Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@walletpass/pass-js
Advanced tools
Apple Wallet Pass generating and pushing updates from Node.js
A Node.js library for generating Apple Wallet passes with localizations, NFC and web service push updates support. Written in Typescript.
Install with NPM
or yarn
:
npm install @walletpass/pass-js --save
yarn add @walletpass/pass-js
To start with, you'll need a certificate issued by the iOS Provisioning Portal. You need one certificate per Pass Type ID.
After adding this certificate to your Keychain, you need to export it as a
.p12
file first, then convert that file into a .pem
file using the passkit-keys
command:
./bin/passkit-keys ./pathToKeysFolder
and copy it into the keys directory.
The Apple Worldwide Developer Relations Certification Authority certificate is not needed anymore since it is already included in this package.
Start with a template. A template has all the common data fields that will be shared between your passes.
const { Template } = require("@walletpass/pass-js");
// Create a Template from local folder, see __test__/resources/passes for examples
// .load will load all fields from pass.json,
// as well as all images and com.example.passbook.pem file as key
// and localization string too
const template = await Template.load(
"./path/to/templateFolder",
"secretKeyPasswod"
);
// or
// create a Template from a Buffer with ZIP content
const s3 = new AWS.S3({ apiVersion: "2006-03-01", region: "us-west-2" });
const s3file = await s3
.getObject({
Bucket: "bucket",
Key: "pass-template.zip"
})
.promise();
const template = await Template.fromBuffer(s3file.Body);
// or create it manually
const template = new Template("coupon", {
passTypeIdentifier: "pass.com.example.passbook",
teamIdentifier: "MXL",
backgroundColor: "red",
sharingProhibited: true
});
await template.images.add("icon", iconPngFileBuffer)
.add("logo", pathToLogoPNGfile)
The first argument is the pass style (coupon
, eventTicket
, etc), and the
second optional argument has any fields you want to set on the template.
You can access template fields directly, or from chained accessor methods, e.g:
template.passTypeIdentifier = "pass.com.example.passbook";
template.teamIdentifier = "MXL";
The following template fields are required:
passTypeIdentifier
- The Apple Pass Type ID, which has the prefix pass.
teamIdentifier
- May contain an IYou can set any available fields either on a template or pass instance, such as: backgroundColor
,
foregroundColor
, labelColor
, logoText
, organizationName
,
suppressStripShine
and webServiceURL
.
In addition, you need to tell the template where to find the key file:
await template.loadCertificate(
"/etc/passbook/certificate_and_key.pem",
"secret"
);
// or set them as strings
template.setCertificate(pemEncodedPassCertificate);
template.setPrivateKey(pemEncodedPrivateKey, optionalKeyPassword);
If you have images that are common to all passes, you may want to specify them once in the template:
// specify a single image with specific density and localization
await pass.images.add("icon", iconFilename, "2x", "ru");
// load all appropriate images in all densities and localizations
await template.images.load("./images");
You can add the image itself or a Buffer
. Image format is enforced to be PNG.
Alternatively, if you have one directory containing the template file pass.json
, the key
com.example.passbook.pem
and all the needed images, you can just use this single command:
const template = await Template.load(
"./path/to/templateFolder",
"secretKeyPasswod"
);
You can use the options parameter of the template factory functions to set the allowHttp
property. This enables you to use a webServiceUrl
in your pass.json
that uses the HTTP protocol instead of HTTPS for development purposes:
const template = await Template.load(
"./path/to/templateFolder",
"secretKeyPasswod",
{
allowHttp: true,
},
);
To create a new pass from a template:
const pass = template.createPass({
serialNumber: "123456",
description: "20% off"
});
Just like the template, you can access pass fields directly, e.g:
pass.serialNumber = "12345";
pass.description = "20% off";
In the JSON specification, structure fields (primary fields, secondary fields, etc) are represented as arrays, but items must have distinct key properties. Le sigh.
To make it easier, you can use methods of standard Map object or add
that
will do the logical thing. For example, to add a primary field:
pass.primaryFields.add({ key: "time", label: "Time", value: "10:00AM" });
To get one or all fields:
const dateField = pass.primaryFields.get("date");
for (const [key, { value }] of pass.primaryFields.entries()) {
// ...
}
To remove one or all fields:
pass.primaryFields.delete("date");
pass.primaryFields.clear();
Adding images to a pass is the same as adding images to a template (see above).
If you have dates in your fields make sure they are in ISO 8601 format with timezone or a Date
instance.
For example:
const { constants } = require('@destinationstransfers/passkit');
pass.primaryFields.add({ key: "updated", label: "Updated at", value: new Date(), dateStyle: constants.dateTimeFormat.SHORT, timeStyle: constants.dateTimeFormat.SHORT });
// there is also a helper setDateTime method
pass.auxiliaryFields.setDateTime(
'serviceDate',
'DATE',
serviceMoment.toDate(),
{
dateStyle: constants.dateTimeFormat.MEDIUM,
timeStyle: constants.dateTimeFormat.NONE,
changeMessage: 'Service date changed to %@.',
},
);
// main fields also accept Date objects
pass.relevantDate = new Date(2020, 1, 1, 10, 0);
template.expirationDate = new Date(2020, 10, 10, 10, 10);
This library fully supports both string localization and/or images localization:
// everything from template
// will load all localized images and strings from folders like ru.lproj/ or fr-CA.lproj/
await template.load(folderPath);
// Strings
pass.localizations
.add("en-GB", {
GATE: "GATE",
DEPART: "DEPART",
ARRIVE: "ARRIVE",
SEAT: "SEAT",
PASSENGER: "PASSENGER",
FLIGHT: "FLIGHT"
})
.add("ru", {
GATE: "ВЫХОД",
DEPART: "ВЫЛЕТ",
ARRIVE: "ПРИЛЁТ",
SEAT: "МЕСТО",
PASSENGER: "ПАССАЖИР",
FLIGHT: "РЕЙС"
});
// Images
await template.images.add(
"logo" | "icon" | etc,
imageFilePathOrBufferWithPNGdata,
"1x" | "2x" | "3x" | undefined,
"ru"
);
Localization applies for all fields' label
and value
. There is a note about that in documentation.
To generate a file:
const buf = await pass.asBuffer();
await fs.writeFile("pathToPass.pass", buf);
You can send the buffer directly to an HTTP server response:
app.use(async (ctx, next) => {
ctx.status = 200;
ctx.type = passkit.constants.PASS_MIME_TYPE;
ctx.body = await pass.asBuffer();
});
If the pass file generates without errors but you aren't able to open your pass on an iPhone, plug the iPhone into a Mac with macOS 10.14+ and open the 'Console' application. On the left, you can select your iPhone. You will then be able to inspect any errors that occur while adding the pass.
This projects started as fork of assaf/node-passbook. Since version 5.0 our module is not API compatible, please see Releases for more information.
new Buffer
, etc)openssl
spawning with native Javascript RSA implementation (via node-forge
)Template.pushUpdates(pushToken)
that sends APN update request for a given pass type to a pushToken (get pushToken
at your PassKit Web Service implementation)This project exists thanks to all the people who contribute. [Contribute].
Become a financial contributor and help us sustain our community. [Contribute]
Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]
FAQs
Apple Wallet Pass generating and pushing updates from Node.js
We found that @walletpass/pass-js demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.