feat: VAPID web push for lock-screen rest timer notifications

Author: bndct-devops

backend/main.py

@@ -2,13 +2,14 @@
 from fastapi.responses import StreamingResponse, JSONResponse
 from sqlmodel import Session, select, text, or_
 from backend.db import engine, create_db_and_tables
-from backend.models import Exercise, Workout, SetEntry, Profile, BodyweightEntry
+from backend.models import Exercise, Workout, SetEntry, Profile, BodyweightEntry, PushSubscription
 from backend import schemas
 from backend.seed_exercises import seed as seed_exercises
 from prometheus_client import generate_latest, CONTENT_TYPE_LATEST, Counter
 from typing import List, Optional
 from datetime import datetime, timedelta
 import io, csv, re, hashlib, os as _os, time as _time, secrets as _secrets
+import asyncio, json, base64
 import uvicorn
 from backend import auth as _auth
 
@@ -17,6 +18,10 @@
 _PW_MAX_ATTEMPTS = 5
 _PW_LOCKOUT_SECS = 30
 
+# ── Web Push state ──
+_vapid_state: dict = {"private_b64url": None, "public_b64url": None}
+_push_tasks: dict = {}   # key -> asyncio.Task
+
 app = FastAPI(title="lifty API")
 
 REQUEST_COUNTER = Counter("lifty_requests_total", "Total HTTP requests", ["method", "endpoint", "status"])
@@ -110,6 +115,39 @@ def on_startup():
     # ── Seed built-in global exercises (idempotent) ──
     seed_exercises()
 
+    # ── VAPID key pair: generate once, persist in app_config ──
+    from cryptography.hazmat.primitives.asymmetric.ec import generate_private_key, SECP256R1
+    from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
+    with Session(engine) as session:
+        session.exec(text("""
+            CREATE TABLE IF NOT EXISTS pushsubscription (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                profile_id INTEGER NOT NULL REFERENCES profile(id),
+                endpoint TEXT NOT NULL,
+                p256dh TEXT NOT NULL,
+                auth TEXT NOT NULL,
+                created_at DATETIME
+            )
+        """))
+        session.commit()
+
+        row = session.exec(text("SELECT value FROM app_config WHERE key='vapid_private'")).first()
+        if row:
+            _vapid_state["private_b64url"] = row[0]
+            pub_row = session.exec(text("SELECT value FROM app_config WHERE key='vapid_public'")).first()
+            _vapid_state["public_b64url"] = pub_row[0] if pub_row else None
+        else:
+            sk = generate_private_key(SECP256R1())
+            raw_priv = sk.private_numbers().private_value.to_bytes(32, 'big')
+            priv_b64 = base64.urlsafe_b64encode(raw_priv).decode().rstrip('=')
+            pub_bytes = sk.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
+            pub_b64 = base64.urlsafe_b64encode(pub_bytes).decode().rstrip('=')
+            session.execute(text("INSERT INTO app_config (key, value) VALUES (:k, :v)"), {"k": "vapid_private", "v": priv_b64})
+            session.execute(text("INSERT INTO app_config (key, value) VALUES (:k, :v)"), {"k": "vapid_public", "v": pub_b64})
+            session.commit()
+            _vapid_state["private_b64url"] = priv_b64
+            _vapid_state["public_b64url"] = pub_b64
+
 
 # ─────────────────────────────────────────────
 # Utility
@@ -161,6 +199,100 @@ async def auth_change_password(request: Request):
     return {"token": _auth.create_access_token(_auth_state["jwt_secret"])}
 
