I have setup simple demo for MDM server. I can successfully recover initial plist with messagetype, pushmagic token, APNs token(32byte as base46) and unlocktoken. My issue is when I tried to decode APNs token using base64_decode php function, it returns with junk/garbage character. Can any help if I need to use anyother php function to decode APNs token?
Thanks,
Viral.
The token is just what it is: a token. What you're getting with base64_decode is just a byte-array, you cannot see any meaningful data in it or print it as a string. Just store it in binary form in your database. You need this token later on to identify the target device when you send a pending command notification to the APNS. It is the actually the same as a push-token for an app.
The content of the notification for the device is described in 1, and the APNS protocol in [2].
References
Apple Inc, Mobile Device Management Protocol Reference
Apple Push Notification Service
Just to add onto this. If you're using another library to abstract sending notifications, sometimes they expect the token to be 64 characters. With PHP, you can do this with $token = bin2hex(base64_decode($deviceToken));
However if the token is stored in your database as binary format, then the base64_decode can be omitted. The following is what is required when dealing with PHP PDO w/ Postgres:
bin2hex(stream_get_contents($deviceToken))
Related
we are migrating from Cert based Notification to Token based notifications,
I have my Device token and I generate JWT token using .p8 file, KId, App Id and issue time. iam using Curl command to send the Message to api.push.apple.com/3/device/.
Iam getting
HTTP/2 200
apns-id: C372B9BE-5C83-3CBB-0DF3-5B5B6D671B65 from Server, however, iam not receiving any notifications on to my Mobile.
any one aware of this issue, Please advise.
Appreciate it
According to this answer, push tokens are regularly rotated to help with privacy, and that my web service API implementation will see this as a new registration.
Does this mean that the web service API registration endpoint must detect the same device library identifier with a different pushToken as a different device? Or, does the device library identifier also change with the pushToken?
Both the device library identifier and the push token are regularly randomised. When a push token is rotated, you will receive a registration request with a new device library identifier and push token. You will not receive an I register request for the old identifier and token.
When making a push request for a token that has been rotated, you will receive a response from APNS letting you know that the token is no longer valid.
Therefore, when a device has rotated it’s token and you haven’t sent a push request, your database should show it registered with 2 identifiers.
I'm trying to host a discord bot on Heroku.
When it starts I get this error:
"UnhandledPromiseRejectionWarning: Error [TOKEN_INVALID]: An invalid token was provided".
But here is the weird part. It worked fine when I tested it first in Visual Studio Code. So in the process of me getting the files into Heroku, it got invalid.
Does anyone have a clue of how I can fix this?
Thx for any replies in advance.
Deploying app on heroku you have to change you client.login(token) to client.login(process.env.token) and add token to
as token - key and value - token copied from discord developers portal, remember (important note!) letters has to be the same, I mean, if you use capitals in process.env.TOKEN, the config var has to be now TOKEN.
I run into a similar problem, i encrypted the token so that i could store the encrypted token on heroku and decrypt it in the js to pass the actual token to the login method.
The weird part is, if i write the token directly as string into the js file or i use heroku and store it directly there, then it works. But if i store the encrypted token in heroku and decrypt it (and yes it is correctly decrypted) and give the decrypted token to the login method then it does not work.
I dunno if heroku make some weird stuff or discord.js doesnt support something i dont know...
So, what definitly works is:
You insert the token (client secret) on herokus config vars (settings from your dyno), then you use process.env.BOT_TOKEN and pass it to your Discord.Client().login().
I assume in your case its bot.login(process.env.BOT_TOKEN).
So for me it looks like the value i store in heruko and the value i send to discord must be the same...
You should enter a valid Discord bot token. You can obtain it by going to the Discord Developer Portal, then "Applications", select your bot, then go to "Bot" and click "Copy" under the token (it says click here to reveal).
I also encountered this situation.
I discovered that when using dotenv to read data from a .env file (Run on my computer), the names are not case sensitive. (could be wrong)
For example, TOKEN will be able to be treated as token, meaning when process.env.token can be returned with the value of TOKEN in the .env
file
But when I run on Heroku, what I just said will be gone (process.env.token will not return the value of TOKEN, but the token). Try double-checking that the name matches and correct it.
Like you've said, you logged into your bot with bot.login('TOKEN', () => { console.log; }
but bot.login doesn't support callback functions.
What I mean by this is, instead of the code before, you change it to bot.login('TOKEN').
As JWT tokens are sent over the headers to authenticate uses, a user can just inspect the web call in chrome dev tools and copy paste the token and use it to access the exposed API.
For example, if I am using this token to create a record, a malicious user can use the same token (by using the above mentioned way) to create a new record in Database.
