starred/ntfy
1
0
Fork 0
mirror of https://github.com/binwiederhier/ntfy.git synced 2026-05-09 08:26:00 +02:00
Code Issues 368 Projects Packages Wiki Activity

[GH-ISSUE #550] New action: message #416

New issue
Open
opened 2026-05-07 00:23:57 +02:00 by BreizhHardware · 7 comments
BreizhHardware commented 2026-05-07 00:23:57 +02:00
Owner
Copy link

Originally created by @doits on GitHub (Dec 17, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/550

It would be nice to have action buttons that simply send a message back when pressed, for example:

ntfy publish \
    --actions '[
        {
            "action": "message",
            "label": "Turn down",
            "message": "Yes, turn down the A/C",
            "priority": 4
        }
    ]' \
    myhome \
    "You left the house. Turn down the A/C?"

When clicked, the message Yes, turn down the A/C (key: message) is sent to the topic with priority 4 (key: priority) by the client.

This could be used by other subscribers of the topic to:

  • do something (something subscribed to the topic and listening for specific messages, e.g. a server waiting for commands to do some home automation)
  • as a fast response to an incoming message (e.g. if the notification is a alert multiple people receive, one person could notify the others that they will take care of it)

What do you think about the idea?

Originally created by @doits on GitHub (Dec 17, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/550 It would be nice to have action buttons that simply send a message back when pressed, for example: ```bash ntfy publish \ --actions '[ { "action": "message", "label": "Turn down", "message": "Yes, turn down the A/C", "priority": 4 } ]' \ myhome \ "You left the house. Turn down the A/C?" ``` When clicked, the message `Yes, turn down the A/C` (key: `message`) is sent to the topic with priority `4` (key: `priority`) by the client. This could be used by other subscribers of the topic to: - do something (something subscribed to the topic and listening for specific messages, e.g. a server waiting for commands to do some home automation) - as a fast response to an incoming message (e.g. if the notification is a alert multiple people receive, one person could notify the others that they will take care of it) What do you think about the idea?
BreizhHardware commented 2026-05-07 00:23:57 +02:00
Author
Owner
Copy link

@wunter8 commented on GitHub (Jan 17, 2023):

You can send messages to ntfy topics using the existing HTTP action, but creating a shorthand action to do this might be nice.

ntfy publish \
    --actions '[
        {
            "action": "http",
            "label": "Turn down",
            "url": "https://ntfy.sh",
            "method": "POST",
            "body": "{
                \"topic\": \"myhome",
                \"message\": \"Yes, turn down the A/C\",
                \"priority\": 4
            }"
        }
    ]' \
    myhome \
    "You left the house. Turn down the A/C?"

(I didn't test the above command specifically, but I've done it in the past and this is the idea)

<!-- gh-comment-id:1385655782 --> @wunter8 commented on GitHub (Jan 17, 2023): You can send messages to ntfy topics using the existing HTTP action, but creating a shorthand action to do this might be nice. ``` ntfy publish \ --actions '[ { "action": "http", "label": "Turn down", "url": "https://ntfy.sh", "method": "POST", "body": "{ \"topic\": \"myhome", \"message\": \"Yes, turn down the A/C\", \"priority\": 4 }" } ]' \ myhome \ "You left the house. Turn down the A/C?" ``` (I didn't test the above command specifically, but I've done it in the past and this is the idea)
BreizhHardware commented 2026-05-07 00:23:58 +02:00
Author
Owner
Copy link

@doits commented on GitHub (Jan 29, 2023):

Ah right good idea that you can simply do it like this. Couldn't test it yet, maybe you know if this works with credentials? E.g. if the topic can only be accessed/posted to with authentication, will it use the same credentials the topic is subscribed with?

