ntfy/server/server_web_push_test.go

package server

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"testing"

	"github.com/SherClockHolmes/webpush-go"
	"github.com/stretchr/testify/require"
	"heckel.io/ntfy/user"
	"heckel.io/ntfy/util"
)

func TestServer_WebPush_TopicAdd(t *testing.T) {
	s := newTestServer(t, newTestConfigWithWebPush(t))

	response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), nil)
	require.Equal(t, 200, response.Code)
	require.Equal(t, `{"success":true}`+"\n", response.Body.String())

	subs, err := s.webPush.SubscriptionsForTopic("test-topic")
	require.Nil(t, err)

	require.Len(t, subs, 1)
	require.Equal(t, subs[0].BrowserSubscription.Endpoint, "https://example.com/webpush")
	require.Equal(t, subs[0].BrowserSubscription.Keys.P256dh, "p256dh-key")
	require.Equal(t, subs[0].BrowserSubscription.Keys.Auth, "auth-key")
	require.Equal(t, subs[0].UserID, "")
}

func TestServer_WebPush_TopicUnsubscribe(t *testing.T) {
	s := newTestServer(t, newTestConfigWithWebPush(t))

	addSubscription(t, s, "test-topic", "https://example.com/webpush")
	requireSubscriptionCount(t, s, "test-topic", 1)

	response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{}), nil)
	require.Equal(t, 200, response.Code)
	require.Equal(t, `{"success":true}`+"\n", response.Body.String())

	requireSubscriptionCount(t, s, "test-topic", 0)
}

func TestServer_WebPush_TopicSubscribeProtected_Allowed(t *testing.T) {
	config := configureAuth(t, newTestConfigWithWebPush(t))
	config.AuthDefault = user.PermissionDenyAll
	s := newTestServer(t, config)

	require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
	require.Nil(t, s.userManager.AllowAccess("ben", "test-topic", user.PermissionReadWrite))

	response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), map[string]string{
		"Authorization": util.BasicAuth("ben", "ben"),
	})
	require.Equal(t, 200, response.Code)
	require.Equal(t, `{"success":true}`+"\n", response.Body.String())

	subs, err := s.webPush.SubscriptionsForTopic("test-topic")
	require.Nil(t, err)
	require.Len(t, subs, 1)
	require.True(t, strings.HasPrefix(subs[0].UserID, "u_"))
}

func TestServer_WebPush_TopicSubscribeProtected_Denied(t *testing.T) {
	config := configureAuth(t, newTestConfigWithWebPush(t))
	config.AuthDefault = user.PermissionDenyAll
	s := newTestServer(t, config)

	response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), nil)
	require.Equal(t, 403, response.Code)

	requireSubscriptionCount(t, s, "test-topic", 0)
}

func TestServer_WebPush_DeleteAccountUnsubscribe(t *testing.T) {
	config := configureAuth(t, newTestConfigWithWebPush(t))
	s := newTestServer(t, config)

	require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
	require.Nil(t, s.userManager.AllowAccess("ben", "test-topic", user.PermissionReadWrite))

	response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), map[string]string{
		"Authorization": util.BasicAuth("ben", "ben"),
	})

	require.Equal(t, 200, response.Code)
	require.Equal(t, `{"success":true}`+"\n", response.Body.String())

	requireSubscriptionCount(t, s, "test-topic", 1)

	request(t, s, "DELETE", "/v1/account", `{"password":"ben"}`, map[string]string{
		"Authorization": util.BasicAuth("ben", "ben"),
	})
	// should've been deleted with the account
	requireSubscriptionCount(t, s, "test-topic", 0)
}

func TestServer_WebPush_Publish(t *testing.T) {
	s := newTestServer(t, newTestConfigWithWebPush(t))

	var received atomic.Bool

	upstreamServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, err := io.ReadAll(r.Body)
		require.Nil(t, err)
		require.Equal(t, "/push-receive", r.URL.Path)
		require.Equal(t, "high", r.Header.Get("Urgency"))
		require.Equal(t, "", r.Header.Get("Topic"))
		received.Store(true)
	}))
	defer upstreamServer.Close()

