FOSS Warn with Self-Hosted ntfy

FOSS Warn is an open source app for Android (and Linux) that doesn’t rely on Google Play services to notify you about emergency alerts sent out to the population by authorities. I primarily use it as a replacement for the German NINA app.

Since version 1.0, FOSS Warn relies on UnifiedPush (UP) providers to handle push notifications. UnifiedPush is a relatively niche standard in the FOSS community for push notifications not handled by Google or Apple relays. I happen to host my own ntfy instance already to handle Prometheus alerts.

When FOSS Warn updated to version 1.0, I couldn’t get notifications to work. It would always fail with a somewhat cryptic error in the “Notification Self Check” flow at the “Test subscription and notifications” stage that my UP provider was not available to use. The exact error was:

Something went wrong. Can not subscribe. Please try again later. The server responded with RegisterAreaError: Your push service is invalid or not reachable. Please check your push notification server.

Turns out, I had my ntfy instance configured with authentication, and had this in my configuration:

auth-default-access: "deny-all"

As such, no anonymous access to my ntfy instance is possible, which hopefully prevents abuse. But it appears that there is no way in FOSS Warn to pass authentication information to the public alert server that registers with the UnifiedPush service (my ntfy instance, in that case).

How to Fix

The solution was to make the specific topic used by FOSS Warn available without authentication. Thankfully, this self-check page (and the “Troubleshoot notifications” menu entry) prints the full ntfy endpoint, which includes the topic. The format displayed looks something like https://<ntfy endpoint>/<ntfy topic>?up=1.

The topic is a random string and as such already kind of secret information that besides your FOSS Warn app and the alerts server, no one should be aware of to abuse.

Use the topic to set up unauthenticated access via an access control list (ACL). This can be done via configuration file or ad-hoc via the CLI. I haven’t migrated my instance to declarative configuration files for ACLs yet, so I ran:

ntfy access '*' <topic> rw

After doing this, FOSS Warn started working after another self-check and I was able to register places to receive notifications for.