<!-- gh-comment-id:1407676494 --> @doits commented on GitHub (Jan 29, 2023): Ah right good idea that you can simply do it like this. Couldn't test it yet, maybe you know if this works with credentials? E.g. if the topic can only be accessed/posted to with authentication, will it use the same credentials the topic is subscribed with?
BreizhHardware commented 2026-05-07 00:23:58 +02:00
Author
Owner
Copy link

@wunter8 commented on GitHub (Jan 29, 2023):

I'm pretty sure it won't use the same credentials the topic is subscribed with. You could test it out and see. If I'm right and it doesn't include the authentication automatically, you can just add an Authorization header into the HTTP action: https://docs.ntfy.sh/publish/#send-http-request

<!-- gh-comment-id:1407683756 --> @wunter8 commented on GitHub (Jan 29, 2023): I'm pretty sure it won't use the same credentials the topic is subscribed with. You could test it out and see. If I'm right and it doesn't include the authentication automatically, you can just add an `Authorization` header into the HTTP action: https://docs.ntfy.sh/publish/#send-http-request
BreizhHardware commented 2026-05-07 00:23:58 +02:00
Author
Owner
Copy link

@doits commented on GitHub (Jan 29, 2023):

you can just add an Authorization header into the HTTP action

Yeah, I thought about this, too, though this would give write access to everybody receiving the message (might be OK, depending on the scenario), BUT if the authorization header could be extracted from the message (probably not with the default ntfy client, but in theory since it is sent to the client) it could be used to write arbitrary things to the topic, even at a later time when the user is removed from that topic (unless the shared credentials are rotated ...).

So I feel this is not the best way to implement this scenario securely (in fact every scenario where a long lived, shared authorization header is sent, because it could be misused for other things or at a later time where maybe a user should not have access anymore).

I'll test a little bit and see what I can come up with for my scenario.

<!-- gh-comment-id:1407703368 --> @doits commented on GitHub (Jan 29, 2023): > you can just add an Authorization header into the HTTP action Yeah, I thought about this, too, though this would give write access to everybody receiving the message (might be OK, depending on the scenario), BUT if the authorization header could be extracted from the message (probably not with the default ntfy client, but in theory since it is sent to the client) it could be used to write arbitrary things to the topic, even at a later time when the user is removed from that topic (unless the shared credentials are rotated ...). So I feel this is not the best way to implement this scenario *securely* (in fact every scenario where a long lived, shared authorization header is sent, because it could be misused for other things or at a later time where maybe a user should not have access anymore). I'll test a little bit and see what I can come up with for my scenario.
BreizhHardware commented 2026-05-07 00:23:58 +02:00
Author
Owner
Copy link

@wunter8 commented on GitHub (Jan 29, 2023):

Automatically sending a client's authentication to every HTTP action wouldn't be great either because you'd be leaking creds. But the client could probably be updated to check if the URL of the HTTP action is one that has saved credentials already, then send the HTTP request using the saved credentials. That doesn't sound too bad to me.

<!-- gh-comment-id:1407706672 --> @wunter8 commented on GitHub (Jan 29, 2023): Automatically sending a client's authentication to every HTTP action wouldn't be great either because you'd be leaking creds. But the client could probably be updated to check if the URL of the HTTP action is one that has saved credentials already, then send the HTTP request using the saved credentials. That doesn't sound too bad to me.
BreizhHardware commented 2026-05-07 00:23:58 +02:00
Author
Owner
Copy link

@wunter8 commented on GitHub (Jan 29, 2023):

binwiederhier is also working on revokable access tokens right now. So you could send a short lived (they can be created with an expiration date/time) access token as a header in the HTTP action instead of a specific user:pass combination

<!-- gh-comment-id:1407707262 --> @wunter8 commented on GitHub (Jan 29, 2023): binwiederhier is also working on revokable access tokens right now. So you could send a short lived (they can be created with an expiration date/time) access token as a header in the HTTP action instead of a specific user:pass combination
BreizhHardware commented 2026-05-07 00:23:58 +02:00
Author
Owner
Copy link

@doits commented on GitHub (Jan 29, 2023):

Automatically sending a client's authentication to every HTTP action wouldn't be great either because you'd be leaking creds

Yeah, of course, it should be sent only if sending a message to the topic where on actually is subscribed to with some credentials (not in general for a REST message, that was never the idea). That would be possible with a separate action (which this issue is about in the first place).

