pezza_action_push_web 0.1.0

data/app/jobs/action_push_web/notification_job.rb

@@ -0,0 +1,48 @@
+module ActionPushWeb
+  class NotificationJob < ActiveJob::Base
+    self.log_arguments = false
+
+    class_attribute :report_job_retries, default: false
+
+    discard_on ActiveJob::DeserializationError
+
+    class << self
+      def retry_options
+        Rails.version >= "8.1" ? { report: report_job_retries } : {}
+      end
+
+      # Exponential backoff starting from a minimum of 1 minute, capped at 60m as suggested by FCM:
+      # https://firebase.google.com/docs/cloud-messaging/scale-fcm#errors
+      #
+      # | Executions | Delay (rounded minutes) |
+      # |------------|-------------------------|
+      # | 1          | 1                       |
+      # | 2          | 2                       |
+      # | 3          | 4                       |
+      # | 4          | 8                       |
+      # | 5          | 16                      |
+      # | 6          | 32                      |
+      # | 7          | 60 (cap)                |
+      def exponential_backoff_delay(executions)
+        base_wait = 1.minute
+        delay = base_wait * (2**(executions - 1))
+        jitter = 0.15
+        jitter_delay = rand * delay * jitter
+
+        [ delay + jitter_delay, 60.minutes ].min
+      end
+    end
+
+    with_options retry_options do
+      retry_on PushServiceError, attempts: 20
+    end
+
+    with_options wait: ->(executions) { exponential_backoff_delay(executions) }, attempts: 6, **retry_options do
+      retry_on TooManyRequestsError, ResponseError
+    end
+
+    def perform(notification_class, notification_attributes, subscription)
+      notification_class.constantize.new(**notification_attributes).deliver_to(subscription)
+    end
+  end
+end

data/app/models/action_push_web/subscription.rb

@@ -0,0 +1,13 @@
+module ActionPushWeb
+  class Subscription < ApplicationRecord
+    include ActiveSupport::Rescuable
+
+    rescue_from(TokenError) { destroy! }
+
+    belongs_to :owner, polymorphic: true, optional: true
+
+    def push(notification)
+      ActionPushWeb.push(SubscriptionNotification.new(notification:, subscription: self))
+    end
+  end
+end

data/db/migrate/20250907213606_create_action_push_web_subscriptions.rb

@@ -0,0 +1,13 @@
+class CreateActionPushWebSubscriptions < ActiveRecord::Migration[8.0]
+  def change
+    create_table :action_push_web_subscriptions do |t|
+      t.belongs_to :owner, polymorphic: true
+      t.string :endpoint, null: false
+      t.string :auth_key, null: false
+      t.string :p256dh_key, null: false
+      t.string :user_agent
+
+      t.timestamps
+    end
+  end
+end

data/lib/action_push_web/engine.rb

@@ -0,0 +1,36 @@
+module ActionPushWeb
+  class Engine < ::Rails::Engine
+    isolate_namespace ActionPushWeb
+    config.autoload_once_paths = %W[
+      #{root}/app/helpers
+    ]
+
+    config.action_push_web = ActiveSupport::OrderedOptions.new
+
+    initializer "action_push_web.config" do |app|
+      app.paths.add "config/push", with: "config/push.yml"
+    end
+
+    initializer "action_push_web.pool" do |app|
+      at_exit { ActionPushWeb.pool.shutdown }
+    end
+
+    initializer "action_push_web.assets" do
+      if Rails.application.config.respond_to?(:assets)
+        Rails.application.config.assets.precompile += %w[action_push_web.js]
+      end
+    end
+
+    initializer "action_push_web.importmap", before: "importmap" do |app|
+      if Rails.application.respond_to?(:importmap)
+        app.config.importmap.paths << Engine.root.join("config/importmap.rb")
+      end
+    end
+
+    initializer "action_push_web.helpers", before: :load_config_initializers do
+      ActiveSupport.on_load(:action_controller_base) do
+        helper ActionPushWeb::Engine.helpers
+      end
+    end
+  end
+end

