d03c35 (necessary to get the type assertion to GoAwayError).

What did you do? (steps to reproduce or a code sample is helpful)

➜  go go version
go version go1.6.2 darwin/amd64

➜  go go get -u -d github.com/RobotsAndPencils/buford
➜  go

package main

import(
  "encoding/json"
  "log"
  "crypto/tls"

  "github.com/RobotsAndPencils/buford/payload"
  "github.com/RobotsAndPencils/buford/payload/badge"
  "github.com/RobotsAndPencils/buford/push"
)

const (
  certFile = "../promiser-apns.pem"
  keyFile = "../promiser-apns.key"
  host = push.Development
  deviceToken = "afc61ee7a0d29ddbf68c7299017a549880f50bcb9a9b5e1a45c21dbfb064d047"
)

func main() {
  // load a certificate and use it to connect to the APN service:
  if cert, err := tls.LoadX509KeyPair(certFile, keyFile); err == nil {

    if client, err := push.NewClient(cert); err == nil {

      // construct a payload to send to the device:
      payloadObj := payload.APS{
        Alert: payload.Alert{Body: "Hello HTTP/2"},
        Badge: badge.New(42),
      }

      if payloadData, err := json.Marshal(payloadObj); err == nil {

        service := push.NewService(client, host)
        queue := push.NewQueue(service, 5)

        go func() {
          for resp := range queue.Responses {
            log.Println("++++>", resp)
          }
        }()

        headers := &push.Headers{
          Topic: "com.letsapp.BundleID",
        }

        // send the notifications
        for i := 0; i < 5; i++ {
          queue.Push(deviceToken, headers, payloadData)
        }

        // done sending notifications, wait for all responses and shutdown
        queue.Wait()

      } else {
        log.Printf("init client error: %v \n", err)
      }

    } else {
      log.Printf("init client error: %v \n", err)
    }

  } else {
    log.Printf("load cert error: %v \n", err)
  }
}

What did you expect to see?

2016/07/22 22:44:36 ++++> {token id error_nil}
2016/07/22 22:44:37 ++++> {token id error_nil}
2016/07/22 22:44:38 ++++> {token id error_nil}
2016/07/22 22:44:39 ++++> {token id error_nil}
2016/07/22 22:44:40 ++++> {token id error_nil}

What did you see instead?

2016/07/22 22:44:36 ++++> {token id error_nil}
2016/07/22 22:44:37 ++++> {token id error_nil}
2016/07/22 22:44:38 ++++> {token id error_nil}
2016/07/22 22:44:39 ++++> {token id error_nil}

Hello,

Install today 1.6 and i'm getting this message malformed HTTP status code "client"

the problem is here

resp, err := s.Client.Do(req)

if err != nil {
return err
}

Demo concurrent run print
queue.Responses undefined (type *push.Queue has no field or method Responses, but does have push.responses)

------------------------------ push/service.go -------------------------------
index d1388e1..2ccdaee 100644
@@ -30,6 +30,7 @@ const maxPayload = 4096 // 4KB at most
type Service struct {
Host string
Client *http.Client

• Topic string
  }

// NewService creates a new service to connect to APN.
@@ -72,6 +73,8 @@ func (s *Service) Push(deviceToken string, headers *Headers, payload []byte) (st
return "", err
}
req.Header.Set("Content-Type", "application/json")

• //Production mode need apns-topic
• req.Header.Set("apns-topic", s.Topic)
  headers.set(req.Header)

resp, err := s.Client.Do(req)

Transparent topic extraction can be problematic. One certificate can serve several topics, VoIP and debug ones. When a message is sent to a specific topic, there has to be a way to specify it.

http://jmoiron.net/blog/crossing-streams-a-love-letter-to-ioreader/ has some context on reasons to avoid a ReadAll. This fact is reflected in the current source - from the source:

    // TODO: could decode while reading instead
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        return "", err
    }

    var response response
    json.Unmarshal(body, &response)

If I'm undersatnding correctly, I believe this TODO could be done by essentially doing

var response response
err = json.NewDecoder(resp.Body).Decode(&response)
if err != nil {
    return "", err
}

and it would be beneficial for performance

By invoking a netstat -antup | grep server | awk '{print $5}' | cut -d: -f1 | sort | uniq -c command on server I got a lot occurencies of APNS IPs with ESTABLISHED state, what is going wrong?