 
+# ─────────────────────────────────────────────
+# Web Push (VAPID)
+# ─────────────────────────────────────────────
+
+@app.get("/api/push/vapid-public-key")
+def push_vapid_key():
+    """Return the VAPID public key so the client can create a push subscription."""
+    return {"publicKey": _vapid_state.get("public_b64url")}
+
+
+@app.post("/api/push/subscribe")
+async def push_subscribe(request: Request):
+    """Store or update a push subscription for a profile."""
+    body = await request.json()
+    profile_id = body.get("profileId")
+    endpoint = body.get("endpoint")
+    p256dh = body.get("p256dh")
+    auth = body.get("auth")
+    if not all([profile_id, endpoint, p256dh, auth]):
+        return JSONResponse({"detail": "Missing fields"}, status_code=422)
+    with Session(engine) as session:
+        existing = session.exec(
+            select(PushSubscription).where(PushSubscription.profile_id == profile_id)
+        ).first()
+        if existing:
+            existing.endpoint = endpoint
+            existing.p256dh = p256dh
+            existing.auth = auth
+            session.add(existing)
+        else:
+            session.add(PushSubscription(
+                profile_id=profile_id, endpoint=endpoint, p256dh=p256dh, auth=auth
+            ))
+        session.commit()
+    return {"ok": True}
+
+
+@app.post("/api/push/schedule")
+async def push_schedule(request: Request):
+    """Schedule a Web Push notification after delay_ms milliseconds."""
+    body = await request.json()
+    profile_id = body.get("profileId")
+    delay_ms = int(body.get("delayMs", 0))
+    title = body.get("title", "lifty")
+    msg_body = body.get("body", "Rest done — time to lift!")
+
+    key = f"rest-{profile_id}"
+
+    # Cancel any previous task for this slot
+    if key in _push_tasks and not _push_tasks[key].done():
+        _push_tasks[key].cancel()
+
+    async def _send():
+        try:
+            await asyncio.sleep(delay_ms / 1000)
+            with Session(engine) as session:
+                sub = session.exec(
+                    select(PushSubscription).where(PushSubscription.profile_id == profile_id)
+                ).first()
+                if not sub:
+                    return
+            from pywebpush import webpush, WebPushException
+            webpush(
+                subscription_info={
+                    "endpoint": sub.endpoint,
+                    "keys": {"p256dh": sub.p256dh, "auth": sub.auth},
+                },
+                data=json.dumps({"title": title, "body": msg_body}),
+                vapid_private_key=_vapid_state["private_b64url"],
+                vapid_claims={"sub": "mailto:lifty@lifty.app"},
+            )
+        except asyncio.CancelledError:
+            pass
+        except Exception as exc:
+            print(f"[push] send error: {exc}")
+        finally:
+            _push_tasks.pop(key, None)
+
+    _push_tasks[key] = asyncio.create_task(_send())
+    return {"ok": True}
+
+
+@app.post("/api/push/cancel")
+async def push_cancel(request: Request):
+    """Cancel a pending push notification for a profile."""
+    body = await request.json()
+    profile_id = body.get("profileId")
+    key = f"rest-{profile_id}"
+    if key in _push_tasks and not _push_tasks[key].done():
+        _push_tasks[key].cancel()
+        _push_tasks.pop(key, None)
+    return {"ok": True}
+
+
 # ─────────────────────────────────────────────
 # Utility
 # ─────────────────────────────────────────────

backend/models.py

@@ -58,4 +58,13 @@ class BodyweightEntry(SQLModel, table=True):
     profile_id: int = Field(foreign_key="profile.id")
     weight_kg: float
     date: datetime = Field(default_factory=datetime.utcnow)
+
+
+class PushSubscription(SQLModel, table=True):
+    id: Optional[int] = Field(default=None, primary_key=True)
+    profile_id: int = Field(foreign_key="profile.id")
+    endpoint: str
+    p256dh: str
+    auth: str
+    created_at: datetime = Field(default_factory=datetime.utcnow)
     order: Optional[int] = Field(default=0)

backend/requirements.txt

@@ -4,3 +4,4 @@ sqlmodel==0.0.8
 prometheus-client==0.16.0
 python-multipart==0.0.6
 python-jose[cryptography]==3.3.0
+pywebpush==1.14.1

frontend/public/sw.js

@@ -118,6 +118,27 @@ self.addEventListener('message', e => {
   }
 })
 
+// ── Web Push: fired by the server when the screen is locked ───────────────
+self.addEventListener('push', e => {
+  let title = 'lifty'
+  let body = 'Rest done — time to lift!'
+  try {
+    const data = e.data.json()
+    if (data.title) title = data.title
+    if (data.body) body = data.body
+  } catch (_) {}
+  e.waitUntil(
+    self.registration.showNotification(title, {
+      body,
+      icon: '/apple-touch-icon.png',
+      badge: '/apple-touch-icon.png',
+      tag: 'rest-timer',
+      renotify: true,
+      silent: false,
+    })
+  )
+})
+
 // ── Notification tap → focus / open app ───────────────────────────────────
 self.addEventListener('notificationclick', e => {
   e.notification.close()

frontend/src/ActiveWorkoutView.jsx

@@ -1,7 +1,7 @@
 import React from "react"
 import { Check, CheckCircle2, Dumbbell, Flag, Lock, Timer, TrendingUp, Trophy } from "lucide-react"
 import { fmtWeight, parseWeight, playDing, IconX, MiniMarkdown } from "./utils"
-import { getExerciseLastSets, getExerciseHistory } from "./api"
+import { getExerciseLastSets, getExerciseHistory, subscribePush, schedulePush, cancelPush } from "./api"
 
 export default function ActiveWorkoutView({ workout, exercises, sessionSets, onFinish, onCancel, onExit, onAddSet, onDeleteSet, onRename, onSaveNotes, unit = 'kg', restDuration: propRestDuration = 90, dingEnabled = true, onRestDurationChange, overloadHints = true, plateCalc = true, prs = [], liquidGlass = false, animationsEnabled = true }) {
   const BODY_PARTS = ['Chest', 'Back', 'Legs', 'Shoulders', 'Arms', 'Core', 'Cardio', 'Full Body', 'Other']
@@ -72,6 +72,13 @@ export default function ActiveWorkoutView({ workout, exercises, sessionSets, onF
     typeof Notification !== 'undefined' ? Notification.permission : 'unavailable'
   )
 