But the client could probably be updated to check if the URL of the HTTP action is one that has saved credentials already, then send the HTTP request using the saved credentials. That doesn't sound too bad to me.

👍 that would solve it.

binwiederhier is also working on revokable access tokens right now. So you could send a short lived (they can be created with an expiration date/time) access token as a header in the HTTP action instead of a specific user:pass combination

This would solve it, too. So let's see where this goes.

<!-- gh-comment-id:1407708781 --> @doits commented on GitHub (Jan 29, 2023): > Automatically sending a client's authentication to every HTTP action wouldn't be great either because you'd be leaking creds Yeah, of course, it should be sent only if sending a message to the topic where on actually is subscribed to with some credentials (not in general for a REST message, that was never the idea). That would be possible with a separate action (which this issue is about in the first place). > But the client could probably be updated to check if the URL of the HTTP action is one that has saved credentials already, then send the HTTP request using the saved credentials. That doesn't sound too bad to me. :+1: that would solve it. > binwiederhier is also working on revokable access tokens right now. So you could send a short lived (they can be created with an expiration date/time) access token as a header in the HTTP action instead of a specific user:pass combination This would solve it, too. So let's see where this goes.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/npm_and_yarn/web/fast-uri-3.1.2
email-verification
attachment-no-http2
attachment-fixes
attachment-s3
config-generator
postgres-replica
dockers-v2
postgres-support
postgres-webpush+user+message
postgres-webpush+user
postgres-webpush
1364-copy-action
crashfix
user-header
scalar-api-docs
cancel-scheduled
update-available
windows-server
303-update-notifications
postgres
admin-ui
require-login
http-clipboard
message-cache-lock
debian-stripe
predefined-users
busy-timeout
template-dir
ipv6
client-ip-header
apns-fix
feat_optional_require_login
security-updates
pg-message-cache
templating-disallow
templating-3
templating-2
message-size-limit+delay-limit
remove-rate-topics
html-emails
cf-priority
acl-underscores
auth-user-header
markdown
img-attach
web-improvements
utf8-headers
matrix-507-reject
http-response-writer
new-homepage-design
e2e
canary
windows
electron
update-messages
webhook-templating
v2.22.0
v2.21.0
v2.20.1
v2.20.0
v2.19.2
v2.19.1
v2.19.0
v2.18.0
v2.17.0
v2.16.0
v2.15.0
v2.14.0
v2.13.0
v2.12.0
v2.11.0
v2.10.0
v2.9.0
v2.8.0
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v1.31.0
v1.30.1
v1.29.1
v1.29.0
v1.28.0
v1.27.2
v1.27.1
v1.26.0
v1.25.2
v1.25.1
v1.25.0
v1.24.0
v1.23.0
v1.22.0
v1.21.2
v1.21.1
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.1
v1.17.0
v1.16.0
v1.15.0
v1.14.1
v1.14.0
v1.13.0
v1.12.1
v1.12.0
v1.11.1
v1.11.2
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.1
v1.6.0
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.2
v1.3.3
v1.3.1
v1.3.0
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.0
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
ai-generated

   
android-app

   
android-app

   
android-app

   
🪲 bug

   
build

   
build

   
dependencies

   
docs

   
enhancement

   
enhancement

   
🔥 HOT

   
in-progress 🏃

   
ios

   
prio:low

   
prio:low

   
pull-request
Mirrored from GitHub Pull Request

  
question

   
🔒 security

   
server

   
server

   
unified-push

   
web-app

   
website
No labels
ai-generated
android-app
android-app
android-app
🪲 bug
build
build
dependencies
docs
enhancement
enhancement
🔥 HOT
in-progress 🏃
ios
prio:low
prio:low
pull-request
question
🔒 security
server
server
unified-push
web-app
website
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/ntfy#416
No description provided.