pezza_action_push_web 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6874f14504ef40025713d4b82b955e135845182a3629899a976ab3e665fe397
-  data.tar.gz: 4b2e90aefaafd63951bc527f86c122951c8a50704d2e0f9fca010d1630c25543
+  metadata.gz: 2b38a01863916f285ea98b99ea79483767c4633bc1bf51a54c232703260e947c
+  data.tar.gz: e0cad328df4292a41a013554ff90176b8fe34baaaf77477a03e26620ae7e0075
 SHA512:
-  metadata.gz: 4b84140a676d8c9ced3c23b343bf0ff306c9a3619042a7ab23320111791011a8f20cfdc2438a51ed00be743b3eae2962d2a202db82cdd2496f3c83704534977a
-  data.tar.gz: 07df39534c92844a589e922fb017165e259f65f7d12b3ba0b21fc173de3243a36a1556a2866cedd5c9b0a1669d992fe5bf674b7c8e2cbd1d5880830c660095b7
+  metadata.gz: 1f8cc2f332367bfef4d89b06864379447337e09ae825354aa712de31c863d3b2b5ea90451cab640aca6756b4808bb013f9afe8572d258c3288b097b38d5e8418
+  data.tar.gz: 151514426c7a3218ada6b191a8fe917364d7a571577ec9d0b1174cb0d73e2b0cc3a91182dfabfa23934823879ab7d1a0dcdd409a1eb3b074b9ed85f1c7c108c5

data/README.md

@@ -26,7 +26,6 @@ The installation will create:
 - `app/views/pwa/service_worker.js`
 - mount the subscriptions controllers
 - import action_push_web.js in your application.js
-- Add `<%= action_push_web_key_tag %>` to the <head> of your application's layout if it can find it. Otherwise, you'll need to add it manually.
 
 
 `app/models/application_push_web_notification.rb`:
@@ -94,8 +93,8 @@ shared:
     # Change the subject (default: mailto:sender@example.com).
     # expiration: mailto:support@my-domain.com
 
-    # Change the urgency (default: normal). You also choose to set this at the notification level.
-    # urgency: high
+    # Change the urgency (default: high). You also choose to set this at the notification level.
+    # urgency: normal
 ```
 
 This file contains the configuration for the push notification services you want to use.

data/app/assets/javascripts/action_push_web.js

@@ -10,11 +10,6 @@ class Request extends HTMLElement {
     this.addEventListener("click", this.onClick);
   }
   #setState() {
-    if (this.isEnabled) {
-      this.removeAttribute("disabled");
-    } else {
-      this.setAttribute("disabled", true);
-    }
     this.hidden = !this.isEnabled;
   }
   disconnectedCallback() {
@@ -24,15 +19,12 @@ class Request extends HTMLElement {
     this.#setState();
   }
   get isEnabled() {
-    return navigator.serviceWorker && window.Notification && Notification.permission == "default" && this.getAttribute("href");
-  }
-  get #isDisabled() {
-    return this.hasAttribute("disabled");
+    return navigator.serviceWorker && window.Notification && Notification.permission == "default";
   }
   async onClick(event) {
     event.preventDefault();
     event.stopPropagation();
-    if (this.isEnabled && !this.isDisabled) {
+    if (this.isEnabled) {
       const permission = await Notification.requestPermission();
       if (permission === "granted") {
         document.dispatchEvent(new CustomEvent("action-push-web:granted", {}));
@@ -66,292 +58,6 @@ class Denied extends HTMLElement {
   }
 }
 
-// node_modules/@rails/request.js/src/fetch_response.js
-class FetchResponse {
-  constructor(response) {
-    this.response = response;
-  }
-  get statusCode() {
-    return this.response.status;
-  }
-  get redirected() {
-    return this.response.redirected;
-  }
-  get ok() {
-    return this.response.ok;
-  }
-  get unauthenticated() {
-    return this.statusCode === 401;
-  }
-  get unprocessableEntity() {
-    return this.statusCode === 422;
-  }
-  get authenticationURL() {
-    return this.response.headers.get("WWW-Authenticate");
-  }
-  get contentType() {
-    const contentType = this.response.headers.get("Content-Type") || "";