+  // Subscribe to web push if permission already granted (handles app updates)
+  React.useEffect(() => {
+    if (typeof Notification !== 'undefined' && Notification.permission === 'granted') {
+      subscribePush(workout?.profile_id).catch(() => {})
+    }
+  }, [workout?.profile_id])
+
   async function openHistory(exId, exName) {
     setHistorySheet({ exId, name: exName, data: null })
     setHistoryLoading(true)
@@ -106,11 +113,20 @@ export default function ActiveWorkoutView({ workout, exercises, sessionSets, onF
     setRestLeft(dur)
     setRestRunning(true)
     if (typeof Notification !== 'undefined' && Notification.permission === 'default') {
-      Notification.requestPermission().then(p => setNotifPerm(p)).catch(() => {})
+      Notification.requestPermission().then(p => {
+        setNotifPerm(p)
+        if (p === 'granted') subscribePush(workout?.profile_id).catch(() => {})
+      }).catch(() => {})
     }
     scheduleSwNotif(dur * 1000)
+    schedulePush(workout?.profile_id, dur * 1000, 'lifty', 'Rest done — time to lift!')
+  }
+  function stopRestTimer() {
+    setRestLeft(null)
+    setRestRunning(false)
+    cancelSwNotif()
+    cancelPush(workout?.profile_id)
   }
-  function stopRestTimer() { setRestLeft(null); setRestRunning(false); cancelSwNotif() }
 
   const exerciseIds = [...new Set(sessionSets.map(s => s.exercise_id))]
   if (selectedExId && !exerciseIds.includes(selectedExId)) exerciseIds.push(selectedExId)
@@ -156,15 +172,13 @@ export default function ActiveWorkoutView({ workout, exercises, sessionSets, onF
     if (!restRunning || !restEndRef.current) return
 
     function finish() {
-      // Stop the timer display immediately — don't gate on async audio
+      // Page is alive so cancel both server push and SW timeout — ding handles it
+      cancelPush(workout?.profile_id)
+      cancelSwNotif()
       setRestLeft(null)
       setRestRunning(false)
       if (navigator.vibrate) navigator.vibrate([300, 100, 300])
-      // Play audio async; only cancel SW notification if page audio succeeds
-      // (otherwise the SW notification fires as fallback alarm)
-      if (dingEnabled) {
-        playDing().then(played => { if (played) cancelSwNotif() }).catch(() => {})
-      }
+      if (dingEnabled) playDing().catch(() => {})
     }
 
     // Tick every 250ms — recomputes from absolute end time, handles finish itself

frontend/src/api.js

@@ -266,3 +266,63 @@ export async function getExerciseHistory(exerciseId, profileId, limit = 30) {
   const res = await authFetch(base + `/api/exercises/${exerciseId}/history?${q}`)
   return res.json()
 }
+
+// ── Web Push ──
+
+export async function getPushVapidKey() {
+  const res = await authFetch(base + '/api/push/vapid-public-key')
+  const data = await res.json()
+  return data.publicKey
+}
+
+export async function subscribePush(profileId) {
+  if (!('PushManager' in window) || !navigator.serviceWorker) return false
+  try {
+    const publicKey = await getPushVapidKey()
+    if (!publicKey) return false
+    const reg = await navigator.serviceWorker.ready
+    // Convert base64url to Uint8Array for applicationServerKey
+    const padding = '='.repeat((4 - publicKey.length % 4) % 4)
+    const base64 = (publicKey + padding).replace(/-/g, '+').replace(/_/g, '/')
+    const rawKey = Uint8Array.from(atob(base64), c => c.charCodeAt(0))
+    const sub = await reg.pushManager.subscribe({
+      userVisibleOnly: true,
+      applicationServerKey: rawKey,
+    })
+    const json = sub.toJSON()
+    await authFetch(base + '/api/push/subscribe', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        profileId,
+        endpoint: json.endpoint,
+        p256dh: json.keys.p256dh,
+        auth: json.keys.auth,
+      }),
+    })
+    return true
+  } catch (e) {
+    console.warn('[push] subscribe failed', e)
+    return false
+  }
+}
+
+export async function schedulePush(profileId, delayMs, title, body) {
+  try {
+    await authFetch(base + '/api/push/schedule', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ profileId, delayMs, title, body }),
+    })
+  } catch (_) {}
+}
+
+export async function cancelPush(profileId) {
+  try {
+    await authFetch(base + '/api/push/cancel', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ profileId }),
+    })
+  } catch (_) {}
+}