feat(push): owner-only subscribe/unsubscribe endpoints + VAPID config (T10)
POST/DELETE /api/subscriptions gated to the configured owner; runtime config carries the public VAPID key, owner email and the signing secret.
This commit is contained in:
23
server/api/subscriptions.delete.ts
Normal file
23
server/api/subscriptions.delete.ts
Normal file
@@ -0,0 +1,23 @@
|
||||
import { getDb } from '../db/client'
|
||||
import { deleteSubscriptionByEndpoint } from '../db/repositories/pushSubscriptions'
|
||||
import { getReporter } from '../utils/getReporter'
|
||||
import { isOwner } from '../utils/isOwner'
|
||||
|
||||
// Unenrol a device — when the owner turns notifications off, the client sends
|
||||
// the endpoint it is dropping. Owner-only, like enrolment.
|
||||
export default defineEventHandler(async (event) => {
|
||||
const email = await getReporter(event)
|
||||
const ownerEmail = useRuntimeConfig(event).public.ownerEmail
|
||||
if (!isOwner(email, ownerEmail)) {
|
||||
throw createError({ statusCode: 403, statusMessage: 'Notifications are restricted to the owner' })
|
||||
}
|
||||
|
||||
const body = await readBody<{ endpoint?: unknown }>(event)
|
||||
const endpoint = typeof body?.endpoint === 'string' ? body.endpoint : ''
|
||||
if (!endpoint) {
|
||||
throw createError({ statusCode: 400, statusMessage: 'endpoint is required' })
|
||||
}
|
||||
|
||||
const removed = await deleteSubscriptionByEndpoint(getDb(), endpoint)
|
||||
return { removed }
|
||||
})
|
||||
29
server/api/subscriptions.post.ts
Normal file
29
server/api/subscriptions.post.ts
Normal file
@@ -0,0 +1,29 @@
|
||||
import { type } from 'arktype'
|
||||
import { getDb } from '../db/client'
|
||||
import { saveSubscription } from '../db/repositories/pushSubscriptions'
|
||||
import { PushSubscriptionInput } from '../utils/pushSubscriptionInput'
|
||||
import { getReporter } from '../utils/getReporter'
|
||||
import { isOwner } from '../utils/isOwner'
|
||||
|
||||
// Enrol a device for Web Push (F8). Owner-only (G3): the session email must
|
||||
// match the configured owner. The auth middleware already requires a session.
|
||||
export default defineEventHandler(async (event) => {
|
||||
const email = await getReporter(event)
|
||||
const ownerEmail = useRuntimeConfig(event).public.ownerEmail
|
||||
if (!isOwner(email, ownerEmail)) {
|
||||
throw createError({ statusCode: 403, statusMessage: 'Notifications are restricted to the owner' })
|
||||
}
|
||||
|
||||
const input = PushSubscriptionInput(await readBody(event))
|
||||
if (input instanceof type.errors) {
|
||||
throw createError({ statusCode: 400, statusMessage: input.summary })
|
||||
}
|
||||
|
||||
await saveSubscription(getDb(), {
|
||||
endpoint: input.endpoint,
|
||||
p256dh: input.keys.p256dh,
|
||||
auth: input.keys.auth,
|
||||
reporterEmail: email,
|
||||
})
|
||||
return { ok: true }
|
||||
})
|
||||
Reference in New Issue
Block a user