	addSubscription(t, s, "test-topic", upstreamServer.URL+"/push-receive")

	request(t, s, "PUT", "/test-topic", "web push test", nil)

	waitFor(t, func() bool {
		return received.Load()
	})
}

func TestServer_WebPush_PublishExpire(t *testing.T) {
	s := newTestServer(t, newTestConfigWithWebPush(t))

	var received atomic.Bool

	upstreamServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, err := io.ReadAll(r.Body)
		require.Nil(t, err)
		// Gone
		w.WriteHeader(410)
		w.Write([]byte(``))
		received.Store(true)
	}))
	defer upstreamServer.Close()

	addSubscription(t, s, "test-topic", upstreamServer.URL+"/push-receive")
	addSubscription(t, s, "test-topic-abc", upstreamServer.URL+"/push-receive")

	requireSubscriptionCount(t, s, "test-topic", 1)
	requireSubscriptionCount(t, s, "test-topic-abc", 1)

	request(t, s, "PUT", "/test-topic", "web push test", nil)

	waitFor(t, func() bool {
		return received.Load()
	})

	// Receiving the 410 should've caused the publisher to expire all subscriptions on the endpoint

	requireSubscriptionCount(t, s, "test-topic", 0)
	requireSubscriptionCount(t, s, "test-topic-abc", 0)
}

func payloadForTopics(t *testing.T, topics []string) string {
	topicsJson, err := json.Marshal(topics)
	require.Nil(t, err)

	return fmt.Sprintf(`{
		"topics": %s,
		"browser_subscription":{
			"endpoint": "https://example.com/webpush",
			"keys": {
				"p256dh": "p256dh-key",
				"auth": "auth-key"
			}
		}
	}`, topicsJson)
}

func addSubscription(t *testing.T, s *Server, topic string, url string) {
	err := s.webPush.AddSubscription(topic, "", webpush.Subscription{
		Endpoint: url,
		Keys: webpush.Keys{
			// connected to a local test VAPID key, not a leak!
			Auth:   "kSC3T8aN1JCQxxPdrFLrZg",
			P256dh: "BMKKbxdUU_xLS7G1Wh5AN8PvWOjCzkCuKZYb8apcqYrDxjOF_2piggBnoJLQYx9IeSD70fNuwawI3e9Y8m3S3PE",
		},
	})
	require.Nil(t, err)
}

func requireSubscriptionCount(t *testing.T, s *Server, topic string, expectedLength int) {
	subs, err := s.webPush.SubscriptionsForTopic("test-topic")
	require.Nil(t, err)

	require.Len(t, subs, expectedLength)
}
Add web push tests 2023-05-30 03:57:21 +12:00			`package server`

			`import (`
Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`"encoding/json"`
			`"fmt"`
Add web push tests 2023-05-30 03:57:21 +12:00			`"io"`
			`"net/http"`
			`"net/http/httptest"`
Random tiny changes 2023-05-31 06:23:03 +12:00			`"strings"`
Add web push tests 2023-05-30 03:57:21 +12:00			`"sync/atomic"`
			`"testing"`

			`"github.com/SherClockHolmes/webpush-go"`
			`"github.com/stretchr/testify/require"`
			`"heckel.io/ntfy/user"`
			`"heckel.io/ntfy/util"`
			`)`

Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`func TestServer_WebPush_TopicAdd(t *testing.T) {`
Add web push tests 2023-05-30 03:57:21 +12:00			`s := newTestServer(t, newTestConfigWithWebPush(t))`

Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), nil)`
Add web push tests 2023-05-30 03:57:21 +12:00			`require.Equal(t, 200, response.Code)`
			require.Equal(t, `{"success":true}`+"\n", response.Body.String())

