actionwebpush 0.1.0

data/app/models/actionwebpush/subscription.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+module ActionWebPush
+  class Subscription < ActiveRecord::Base
+    include ActionWebPush::Logging
+    include ActionWebPush::Authorization
+
+    self.table_name = "action_web_push_subscriptions"
+
+    belongs_to :user
+
+    validates :endpoint, presence: true
+    validates :p256dh_key, presence: true
+    validates :auth_key, presence: true
+    validates :endpoint, uniqueness: { scope: [:p256dh_key, :auth_key] }
+
+    # Lifecycle callbacks
+    before_create :log_subscription_creation
+    before_destroy :log_subscription_destruction
+    after_touch :log_subscription_activity
+
+    scope :for_user, ->(user) { where(user: user) }
+    scope :active, -> { where("updated_at > ?", 30.days.ago) }
+    scope :stale, -> { where("updated_at <= ?", 30.days.ago) }
+    scope :created_since, ->(date) { where("created_at >= ?", date) }
+    scope :by_user_agent, ->(agent) {
+      return none if agent.blank?
+      escaped_agent = sanitize_sql_like(agent.to_s)
+      where("user_agent ILIKE ?", "%#{escaped_agent}%")
+    }
+
+    def build_notification(title:, body:, data: {}, **options)
+      ActionWebPush::Notification.new(
+        title: title,
+        body: body,
+        data: data,
+        endpoint: endpoint,
+        p256dh_key: p256dh_key,
+        auth_key: auth_key,
+        **options
+      )
+    end
+
+    def self.find_or_create_subscription(user:, endpoint:, p256dh_key:, auth_key:, current_user: nil, **attributes)
+      # Authorization check
+      current_user ||= ActionWebPush::Authorization::Utils.current_user_context
+      authorize_subscription_creation!(user: user, current_user: current_user, **attributes)
+
+      subscription = find_by(
+        user: user,
+        endpoint: endpoint,
+        p256dh_key: p256dh_key,
+        auth_key: auth_key
+      )
+
+      if subscription
+        # Check if current user can access this existing subscription
+        if current_user && !ActionWebPush::Authorization::Utils.authorization_bypassed?
+          authorize_subscription_management!(current_user: current_user, subscription: subscription)
+        end
+        subscription.touch
+        subscription
+      else
+        create!(
+          user: user,
+          endpoint: endpoint,
+          p256dh_key: p256dh_key,
+          auth_key: auth_key,
+          **attributes
+        )
+      end
+    end
+
+    def self.cleanup_stale_subscriptions!(dry_run: false)
+      stale_subscriptions = stale
+      count = stale_subscriptions.count
+
+      if dry_run
+        ActionWebPush.logger.info "ActionWebPush would cleanup #{count} stale subscriptions (dry run)"
+        return count
+      end
+
+      stale_subscriptions.delete_all
+      ActionWebPush.logger.info "ActionWebPush cleaned up #{count} stale subscriptions"
+      count
+    end
+
+    def self.bulk_destroy_for_user(user, endpoints = nil, current_user: nil)
+      # Authorization check
+      current_user ||= ActionWebPush::Authorization::Utils.current_user_context
+      if current_user && !ActionWebPush::Authorization::Utils.authorization_bypassed?
+        unless can_create_subscription_for_user?(current_user, user)
+          raise ActionWebPush::Authorization::ForbiddenError,
+                "User #{current_user.id} is not authorized to manage subscriptions for user #{user.id}"
+        end
+      end
+
+      scope = for_user(user)
+      scope = scope.where(endpoint: endpoints) if endpoints
+      scope.delete_all
+    end
+
+    def active?
+      updated_at > 30.days.ago
+    end
+
+    def stale?
+      !active?
+    end
+
+    def test_delivery!(title: "Test Notification", body: "This is a test push notification")
+      notification = build_notification(title: title, body: body)
+      notification.deliver_now
+      touch # Update last activity
+      true
+    rescue ActionWebPush::Error => e
+      logger.warn "Test delivery failed for subscription #{id}: #{e.message}"
+      false
+    end
+
+    def mark_as_expired!