-    return contentType.replace(/;.*$/, "");
-  }
-  get headers() {
-    return this.response.headers;
-  }
-  get html() {
-    if (this.contentType.match(/^(application|text)\/(html|xhtml\+xml)$/)) {
-      return this.text;
-    }
-    return Promise.reject(new Error(`Expected an HTML response but got "${this.contentType}" instead`));
-  }
-  get json() {
-    if (this.contentType.match(/^application\/.*json$/)) {
-      return this.responseJson || (this.responseJson = this.response.json());
-    }
-    return Promise.reject(new Error(`Expected a JSON response but got "${this.contentType}" instead`));
-  }
-  get text() {
-    return this.responseText || (this.responseText = this.response.text());
-  }
-  get isTurboStream() {
-    return this.contentType.match(/^text\/vnd\.turbo-stream\.html/);
-  }
-  get isScript() {
-    return this.contentType.match(/\b(?:java|ecma)script\b/);
-  }
-  async renderTurboStream() {
-    if (this.isTurboStream) {
-      if (window.Turbo) {
-        await window.Turbo.renderStreamMessage(await this.text);
-      } else {
-        console.warn("You must set `window.Turbo = Turbo` to automatically process Turbo Stream events with request.js");
-      }
-    } else {
-      return Promise.reject(new Error(`Expected a Turbo Stream response but got "${this.contentType}" instead`));
-    }
-  }
-  async activeScript() {
-    if (this.isScript) {
-      const script = document.createElement("script");
-      const metaTag = document.querySelector("meta[name=csp-nonce]");
-      if (metaTag) {
-        const nonce = metaTag.nonce === "" ? metaTag.content : metaTag.nonce;
-        if (nonce) {
-          script.setAttribute("nonce", nonce);
-        }
-      }
-      script.innerHTML = await this.text;
-      document.body.appendChild(script);
-    } else {
-      return Promise.reject(new Error(`Expected a Script response but got "${this.contentType}" instead`));
-    }
-  }
-}
-
-// node_modules/@rails/request.js/src/request_interceptor.js
-class RequestInterceptor {
-  static register(interceptor) {
-    this.interceptor = interceptor;
-  }
-  static get() {
-    return this.interceptor;
-  }
-  static reset() {
-    this.interceptor = undefined;
-  }
-}
-
-// node_modules/@rails/request.js/src/lib/utils.js
-function getCookie(name) {
-  const cookies = document.cookie ? document.cookie.split("; ") : [];
-  const prefix = `${encodeURIComponent(name)}=`;
-  const cookie = cookies.find((cookie2) => cookie2.startsWith(prefix));
-  if (cookie) {
-    const value = cookie.split("=").slice(1).join("=");
-    if (value) {
-      return decodeURIComponent(value);
-    }
-  }
-}
-function compact(object) {
-  const result = {};
-  for (const key in object) {
-    const value = object[key];
-    if (value !== undefined) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-function metaContent(name) {
-  const element = document.head.querySelector(`meta[name="${name}"]`);
-  return element && element.content;
-}
-function stringEntriesFromFormData(formData) {
-  return [...formData].reduce((entries, [name, value]) => {
-    return entries.concat(typeof value === "string" ? [[name, value]] : []);
-  }, []);
-}
-function mergeEntries(searchParams, entries) {
-  for (const [name, value] of entries) {
-    if (value instanceof window.File)
-      continue;
-    if (searchParams.has(name) && !name.includes("[]")) {
-      searchParams.delete(name);
-      searchParams.set(name, value);
-    } else {
-      searchParams.append(name, value);
-    }
-  }
-}
-
-// node_modules/@rails/request.js/src/fetch_request.js
-class FetchRequest {
-  constructor(method, url, options = {}) {
-    this.method = method;