data/lib/action_push_web/errors.rb

@@ -0,0 +1,8 @@
+module ActionPushWeb
+  class TokenError < StandardError; end
+  class UnauthorizedError < StandardError; end
+  class PayloadTooLargeError < StandardError; end
+  class TooManyRequestsError < StandardError; end
+  class PushServiceError < StandardError; end
+  class ResponseError < StandardError; end
+end

data/lib/action_push_web/notification.rb

@@ -0,0 +1,63 @@
+module ActionPushWeb
+  class Notification
+    extend ActiveModel::Callbacks
+
+    attr_accessor :title, :body, :path, :context, :urgency, :silent, :badge
+    attr_writer   :icon_path
+
+    define_model_callbacks :delivery
+
+    class_attribute :queue_name, default: ActiveJob::Base.default_queue_name
+    class_attribute :enabled, default: !Rails.env.test?
+    class_attribute :application
+
+    class << self
+      def queue_as(name)
+        self.queue_name = name
+      end
+    end
+
+    def initialize(title:, path: nil, body: nil, icon_path: nil, urgency: nil, badge: nil, silent: nil, **context)
+      @title = title
+      @path = path
+      @body = body.to_s
+      @icon_path = icon_path
+      @urgency = urgency
+      @silent = silent
+      @badge = badge
+      @context = context
+    end
+
+    def deliver_to(subscription)
+      if enabled
+        run_callbacks(:delivery) { subscription.push(self) }
+      end
+    end
+
+    def deliver_later_to(subscriptions)
+      Array(subscriptions).each do |subscription|
+        ApplicationPushWebNotificationJob.set(queue: queue_name).
+          perform_later(self.class.name, self.as_json, subscription)
+      end
+    end
+
+    def icon_path
+      @icon_path.presence || config.fetch(:icon_path, nil)
+    end
+
+    def urgency
+      (@urgency.presence || config.fetch(:urgency, :normal)).to_s
+    end
+
+    def as_json
+      { title:, body:, path:, icon_path:, urgency:,
+        silent:, badge:, **context }.compact
+    end
+
+    private
+
+    def config
+      @config ||= ActionPushWeb.config_for(application)
+    end
+  end
+end

data/lib/action_push_web/payload_encryption.rb

@@ -0,0 +1,86 @@
+module ActionPushWeb
+  class PayloadEncryption
+    def initialize(message:, p256dh_key:, auth_key:)
+      @message = message
+      @p256dh_key = p256dh_key
+      @auth_key = auth_key
+    end
+
+    def encrypt
+      serverkey16bn = [ server_public_key_bn.to_s(16) ].pack("H*")
+
+      rs = encrypted_payload.bytesize
+      raise ArgumentError, "encrypted payload is too big" if rs > 4096
+
+      aes128gcmheader = "#{salt}" + [ rs ].pack("N*") +
+        [ serverkey16bn.bytesize ].pack("C*") + serverkey16bn
+
+      aes128gcmheader + encrypted_payload
+    end
+
+    attr_reader :message, :p256dh_key, :auth_key
+
+    def group_name = "prime256v1"
+    def hash = "SHA256"
+
+    def salt
+      @salt ||= Random.new.bytes(16)
+    end
+
+    def server
+      @server ||= OpenSSL::PKey::EC.generate(group_name)
+    end
+
+    def server_public_key_bn = server.public_key.to_bn
+
+    def group
+      @group ||= OpenSSL::PKey::EC::Group.new(group_name)
+    end
+
+    def client_public_key_bn
+      @client_public_key_bn ||= OpenSSL::BN.new(Base64.urlsafe_decode64(p256dh_key), 2)
+    end
+
+    def client_public_key
+      @client_public_key ||= OpenSSL::PKey::EC::Point.new(group, client_public_key_bn)
+    end
+
+    def shared_secret
+      @shared_secret ||= server.dh_compute_key(client_public_key)
+    end
+
+    def prk
+      @prk ||= OpenSSL::KDF.hkdf(shared_secret,
+        salt: Base64.urlsafe_decode64(auth_key),
+        info: "WebPush: info\0" + client_public_key_bn.to_s(2) + server_public_key_bn.to_s(2),
+        hash:, length: 32)
+    end
+
+    def content_encryption_key
+      @content_encryption_key ||= OpenSSL::KDF.hkdf(
+        prk, salt:, info: "Content-Encoding: aes128gcm\0", hash:, length: 16
+      )
+    end
+
+    def nonce
+      @nonce ||= OpenSSL::KDF.hkdf(
+        prk, salt:, info: "Content-Encoding: nonce\0", hash:, length: 12
+      )
+    end
+
+    def encrypted_payload
+      @encrypted_payload ||= begin
+        cipher = OpenSSL::Cipher.new("aes-128-gcm")
+        cipher.encrypt
+        cipher.key = content_encryption_key
+        cipher.iv = nonce
+        text = cipher.update(message)
+        padding = cipher.update("\2\0")
+        e_text = text + padding + cipher.final
+        e_tag = cipher.auth_tag
+
+        e_text + e_tag
+      end
+    end
+  end
+end

