Security News
Crates.io Users Targeted by Phishing Emails
The Rust Security Response WG is warning of phishing emails from rustfoundation.dev targeting crates.io users.
By Sarah Gooding - Sep 12, 2025
a2
HTTP/2 Apple Push Notification Service for Rust using Tokio and async sending.
Requirements
Needs a Tokio executor version 1.0 or later and Rust compiler version 1.60.0 or later.
Features
- Fast asynchronous sending, based on h2 and hyper crates.
- Payload serialization/deserialization with serde.
- Provides a type-safe way of constructing different types of payloads. Custom
data through
Serialize, allowing use of structs or dynamic hashmaps. - Supports
.p12certificate databases to connect using a custom certificate. - Supports
.p8private keys to connect using authentication tokens. - If using authentication tokens, handles signature renewing for Apple's guidelines and caching for maximum performance.
- Cryptography primitives are provided either by openssl or ring.
Examples
The library supports connecting to Apple Push Notification service either using a certificate with a password or a private key with a team id and key id. Both are available from your Apple account and with both it is possible to send push notifications to one application.
To see it used in a real project, take a look to the Echo Server, which is a project by WalletConnect to handle incoming webhooks and converting them to push notifications.
Gotchas
We've been pushing some millions of notifications daily through this library and are quite happy with it. Some things to know, if you're evaluating the library for production use:
-
Do not open new connections for every request. Apple will treat it as Denial of Service attack and block the sending IP address. When using the same
Clientfor multiple requests, theClientkeeps the connection alive if pushing steady traffic through it. -
For one app, one connection is quite enough already for certain kind of loads. With http2 protocol, the events are asynchronous and the pipeline can hold several outgoing requests at the same time. The biggest reason to open several connections is for redundancy, running your sender service on different machines.
-
It seems to be Apple doesn't like when sending tons of notifications with faulty device tokens and it might lead to
ConnectionErrors. Do not send more notifications with tokens that returnUnregistered,BadDeviceTokenorDeviceTokenNotForTopic.
Tests
cargo test
FAQs
Unknown package
We found that a2 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 05 May 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Introducing Custom Pull Request Alert Comment Headers
Socket now lets you customize pull request alert headers, helping security teams share clear guidance right in PRs to speed reviews and reduce back-and-forth.
By André Staltz - Sep 12, 2025
Product
Rust Support Now in Beta
Socket's Rust support is moving to Beta: all users can scan Cargo projects and generate SBOMs, including Cargo.toml-only crates, with Rust-aware supply chain checks.
By Mikola Lysenko, Trevor Norris - Sep 11, 2025