Web Push Notifications

[sorin-davidoi]

This PR introduces the ability to send Web Push Notifications. The basic idea is to save a push subscription to the backend, which can then be used to wake up the Service Worker and display a notification when something happened, even if Mastodon is not opened. Together with #3052 this can make Mastodon pretty much indistinguishable from a native application (at least on Android).

Features to implement:

• Register Service Worker
• Generate VAPID keys in the backend
• Pass the public VAPID key to the frontend
• Register push subscription to the backend
• Delete invalid push subscriptions
• Send push notifications
  • Mentions
  • New followers
    • Follow
    • Follow request
  • Favorites
  • Boosts
• Localize messages
• Handle notification interactions
• Integrate in the UI - one should be able to control the settings for each individual subscription (e.g. for what type of events it gets triggered). This is not a per account preference, as I assume people want different settings for each device (e.g. only push for mentions on mobile, but push all notifications on desktop).
• Handle backend changing the applicationServerKey
• Handle RTL
• Display attachment
• Unregister push subscription when logging out - can not figure out how to associate a subscription with a session, such that when the user logs out the subscription is destroyed
• Set VAPID keys via configuration
• Move logic out of SettingsController - I could not figure out how to create a new endpoint for this, so I've hijacked this controller for adding and updating subscriptions.
• Add actions to the notification
  • Favourite / boost status

Browser support: Chrome and Firefox. Cannot be polyfilled.

Closes #1122, #1039.

[nolanlawson]

I was just about to ask how you managed to get Chrome to do push notifications without a GCM/FCM ID, but it looks like they've removed that requirement, which is going to make our lives a lot easier. Hooray! 🎉

[sorin-davidoi]

I think this is ready for a first review. Updated the description with stuff that still needs to be done. Tested on Firefox and Chrome on Linux (KDE Plasma) and on Android.

[akihikodaki]

I have some questions and found something suspicious, so please review them. I'm looking forward this feature.

[akihikodaki]

Does it need explicit status?

[sorin-davidoi]

Don't think so.

[akihikodaki]

I suppose you mean getPushSubscription instead of getPushSubscription()?

[sorin-davidoi]

Yes.

[akihikodaki]

Why not index?

[sorin-davidoi]

This was generated by the following command, so I cannot answer that 😄 How should it look like?

rails generate model WebPushSubscription account_id:integer endpoint:string:unique key_p256dh:string key_auth:string

[akihikodaki]

Please look at other tables. Here is an example:

t.index ["account_id"], name: "index_reports_on_account_id", using: :btree

[akihikodaki]

Spec?

[akihikodaki]

Spec this, too.

[akihikodaki]

Where WebPushNotifications comes from?

[sorin-davidoi]

Ruby magic 😄 ? Guess it is the database model?

[akihikodaki]

Ruby can sometimes do magic, but it should be in schema.rb anyway if it is a database model.

[akihikodaki]

What is it for?

[sorin-davidoi]

Will try to see tomorrow how Rails tests work and maybe add some specs if I can figure things out.

[akihikodaki]

I found an error with CI.

[akihikodaki]

This makes the spec fail.

[sorin-davidoi]

If this spec gets traction we might even be able to reply from the notification.

[Gargron]

33 files change - I'm already scared :D Is this ready for review?

[sorin-davidoi]

I still haven't figured out how to attach the subscription to the session, so that when the user logs out the subscription gets deleted. Also need to pass the VAPID keys via config files / environment (right now they are generated when the server starts).

[sorin-davidoi]

@akihikodaki I explored a bit our options for clearing the subscriptions. We have the following in doorkeeper.rb:

  # Reuse access token for the same resource owner within an application (disabled by default)
  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
  reuse_access_token

What I understand from this is that we do not keep track of each user session (we use one token for all sessions), so there is no way to associate a push subscription with the session that created it. What is the reason for this? What would be the implications of issuing a new token for each login and deleting the token when the user logs out (attaching the push subscription to this token and deleting them together).

Another approach would be to manually delete the push subscription from the front-end when the user logs out, but that would create a huge security / privacy issue.

Don't really know how to proceed with this.

[Gargron]

What is the reason for this?

The web UI uses the API like any other app would use the API, so it needs an access token. Reusing of the access token was implemented in response to #1681

[akihikodaki]

Another approach would be to manually delete the push subscription from the front-end when the user logs out, but that would create a huge security / privacy issue.

Could you tell me about your security concern?

[sorin-davidoi]

1. Call /auth/sign_out -> success
2. Call endpoint deleting the current subscription -> fail

Result: the user is logged out, but the browser keeps getting push notifications for that account. Also someone can mess with the code and skip the request to delete the subscription.

Signing out and deleting the subscription should be an atomic operation, handled by the back-end.

Ideally, there would be another model (Device or Session or something similar), with an account having multiple devices (places where the user is signed in). A device has a subscription. When the user logs out, the corresponding device gets deleted together with the attached subscription. This would also enable the user to see where they are logged in and log out remotely (kind of like Dropbox does it, see screenshot below).

[Gargron]

http://www.jonathanleighton.com/articles/2013/revocable-sessions-with-devise/

[akihikodaki]

@sorin-davidoi

the user is logged out, but the browser keeps getting push notifications for that account. Also someone can mess with the code and skip the request to delete the subscription.

Even now we have access_token, which remains valid after signing out.

[sorin-davidoi]

The tests fail because these two lines need to be executed after each call to sign_in (for all tests). Tried putting the following into spec_helper.rb but didn't help. Any pointers?

