feat(push): owner-only subscribe/unsubscribe endpoints + VAPID config (T10)

POST/DELETE /api/subscriptions gated to the configured owner; runtime
config carries the public VAPID key, owner email and the signing secret.
This commit is contained in:
Julien Calixte
2026-05-28 01:20:20 +02:00
parent 5016c5cd47
commit ea7384591c
4 changed files with 74 additions and 4 deletions

View File

@@ -17,7 +17,13 @@ NUXT_OAUTH_GOOGLE_CLIENT_ID=
NUXT_OAUTH_GOOGLE_CLIENT_SECRET=
NUXT_OAUTH_GOOGLE_REDIRECT_URL=
# Web Push / VAPID (Task 10)
VAPID_PUBLIC_KEY=
VAPID_PRIVATE_KEY=
VAPID_SUBJECT=mailto:example@theodo.com
# Web Push / VAPID (Task 10) — Nuxt binds these to runtimeConfig at runtime.
# Generate the key pair with `pnpm vapid:keys`. The public key is sent to the
# browser; the private key signs pushes server-side (T11) and must stay secret.
NUXT_PUBLIC_VAPID_PUBLIC_KEY=
NUXT_VAPID_PRIVATE_KEY=
NUXT_VAPID_SUBJECT=mailto:example@theodo.com
# Push notifications go to this single owner only (G3). Not secret — also gates
# the client-side "Enable notifications" button.
NUXT_PUBLIC_OWNER_EMAIL=