data/lib/action_push_web/pool.rb

@@ -0,0 +1,46 @@
+module ActionPushWeb
+  class Pool
+    attr_reader :delivery_pool, :invalidation_pool, :connection
+
+    def initialize(delivery_pool: Concurrent::ThreadPoolExecutor.new(max_threads: 50, queue_size: 10000),
+                   invalidation_pool: Concurrent::FixedThreadPool.new(1))
+      @delivery_pool = delivery_pool
+      @invalidation_pool = invalidation_pool
+      @connection = Net::HTTP::Persistent.new(name: "action_push_web", pool_size: 150)
+    end
+
+    def enqueue(notification, config:)
+      delivery_pool.post do
+        deliver(notification, config)
+      end
+    rescue Concurrent::RejectedExecutionError
+    end
+
+    def shutdown
+      connection.shutdown
+      shutdown_pool(delivery_pool)
+      shutdown_pool(invalidation_pool)
+    end
+
+    private
+
+      def deliver(notification, config)
+        Pusher.new(config, notification).push(connection:)
+      rescue TokenError => error
+        invalidate_subscription_later(notification.subscription, error)
+      end
+
+      def invalidate_subscription_later(subscription, error)
+        invalidation_pool.post do
+         subscription.rescue_with_handler(error)
+        rescue Exception => e
+          Rails.logger.error "Error in ActionPushWeb::Pool.invalidate_subscription_later: #{e.class} #{e.message}"
+        end
+      end
+
+      def shutdown_pool(pool)
+        pool.shutdown
+        pool.kill unless pool.wait_for_termination(1)
+      end
+  end
+end

