A Node.js interface to the Microsoft Push Notification Service (MPNS) for Windows Phone.
A Node.js module for sending toast and live tile updates to Windows Phones through the Microsoft Push Notification Service (MPNS), used by apps such as 4th & Mayor and services such as Azure Mobile Services.
Via npm:
$ npm install mpns
As a submodule of your Git project
$ git submodule add http://github.com/jeffwilcox/mpns.git mpns
$ git submodule update --init
[1.2, 2.0)
[1.1, 2.0)
[0.0, 2.0)
For the best cloud development experience, make sure to store the user's OS version whenever communicating information about the push channel.
Now that the developer preview is out for Windows Phone 8.1, the universal apps story shows strong convergence between Windows platforms.
As a result of this, new applications should use the Windows Notification Service (WNS). Existing applications that move to 8.1 as a base or port to Universal Apps should use WNS as well.
I highly recommend the tjanczuk/wns module for this, although it has not yet been updated for the latest 8.1 tile templates, FYI.
var mpns = require('mpns');
To send a toast, simply call the sendToast method on mpns.
var mpns = require('mpns');
mpns.sendToast(pushUri, 'Bold Text', 'This is normal text');
// Optional callback
mpns.sendToast(pushUri, text1, text2, callback);
Each of the methods that send tile and toast notifications has two alternative parameter signatures:
send*(pushUri, [options], [callback])
send*(pushUri, string1, string2, ..., [callback])
The ordering of the parameters in the non-object calling method assumes ordering as documented in the toast or tile-specific sections below.
For toasts, the properties and their ordering are:
text1: the text of the toast; this first text will appear bold on the phone
text2: additional toast text, which appears in the normal font. It does not wrap.
param: optional URI parameter within your application specifying the XAML page to open within the app, along with any query string parameters for the page's context
To send a tile update, call the sendTile method on mpns.
It is recommended that you use the options syntax for this call as it is possible for the live tile update to include just one component in the update, say the tile count, and not update other properties. To clear the value of a property, simply pass null as the value.
The option names, which also give the parameter ordering, are:
backgroundImage: URI to the background image for the tile. Beware that the URI may be restricted to the whitelisted domain names that you provided in your application.
count: the number to appear in the tile
title: the title of the tile
backBackgroundImage: URI to the image to be on the flip side of the tile
backTitle: optional title for the back tile
backContent: optional content for the back tile (appears in a larger font size)
id: optional ID for a secondary tile
Some devices support an enhanced tile format called a "flip tile", which supports some additional parameters. This kind of tile can be sent using the sendFlipTile method, which supports all of the above parameters as well as:
smallBackgroundImage: URI to the background image for the tile when it is shrunk to small size
wideBackgroundImage: URI to the background image for the tile when it is expanded to wide size
wideBackContent: content for the back tile (appears in a larger font size) when the tile is expanded to wide size
wideBackBackgroundImage: URI to the image to be on the flip side of the tile when the tile is expanded to wide size
Another format is called "iconic tile". This can be sent using the sendIconicTile method with the following parameters:
backgroundColor: hexadecimal color code in format ARGB
count: the number that appears on the right of an icon
title: the title of the tile
iconImage: URI of the normal icon
smallIconImage: URI of the icon for small tile
wideContent1: top line of text shown in a wide tile
wideContent2: second line of text
wideContent3: third line of text
When creating the notification object, either provide the raw payload first, or as the options.payload property.
var raw = new mpns.rawNotification('My Raw Payload', options);
Today the type on the request is set to UTF8 explicitly.
You may use authenticated channels for the push notifications. Further information can be found here: http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff941099(v=vs.105).aspx
Authenticated push channels can be difficult to set up. Note that the WNS path forward from MPNS for Windows Phone 8.1 and newer apps does not require certificates and is a much cleaner way to go if you're building a new app today.
Authenticated channels require a TLS client certificate for client authentication against the MPNS server. The TLS certificate is registered in your Microsoft Phone Development Dashboard. The CN of the certificate is used in the app as the Service Name in the HttpNotificationChannel constructor.
To use authentication you must provide the client certificate (including the private key) in the options of the send* functions. The client certificate is used when the pushURI is an https URI.
The following options from tls.connect() can be specified:
pfx: Certificate, private key and CA certificates to use for SSL. Default null.
key: Private key to use for SSL. Default null.
passphrase: A string of passphrase for the private key or pfx. Default null.
cert: Public x509 certificate to use. Default null.
ca: An authority certificate or array of authority certificates to check the remote host against.
ciphers: A string describing the ciphers to use or exclude.
rejectUnauthorized: If true, the server certificate is verified against the list of supplied CAs. An 'error' event is emitted if verification fails. Verification happens at the connection level, before the HTTP request is sent. Default true.
var fs = require('fs');
var options = {
    // toast fields
    text1: 'Hello!',
    text2: 'Great to see you today.',
    // client certificate and private key for the authenticated channel
    cert: fs.readFileSync('mycert.pem'),
    key: fs.readFileSync('mycertkey.pem')
};
mpns.sendToast(httpspushUri, options, callback);
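A pre-send check for the authenticated-channel options described above, plus a redacted copy for logging, as an added example that is not part of the mpns module. The helper names `checkAuthenticatedSend` and `redactForLog` and the sample URI and key bytes are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not part of the mpns module.

// Returns a list of problems with a send* call meant for an authenticated channel.
function checkAuthenticatedSend(pushUri, options) {
  const problems = [];
  let scheme = null;
  try {
    scheme = new URL(pushUri).protocol;
  } catch (e) {
    problems.push('pushUri is not a valid URI');
  }
  // The page states the client certificate is only used for https push URIs.
  if (scheme !== null && scheme !== 'https:') {
    problems.push('pushUri is not https, so the client certificate is not used');
  }
  const hasPfx = options.pfx != null;
  const hasPair = options.cert != null && options.key != null;
  if (!hasPfx && !hasPair) {
    problems.push('missing client credentials: supply pfx, or both cert and key');
  }
  // Default is true; an explicit false turns off server certificate verification.
  if (options.rejectUnauthorized === false) {
    problems.push('rejectUnauthorized is false: MPNS server certificate is not verified');
  }
  return problems;
}

// Copy of the options with private material replaced, for history logs.
const SECRET_OPTIONS = ['pfx', 'key', 'passphrase'];
function redactForLog(options) {
  const copy = {};
  for (const name of Object.keys(options)) {
    copy[name] = SECRET_OPTIONS.includes(name) ? '[redacted]' : options[name];
  }
  return copy;
}

// Constructed sample values (not real channel URIs or key material).
const sampleOptions = {
  text1: 'Hello!',
  text2: 'Great to see you today.',
  cert: Buffer.from('constructed certificate bytes'),
  key: Buffer.from('constructed private key bytes'),
  rejectUnauthorized: false
};
console.log(checkAuthenticatedSend('http://push.example.invalid/channel/1', sampleOptions));
console.log(redactForLog(sampleOptions));
```

Because the private key and passphrase travel in the same options object as the toast text, log the redacted copy rather than the object passed to send*.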
If the options passed into a tile or push call include a proxy value, the proxy server information will be used. The string value should be the URI to the proxy, including host, for example: { proxy: 'http://yourproxy:8080' }.
A results object is passed back through the callback and has important information from MPNS.
deviceConnectionStatus: The device status as reported by the service.
notificationStatus: The status of your provided notification.
subscriptionStatus: The status of the subscription URI.
The object will also contain all the key fields for your toast or live tile update, plus the pushType. This makes it easy to store this information in a history log somewhere in the ether.
It is very important as a consumer that you store appropriate actionable data about failed push notification attempts. As a result, the callback's first parameter (err) is set to the standard results object as well as a few additional fields depending on the returned status code from the server.
Remember to take action on that information in order to be a good MPNS citizen. These values may be set in the error object and of interest to you:
minutesToDelay: If this is present, it is the suggested minimum amount of time that you should wait until making another request to the same subscription URI. For HTTP 412s, for example, the minimum time is one hour and so the returned value defaults to 61.
shouldDeleteChannel: If this is set to true, the channel is gone according to MPNS. Delete it from your channel/subscription database and never look back.
innerError: If an error is captured while trying to make the HTTP request, this will be set to that error callback instance.
NPM module written and maintained by Jeff Wilcox with contributions from:
MIT
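Acting on the error fields described above (minutesToDelay, shouldDeleteChannel, innerError), as an added example that is not part of the mpns module. The `channels` Map, the function names and the sample URIs are hypothetical; `send` stands for any send* function with the (pushUri, options, callback) signature, stubbed here so the example runs offline.

```javascript
// Added example: hypothetical channel bookkeeping, not part of the mpns module.
// `channels` maps a subscription URI to { notBefore: epoch milliseconds }.

function recordPushOutcome(channels, pushUri, err, nowMs) {
  if (!err) {
    channels.set(pushUri, { notBefore: 0 });
    return 'delivered';
  }
  // Channel is gone according to MPNS: drop it and stop sending to it.
  if (err.shouldDeleteChannel === true) {
    channels.delete(pushUri);
    return 'deleted';
  }
  // Honour the suggested minimum wait before the next request to this URI.
  if (typeof err.minutesToDelay === 'number' && err.minutesToDelay > 0) {
    channels.set(pushUri, { notBefore: nowMs + err.minutesToDelay * 60000 });
    return 'delayed';
  }
  // The HTTP request itself failed; nothing was learned about the channel.
  if (err.innerError) {
    return 'transport-error';
  }
  return 'failed';
}

function maySend(channels, pushUri, nowMs) {
  const entry = channels.get(pushUri);
  return entry !== undefined && nowMs >= entry.notBefore;
}

// Wraps a send* call so deleted or delayed channels are never contacted.
function sendRespectingDelay(send, channels, pushUri, options, nowMs, done) {
  if (!maySend(channels, pushUri, nowMs)) {
    return done(null, 'skipped');
  }
  send(pushUri, options, function (err) {
    done(null, recordPushOutcome(channels, pushUri, err, nowMs));
  });
}

// Constructed demo: a stub send that fails with a 61-minute delay.
const demoChannels = new Map([['https://push.example.invalid/c/1', { notBefore: 0 }]]);
const stubSend = (uri, opts, cb) => cb({ minutesToDelay: 61 });
sendRespectingDelay(stubSend, demoChannels, 'https://push.example.invalid/c/1',
  { text1: 'Hello!' }, Date.now(), (e, outcome) => console.log(outcome));
```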
FAQs
We found that mpns demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.