Files
andon/server/api/subscriptions.post.ts
Julien Calixte ea7384591c feat(push): owner-only subscribe/unsubscribe endpoints + VAPID config (T10)
POST/DELETE /api/subscriptions gated to the configured owner; runtime
config carries the public VAPID key, owner email and the signing secret.
2026-05-28 01:20:20 +02:00

30 lines
1.1 KiB
TypeScript

import { type } from 'arktype'
import { getDb } from '../db/client'
import { saveSubscription } from '../db/repositories/pushSubscriptions'
import { PushSubscriptionInput } from '../utils/pushSubscriptionInput'
import { getReporter } from '../utils/getReporter'
import { isOwner } from '../utils/isOwner'
// Enrol a device for Web Push (F8). Owner-only (G3): the session email must
// match the configured owner. The auth middleware already requires a session.
export default defineEventHandler(async (event) => {
const email = await getReporter(event)
const ownerEmail = useRuntimeConfig(event).public.ownerEmail
if (!isOwner(email, ownerEmail)) {
throw createError({ statusCode: 403, statusMessage: 'Notifications are restricted to the owner' })
}
const input = PushSubscriptionInput(await readBody(event))
if (input instanceof type.errors) {
throw createError({ statusCode: 400, statusMessage: input.summary })
}
await saveSubscription(getDb(), {
endpoint: input.endpoint,
p256dh: input.keys.p256dh,
auth: input.keys.auth,
reporterEmail: email,
})
return { ok: true }
})