[WIP] Add Apple JWT Token based authentication

Author: sideshow

.gitignore

@@ -22,3 +22,8 @@ _testmain.go
 *.exe
 *.test
 *.prof
+
+*.p12
+*.pem
+*.cer
+*.p8

README.md

@@ -1,12 +1,15 @@
 # APNS/2
 
+NOTE: This is an experimental branch for the purpose of testing the new token based authentication
+
 APNS/2 is a go package designed for simple, flexible and fast Apple Push Notifications on iOS, OSX and Safari using the new HTTP/2 Push provider API.
 
 [![Build Status](https://travis-ci.org/sideshow/apns2.svg?branch=master)](https://travis-ci.org/sideshow/apns2)  [![Coverage Status](https://coveralls.io/repos/sideshow/apns2/badge.svg?branch=master&service=github)](https://coveralls.io/github/sideshow/apns2?branch=master)  [![GoDoc](https://godoc.org/github.com/sideshow/apns2?status.svg)](https://godoc.org/github.com/sideshow/apns2)
 
 ## Features
 
 - Uses new Apple APNs HTTP/2 connection
+- Supports new Apple Token Based Authentication (JWT)
 - Works with older versions of go (1.5.x) not just 1.6
 - Supports new iOS 10 features such as Collapse IDs, Subtitles and Mutable Notifications
 - Supports persistent connections to APNs

_example/main.go renamed to _example/simple.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"log"
 
 	apns "github.com/sideshow/apns2"
@@ -9,17 +10,17 @@ import (
 
 func main() {
 
-	cert, pemErr := certificate.FromPemFile("../cert.pem", "")
+	cert, pemErr := certificate.FromP12File("../cert.p12", "")
 	if pemErr != nil {
 		log.Println("Cert Error:", pemErr)
 	}
 
 	notification := &apns.Notification{}
-	notification.DeviceToken = "11aa01229f15f0f0c52029d8cf8cd0aeaf2365fe4cebc4af26cd6d76b7919ef7"
-	notification.Topic = "com.sideshow.Apns2"
+	notification.DeviceToken = "cb7262544176c3f15efdcdcf9dd03418dfca82ba710c54ab6b1352350d442cb4"
+	notification.Topic = "com.Apns2"
 	notification.Payload = []byte(`{
 		  "aps" : {
-			"alert" : "Hello!"
+				"alert" : "Hello!"
 		  }
 		}
 	`)
@@ -28,9 +29,8 @@ func main() {
 	res, err := client.Push(notification)
 
 	if err != nil {
-		log.Println("Error:", err)
-		return
+		log.Fatal("Error: ", err)
+	} else {
+		fmt.Printf("%v %v %v\n", res.StatusCode, res.ApnsID, res.Reason)
 	}
-
-	log.Println("APNs ID:", res.ApnsID)
 }

_example/token.go

@@ -0,0 +1,42 @@
+package main
+
+import (
+	"fmt"
+	"log"
+
+	apns "github.com/sideshow/apns2"
+	"github.com/sideshow/apns2/token"
+)
+
+func main() {
+
+	authKey, err := token.AuthKeyFromFile("../APNSAuthKey_T64N7W47U9.p8")
+	if err != nil {
+		log.Fatal("token error:", err)
+	}
+
+	token := &token.Token{
+		AuthKey: authKey,
+		KeyID:   "T64N7W47U9",
+		TeamID:  "264H7447N5",
+	}
+
+	notification := &apns.Notification{}
+	notification.DeviceToken = "cb7262544176c3f15efdcdcf9dd03418dfca82ba710c54ab6b1352350d442cb4"
+	notification.Topic = "com.Apns2"
+	notification.Payload = []byte(`{
+			"aps" : {
+				"alert" : "Hello!"
+			}
+		}
+	`)
+
+	client := apns.NewTokenClient(token)
+	res, err := client.Push(notification)
+
+	if err != nil {
+		log.Fatal("error: ", err)
+	} else {
+		fmt.Printf("%v %v %v\n", res.StatusCode, res.ApnsID, res.Reason)
+	}
+}

certificate/certificate.go

@@ -26,7 +26,7 @@ var (
 // FromP12File loads a PKCS#12 certificate from a local file and returns a
 // tls.Certificate.
 //
-// Use "" as the password argument if the pem certificate is not password
+// Use "" as the password argument if the PKCS#12 certificate is not password
 // protected.
 func FromP12File(filename string, password string) (tls.Certificate, error) {
 	p12bytes, err := ioutil.ReadFile(filename)

client.go

@@ -13,6 +13,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/sideshow/apns2/token"
 	"golang.org/x/net/http2"
 )
 
@@ -37,9 +38,10 @@ var (
 
 // Client represents a connection with the APNs
 type Client struct {
-	HTTPClient  *http.Client
-	Certificate tls.Certificate
 	Host        string
+	Certificate tls.Certificate
+	Token       *token.Token
+	HTTPClient  *http.Client
 }
 
 // NewClient returns a new Client with an underlying http.Client configured with
@@ -76,6 +78,30 @@ func NewClient(certificate tls.Certificate) *Client {
 	}
 }
 
