From f4f5edb230d5b25896cf166144a4a221ea4f7ec4 Mon Sep 17 00:00:00 2001 From: lrabane Date: Thu, 17 Feb 2022 19:12:20 +0100 Subject: [PATCH 1/4] Add auth support for subscribing --- cmd/subscribe.go | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/cmd/subscribe.go b/cmd/subscribe.go index b5a56933..739176e8 100644 --- a/cmd/subscribe.go +++ b/cmd/subscribe.go @@ -23,6 +23,7 @@ var cmdSubscribe = &cli.Command{ Flags: []cli.Flag{ &cli.StringFlag{Name: "config", Aliases: []string{"c"}, Usage: "client config file"}, &cli.StringFlag{Name: "since", Aliases: []string{"s"}, Usage: "return events since `SINCE` (Unix timestamp, or all)"}, + &cli.StringFlag{Name: "user", Aliases: []string{"u"}, Usage: "username[:password] used to auth against the server"}, &cli.BoolFlag{Name: "from-config", Aliases: []string{"C"}, Usage: "read subscriptions from config file (service mode)"}, &cli.BoolFlag{Name: "poll", Aliases: []string{"p"}, Usage: "return events and exit, do not listen for new events"}, &cli.BoolFlag{Name: "scheduled", Aliases: []string{"sched", "S"}, Usage: "also return scheduled/delayed events"}, @@ -40,6 +41,7 @@ ntfy subscribe TOPIC ntfy subscribe mytopic # Prints JSON for incoming messages for ntfy.sh/mytopic ntfy sub home.lan/backups # Subscribe to topic on different server ntfy sub --poll home.lan/backups # Just query for latest messages and exit + ntfy sub -u phil:mypass secret # Subscribe with username/password ntfy subscribe TOPIC COMMAND This executes COMMAND for every incoming messages. The message fields are passed to the @@ -81,6 +83,7 @@ func execSubscribe(c *cli.Context) error { } cl := client.New(conf) since := c.String("since") + user := c.String("user") poll := c.Bool("poll") scheduled := c.Bool("scheduled") fromConfig := c.Bool("from-config") 
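Review bot: The usage string of the new `user` flag, `username[:password] used to auth against the server`, does not say what happens when the password is left out, and the help example added in the next hunk (`ntfy sub -u phil:mypass secret`) shows only the inline form. A password given on the command line typically ends up in shell history and is visible in the process list, so the help text should point readers at the prompt path that the later `execSubscribe` hunk implements. I would change the usage to `Usage: "username[:password] used to auth against the server (omit the password to be prompted for it)"` and add an example line such as `ntfy sub -u phil secret  # Prompts for the password`.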
@@ -93,6 +96,23 @@ func execSubscribe(c *cli.Context) error { if since != "" { options = append(options, client.WithSince(since)) } + if user != "" { + var pass string + parts := strings.SplitN(user, ":", 2) + if len(parts) == 2 { + user = parts[0] + pass = parts[1] + } else { + fmt.Fprint(c.App.ErrWriter, "Enter Password: ") + p, err := util.ReadPassword(c.App.Reader) + if err != nil { + return err + } + pass = string(p) + fmt.Fprintf(c.App.ErrWriter, "\r%s\r", strings.Repeat(" ", 20)) + } + options = append(options, client.WithBasicAuth(user, pass)) + } if poll { options = append(options, client.WithPoll()) } From b89c18e83d8d159dbda9dd7d738eae0e694e0cc9 Mon Sep 17 00:00:00 2001 From: lrabane Date: Thu, 17 Feb 2022 19:16:01 +0100 Subject: [PATCH 2/4] Add support for auth in client config --- client/client.yml | 4 ++++ client/config.go | 8 +++++--- client/config_test.go | 8 ++++++-- cmd/subscribe.go | 3 +++ 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/client/client.yml b/client/client.yml index 9f62990a..56733a14 100644 --- a/client/client.yml +++ b/client/client.yml @@ -16,6 +16,10 @@ # command: 'echo "$message"' # if: # priority: high,urgent +# - topic: secret +# command: 'notify-send "$m"' +# user: phill +# password: mypass # # Variables: # Variable Aliases Description diff --git a/client/config.go b/client/config.go index c44fac6c..0866cd1b 100644 --- a/client/config.go +++ b/client/config.go @@ -14,9 +14,11 @@ const ( type Config struct { DefaultHost string `yaml:"default-host"` Subscribe []struct { - Topic string `yaml:"topic"` - Command string `yaml:"command"` - If map[string]string `yaml:"if"` + Topic string `yaml:"topic"` + User string `yaml:"user"` + Password string `yaml:"password"` + Command string `yaml:"command"` + If map[string]string `yaml:"if"` } `yaml:"subscribe"` } diff --git a/client/config_test.go b/client/config_test.go index 8d322111..d601cdb4 100644 --- a/client/config_test.go +++ b/client/config_test.go 
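Review bot: The split in the added `if user != ""` block accepts `-u :mypass` and `-u phil:` as they are, so an empty username or an empty password goes straight to `client.WithBasicAuth` with no prompt and no error. If the empty-password form is meant to follow the curl convention, a comment such as `// "user:" means an explicit empty password; only a bare "user" prompts` would make that clear. The empty username should probably be rejected with `if user == "" { return errors.New("username must not be empty") }` placed after the split (this assumes `errors` is already imported, which the hunk does not show). The prompt reads from `c.App.Reader` whenever the password part is missing, so a non-interactive invocation would presumably wait for input, which is worth a line in the flag help. `execSubscribe` begins and ends outside this hunk.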
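Review bot: The new `User` and `Password` fields in the `Subscribe` entries of `Config` carry no comment, and `Password` puts a cleartext secret into client.yml. I would add a comment above the two fields, `// User and Password are sent as HTTP Basic Auth credentials for this topic; the password is stored in cleartext, so client.yml should be readable by its owner only`, and repeat the permission hint next to the `# password: mypass` example in the client.yml hunk of this commit. Whether `Config` is ever printed or logged is not visible here; if it is, the password would appear in that output. The client.yml example also spells the user `phill` where the rest of the series uses `phil`.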
@@ -13,7 +13,9 @@ func TestConfig_Load(t *testing.T) { require.Nil(t, os.WriteFile(filename, []byte(` default-host: http://localhost subscribe: - - topic: no-command + - topic: no-command-with-auth + user: phil + password: mypass - topic: echo-this command: 'echo "Message received: $message"' - topic: alerts @@ -26,8 +28,10 @@ subscribe: require.Nil(t, err) require.Equal(t, "http://localhost", conf.DefaultHost) require.Equal(t, 3, len(conf.Subscribe)) - require.Equal(t, "no-command", conf.Subscribe[0].Topic) + require.Equal(t, "no-command-with-auth", conf.Subscribe[0].Topic) require.Equal(t, "", conf.Subscribe[0].Command) + require.Equal(t, "phil", conf.Subscribe[0].User) + require.Equal(t, "mypass", conf.Subscribe[0].Password) require.Equal(t, "echo-this", conf.Subscribe[1].Topic) require.Equal(t, `echo "Message received: $message"`, conf.Subscribe[1].Command) require.Equal(t, "alerts", conf.Subscribe[2].Topic) diff --git a/cmd/subscribe.go b/cmd/subscribe.go index 739176e8..9000a163 100644 --- a/cmd/subscribe.go +++ b/cmd/subscribe.go @@ -162,6 +162,9 @@ func doSubscribe(c *cli.Context, cl *client.Client, conf *client.Config, topic, for filter, value := range s.If { topicOptions = append(topicOptions, client.WithFilter(filter, value)) } + if s.User != "" && s.Password != "" { + topicOptions = append(topicOptions, client.WithBasicAuth(s.User, s.Password)) + } subscriptionID := cl.Subscribe(s.Topic, topicOptions...) commands[subscriptionID] = s.Command } From 7e1a71b6949b292a9d9c341281f359a2f969c2b7 Mon Sep 17 00:00:00 2001 From: lrabane Date: Thu, 17 Feb 2022 20:26:04 +0100 Subject: [PATCH 3/4] Add docs for auth support with CLI --- docs/subscribe/cli.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/subscribe/cli.md b/docs/subscribe/cli.md index 2d3f83b4..52e005c0 100644 --- a/docs/subscribe/cli.md +++ b/docs/subscribe/cli.md 
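Review bot: The added condition `if s.User != "" && s.Password != ""` in `doSubscribe` drops the credentials without any message when a config entry sets `user` but leaves `password` empty, or the reverse. The subscription is then attempted without authentication and presumably fails only as a denial from the server. A partial pair should be reported before the existing check, for example `if (s.User == "") != (s.Password == "") { fmt.Fprintf(c.App.ErrWriter, "subscription %s: user and password must be set together\n", s.Topic) }`, or returned as an error if the function can return one here; its signature is cut off in the hunk header. The config_test.go hunks in this commit cover only the case where both values are set, so a test for the partial case would fit there. The body of `doSubscribe` continues outside this hunk.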
@@ -196,3 +196,27 @@ EOF sudo systemctl daemon-reload sudo systemctl restart ntfy-client ``` + + +### Authentication +Depending on whether the server is configured to support [access control](../config.md#access-control), some topics +may be read/write protected so that only users with the correct credentials can subscribe or publish to them. +To publish/subscribe to protected topics, you can use [Basic Auth](https://en.wikipedia.org/wiki/Basic_access_authentication) +with a valid username/password. For your self-hosted server, **be sure to use HTTPS to avoid eavesdropping** and exposing +your password. + +You can either add your username and password to the configuration file: +=== "~/.config/ntfy/client.yml" + ```yaml + - topic: secret + command: 'notify-send "$m"' + user: phill + password: mypass + ``` + +Or with the `ntfy subscibe` command: +``` +ntfy subscribe \ + -u phil:mypass \ + ntfy.example.com/mysecrets +``` From 40be2a91531f986f175cd5669cd8e1d48f5d5eeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rogelio=20Dom=C3=ADnguez=20Hern=C3=A1ndez?= Date: Mon, 21 Feb 2022 16:21:42 -0600 Subject: [PATCH 4/4] add watchtower/shoutrrr examples --- docs/examples.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/examples.md b/docs/examples.md index f7c85d70..67aa73ff 100644 --- a/docs/examples.md +++ b/docs/examples.md 
@@ -75,3 +75,21 @@ One of my co-workers uses the following Ansible task to let him know when things method: POST body: "{{ inventory_hostname }} reseeding complete" ``` + +## Watchtower notifications (shoutrrr) +You can use `shoutrrr` generic webhook support to send watchtower notifications to your ntfy topic. + +Example docker-compose.yml: +```yml +services: + watchtower: + image: containrrr/watchtower + environment: + - WATCHTOWER_NOTIFICATIONS=shoutrrr + - WATCHTOWER_NOTIFICATION_URL=generic+https://ntfy.sh/my_watchtower_topic?title=WatchtowerUpdates +``` + +Or, if you only want to send notifications using shoutrrr: +``` +shoutrrr send -u "generic+https://ntfy.sh/my_watchtower_topic?title=WatchtowerUpdates" -m "testMessage" +```