Devise.setup do |config|
  Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
    ActiveSession.deactivate warden.raw_session['auth_id']
    warden.raw_session['auth_id'] = user.activate_session
  end
end

[akihikodaki]

I think it is because Devise::Test::ControllerHelpers does not support configuration by Devise.setup.
https://github.com/plataformatec/devise/blob/9fe7040db90be1acb499d2534b077266dbf3b209/lib/devise/test/controller_helpers.rb#L63

Devise::Test::ControllerHelpers is included in rails_helper. You may hook sign_in there. (it's is a bit hacky, but it cannot be helped, I think.)
https://github.com/tootsuite/mastodon/blob/fd66f7cdc0931a67a2e24d887fb79f44fc42e2bc/spec/rails_helper.rb#L26

[Gargron]

I suggest extracting Devise modifications into a separate PR to make reviewing easier

[akihikodaki]

I think it is because Devise::Test::ControllerHelpers does not support configuration by Devise.setup.
https://github.com/plataformatec/devise/blob/9fe7040db90be1acb499d2534b077266dbf3b209/lib/devise/test/controller_helpers.rb#L63

Devise::Test::ControllerHelpers is included in rails_helper. You may hook sign_in there. (it's is a bit hacky, but it cannot be helped, I think.)
https://github.com/tootsuite/mastodon/blob/fd66f7cdc0931a67a2e24d887fb79f44fc42e2bc/spec/rails_helper.rb#L26

[sorin-davidoi]

Will continue work once #3616 is merged.

[sorin-davidoi]

@Gargron Do you have some insights into this? If I call axios.put('/api/web/push_subscriptions/2' I get this in the logs:

Started PUT "/api/web/push_subscriptions/2" for 127.0.0.1 at 2017-06-24 16:34:57 +0200
Processing by ApplicationController#raise_not_found as HTML

axios.put('/api/web/push_subscriptions') works fine though.

Cannot seem to figure it out.

[Gargron]

"resource" means there's no index, show with no ID (e.g. there is always one item)

"resources" is what gives you both index and show with ID

[sorin-davidoi]

Added actions when you are mentioned:

[sorin-davidoi]

I think this is ready for review. The service worker is configured not to cache anything. The offline-plugin configuration is mostly copied from #3052 and is only active during in the production build. All the lint errors are logging statements that I've left in to aid testing / debugging.

For testing, after you see the "Subscription registered" notification, go to the settings notifications and:

• disable desktop notifications
• enable push notification

This will make it less confusing which type of notifications you are receiving. Would be nice if you could take a look at Chrome and Firefox on Android.

[beatrix-bitrot]

I, Beatrix Bitrot, being of sound mind and of my own volition APPROVE THESE CHANGES

[nightpool]

@sorin-davidoi it's hard to see how user-side logging is really going to help in this case (it's difficult enough to get users to tell us when something goes wrong, much less get them to have the dev console open at the right time) but if you think it's important to keep it, I defer to your judgement

[beatrix-bitrot]

ah, about the console log statements? i'm indifferent

for most users i don't think they be any use but on bleeding edge instances they may come in handy

maybe leave them in master for a bit and remove before the next tagged release? idk

another option is to leave them in here, then make another PR that removes them so that if anyone needs to enable them for testing all they need to do is revert the commit that removes them

idk

[akihikodaki]

I have added many comments, but they are trivial and the logic itself looks fine. I hope they will be addressed soon and the change will be merged.

[akihikodaki]

Why not params.require?

[akihikodaki]

Use create!.

[sorin-davidoi]

Hm, does not seem to work, as this is called from an endpoint.

[nightpool]

what's the problem with calling create from an endpoint?

[sorin-davidoi]

Ah, think I misunderstood the comment. I took it as to change the name of the method from create to create!. Will update it after I fix the conflicts 🙄

[akihikodaki]

Use update!.

[sorin-davidoi]

Same comment as create!.

[akihikodaki]

The following statement would be enough. A promise as resolved value will be evaluated and expanded.

resolve(makeRequest(event.notification, action)
  .then(() => removeActionFromNotification(event.notification, action)));

[akihikodaki]

Returned values does not really matter for promises.

[akihikodaki]

I think you are aware of, but here I note you should be consistent, whether you use eslint-disable-next-line or not. If you use, apply for all other console. If you do not, remove this.

[sorin-davidoi]

Will remove the other logs.

[akihikodaki]

I guess the following columns cannot not be null, can they?

[akihikodaki]

Failing to send push notifications should not result in Internal Server Error

Yes, but that is controllers' business. If it is just to eliminate Internal Server Error, rescue in controllers.

[sorin-davidoi]

Not really sure where to move the rescues then (this is called from a ton of places, all of them services - should each of them duplicate the rescues?).

[nightpool]

Are we sending notifications synchronously? that seems really bad.

If it's from sidekiq, then we can just let the error propagate so we retry the job.

[sorin-davidoi]

To be honest I don't really know - don't have a strong grasp on the whole sidekiq thing.

[akihikodaki]

I think let is fine for these cases.

[akihikodaki]

Use Faker gem.

[akihikodaki]

All problems I have requested are addressed, but I found a few other suspicious things.

[akihikodaki]

Why don't you minify?

[akihikodaki]

Web::PushSubscription does not have account_id column.

Seems to be addressed. There are some code style issues (from a human PoV, not code climate) that I intend to refactor in the future, but I think overall this is fine

[sorin-davidoi]

For things that were left unaddressed here see #4200.