 38 17.110.226.29
 43 17.110.227.88
 36 17.110.227.89
 33 17.110.227.90
 32 17.110.227.91
 37 17.110.227.92
 45 17.110.227.93
 45 17.110.227.94
 48 17.110.227.95
 49 17.110.227.96
 26 17.143.164.136
 19 17.143.164.137
 30 17.143.164.138
 45 17.143.164.139
 39 17.143.164.140
 26 17.143.164.141
 38 17.143.164.142
 49 17.143.164.77
 17 17.143.164.78
 46 17.143.164.79
 15 17.172.233.39
 13 17.172.234.15
  4 17.172.234.16
 15 17.172.234.17
 15 17.172.234.18
 16 17.172.234.19
 10 17.172.234.20
 12 17.172.234.21
 18 17.172.234.22
 13 17.172.234.23

Where first column is occurency of second column (APNS IP).

Hello there,

recently I get unexpected EOF errors when I try to send notifications, 0 notification will work now.

What did you do? (steps to reproduce or a code sample is helpful)

• Try to send a notification

What did you expect to see?

• A notification

What did you see instead?

• Post https://api.push.apple.com/3/device/{token}: unexpected EOF in the logs.

Is there a way to know what happened ? Shouldn't buford tell a bit more on it ??

Thanks !

The response from APNS may include a timestamp for 410 Status Gone (and possibly an ErrUnregistered JSON response?)

the value of this key is the last time at which APNs confirmed that the device token was no longer valid for the topic. Stop pushing notifications until the device registers a token with a later timestamp with your provider.

This should be parsed and returned with the error. Apple's documentation doesn't say the type or format of the timestamp. There is a good chance it is a Unix timestamp in number of seconds since the epoch, but it would be good to get this error back to ensure that is the case.

What's New in the Apple Push Notification Service
https://developer.apple.com/videos/play/wwdc2016/724/

Starting with a review of the HTTP/2 based provider API, you will learn about an important new feature: Token Based Authentication. Learn to connect to APNs using authentication tokens for sending pushes via the HTTP/2 API, relieving you of the overhead associated with maintaining valid certificates.

TODO:

• Refresh my knowledge of JWT
• Write example that uses a Go JWT library
• Get a signing Key from Apple to test this out
• Review the APIs and dependencies
• Documentation of Certificate and Token authentication options

Now buford provides the function of push.NewClient(cert tls.Certifcate) (*http.Client, error) for creating a http/2 client.

client, err := push.NewClient(certificate)

But push.NewClient() can not customize http.Transport like the code below for a http/2 client.

// example definition
transport := &http.Transport{
        TLSClientConfig:     config,
        MaxIdleConnsPerHost: 16,
}

MaxIdleConnsPerHost is important for sending many notifications to APNs once. Accoding to the document below (Best Practices for Managing Connections), increasing connections to APNs seems to be recommended for improving performance. (MaxIdleConnsPerHost is 2 by default. )

https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/APNsProviderAPI.html#//apple_ref/doc/uid/TP40008194-CH101-SW1

Though it is good if there is the function for customizing http.Transport for a http/2 client, what do you think?

I have valid and expired certificates, but I don't want to include them in the open source project for obvious reasons.

There may be a way to store them on CI, or perhaps some level of mocking instead of full integration tests.

https://docs.travis-ci.com/user/encrypting-files/

I've noticed that you can extract the bundle-id from the certificate and put it into the Headers as Topic (it seems to be required), so you can avoid asking for it.

cert, err := certificate.Load(filename, passphrase)
if err != nil {
    log.Fatal(err)
}

commonName := cert.Leaf.Subject.CommonName
bundle := strings.Replace(commonName, "Apple Push Services: ", "", 1)

headers := &push.Headers{
    Topic: bundle,
}

Using x/net/http2 directly instead of ConfigureTransport could allow support for Go 1.5.x (if desired), and make it so NewClient() doesn't return an error.

https://github.com/sideshow/apns2/blob/master/client.go#L60

Buford is using Ubuntu-style release names with animals of the alphabet. But because this is a pushy library for push notifications, the names are characterized by being a school kid bully.

https://github.com/RobotsAndPencils/buford/releases

• bullied bandicoot
• cranky caribou
• dastardly dingo
• e
• f
• g
• h
• i
• j

In the previous versions of buford, the error struct had a field for device token of the notification. This was useful since for some errors (ie. ErrUnregistered) the device token needs to be removed from the backend. In the latest version this field seems to have been removed from the error struct.
This causes an issue in the concurrent scenario (push.NewQueue( service, workers) where there is no way to track for which device the error is received and makes it hard to act on it.

Headers contain an ID which should be a UUID with 32 lowercase hexadecimal digits (or blank). Currently there is no validation for this field.