data/lib/action_push_web/pusher.rb

@@ -0,0 +1,85 @@
+module ActionPushWeb
+  class Pusher
+    def initialize(config, notification)
+      @config = config
+      @notification = notification
+    end
+
+    def push(connection:)
+      request = Net::HTTP::Post.new(uri.request_uri, headers).tap do
+        it.body = payload
+      end
+
+      connection.request(uri, request).tap { handle_response(it) }
+    rescue OpenSSL::OpenSSLError
+      raise TokenError.new
+    end
+
+    private
+
+    attr_reader :config, :notification
+
+    delegate :title, :body, :icon_path, :path, :silent, :badge, :endpoint, :p256dh_key,
+      :auth_key, to: :notification
+
+    def message
+      JSON.generate title:, options: { body:, icon: icon_path, silent:, badge:, data: { path: } }
+    end
+
+    def payload
+      @payload ||= PayloadEncryption.new(message:, p256dh_key:, auth_key:).encrypt
+    end
+
+    def vapid_identification
+      config.slice(:public_key, :private_key).compact
+    end
+
+    def uri
+      @uri ||= URI.parse(endpoint)
+    end
+
+    def headers
+      headers = {}
+      headers["Content-Type"]     = "application/octet-stream"
+      headers["Urgency"]          = notification.urgency
+      headers["Ttl"]              = config.fetch(:ttl, 60 * 60 * 24 * 7 * 4).to_s
+      headers["Content-Encoding"] = "aes128gcm"
+      headers["Content-Length"]   = payload.length.to_s
+      headers["Authorization"]    = vapid_authorization
+
+      headers
+    end
+
+    def vapid_authorization
+      vapid_key = VapidKey.new(config[:public_key], config[:private_key])
+
+      jwt = JWT.encode(jwt_payload, vapid_key.ec_key,
+        "ES256", { "typ": "JWT", "alg": "ES256" })
+
+      "vapid t=#{jwt},k=#{vapid_key.public_key_for_push_header}"
+    end
+
+    def jwt_payload
+      { aud: uri.scheme + "://" + uri.host,
+        exp: Time.now.to_i + config.fetch(:expiration, 12 * 60 * 60),
+        sub: config.fetch(:subject, "mailto:sender@example.com") }
+    end
+
+    def handle_response(response)
+      if response.is_a?(Net::HTTPGone) || response.is_a?(Net::HTTPNotFound) # 410 || 404
+        raise TokenError.new
+      elsif response.is_a?(Net::HTTPUnauthorized) || response.is_a?(Net::HTTPForbidden) || # 401, 403
+            response.is_a?(Net::HTTPBadRequest) && response.message == "UnauthorizedRegistration" # 400, Google FCM
+        raise UnauthorizedError.new
+      elsif response.is_a?(Net::HTTPRequestEntityTooLarge) # 413
+        raise PayloadTooLargeError.new
+      elsif response.is_a?(Net::HTTPTooManyRequests) # 429, try again later!
+        raise TooManyRequestsError.new
+      elsif response.is_a?(Net::HTTPServerError) # 5xx
+        raise PushServiceError.new
+      elsif !response.is_a?(Net::HTTPSuccess) # unknown/unhandled response error
+        raise ResponseError.new
+      end
+    end
+  end
+end

data/lib/action_push_web/subscription_notification.rb

@@ -0,0 +1,13 @@
+module ActionPushWeb
+  class SubscriptionNotification
+    def initialize(notification:, subscription:)
+      @notification = notification
+      @subscription = subscription
+    end
+
+    attr_reader :notification, :subscription
+
+    delegate_missing_to :notification
+    delegate :endpoint, :p256dh_key, :auth_key, to: :subscription
+  end
+end

data/lib/action_push_web/vapid_key.rb

@@ -0,0 +1,38 @@
+module ActionPushWeb
+  class VapidKey
+    attr_reader :public_key, :private_key
+
+    def initialize(public_key, private_key)
+      @public_key = public_key
+      @private_key = private_key
+    end
+
+    # For request header (unpadded)
+    def public_key_for_push_header
+      public_key.delete("=")
+    end
+
+    def ec_key
+      @ec_key ||= begin
+        group      = OpenSSL::PKey::EC::Group.new("prime256v1")
+        public_point  = OpenSSL::PKey::EC::Point.new(group, decode_base64url_to_big_number(public_key))
+        priv_bn    = decode_base64url_to_big_number(private_key)
+
+        asn1 = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(1),
+          OpenSSL::ASN1::OctetString(priv_bn.to_s(2)),
+          OpenSSL::ASN1::ObjectId("prime256v1", 0, :EXPLICIT),
+          OpenSSL::ASN1::BitString(public_point.to_octet_string(:uncompressed), 1, :EXPLICIT)
+        ])
+
+        OpenSSL::PKey::EC.new(asn1.to_der)
+      end
+    end
+
+    private
+
+    def decode_base64url_to_big_number(str)
+      OpenSSL::BN.new(Base64.urlsafe_decode64(str), 2)
+    end
+  end
+end