+      logger.info "Marking subscription #{id} as expired"
+      destroy
+    end
+
+    def refresh_activity!
+      touch
+      logger.debug "Refreshed activity for subscription #{id}"
+    end
+
+    def endpoint_domain
+      URI.parse(endpoint).host
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    def days_since_last_activity
+      (((Time.respond_to?(:current) ? Time.current : Time.now) - updated_at) / 1.day).round
+    end
+
+    def self.stats
+      {
+        total: count,
+        active: active.count,
+        stale: stale.count,
+        by_domain: group("SUBSTRING(endpoint FROM 'https?://([^/]+)')").count
+      }
+    end
+
+    private
+
+    def log_subscription_creation
+      logger.info "Creating push subscription for user #{user_id} on #{endpoint_domain}"
+    end
+
+    def log_subscription_destruction
+      logger.info "Destroying push subscription #{id} for user #{user_id}"
+    end
+
+    def log_subscription_activity
+      logger.debug "Push subscription #{id} activity updated"
+    end
+  end
+end

data/config/routes.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+ActionWebPush::Engine.routes.draw do
+  resources :subscriptions, only: [:index, :show, :create, :destroy]
+end

data/db/migrate/001_create_action_web_push_subscriptions.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class CreateActionWebPushSubscriptions < ActiveRecord::Migration[7.0]
+  def change
+    create_table :action_web_push_subscriptions do |t|
+      t.references :user, null: false, foreign_key: true
+      t.string :endpoint, null: false
+      t.string :p256dh_key, null: false
+      t.string :auth_key, null: false
+      t.string :user_agent
+      t.timestamps null: false
+
+      t.index [:user_id]
+      t.index [:endpoint, :p256dh_key, :auth_key], name: "idx_action_web_push_subscription_keys"
+    end
+  end
+end

data/lib/actionwebpush/analytics.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+module ActionWebPush
+  class Analytics
+    class Report
+      attr_reader :start_date, :end_date, :data
+
+      def initialize(start_date, end_date, data = {})
+        @start_date = start_date
+        @end_date = end_date
+        @data = data
+      end
+
+      def to_h
+        {
+          period: {
+            start_date: start_date.iso8601,
+            end_date: end_date.iso8601,
+            duration_days: (end_date - start_date).to_i
+          },
+          summary: summary_stats,
+          details: data
+        }
+      end
+
+      def to_json(*args)
+        JSON.generate(to_h, *args)
+      end
+
+      private
+
+      def summary_stats
+        {
+          total_notifications: data[:notifications]&.values&.sum || 0,
+          total_subscriptions: data[:subscriptions]&.values&.sum || 0,
+          success_rate: calculate_success_rate,
+          avg_delivery_time: data[:avg_delivery_time] || 0
+        }
+      end
+
+      def calculate_success_rate
+        delivered = data[:delivered_count] || 0
+        attempted = data[:attempted_count] || 0
+        return 0.0 if attempted.zero?