-    this.options = options;
-    this.originalUrl = url.toString();
-  }
-  async perform() {
-    try {
-      const requestInterceptor = RequestInterceptor.get();
-      if (requestInterceptor) {
-        await requestInterceptor(this);
-      }
-    } catch (error) {
-      console.error(error);
-    }
-    const fetch = this.responseKind === "turbo-stream" && window.Turbo ? window.Turbo.fetch : window.fetch;
-    const response = new FetchResponse(await fetch(this.url, this.fetchOptions));
-    if (response.unauthenticated && response.authenticationURL) {
-      return Promise.reject(window.location.href = response.authenticationURL);
-    }
-    if (response.isScript) {
-      await response.activeScript();
-    }
-    const responseStatusIsTurboStreamable = response.ok || response.unprocessableEntity;
-    if (responseStatusIsTurboStreamable && response.isTurboStream) {
-      await response.renderTurboStream();
-    }
-    return response;
-  }
-  addHeader(key, value) {
-    const headers = this.additionalHeaders;
-    headers[key] = value;
-    this.options.headers = headers;
-  }
-  sameHostname() {
-    if (!this.originalUrl.startsWith("http:") && !this.originalUrl.startsWith("https:")) {
-      return true;
-    }
-    try {
-      return new URL(this.originalUrl).hostname === window.location.hostname;
-    } catch (_) {
-      return true;
-    }
-  }
-  get fetchOptions() {
-    return {
-      method: this.method.toUpperCase(),
-      headers: this.headers,
-      body: this.formattedBody,
-      signal: this.signal,
-      credentials: this.credentials,
-      redirect: this.redirect,
-      keepalive: this.keepalive
-    };
-  }
-  get headers() {
-    const baseHeaders = {
-      "X-Requested-With": "XMLHttpRequest",
-      "Content-Type": this.contentType,
-      Accept: this.accept
-    };
-    if (this.sameHostname()) {
-      baseHeaders["X-CSRF-Token"] = this.csrfToken;
-    }
-    return compact(Object.assign(baseHeaders, this.additionalHeaders));
-  }
-  get csrfToken() {
-    return getCookie(metaContent("csrf-param")) || metaContent("csrf-token");
-  }
-  get contentType() {
-    if (this.options.contentType) {
-      return this.options.contentType;
-    } else if (this.body == null || this.body instanceof window.FormData) {
-      return;
-    } else if (this.body instanceof window.File) {
-      return this.body.type;
-    }
-    return "application/json";
-  }
-  get accept() {
-    switch (this.responseKind) {
-      case "html":
-        return "text/html, application/xhtml+xml";
-      case "turbo-stream":
-        return "text/vnd.turbo-stream.html, text/html, application/xhtml+xml";
-      case "json":
-        return "application/json, application/vnd.api+json";
-      case "script":
-        return "text/javascript, application/javascript";
-      default:
-        return "*/*";
-    }
-  }
-  get body() {
-    return this.options.body;
-  }
-  get query() {
-    const originalQuery = (this.originalUrl.split("?")[1] || "").split("#")[0];
-    const params = new URLSearchParams(originalQuery);
-    let requestQuery = this.options.query;
-    if (requestQuery instanceof window.FormData) {
-      requestQuery = stringEntriesFromFormData(requestQuery);
-    } else if (requestQuery instanceof window.URLSearchParams) {
-      requestQuery = requestQuery.entries();
-    } else {
-      requestQuery = Object.entries(requestQuery || {});
-    }
-    mergeEntries(params, requestQuery);
-    const query = params.toString();
-    return query.length > 0 ? `?${query}` : "";
-  }
-  get url() {
-    return this.originalUrl.split("?")[0].split("#")[0] + this.query;
-  }
