Skip to content

Harden OneSignal notification config #91

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MAJINSI wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Harden OneSignal notification config #91

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3be644f
Harden OneSignal notification config
May 15, 2026
1d3f4b0
Address OneSignal notification review feedback
May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 41 additions & 19 deletions common/models/MobileNotification.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,17 @@
<?php
namespace common\models;

use Yii;
use Yii;


/**
* Send oneSignal notifications
* @author krushn
*/
class MobileNotification {

/**
*
*
* @param string $headings
* @param string $subtitle
* @param string $content
Expand All @@ -26,23 +26,27 @@ class MobileNotification {
*/
public static function notifyCandidate($heading, $data, $filters, $subtitle = '', $content = '')
{
if(!isset(Yii::$app->params['oneSignalCandidateAPPID'])) {
return false;
if (
empty(Yii::$app->params['inCodeception']) &&
(empty(Yii::$app->params['oneSignalCandidateAPPID']) || empty(Yii::$app->params['oneSignalCandidateAPIKey']))
) {
Yii::warning('OneSignal candidate notification skipped because app id or API key is not configured.');
return false;
}
self::sendNotification(
Yii::$app->params['oneSignalCandidateAPPID'],

return self::sendNotification(
Yii::$app->params['oneSignalCandidateAPPID'],
Yii::$app->params['oneSignalCandidateAPIKey'],
$heading,
$data,
$filters,
$subtitle,
$heading,
$data,
$filters,
$subtitle,
$content
);
}

/**
*
*
* @param string $headings
* @param string $subtitle
* @param string $content
Expand All @@ -56,10 +60,15 @@ public static function notifyCandidate($heading, $data, $filters, $subtitle = ''
* ] $filters;
*/
public static function sendNotification($appId, $apiKey, $heading, $data, $filters, $subtitle = '', $content = '')
{
{
if(!empty(Yii::$app->params['inCodeception']))
return true;


if (empty($appId) || empty($apiKey)) {
Yii::warning('OneSignal notification skipped because app id or API key is not configured.');
return false;
}

$fields = [
'app_id' => $appId,
'filters' => $filters,
Expand Down Expand Up @@ -87,14 +96,27 @@ public static function sendNotification($appId, $apiKey, $heading, $data, $filte
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);

curl_exec($ch);
$response = curl_exec($ch);
if ($response === false) {
Yii::warning('OneSignal notification request failed: ' . curl_error($ch));
curl_close($ch);
return false;
}
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($status < 200 || $status >= 300) {
Yii::warning('OneSignal notification request returned HTTP ' . $status . ': ' . $response);
curl_close($ch);
return false;
}
curl_close($ch);

/*print("\n\nJSON received:\n");
print_r($response);
print("\n");*/
return true;
Comment thread
coderabbitai[bot] marked this conversation as resolved.
}
}

Binary file added docs/demo/studenthub-55-onesignal-hardening-demo.mp4
View file
Open in desktop
Binary file not shown.
12 changes: 12 additions & 0 deletions docs/onesignal-env.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# OneSignal environment configuration

Candidate push notifications use OneSignal through `common\models\MobileNotification`.

Set these variables in each runtime environment instead of committing OneSignal values to `params-local.php`:

- `ONESIGNAL_CANDIDATE_APP_ID`
- `ONESIGNAL_CANDIDATE_API_KEY`

If either variable is missing, candidate push notification sending fails closed and logs a warning. The application should still continue handling the request that attempted to enqueue the notification.

