Use service workers for push notifications

[dtdesign]

The current implementation for push notifications is implemented through a period polling with increasing delays during inactivity. This does create some load on the server (although very little even for large communities) and is anything but "instant".

We should look into service workers and figure out what the data security looks like.

[TimWolla]

Possibly related to #2777.

[dtdesign]

Depends on #4295, enabling us to use the localStorage to reliably keep multiple tabs in sync.

[darsto]

Service workers only work with HTTPS [1], so even if you decide to use them there should probably be a legacy fallback. Also, I'm already using a service worker on a WCF site for cache management so I would probably end up disabling WCF's one anyway. (because there can be only one service worker per domain).

[1] From MDN: Service workers only run over HTTPS, for security reasons. Having modified network requests, wide open to man in the middle attacks would be really bad. In Firefox, Service Worker APIs are also hidden and cannot be used when the user is in private browsing mode. https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API

[cadeyrn]

Service workers only work with HTTPS [1], so even if you decide to use them there should probably be a legacy fallback.

Honestly I do not see that need. Why should any administrator run a website without HTTPS in the year 2022 (and later)? There are zero reasons. And even if an administrator decides so - push notifications are not strictly needed and it's an explicit decision to deny the use of HTTPS. So why bother with a legacy implementation for such a small number of affected installations?

[darsto]

If not intentional HTTP then testing or just internal installations come to mind. Maybe they are minor cases, I don't know. But it's exactly the case of 'why bother'. The current solution works, this one has drawbacks, imo no need to touch it.

[cadeyrn]

If not intentional HTTP then testing or just internal installations come to mind.

There is no reason why you couldn't use HTTPS in testing or for internal installations.

[Cyperghost]

• A public and private key is required as p256ecdsa
  • The public key must have a length of 65 bytes.
  • The private key must have a length of 32 bytes.
  • If these are changed, the database with all endpoints must be cleared, as they can no longer be used.
• A script that register the serviceWorker.js https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerContainer/register#examples
  • This script need our server public key
  • On success we need to store the endpoint, auth token and public key in the database https://developer.mozilla.org/en-US/docs/Web/API/PushSubscription/getKey#examples
• When sending notifications to client, through the UserNotificationHandler
  • Queue a new BackgroundJob that send this notification per endpoint
  • Payload should not exceed 3052 bytes https://stackoverflow.com/a/66222350
  • Encrypt the payload
  • Handle failed request and remove this endpoint from database

Requirements

• OpenSSL is required with prime256v1 and aes-128-gcm. The hash algorithm sha256 is also required.
• bcmath or gmp is optional, but speeds up the encryption part.

Some helpful links:

• https://github.com/web-push-libs/web-push-php/
• https://github.com/Minishlink/web-push-php-example