Random tiny changes 2023-05-31 06:23:03 +12:00			`subs, err := s.webPush.SubscriptionsForTopic("test-topic")`
Replace if err-nil-Fatal check with require.Nil 2023-06-01 04:02:04 +12:00			`require.Nil(t, err)`
Add web push tests 2023-05-30 03:57:21 +12:00
			`require.Len(t, subs, 1)`
			`require.Equal(t, subs[0].BrowserSubscription.Endpoint, "https://example.com/webpush")`
			`require.Equal(t, subs[0].BrowserSubscription.Keys.P256dh, "p256dh-key")`
			`require.Equal(t, subs[0].BrowserSubscription.Keys.Auth, "auth-key")`
Random tiny changes 2023-05-31 06:23:03 +12:00			`require.Equal(t, subs[0].UserID, "")`
Add web push tests 2023-05-30 03:57:21 +12:00			`}`

Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`func TestServer_WebPush_TopicUnsubscribe(t *testing.T) {`
			`s := newTestServer(t, newTestConfigWithWebPush(t))`

			`addSubscription(t, s, "test-topic", "https://example.com/webpush")`
			`requireSubscriptionCount(t, s, "test-topic", 1)`

			`response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{}), nil)`
			`require.Equal(t, 200, response.Code)`
			require.Equal(t, `{"success":true}`+"\n", response.Body.String())

			`requireSubscriptionCount(t, s, "test-topic", 0)`
			`}`

Add web push tests 2023-05-30 03:57:21 +12:00			`func TestServer_WebPush_TopicSubscribeProtected_Allowed(t *testing.T) {`
			`config := configureAuth(t, newTestConfigWithWebPush(t))`
			`config.AuthDefault = user.PermissionDenyAll`
			`s := newTestServer(t, config)`

			`require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))`
			`require.Nil(t, s.userManager.AllowAccess("ben", "test-topic", user.PermissionReadWrite))`

Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), map[string]string{`
Add web push tests 2023-05-30 03:57:21 +12:00			`"Authorization": util.BasicAuth("ben", "ben"),`
			`})`
			`require.Equal(t, 200, response.Code)`
			require.Equal(t, `{"success":true}`+"\n", response.Body.String())

Random tiny changes 2023-05-31 06:23:03 +12:00			`subs, err := s.webPush.SubscriptionsForTopic("test-topic")`
			`require.Nil(t, err)`
Add web push tests 2023-05-30 03:57:21 +12:00			`require.Len(t, subs, 1)`
Random tiny changes 2023-05-31 06:23:03 +12:00			`require.True(t, strings.HasPrefix(subs[0].UserID, "u_"))`
Add web push tests 2023-05-30 03:57:21 +12:00			`}`

			`func TestServer_WebPush_TopicSubscribeProtected_Denied(t *testing.T) {`
			`config := configureAuth(t, newTestConfigWithWebPush(t))`
			`config.AuthDefault = user.PermissionDenyAll`
			`s := newTestServer(t, config)`

Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), nil)`
Add web push tests 2023-05-30 03:57:21 +12:00			`require.Equal(t, 403, response.Code)`

			`requireSubscriptionCount(t, s, "test-topic", 0)`
			`}`

			`func TestServer_WebPush_DeleteAccountUnsubscribe(t *testing.T) {`
			`config := configureAuth(t, newTestConfigWithWebPush(t))`
			`s := newTestServer(t, config)`

			`require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))`
			`require.Nil(t, s.userManager.AllowAccess("ben", "test-topic", user.PermissionReadWrite))`

Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`response := request(t, s, "PUT", "/v1/account/web-push", payloadForTopics(t, []string{"test-topic"}), map[string]string{`
Add web push tests 2023-05-30 03:57:21 +12:00			`"Authorization": util.BasicAuth("ben", "ben"),`
			`})`

			`require.Equal(t, 200, response.Code)`
			require.Equal(t, `{"success":true}`+"\n", response.Body.String())

			`requireSubscriptionCount(t, s, "test-topic", 1)`

			request(t, s, "DELETE", "/v1/account", `{"password":"ben"}`, map[string]string{
			`"Authorization": util.BasicAuth("ben", "ben"),`
			`})`
			`// should've been deleted with the account`
			`requireSubscriptionCount(t, s, "test-topic", 0)`
			`}`

			`func TestServer_WebPush_Publish(t *testing.T) {`
			`s := newTestServer(t, newTestConfigWithWebPush(t))`