data/lib/action_push_web/vapid_key_generator.rb

@@ -0,0 +1,19 @@
+module ActionPushWeb
+  class VapidKeyGenerator
+    def initialize
+      @ec_key = OpenSSL::PKey::EC.generate("prime256v1")
+    end
+
+    def private_key
+      Base64.urlsafe_encode64(ec_key.private_key.to_s(2))
+    end
+
+    def public_key
+      Base64.urlsafe_encode64(ec_key.public_key.to_bn.to_s(2))
+    end
+
+    private
+
+    attr_reader :ec_key
+  end
+end

data/lib/action_push_web/version.rb

@@ -0,0 +1,3 @@
+module ActionPushWeb
+  VERSION = "0.1.0"
+end

data/lib/action_push_web.rb

@@ -0,0 +1,37 @@
+require "zeitwerk"
+require "action_push_web/engine"
+require "action_push_web/errors"
+require "net/http"
+require "net/http/persistent"
+require "jwt"
+
+loader= Zeitwerk::Loader.for_gem(warn_on_extra_files: false)
+loader.ignore("#{__dir__}/generators")
+loader.ignore("#{__dir__}/action_push_web/errors.rb")
+loader.setup
+
+module ActionPushWeb
+  def self.pool
+    @pool ||= Pool.new
+  end
+
+  def self.pool=(pool)
+    @pool = pool
+  end
+
+  def self.config_for(application)
+    platform_config = Rails.application.config_for(:push)[:web]
+    raise "ActionPushWeb: 'web' platform is not configured" unless platform_config.present?
+
+    if application.present?
+      notification_config = platform_config.fetch(application.to_sym, {})
+      platform_config.fetch(:application, {}).merge(notification_config)
+    else
+      platform_config
+    end
+  end
+
+  def self.push(notification)
+    pool.enqueue(notification, config: self.config_for(notification.application))
+  end
+end

data/lib/generators/action_push_web/install/install_generator.rb

@@ -0,0 +1,51 @@
+class ActionPushWeb::InstallGenerator < Rails::Generators::Base
+  source_root File.expand_path("templates", __dir__)
+
+  APPLICATION_LAYOUT_PATH = Rails.root.join("app/views/layouts/application.html.erb")
+
+  def copy_files
+    template "app/models/application_push_subscription.rb"
+    template "app/models/application_push_web_notification.rb"
+    template "app/jobs/application_push_web_notification_job.rb"
+    template "app/views/pwa/service-worker.js"
+    route "mount ActionPushWeb::Engine => \"/action_push_web\""
+
+    if Rails.root.join("config/push.yml").exist?
+      append_to_file "config/push.yml", File.read("#{self.class.source_root}/config/push.yml.tt").split("\n")[1..].join("\n").prepend("\n")
+    else
+      template "config/push.yml"
+    end
+
+    if Rails.root.join("app/javascript/application.js").exist?
+      append_to_file "app/javascript/application.js", %(import "action_push_web"\n)
+    end
+
+    if Rails.root.join("package.json").exist? && Rails.root.join("bun.config.js").exist?
+      # run "bun add action_push_web"
+    elsif Rails.root.join("package.json").exist?
+      # run "yarn add action_push_web"
+    end
+
+    if APPLICATION_LAYOUT_PATH.exist?
+      say "Add action push web meta tag in application layout"
+      insert_into_file APPLICATION_LAYOUT_PATH.to_s, "\n    <%= action_push_web_key_tag %>", before: /\s*<\/head>/
+    else
+      say "Default application.html.erb is missing!", :red
+      say "        Add <%= action_push_web_key_tag %> within the <head> tag in your custom layout."
+    end
+
+    rails_command "railties:install:migrations FROM=action_push_web",
+      inline: true
+
+    vapid_key = ActionPushWeb::VapidKeyGenerator.new
+
+    puts "\n"
+    puts <<~MSG
+      Add this entry to the credentials of the target environment:#{' '}
+
+      action_push_web:
+        public_key: #{vapid_key.public_key}
+        private_key: #{vapid_key.private_key}
+    MSG
+  end
+end

data/lib/generators/action_push_web/install/templates/app/jobs/application_push_web_notification_job.rb.tt