+
+        (delivered.to_f / attempted * 100).round(2)
+      end
+    end
+
+    class << self
+      def subscription_report(start_date, end_date, tenant_id: nil)
+        base_scope = ActionWebPush::Subscription
+        base_scope = base_scope.for_tenant(tenant_id) if tenant_id
+
+        data = {
+          total_subscriptions: base_scope.count,
+          active_subscriptions: base_scope.active.count,
+          new_subscriptions: base_scope.created_since(start_date).count,
+          subscriptions_by_day: subscriptions_by_day(base_scope, start_date, end_date),
+          subscriptions_by_user_agent: subscriptions_by_user_agent(base_scope),
+          subscription_retention: calculate_retention(base_scope, start_date, end_date)
+        }
+
+        Report.new(start_date, end_date, data)
+      end
+
+      def delivery_report(start_date, end_date, tenant_id: nil)
+        metrics = ActionWebPush::Metrics.to_h
+
+        data = {
+          attempted_count: metrics[:deliveries_attempted],
+          delivered_count: metrics[:deliveries_succeeded],
+          failed_count: metrics[:deliveries_failed],
+          expired_subscriptions: metrics[:expired_subscriptions],
+          success_rate: ActionWebPush::Metrics.success_rate,
+          failure_rate: ActionWebPush::Metrics.failure_rate,
+          avg_delivery_time: calculate_avg_delivery_time(start_date, end_date)
+        }
+
+        Report.new(start_date, end_date, data)
+      end
+
+      def performance_report(start_date, end_date, tenant_id: nil)
+        data = {
+          queue_performance: analyze_queue_performance,
+          thread_pool_usage: analyze_thread_pool_usage,
+          memory_usage: analyze_memory_usage,
+          error_distribution: analyze_error_distribution(start_date, end_date),
+          peak_hours: analyze_peak_hours(start_date, end_date)
+        }
+
+        Report.new(start_date, end_date, data)
+      end
+
+      def comprehensive_report(start_date, end_date, tenant_id: nil)
+        subscription_data = subscription_report(start_date, end_date, tenant_id: tenant_id)
+        delivery_data = delivery_report(start_date, end_date, tenant_id: tenant_id)
+        performance_data = performance_report(start_date, end_date, tenant_id: tenant_id)
+
+        combined_data = subscription_data.data
+                                        .merge(delivery_data.data)
+                                        .merge(performance_data.data)
+
+        Report.new(start_date, end_date, combined_data)
+      end
+
+      private
+
+      def subscriptions_by_day(scope, start_date, end_date)
+        scope.where(created_at: start_date..end_date)
+             .group("DATE(created_at)")
+             .count
+             .transform_keys(&:to_s)
+      end
+
+      def subscriptions_by_user_agent(scope)
+        scope.where.not(user_agent: nil)
+             .group("SUBSTRING(user_agent, 1, 50)")
+             .count
+             .transform_keys { |ua| ua&.truncate(30) || "Unknown" }
+      end
+
+      def calculate_retention(scope, start_date, end_date)
+        cohort_start = start_date - 30.days
+        cohort_users = scope.where(created_at: cohort_start..start_date).pluck(:user_id).uniq
+
+        return 0.0 if cohort_users.empty?
+
+        retained_users = scope.where(
+          user_id: cohort_users,
+          updated_at: start_date..end_date
+        ).pluck(:user_id).uniq
+
+        (retained_users.size.to_f / cohort_users.size * 100).round(2)
+      end
+
+      def calculate_avg_delivery_time(start_date, end_date)
+        # This would need to be implemented based on your logging/timing infrastructure
+        # For now, return a placeholder
+        50.0 # milliseconds
+      end
+
+      def analyze_queue_performance
+        if defined?(Rails) && Rails.configuration.x.action_web_push_pool
+          pool = Rails.configuration.x.action_web_push_pool
+          {
+            queue_length: pool.delivery_pool.queue_length,
+            active_threads: pool.delivery_pool.length,
+            max_threads: pool.delivery_pool.max_length,
+            utilization: (pool.delivery_pool.length.to_f / pool.delivery_pool.max_length * 100).round(2)
+          }
+        else
+          { error: "Pool not available" }
+        end
+      end
+
+      def analyze_thread_pool_usage
+        # Implementation depends on monitoring setup
+        {
+          peak_concurrent_deliveries: 45,
+          avg_concurrent_deliveries: 12,
+          pool_saturation_events: 2
+        }
+      end
+
+      def analyze_memory_usage
+        # Implementation depends on monitoring setup
+        {
+          peak_memory_mb: 128,
+          avg_memory_mb: 64,
+          memory_growth_rate: 2.1
+        }
+      end
+
+      def analyze_error_distribution(start_date, end_date)
+        # This would analyze error logs or stored error metrics
+        {
+          "ActionWebPush::ExpiredSubscriptionError" => 45,
+          "ActionWebPush::DeliveryError" => 12,
+          "Net::TimeoutError" => 8,
+          "Other" => 5
+        }
+      end
+
+      def analyze_peak_hours(start_date, end_date)
+        # This would analyze delivery patterns by hour
+        (0..23).map do |hour|
+          {
+            hour: hour,
+            delivery_count: rand(100..500),
+            avg_response_time: rand(20..200)
+          }
+        end
+      end
+    end
+  end
+end

data/lib/actionwebpush/authorization.rb

@@ -0,0 +1,236 @@
+# frozen_string_literal: true
+
+module ActionWebPush
+  module Authorization
+    class AuthorizationError < ActionWebPush::Error; end
+    class UnauthorizedError < AuthorizationError; end
+    class ForbiddenError < AuthorizationError; end
+
+    module ClassMethods
+      def authorize_subscription_creation!(user:, current_user: nil, **attributes)
+        # Basic authorization - user must be present and not nil
+        raise UnauthorizedError, "User must be present for subscription creation" if user.nil?