			`var received atomic.Bool`

			`upstreamServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`_, err := io.ReadAll(r.Body)`
			`require.Nil(t, err)`
			`require.Equal(t, "/push-receive", r.URL.Path)`
			`require.Equal(t, "high", r.Header.Get("Urgency"))`
			`require.Equal(t, "", r.Header.Get("Topic"))`
			`received.Store(true)`
			`}))`
			`defer upstreamServer.Close()`

			`addSubscription(t, s, "test-topic", upstreamServer.URL+"/push-receive")`

			`request(t, s, "PUT", "/test-topic", "web push test", nil)`

			`waitFor(t, func() bool {`
			`return received.Load()`
			`})`
			`}`

			`func TestServer_WebPush_PublishExpire(t *testing.T) {`
			`s := newTestServer(t, newTestConfigWithWebPush(t))`

			`var received atomic.Bool`

			`upstreamServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`_, err := io.ReadAll(r.Body)`
			`require.Nil(t, err)`
			`// Gone`
			`w.WriteHeader(410)`
			w.Write([]byte(``))
			`received.Store(true)`
			`}))`
			`defer upstreamServer.Close()`

			`addSubscription(t, s, "test-topic", upstreamServer.URL+"/push-receive")`
			`addSubscription(t, s, "test-topic-abc", upstreamServer.URL+"/push-receive")`

			`requireSubscriptionCount(t, s, "test-topic", 1)`
			`requireSubscriptionCount(t, s, "test-topic-abc", 1)`

			`request(t, s, "PUT", "/test-topic", "web push test", nil)`

			`waitFor(t, func() bool {`
			`return received.Load()`
			`})`

			`// Receiving the 410 should've caused the publisher to expire all subscriptions on the endpoint`

			`requireSubscriptionCount(t, s, "test-topic", 0)`
			`requireSubscriptionCount(t, s, "test-topic-abc", 0)`
			`}`

Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`func payloadForTopics(t *testing.T, topics []string) string {`
			`topicsJson, err := json.Marshal(topics)`
			`require.Nil(t, err)`

			return fmt.Sprintf(`{
			`"topics": %s,`
			`"browser_subscription":{`
			`"endpoint": "https://example.com/webpush",`
			`"keys": {`
			`"p256dh": "p256dh-key",`
			`"auth": "auth-key"`
			`}`
			`}`
			}`, topicsJson)
			`}`

Add web push tests 2023-05-30 03:57:21 +12:00			`func addSubscription(t testing.T, s Server, topic string, url string) {`
Simplify web push UX and updates - Use a single endpoint - Use a declarative web push sync hook. This thus handles all edge cases that had to be manually handled before: logout, login, account sync, etc. - Simplify UX: browser notifications are always enabled (unless denied), web push toggle only shows up if permissions are already granted. 2023-06-02 23:22:54 +12:00			`err := s.webPush.AddSubscription(topic, "", webpush.Subscription{`
			`Endpoint: url,`
			`Keys: webpush.Keys{`
			`// connected to a local test VAPID key, not a leak!`
			`Auth: "kSC3T8aN1JCQxxPdrFLrZg",`
			`P256dh: "BMKKbxdUU_xLS7G1Wh5AN8PvWOjCzkCuKZYb8apcqYrDxjOF_2piggBnoJLQYx9IeSD70fNuwawI3e9Y8m3S3PE",`
Add web push tests 2023-05-30 03:57:21 +12:00			`},`
			`})`
Replace if err-nil-Fatal check with require.Nil 2023-06-01 04:02:04 +12:00			`require.Nil(t, err)`
Add web push tests 2023-05-30 03:57:21 +12:00			`}`

			`func requireSubscriptionCount(t testing.T, s Server, topic string, expectedLength int) {`
Random tiny changes 2023-05-31 06:23:03 +12:00			`subs, err := s.webPush.SubscriptionsForTopic("test-topic")`
Replace if err-nil-Fatal check with require.Nil 2023-06-01 04:02:04 +12:00			`require.Nil(t, err)`
Add web push tests 2023-05-30 03:57:21 +12:00
			`require.Len(t, subs, expectedLength)`
			`}`