How can I stop this from happening? Is using Token Encryption with public key of server the way to stop this?
Token represents user identity. It is normal, that user can view his own token.
Token is validated on the server. Normally there is is no easy way to fake a token. Use cannot generate a new token on his own.
Communication between browser and server should be done via TLS. Then no third party will be able to see the token.
If your user gives access to his browser to somebody else, then yes, the other person can potentially access the token and used it later on on another computer, it this token is not expired yet. But this is not specific to the token, this is like giving access to your password to smb else.
Several steps can be taken as given below:
You should use https connection instead of http connection. This will encrypt your message which is sent to server or received from server. So if a man in the middle catches your packet, he can't do anything because message is encrypted.
Also add a short time validity for jwt token depending your app behavior.
Add an appropriate key size for your self-signed token validation. AES keys shorter than 128 bits, or RSA keys shorter than 1024 bits for legacy apps.2048 bits encryption now a days popular.
HSM (Hardware Security Module) can be introduce for signing and encryption task while key are not accessible from OS or software level.
You should be digging deep for more here[cheat sheet for jwt token OWASP].
I'm sending my push notifications with an APNs Auth Key ("never expires") which worked well until suddenly I get
403 Forbidden: {"reason":"InvalidProviderToken"}
as a response when sending push notifications. What could be the reason for this when it worked once and suddenly it doesn't without having an expiration date? In the meantime it worked again for some pushes, but now I get the error again... Did anyone else experience this?
EDIT
Not sure but it seems as if this only happens on the Ubuntu server, not on my local (OS X) machine...
we have exactly the same problem when sending pushes to different team ids using the same connection. The steps to reproduce are:
Open a connection to APNS and use the same connection to:
Send a token based push to topic com.companyA.xxx of team id 1234: APNS accepts and delivers the push successfully.
Send a token based push to topic io.companyB.xxx of team id 5678: APNS responds HTTP 400 BadRequest The device token does not match the specified topic
Send again a token based push to topic io.companyB.xxx of team id 5678: APNS responds HTTP 403 Forbidden: the provider token is not valid or the token signature could not be verified.
After this it becomes impossible to send any push and the connection has to be closed and reopened.
The workaround we ended up doing is to open one connection per team id. The APNS documentation does not mention anything like that so I do consider this as a bug and I opened a bug report.
I've seen this in a couple of circumstances:
Resubmitting expired provider tokens seems to get the token blacklisted and results in subsequent InvalidProviderToken rejections rather than ExpiredProviderToken rejections. Check you logs for token expiry messages. Check your system clock to make sure that you're not generating tokens with skewed timestamps.
Submitting to invalid topics will invalidate all provider tokens on the connection (even previously valid ones). Only submit to topics that the key is bound to and only use one key per connection.
For me, there was an issue with bad configuration. I was using the wrong Team ID. Please make sure that all configuration is correct before you look into any other solutions.
The server does respond with an InvalidToken and/or an ExpiredToken error. Your authentication token shouldn't contain any '=', '+', '-', Double check if your token hasn't this any of those. Also the signature (3rd part of the token, should be Base64URL encoded, so without the previous mentioned characters).
for me the server time was invalid, fixing the server time solved the issue
I asked Apple to change my account from a personal account, to a business account. My push notification certificate still said everything was fine, but the notifications weren't working, and I was getting the response Invalid Token. Once I revoked the certificate and issued a new one (in apple connect), everything worked fine.
I wasted so much time trying to figure out why the push notifications weren't working. Hopefully this will save someone else some time!
I had been using the Name of the key instead of the Key ID. Verifying on https://developer.apple.com/account/resources/authkeys/review/ showed the correct value.
My case is with the json pretty print format. Unlike musickit which can accept jwt pretty print format, the APNs only accept the raw format.
In details:
My message was:
{
"alg": "ES256",
"kid": "SOMEKEYID"
}
{
"iss": "SOMETEAM",
"iat": 1581110460
}
I verified the result jwt via jwt.io, however the APNs keeps telling me InvalidProviderToken. I have tried everything above. No use.
Finally I changed the message to:
{"alg":"ES256","kid":"SOMEKEYID"}
{"iss":"SOMETEAM","iat":1581128155}
then it pass with no error.
Turns out APNs do not accept json pretty format!
Apple's APN documentation says:
APNs supports only provider authentication tokens that are signed with
the ES256 algorithm. Unsecured JWTs [JSON Web Tokens], or JWTs signed
with other algorithms, are rejected, and your provider server receives
the InvalidProviderToken (403) response.
So, it appears that the problem is not with your auth kiey; it's actually an issue with the web token that was generated from your key.