-  get responseKind() {
-    return this.options.responseKind || "html";
-  }
-  get signal() {
-    return this.options.signal;
-  }
-  get redirect() {
-    return this.options.redirect || "follow";
-  }
-  get credentials() {
-    return this.options.credentials || "same-origin";
-  }
-  get keepalive() {
-    return this.options.keepalive || false;
-  }
-  get additionalHeaders() {
-    return this.options.headers || {};
-  }
-  get formattedBody() {
-    const bodyIsAString = Object.prototype.toString.call(this.body) === "[object String]";
-    const contentTypeIsJson = this.headers["Content-Type"] === "application/json";
-    if (contentTypeIsJson && !bodyIsAString) {
-      return JSON.stringify(this.body);
-    }
-    return this.body;
-  }
-}
-
-// node_modules/@rails/request.js/src/verbs.js
-async function post(url, options) {
-  const request = new FetchRequest("post", url, options);
-  return request.perform();
-}
-
 // app/assets/javascripts/components/granted.js
 class Granted extends HTMLElement {
   constructor() {
@@ -376,22 +82,26 @@ class Granted extends HTMLElement {
     });
   }
   get #isEnabled() {
-    return !!navigator.serviceWorker && !!window.Notification && Notification.permission == "granted";
+    return !!navigator.serviceWorker && !!window.Notification && Notification.permission == "granted" && this.getAttribute("href") && this.getAttribute("public-key");
   }
   get #serviceWorkerRegistration() {
     return navigator.serviceWorker.getRegistration();
   }
   get #vapidPublicKey() {
-    const encodedVapidPublicKey = document.querySelector('meta[name="action-push-web-public-key"]').content;
-    return this.#urlBase64ToUint8Array(encodedVapidPublicKey);
+    return this.#urlBase64ToUint8Array(this.getAttribute("public-key"));
   }
   async#syncPushSubscription(subscription) {
-    const response = await post(this.getAttribute("href"), {
-      body: this.#extractJsonPayloadAsString(subscription)
+    const response = await fetch(this.getAttribute("href"), {
+      method: "POST",
+      body: this.#extractJsonPayloadAsString(subscription),
+      headers: {
+        Accept: "text/vnd.turbo-stream.html, text/html, application/xhtml+xml",
+        "Content-Type": "application/json",
+        "X-CSRF-Token": document.querySelector("meta[name=csrf-token]").content
+      }
     });
-    if (!response.ok) {
+    if (!response.ok)
       subscription.unsubscribe();
-    }
   }
   #extractJsonPayloadAsString(subscription) {
     const { endpoint, keys: { p256dh, auth } } = subscription.toJSON();

data/app/assets/javascripts/components/granted.js

@@ -1,5 +1,3 @@
-import { post } from "@rails/request.js"
-
 export default class Granted extends HTMLElement {
   constructor() {
     super();
@@ -30,7 +28,7 @@ export default class Granted extends HTMLElement {
   }
 
   get #isEnabled() {
-    return !!navigator.serviceWorker && !!window.Notification && Notification.permission == "granted"
+    return !!navigator.serviceWorker && !!window.Notification && Notification.permission == "granted" && this.getAttribute('href') && this.getAttribute('public-key')
   }
 
   get #serviceWorkerRegistration() {
@@ -38,18 +36,20 @@ export default class Granted extends HTMLElement {
   }
 
   get #vapidPublicKey() {
-    const encodedVapidPublicKey = document.querySelector('meta[name="action-push-web-public-key"]').content
-    return this.#urlBase64ToUint8Array(encodedVapidPublicKey)
+    return this.#urlBase64ToUint8Array(this.getAttribute('public-key'))
   }
 
   async #syncPushSubscription(subscription) {
-    const response = await post(this.getAttribute('href'), {
+    const response = await fetch(this.getAttribute('href'), {