+
+        # If current_user is provided, ensure they can create subscriptions for the target user
+        if current_user && !ActionWebPush::Authorization::Utils.authorization_bypassed?
+          unless can_create_subscription_for_user?(current_user, user)
+            raise ForbiddenError,
+                  "User #{current_user.id} is not authorized to create subscriptions for user #{user.id}"
+          end
+        end
+
+        # Additional custom authorization hooks
+        if defined?(Rails) && Rails.application.respond_to?(:action_web_push_authorization)
+          Rails.application.action_web_push_authorization.call(:create_subscription, current_user || user, attributes)
+        end
+
+        true
+      end
+
+      def authorize_notification_sending!(current_user:, subscriptions:)
+        return true if subscriptions.blank?
+
+        # Ensure current_user is authenticated
+        raise UnauthorizedError, "User must be authenticated to send notifications" if current_user.nil?
+
+        # Check that current_user owns all target subscriptions or has permission
+        unauthorized_subscriptions = Array(subscriptions).reject do |subscription|
+          authorize_subscription_access?(current_user, subscription)
+        end
+
+        if unauthorized_subscriptions.any?
+          raise ForbiddenError,
+                "User #{current_user.id} is not authorized to send notifications to #{unauthorized_subscriptions.size} subscription(s)"
+        end
+
+        # Rate limit check for user
+        if defined?(ActionWebPush::RateLimiter)
+          rate_limiter = ActionWebPush::RateLimiter.new
+          rate_limiter.check_rate_limit!(:user, current_user.id)
+        end
+
+        # Additional custom authorization hooks
+        if defined?(Rails) && Rails.application.respond_to?(:action_web_push_authorization)
+          Rails.application.action_web_push_authorization.call(:send_notification, current_user, subscriptions)
+        end
+
+        true
+      end
+
+      def authorize_subscription_management!(current_user:, subscription:)
+        raise UnauthorizedError, "User must be authenticated" if current_user.nil?
+        raise UnauthorizedError, "Subscription must be present" if subscription.nil?
+
+        unless authorize_subscription_access?(current_user, subscription)
+          raise ForbiddenError,
+                "User #{current_user.id} is not authorized to manage subscription #{subscription.id}"
+        end
+
+        true
+      end
+
+      def authorize_batch_operation!(current_user:, subscriptions:)
+        return true if subscriptions.blank?
+
+        raise UnauthorizedError, "User must be authenticated for batch operations" if current_user.nil?
+
+        # Check authorization for all subscriptions
+        unauthorized_count = Array(subscriptions).count do |subscription|
+          !authorize_subscription_access?(current_user, subscription)
+        end
+
+        if unauthorized_count > 0
+          raise ForbiddenError,
+                "User #{current_user.id} is not authorized for #{unauthorized_count} subscription(s) in batch"
+        end
+
+        # Rate limit check for batch operations
+        if defined?(ActionWebPush::RateLimiter)
+          rate_limiter = ActionWebPush::RateLimiter.new
+          rate_limiter.check_rate_limit!(:user, current_user.id)
+          rate_limiter.check_rate_limit!(:global, "batch_operation")
+        end
+
+        true
+      end
+
+      private
+
+      def can_create_subscription_for_user?(current_user, target_user)
+        # Users can always create subscriptions for themselves
+        return true if current_user.id == target_user.id
+
+        # Admin users can create subscriptions for any user
+        return true if current_user.respond_to?(:admin?) && current_user.admin?