@@ -0,0 +1,7 @@
+class ApplicationPushWebNotificationJob < ActionPushWeb::NotificationJob
+  # Enable logging job arguments (default: false)
+  # self.log_arguments = true
+
+  # Report job retries via the `Rails.error` reporter (default: false)
+  # self.report_job_retries = true
+end

data/lib/generators/action_push_web/install/templates/app/models/application_push_subscription.rb.tt

@@ -0,0 +1,4 @@
+class ApplicationPushSubscription < ActionPushWeb::Subscription
+  # Customize TokenError handling (default: destroy!)
+  # rescue_from (ActionPushWeb::TokenError) { Rails.logger.error("Subscription #{id} token is invalid") }
+end

data/lib/generators/action_push_web/install/templates/app/models/application_push_web_notification.rb.tt

@@ -0,0 +1,12 @@
+class ApplicationPushWebNotification < ActionPushWeb::Notification
+  # Set a custom job queue_name
+  # queue_as :realtime
+
+  # Controls whether push notifications are enabled (default: !Rails.env.test?)
+  # self.enabled = Rails.env.production?
+
+  # Define a custom callback to modify or abort the notification before it is sent
+  # before_delivery do |notification|
+  #   throw :abort if Notification.find(notification.context[:notification_id]).expired?
+  # end
+end

data/lib/generators/action_push_web/install/templates/app/views/pwa/service-worker.js

@@ -0,0 +1,30 @@
+self.addEventListener("push", async (event) => {
+  const data = await event.data.json()
+  event.waitUntil(Promise.all([ showNotification(data), updateBadgeCount(data.options) ]))
+})
+
+async function showNotification({ title, options }) {
+  return self.registration.showNotification(title, options)
+}
+
+async function updateBadgeCount({ data: { badge } }) {
+  return self.navigator.setAppBadge?.(badge || 0)
+}
+
+self.addEventListener("notificationclick", (event) => {
+  event.notification.close()
+
+  const url = new URL(event.notification.data.path, self.location.origin).href
+  event.waitUntil(openURL(url))
+})
+
+async function openURL(url) {
+  const clients = await self.clients.matchAll({ type: "window" })
+  const focused = clients.find((client) => client.focused)
+
+  if (focused) {
+    await focused.navigate(url)
+  } else {
+    await self.clients.openWindow(url)
+  }
+}

data/lib/generators/action_push_web/install/templates/config/push.yml.tt

@@ -0,0 +1,22 @@
+shared:
+  web:
+    public_key: <%%= Rails.application.credentials.action_push_web.public_key %>
+    private_key: <%%= Rails.application.credentials.action_push_web.private_key %>
+
+    # Change the request timeout (default: 30).
+    # request_timeout: 60
+
+    # Change the ttl (default: 2419200).
+    # ttl: 60
+
+    # Change the expiration (default: 43200).
+    # expiration: 60
+
+    # Change the subject (default: mailto:sender@example.com).
+    # subject: mailto:support@my-domain.com
+
+    # Change the urgency (default: normal). You also choose to set this at the notification level.
+    # urgency: high
+
+    # Change the icon path (default: nil). You also choose to set this at the notification level.
+    # icon_path: https://example.com/icon.png

data/lib/pezza_action_push_web.rb

@@ -0,0 +1,4 @@
+require "action_push_web"
+
+module PezzaActionPushWeb
+end

data/lib/tasks/action_push_web_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :action_push_web do
+#   # Task goes here
+# end