+      method: "POST",
       body: this.#extractJsonPayloadAsString(subscription),
+      headers: {
+        Accept: "text/vnd.turbo-stream.html, text/html, application/xhtml+xml",
+        "Content-Type": "application/json",
+        "X-CSRF-Token": document.querySelector("meta[name=csrf-token]").content
+      }
     })
-
-    if (!response.ok) {
-      subscription.unsubscribe()
-    }
+    if (!response.ok) subscription.unsubscribe()
   }
 
   #extractJsonPayloadAsString(subscription) {

data/app/assets/javascripts/components/request.js

@@ -13,12 +13,6 @@ export default class Request extends HTMLElement {
   }
 
   #setState() {
-    if (this.isEnabled) {
-      this.removeAttribute('disabled')
-    } else {
-      this.setAttribute('disabled', true)
-    }
-
     this.hidden = !this.isEnabled;
   }
 
@@ -31,18 +25,14 @@ export default class Request extends HTMLElement {
   }
 
   get isEnabled() {
-    return navigator.serviceWorker && window.Notification && Notification.permission == "default" && this.getAttribute('href')
-  }
-
-  get #isDisabled() {
-    return this.hasAttribute('disabled')
+    return navigator.serviceWorker && window.Notification && Notification.permission == "default"
   }
 
   async onClick(event) {
     event.preventDefault();
     event.stopPropagation();
 
-    if (this.isEnabled && !this.isDisabled) {
+    if (this.isEnabled) {
       const permission = await Notification.requestPermission()
       if (permission === "granted") {
         document.dispatchEvent(new CustomEvent('action-push-web:granted', {}))

data/app/controllers/action_push_web/subscriptions_controller.rb

@@ -1,11 +1,8 @@
 module ActionPushWeb
   class SubscriptionsController < ApplicationController
     def create
-      if subscription = ApplicationPushSubscription.find_by(push_subscription_params)
-        subscription.touch
-      else
-        ApplicationPushSubscription.create! push_subscription_params.merge(user_agent: request.user_agent)
-      end
+      ApplicationPushSubscription.create_with(user_agent: request.user_agent).
+        create_or_find_by!(push_subscription_params)
 
       head :ok
     end

data/app/helpers/action_push_web/application_helper.rb

@@ -1,18 +1,14 @@
 module ActionPushWeb
   module ApplicationHelper
-    def action_push_web_key_tag(application: nil)
-      tag.meta name: "action-push-web-public-key",
-        content: ActionPushWeb.config_for(application)[:public_key]
-    end
-
     def when_web_notifications_disabled(**attrs, &block)
       content_tag("action-push-web-denied", capture(&block), **attrs)
     end
 
     def when_web_notifications_allowed(href: action_push_web.subscriptions_path,
-      service_worker_url: pwa_service_worker_path(format: :js), **attrs, &block)
+      service_worker_url: pwa_service_worker_path(format: :js), application: nil, **attrs, &block)
       content_tag("action-push-web-granted", capture(&block),
-        href:, service_worker_url:, **attrs)
+        href:, "service-worker-url" => service_worker_url,
+        "public-key" => ActionPushWeb.config_for(application)[:public_key], **attrs)
     end
 
     def ask_for_web_notifications(**attrs, &block)

data/app/models/action_push_web/ssrf_protection.rb

@@ -0,0 +1,52 @@
+module ActionPushWeb
+  module SsrfProtection
+    extend self
+
+    DNS_RESOLUTION_TIMEOUT = 2
+
+    DNS_NAMESERVERS = %w[
+      1.1.1.1
+      8.8.8.8
+    ]
+
+    DISALLOWED_IP_RANGES = [
+      IPAddr.new("0.0.0.0/8"),     # "This" network (RFC1700)
+      IPAddr.new("100.64.0.0/10"), # Carrier-grade NAT (RFC6598)
+      IPAddr.new("198.18.0.0/15")  # Benchmark testing (RFC2544)
+    ].freeze
+