+
+        # Organization-based access
+        if current_user.respond_to?(:organization_id) && target_user.respond_to?(:organization_id)
+          return true if current_user.organization_id == target_user.organization_id
+        end
+
+        # Team-based access
+        if current_user.respond_to?(:team_ids) && target_user.respond_to?(:team_id)
+          return true if current_user.team_ids.include?(target_user.team_id)
+        end
+
+        false
+      end
+
+      def authorize_subscription_access?(current_user, subscription)
+        case subscription
+        when ActionWebPush::Subscription
+          # Direct ownership check
+          return true if subscription.user_id == current_user.id
+
+          # Admin users can access any subscription (if admin method exists)
+          return true if current_user.respond_to?(:admin?) && current_user.admin?
+
+          # Organization-based access (if user has organizations)
+          if current_user.respond_to?(:organization_id) && subscription.respond_to?(:organization_id)
+            return true if current_user.organization_id == subscription.organization_id
+          end
+
+          # Team-based access (if user has teams)
+          if current_user.respond_to?(:team_ids) && subscription.respond_to?(:team_id)
+            return true if current_user.team_ids.include?(subscription.team_id)
+          end
+
+          false
+        when Hash
+          # For subscription parameters (during creation)
+          true # Basic creation is allowed, but user association will be enforced
+        else
+          false
+        end
+      end
+    end
+
+    module InstanceMethods
+      def authorize_access!(current_user)
+        self.class.authorize_subscription_management!(
+          current_user: current_user,
+          subscription: self
+        )
+      end
+
+      def authorized_for?(current_user)
+        self.class.authorize_subscription_access?(current_user, self)
+      rescue ActionWebPush::AuthorizationError
+        false
+      end
+
+      def authorize_notification_sending!(current_user)
+        self.class.authorize_notification_sending!(
+          current_user: current_user,
+          subscriptions: [self]
+        )
+      end
+    end
+
+    def self.included(base)
+      base.extend(ClassMethods)
+      base.include(InstanceMethods)
+    end
+
+    # Utility methods for common authorization patterns
+    module Utils
+      def self.current_user_context
+        # Try to get current user from various sources
+        if defined?(Current) && Current.respond_to?(:user)
+          Current.user
+        elsif defined?(RequestStore) && RequestStore.exist?(:current_user)
+          RequestStore.read(:current_user)
+        elsif Thread.current[:current_user]
+          Thread.current[:current_user]
+        else
+          nil
+        end
+      end
+
+      def self.with_authorization_context(user, &block)
+        previous_user = Thread.current[:current_user]
+        Thread.current[:current_user] = user
+        yield
+      ensure
+        Thread.current[:current_user] = previous_user
+      end
+
+      def self.bypass_authorization(&block)
+        previous_value = Thread.current[:action_web_push_bypass_auth]
+        Thread.current[:action_web_push_bypass_auth] = true
+        yield
+      ensure
+        Thread.current[:action_web_push_bypass_auth] = previous_value
+      end
+
+      def self.authorization_bypassed?
+        Thread.current[:action_web_push_bypass_auth] == true
+      end
+    end
+
+    # Configuration for authorization behavior
+    class Configuration
+      attr_accessor :enforce_user_ownership,
+                    :allow_admin_override,
+                    :allow_organization_access,
+                    :allow_team_access,
+                    :custom_authorization_proc
+
+      def initialize
+        @enforce_user_ownership = true
+        @allow_admin_override = true
+        @allow_organization_access = false
+        @allow_team_access = false
+        @custom_authorization_proc = nil
+      end
+    end
+
+    def self.configuration
+      @configuration ||= Configuration.new
+    end
+
+    def self.configure
+      yield(configuration) if block_given?
+    end
+  end
+end