+// NewTokenClient returns a new Client with an underlying http.Client configured
+// with the correct APNs HTTP/2 transport settings. It does not connect to the APNs
+// until the first Notification is sent via the Push method.
+//
+// As per the Apple APNs Provider API, you should keep a handle on this client
+// so that you can keep your connections with APNs open across multiple
+// notifications; don’t repeatedly open and close connections. APNs treats rapid
+// connection and disconnection as a denial-of-service attack.
+func NewTokenClient(token *token.Token) *Client {
+	transport := &http2.Transport{
+		DialTLS: func(network, addr string, cfg *tls.Config) (net.Conn, error) {
+			return tls.DialWithDialer(&net.Dialer{Timeout: TLSDialTimeout}, network, addr, cfg)
+		},
+	}
+	return &Client{
+		Token: token,
+		HTTPClient: &http.Client{
+			Transport: transport,
+			Timeout:   HTTPClientTimeout,
+		},
+		Host: DefaultHost,
+	}
+}
+
 // Development sets the Client to use the APNs development push endpoint.
 func (c *Client) Development() *Client {
 	c.Host = HostDevelopment
@@ -95,13 +121,17 @@ func (c *Client) Production() *Client {
 // gateway, or an error if something goes wrong.
 func (c *Client) Push(n *Notification) (*Response, error) {
 	payload, err := json.Marshal(n)
-
 	if err != nil {
 		return nil, err
 	}
 
 	url := fmt.Sprintf("%v/3/device/%v", c.Host, n.DeviceToken)
 	req, _ := http.NewRequest("POST", url, bytes.NewBuffer(payload))
+
+	if c.Token != nil {
+		c.setTokenHeader(req)
+	}
+
 	setHeaders(req, n)
 	httpRes, err := c.HTTPClient.Do(req)
 	if err != nil {
@@ -120,6 +150,11 @@ func (c *Client) Push(n *Notification) (*Response, error) {
 	return response, nil
 }
 
+func (c *Client) setTokenHeader(r *http.Request) {
+	c.Token.GenerateIfExpired()
+	r.Header.Set("authorization", fmt.Sprintf("bearer %v", c.Token.Bearer))
+}
+
 func setHeaders(r *http.Request, n *Notification) {
 	r.Header.Set("Content-Type", "application/json; charset=utf-8")
 	if n.Topic != "" {

response.go

@@ -96,6 +96,7 @@ func (c *Response) Sent() bool {
 	return c.StatusCode == StatusSent
 }
 
+// Time represents a device uninstall time
 type Time struct {
 	time.Time
 }

token/token.go

@@ -0,0 +1,100 @@
+package token
+
+import (
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"io/ioutil"
+	"sync"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+const (
+	// TokenTimeout is the period of time in seconds that a token is valid for.
+	// If the timestamp for token issue is not within the last hour, APNs
+	// rejects subsequent push messages. This is set to under an hour so that
+	// we generate a new token before the existing one expires.
+	TokenTimeout = 3000
+)
+
+// Possible errors when parsing a .p8 file.
+var (
+	ErrAuthKeyWrongType = errors.New("token: AuthKey must be of type ecdsa.PrivateKey")
+)
+
+// Token represents an Apple Provider Authentication Token (JSON Web Token).
+type Token struct {
+	AuthKey  *ecdsa.PrivateKey
+	KeyID    string
+	TeamID   string
+	IssuedAt int64
+	Bearer   string
+	m        sync.Mutex
+}
+
+// AuthKeyFromFile loads a .p8 certificate from a local file and returns a
+// *ecdsa.PrivateKey.
+func AuthKeyFromFile(filename string) (*ecdsa.PrivateKey, error) {
+	bytes, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	return AuthKeyFromBytes(bytes)
+}
+
+// AuthKeyFromBytes loads a .p8 certificate from an in memory byte array and
+// returns an *ecdsa.PrivateKey.
+func AuthKeyFromBytes(bytes []byte) (*ecdsa.PrivateKey, error) {
+	block, _ := pem.Decode(bytes)
+	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	switch pk := key.(type) {
+	case *ecdsa.PrivateKey:
+		return pk, nil
+	default:
+		return nil, ErrAuthKeyWrongType
+	}
+}
+
+// GenerateIfExpired checks to see if the token is about to expire and
+// generates a new token.
+func (t *Token) GenerateIfExpired() {
+	t.m.Lock()
+	defer t.m.Unlock()
+	if t.Expired() {
+		t.Generate()
+	}
+}
+
+// Expired checks to see if the token has expired.
+func (t *Token) Expired() bool {
+	return time.Now().Unix() >= (t.IssuedAt + TokenTimeout)
+}
+
+// Generate creates a new token.
+func (t *Token) Generate() (bool, error) {
+	issuedAt := time.Now().Unix()
+	jwtToken := &jwt.Token{
+		Header: map[string]interface{}{
+			"alg": "ES256",
+			"kid": t.KeyID,
+		},
+		Claims: jwt.MapClaims{
+			"iss": t.TeamID,
+			"iat": issuedAt,
+		},
+		Method: jwt.SigningMethodES256,
+	}
+	bearer, err := jwtToken.SignedString(t.AuthKey)
+	if err != nil {
+		return false, err
+	}
+	t.IssuedAt = issuedAt
+	t.Bearer = bearer
+	return true, nil
+}