+    def resolve_public_ip(hostname)
+      ip_addresses = resolve_dns(hostname)
+      public_ips = ip_addresses.reject { |ip| blocked_address?(ip) }
+      public_ips.sort_by { |ipaddr| ipaddr.ipv4? ? 0 : 1 }.first&.to_s
+    end
+
+    def blocked_address?(ip)
+      ip = IPAddr.new(ip.to_s) unless ip.is_a?(IPAddr)
+
+      ip.private? ||
+        ip.loopback? ||
+        ip.link_local? ||
+        ip.ipv4_mapped? ||
+        ip.ipv4_compat? ||
+        in_disallowed_range?(ip)
+    end
+
+    private
+      def resolve_dns(hostname)
+        ip_addresses = []
+
+        Resolv::DNS.open(nameserver: DNS_NAMESERVERS, timeouts: DNS_RESOLUTION_TIMEOUT) do |dns|
+          dns.each_address(hostname) do |ip_address|
+            ip_addresses << IPAddr.new(ip_address.to_s)
+          end
+        end
+
+        ip_addresses
+      end
+
+      def in_disallowed_range?(ip)
+        DISALLOWED_IP_RANGES.any? { |range| range.include?(ip) }
+      end
+  end
+end

data/app/models/action_push_web/subscription.rb

@@ -2,12 +2,53 @@ module ActionPushWeb
   class Subscription < ApplicationRecord
     include ActiveSupport::Rescuable
 
+    PERMITTED_ENDPOINT_HOSTS = %w[
+      jmt17.google.com
+      fcm.googleapis.com
+      updates.push.services.mozilla.com
+      web.push.apple.com
+      notify.windows.com
+    ].freeze
+
     rescue_from(TokenError) { destroy! }
 
     belongs_to :owner, polymorphic: true, optional: true
 
+    validates :endpoint, presence: true
+    validate :validate_endpoint_url
+
     def push(notification)
       ActionPushWeb.push(SubscriptionNotification.new(notification:, subscription: self))
     end
+
+    def resolved_endpoint_ip
+      return @resolved_endpoint_ip if defined?(@resolved_endpoint_ip)
+      @resolved_endpoint_ip = SsrfProtection.resolve_public_ip(endpoint_uri&.host)
+    end
+
+    private
+
+      def endpoint_uri
+        @endpoint_uri ||= URI.parse(endpoint) if endpoint.present?
+      rescue URI::InvalidURIError
+        nil
+      end
+
+      def validate_endpoint_url
+        if endpoint_uri.nil?
+          errors.add(:endpoint, "is not a valid URL")
+        elsif endpoint_uri.scheme != "https"
+          errors.add(:endpoint, "must use HTTPS")
+        elsif !permitted_endpoint_host?
+          errors.add(:endpoint, "is not a permitted push service")
+        elsif resolved_endpoint_ip.nil?
+          errors.add(:endpoint, "resolves to a private or invalid IP address")
+        end
+      end
+
+      def permitted_endpoint_host?
+        host = endpoint_uri&.host&.downcase
+        PERMITTED_ENDPOINT_HOSTS.any? { |permitted| host&.end_with?(permitted) }
+      end
   end
 end

data/db/migrate/20251209235643_add_unique_index.rb

@@ -0,0 +1,6 @@
+class AddUniqueIndex < ActiveRecord::Migration[8.1]
+  def change
+    add_index :action_push_web_subscriptions,
+      [ :owner_type, :owner_id, :endpoint ], unique: true
+  end
+end

data/db/migrate/20260517003340_add_unique_index_for_null_owner.rb

@@ -0,0 +1,6 @@
+class AddUniqueIndexForNullOwner < ActiveRecord::Migration[8.1]
+  def change
+    add_index :action_push_web_subscriptions, :endpoint, unique: true,
+      where: "owner_id IS NULL AND owner_type IS NULL"
+  end
+end

data/lib/action_push_web/notification.rb

@@ -46,7 +46,7 @@ module ActionPushWeb
     end
 
     def urgency
-      (@urgency.presence || config.fetch(:urgency, :normal)).to_s
+      (@urgency.presence || config.fetch(:urgency, :high)).to_s
     end
 
     def as_json

data/lib/action_push_web/pusher.rb

@@ -10,7 +10,11 @@ module ActionPushWeb
         it.body = payload
       end
 
-      connection.request(uri, request).tap { handle_response(it) }