This sounds like something that could affect Buford users:

Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.

https://groups.google.com/forum/#!msg/golang-announce/9eqIHqaWvck/kXsfO0ogLAAJ

Maybe an error here should fall back to the status code error path:
https://github.com/RobotsAndPencils/buford/blob/master/push/service.go#L184

panic: close of closed channel

goroutine 46 [running]:
panic(0x7c8aa0, 0xc8206dc8c0)
/home/users/tianwanli01/Code/Go/go-go1.6/src/runtime/panic.go:464 +0x3e6
golang.org/x/net/http2.(_ClientConn).streamByID(0xc820082b00, 0x100000001, 0x0)
/home/users/tianwanli01/Code/Go/gopath/src/golang.org/x/net/http2/transport.go:913 +0x101
golang.org/x/net/http2.(_ClientConn).forgetStreamID(0xc820082b00, 0xc800000001)
/home/users/tianwanli01/Code/Go/gopath/src/golang.org/x/net/http2/transport.go:904 +0x2e
golang.org/x/net/http2.(_ClientConn).RoundTrip(0xc820082b00, 0xc82060c000, 0xc8206ee480, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/gopath/src/golang.org/x/net/http2/transport.go:605 +0x600
golang.org/x/net/http2.(_Transport).RoundTripOpt(0xc8206308c0, 0xc82060c000, 0xc820045300, 0xc8204fc300, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/gopath/src/golang.org/x/net/http2/transport.go:263 +0x296
golang.org/x/net/http2.(_Transport).RoundTrip(0xc8206308c0, 0xc82060c000, 0x0, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/gopath/src/golang.org/x/net/http2/transport.go:238 +0x41
net/http.(_Transport).RoundTrip(0xc820748480, 0xc82060c000, 0xc820748480, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/go-go1.6/src/net/http/transport.go:318 +0x8e0
net/http.send(0xc82060c000, 0x7f87122d7528, 0xc820748480, 0x0, 0x0, 0x0, 0xc820634230, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/go-go1.6/src/net/http/client.go:260 +0x6b7
net/http.(_Client).send(0xc8206ef590, 0xc82060c000, 0x0, 0x0, 0x0, 0xd, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/go-go1.6/src/net/http/client.go:155 +0x185
net/http.(_Client).doFollowingRedirects(0xc8206ef590, 0xc82060c000, 0x9ff768, 0x0, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/go-go1.6/src/net/http/client.go:475 +0x8a4
net/http.(_Client).Do(0xc8206ef590, 0xc82060c000, 0xc, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/go-go1.6/src/net/http/client.go:191 +0x1e4
github.com/WanliTian/apns/vendor/github.com/RobotsAndPencils/buford/push.(_Service).PushBytes(0xc82010f760, 0xc8206fc200, 0x40, 0xc820475e78, 0xc82070a090, 0x65, 0x83, 0x0, 0x0, 0x0, ...)
/home/users/tianwanli01/Code/Go/gopath/src/github.com/WanliTian/apns/vendor/github.com/RobotsAndPencils/buford/push/service.go:173 +0x397
github.com/WanliTian/apns/vendor/github.com/RobotsAndPencils/buford/push.(_Service).Push(0xc82010f760, 0xc8206fc200, 0x40, 0xc820475e78, 0x7c7520, 0xc8207142a0, 0x0, 0x0, 0x0, 0x0)
/home/users/tianwanli01/Code/Go/gopath/src/github.com/WanliTian/apns/vendor/github.com/RobotsAndPencils/buford/push/service.go:159 +0x105
main.(_Worker).start(0xc8206d6190)

Libraries for the HTTP/2 Notification API

https://github.com/alloy/lowdown (Ruby)

BadCertificateEnvironment #33 #76
unknown certificate #80

Hitting Apple with an HTTP/1.1 request results in the error malformed HTTP status code "client". (#26)

Importing golang.org/x/net/http2 (#27) means that GODEBUG=http2client=0 no longer disables http2. But if for some reason http2 isn't established, it would be nice to catch that sooner and report a friendly error.

Now that the http/2 library is a dependency (#27), Go 1.6 may not be a requirement. It may be possible to support Go 1.5.3 by removing the +build go1.6 build tag, but this will require testing.

Apple allows between 400 to 4000 streams.

net/http2 is hard coded at 1000 streams (maxConcurrentStreams):
https://github.com/golang/net/blob/313cf39d4ac368181bce6960ac9be9e7cee67e68/http2/transport.go#L409 (thanks to @sideshow for pointing this out)

In addition to streams, multiple connections can be used. From Apple docs:

You can establish multiple connections to APNs servers to improve performance. When you send a large number of remote notifications, distribute them across connections to several server endpoints. This improves performance, compared to using a single connection, by letting you send remote notifications faster and by letting APNs deliver them faster.

You can check the health of your connection using an HTTP/2 PING frame. Docs

for i := 0; i < len(js.Tokens); i++ { tok := js.Tokens[i] if tok != "" { id, err := service.Push(token, nil, p) } }
Slow sending. What can you think up to speed sending?