The OneSignal API request keeps TLS peer verification enabled. Do not disable `CURLOPT_SSL_VERIFYPEER` for this integration.
4 changes: 2 additions & 2 deletions environments/circle-ci/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'test_candidate_public',
'algolia_fulltimer_index' => 'test_fulltimer_public',
'oneSignalCandidateAPPID' => 'fe766231-6156-4537-8037-84e3fe1be5da',
'oneSignalCandidateAPIKey' => 'YTBkODdlMjctOGQ0Ny00NDgwLTkyMmYtOWQ1NTI5ODlmZjY1',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/dev-server-nginx-debug/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'dev_candidate_public',
'algolia_fulltimer_index' => 'dev_fulltimer_public',
'oneSignalCandidateAPPID' => 'fe766231-6156-4537-8037-84e3fe1be5da',
'oneSignalCandidateAPIKey' => 'YTBkODdlMjctOGQ0Ny00NDgwLTkyMmYtOWQ1NTI5ODlmZjY1',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/dev-server-nginx/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'dev_candidate_public',
'algolia_fulltimer_index' => 'dev_fulltimer_public',
'oneSignalCandidateAPPID' => 'fe766231-6156-4537-8037-84e3fe1be5da',
'oneSignalCandidateAPIKey' => 'YTBkODdlMjctOGQ0Ny00NDgwLTkyMmYtOWQ1NTI5ODlmZjY1',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/dev-server-railway/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'dev_candidate_public',
'algolia_fulltimer_index' => 'dev_fulltimer_public',
'oneSignalCandidateAPPID' => 'fe766231-6156-4537-8037-84e3fe1be5da',
'oneSignalCandidateAPIKey' => 'YTBkODdlMjctOGQ0Ny00NDgwLTkyMmYtOWQ1NTI5ODlmZjY1',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/dev-server/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'dev_candidate_public',
'algolia_fulltimer_index' => 'dev_fulltimer_public',
'oneSignalCandidateAPPID' => 'fe766231-6156-4537-8037-84e3fe1be5da',
'oneSignalCandidateAPIKey' => 'YTBkODdlMjctOGQ0Ny00NDgwLTkyMmYtOWQ1NTI5ODlmZjY1',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/dev/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'dev_candidate_public',
'algolia_fulltimer_index' => 'dev_fulltimer_public',
'oneSignalCandidateAPPID' => 'fe766231-6156-4537-8037-84e3fe1be5da',
'oneSignalCandidateAPIKey' => 'YTBkODdlMjctOGQ0Ny00NDgwLTkyMmYtOWQ1NTI5ODlmZjY1',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/docker/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'krushn_candidate_public',
'algolia_fulltimer_index' => 'krushn_fulltimer_public',
'oneSignalCandidateAPPID' => 'c62352ca-2f6c-44a2-896c-84c2f17db9ac',
'oneSignalCandidateAPIKey' => 'M2E4Mjc4OWMtNGVlZi00OTRiLTkxZTAtOWU2NmM5ZDFiZmM4',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/krushn-nginx/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'krushn_candidate_public',
'algolia_fulltimer_index' => 'krushn_fulltimer_public',
'oneSignalCandidateAPPID' => 'c62352ca-2f6c-44a2-896c-84c2f17db9ac',
'oneSignalCandidateAPIKey' => 'M2E4Mjc4OWMtNGVlZi00OTRiLTkxZTAtOWU2NmM5ZDFiZmM4',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/krushn/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'krushn_candidate_public',
'algolia_fulltimer_index' => 'krushn_fulltimer_public',
'oneSignalCandidateAPPID' => 'c62352ca-2f6c-44a2-896c-84c2f17db9ac',
'oneSignalCandidateAPIKey' => 'M2E4Mjc4OWMtNGVlZi00OTRiLTkxZTAtOWU2NmM5ZDFiZmM4',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance+fake@bawes.net',
'candidateAppUrl' => 'https://student.dev.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.dev.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/prod-nginx/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'prod_candidate_public',
'algolia_fulltimer_index' => 'prod_fulltimer_public',
'oneSignalCandidateAPPID' => '265d4bf5-5333-445d-8fba-08f1c389aa5f',
'oneSignalCandidateAPIKey' => 'ZmY3OWFlMzAtN2VjNS00OWMxLTgwOWQtYjA2MDUyMzQxM2Y5',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance@bawes.net',
'candidateAppUrl' => 'https://student.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/prod-railway/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'prod_candidate_public',
'algolia_fulltimer_index' => 'prod_fulltimer_public',
'oneSignalCandidateAPPID' => '265d4bf5-5333-445d-8fba-08f1c389aa5f',
'oneSignalCandidateAPIKey' => 'ZmY3OWFlMzAtN2VjNS00OWMxLTgwOWQtYjA2MDUyMzQxM2Y5',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance@bawes.net',
'candidateAppUrl' => 'https://student.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.studenthub.co/',
Expand Down
4 changes: 2 additions & 2 deletions environments/prod/common/config/params-local.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
],
'algolia_candidate_index' => 'prod_candidate_public',
'algolia_fulltimer_index' => 'prod_fulltimer_public',
'oneSignalCandidateAPPID' => '265d4bf5-5333-445d-8fba-08f1c389aa5f',
'oneSignalCandidateAPIKey' => 'ZmY3OWFlMzAtN2VjNS00OWMxLTgwOWQtYjA2MDUyMzQxM2Y5',
'oneSignalCandidateAPPID' => getenv('ONESIGNAL_CANDIDATE_APP_ID') ?: '',
'oneSignalCandidateAPIKey' => getenv('ONESIGNAL_CANDIDATE_API_KEY') ?: '',
'finance_transfer' => 'finance@bawes.net',
'candidateAppUrl' => 'https://student.studenthub.co/',
'inspectorAppUrl' => 'https://inspector.studenthub.co/',
Expand Down
29 changes: 29 additions & 0 deletions tests/check-onesignal-env-config.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
#!/usr/bin/env bash
set -euo pipefail

if rg -n "oneSignalCandidate(APPID|APIKey)'\\s*=>\\s*'[A-Za-z0-9-]{20,}'" environments --glob 'params-local.php'; then
echo "OneSignal candidate credentials must come from runtime environment variables." >&2
exit 1
fi

while IFS= read -r params_file; do
rg -n "getenv\\('ONESIGNAL_CANDIDATE_APP_ID'\\)" "$params_file" >/dev/null || {
echo "$params_file must read ONESIGNAL_CANDIDATE_APP_ID from the runtime environment." >&2
exit 1
}
rg -n "getenv\\('ONESIGNAL_CANDIDATE_API_KEY'\\)" "$params_file" >/dev/null || {
echo "$params_file must read ONESIGNAL_CANDIDATE_API_KEY from the runtime environment." >&2
exit 1
}
done < <(find environments -path '*/common/config/params-local.php' -type f | sort)

if rg -n "CURLOPT_SSL_VERIFYPEER,\\s*[Ff][Aa][Ll][Ss][Ee]" common/models/MobileNotification.php; then
echo "OneSignal requests must not disable TLS peer verification." >&2
exit 1
fi

rg -n "CURLOPT_CONNECTTIMEOUT" common/models/MobileNotification.php >/dev/null
rg -n "CURLOPT_TIMEOUT" common/models/MobileNotification.php >/dev/null
rg -n "CURLINFO_HTTP_CODE" common/models/MobileNotification.php >/dev/null

echo "OneSignal notification config uses runtime env vars and keeps TLS verification enabled."