+      if resolved_endpoint_ip
+        pinned_connection.request(request)
+      else
+        connection.request(uri, request)
+      end.tap { handle_response(it) }
     rescue OpenSSL::OpenSSLError
       raise TokenError.new
     end
@@ -20,7 +24,7 @@ module ActionPushWeb
     attr_reader :config, :notification
 
     delegate :title, :body, :icon_path, :path, :silent, :badge, :endpoint, :p256dh_key,
-      :auth_key, to: :notification
+      :auth_key, :resolved_endpoint_ip, to: :notification
 
     def message
       JSON.generate title:, options: { body:, icon: icon_path, silent:, badge:, data: { path: } }
@@ -38,6 +42,13 @@ module ActionPushWeb
       @uri ||= URI.parse(endpoint)
     end
 
+    def pinned_connection
+      Net::HTTP.new(uri.host, uri.port).tap do |http|
+        http.ipaddr = resolved_endpoint_ip
+        http.use_ssl = true
+      end
+    end
+
     def headers
       headers = {}
       headers["Content-Type"]     = "application/octet-stream"

data/lib/action_push_web/subscription_notification.rb

@@ -8,6 +8,6 @@ module ActionPushWeb
     attr_reader :notification, :subscription
 
     delegate_missing_to :notification
-    delegate :endpoint, :p256dh_key, :auth_key, to: :subscription
+    delegate :endpoint, :p256dh_key, :auth_key, :resolved_endpoint_ip, to: :subscription
   end
 end

data/lib/action_push_web/version.rb

@@ -1,3 +1,3 @@
 module ActionPushWeb
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/lib/generators/action_push_web/install/install_generator.rb

@@ -26,14 +26,6 @@ class ActionPushWeb::InstallGenerator < Rails::Generators::Base
       # run "yarn add action_push_web"
     end
 
-    if APPLICATION_LAYOUT_PATH.exist?
-      say "Add action push web meta tag in application layout"
-      insert_into_file APPLICATION_LAYOUT_PATH.to_s, "\n    <%= action_push_web_key_tag %>", before: /\s*<\/head>/
-    else
-      say "Default application.html.erb is missing!", :red
-      say "        Add <%= action_push_web_key_tag %> within the <head> tag in your custom layout."
-    end
-
     rails_command "railties:install:migrations FROM=action_push_web",
       inline: true
 

data/lib/generators/action_push_web/install/templates/config/push.yml.tt

@@ -15,8 +15,8 @@ shared:
     # Change the subject (default: mailto:sender@example.com).
     # subject: mailto:support@my-domain.com
 
-    # Change the urgency (default: normal). You also choose to set this at the notification level.
-    # urgency: high
+    # Change the urgency (default: high). You also choose to set this at the notification level.
+    # urgency: normal
 
     # Change the icon path (default: nil). You also choose to set this at the notification level.
     # icon_path: https://example.com/icon.png

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pezza_action_push_web
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Nick Pezza
@@ -112,10 +112,13 @@ files:
 - app/controllers/action_push_web/subscriptions_controller.rb
 - app/helpers/action_push_web/application_helper.rb
 - app/jobs/action_push_web/notification_job.rb
+- app/models/action_push_web/ssrf_protection.rb
 - app/models/action_push_web/subscription.rb
 - config/importmap.rb
 - config/routes.rb
 - db/migrate/20250907213606_create_action_push_web_subscriptions.rb
+- db/migrate/20251209235643_add_unique_index.rb
+- db/migrate/20260517003340_add_unique_index_for_null_owner.rb
 - lib/action_push_web.rb
 - lib/action_push_web/engine.rb
 - lib/action_push_web/errors.rb
@@ -156,7 +159,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.1
+rubygems_version: 4.0.11
 specification_version: 4
 summary: Send push notifications to web apps
 test_files: []