fix: harden web push subscription flow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: bndct-devops

backend/tests/test_api.py

@@ -346,10 +346,39 @@ def test_auth_allows_access_with_valid_token(auth_client):
 
 
 def test_auth_unprotected_paths_always_accessible(auth_client):
-    """/health and /api/auth/status are always accessible without a token."""
+    """/health, auth status, and the VAPID public key stay public."""
     client, _ = auth_client
     assert client.get("/health").status_code == 200
     assert client.get("/api/auth/status").status_code == 200
+    vapid_res = client.get("/api/push/vapid-public-key")
+    assert vapid_res.status_code == 200
+    assert isinstance(vapid_res.json()["publicKey"], str)
+    assert len(vapid_res.json()["publicKey"]) > 20
+
+
+def test_push_mutation_endpoints_require_auth(auth_client):
+    """Push subscribe/schedule/cancel stay protected when instance auth is enabled."""
+    client, _ = auth_client
+
+    subscribe_res = client.post(
+        "/api/push/subscribe",
+        json={
+            "profileId": 1,
+            "endpoint": "https://push.example.test/subscription",
+            "p256dh": "test-p256dh",
+            "auth": "test-auth",
+        },
+    )
+    assert subscribe_res.status_code == 401
+
+    schedule_res = client.post(
+        "/api/push/schedule",
+        json={"profileId": 1, "delayMs": 1000, "title": "Rest done", "body": "Time to lift"},
+    )
+    assert schedule_res.status_code == 401
+
+    cancel_res = client.post("/api/push/cancel", json={"profileId": 1})
+    assert cancel_res.status_code == 401
 
 
 def test_auth_change_password(auth_client):

frontend/src/ActiveWorkoutView.jsx

@@ -75,12 +75,27 @@ export default function ActiveWorkoutView({ workout, exercises, sessionSets, onF
     typeof Notification !== 'undefined' ? Notification.permission : 'unavailable'
   )
 
-  // Subscribe to web push if permission already granted (handles app updates)
+  const ensurePushSubscription = React.useCallback(async (requestPermission = false) => {
+    if (typeof Notification === 'undefined') return false
+    let permission = Notification.permission
+    if (permission === 'default' && requestPermission) {
+      try {
+        permission = await Notification.requestPermission()
+      } catch {
+        permission = 'default'
+      }
+    }
+    setNotifPerm(permission)
+    if (permission !== 'granted') return false
+    return subscribePush(workout?.profile_id)
+  }, [workout?.profile_id])
+
+  // Subscribe to web push if permission is already granted (handles app updates)
   React.useEffect(() => {
     if (typeof Notification !== 'undefined' && Notification.permission === 'granted') {
-      subscribePush(workout?.profile_id).catch(() => {})
+      ensurePushSubscription(false).catch(() => {})
     }
-  }, [workout?.profile_id])
+  }, [ensurePushSubscription])
 
   async function openHistory(exId, exName) {
     setHistorySheet({ exId, name: exName, data: null })
@@ -110,19 +125,16 @@ export default function ActiveWorkoutView({ workout, exercises, sessionSets, onF
     }
   }
 
-  function startRestTimer(dur) {
+  async function startRestTimer(dur) {
     navigator.vibrate?.(20)
     restEndRef.current = Date.now() + dur * 1000
     setRestLeft(dur)
     setRestRunning(true)
-    if (typeof Notification !== 'undefined' && Notification.permission === 'default') {
-      Notification.requestPermission().then(p => {
-        setNotifPerm(p)
-        if (p === 'granted') subscribePush(workout?.profile_id).catch(() => {})
-      }).catch(() => {})
-    }
     scheduleSwNotif(dur * 1000)
-    schedulePush(workout?.profile_id, dur * 1000, 'lifty', 'Rest done — time to lift!')
+    const pushReady = await ensurePushSubscription(true)
+    if (pushReady) {
+      schedulePush(workout?.profile_id, dur * 1000, 'lifty', 'Rest done — time to lift!')
+    }
   }
   function stopRestTimer() {
     setRestLeft(null)
@@ -406,7 +418,7 @@ export default function ActiveWorkoutView({ workout, exercises, sessionSets, onF
           </div>
           {/* Notification permission status */}
           {notifPerm === 'default' && (
-            <div onClick={() => Notification.requestPermission().then(p => setNotifPerm(p)).catch(() => {})}
+            <div onClick={() => ensurePushSubscription(true).catch(() => {})}
               style={{ marginTop: 10, fontSize: '0.72rem', opacity: 0.85, cursor: 'pointer', textDecoration: 'underline' }}>
               Tap to enable alarm notification
             </div>

frontend/src/api.js

@@ -280,6 +280,10 @@ export async function getExerciseHistory(exerciseId, profileId, limit = 30) {
 
 export async function getPushVapidKey() {
   const res = await authFetch(base + '/api/push/vapid-public-key')
+  if (!res.ok) {
+    console.warn('[push] failed to fetch VAPID public key', res.status)
+    return null
+  }
   const data = await res.json()
   return data.publicKey
 }
@@ -294,12 +298,13 @@ export async function subscribePush(profileId) {
     const padding = '='.repeat((4 - publicKey.length % 4) % 4)
     const base64 = (publicKey + padding).replace(/-/g, '+').replace(/_/g, '/')
     const rawKey = Uint8Array.from(atob(base64), c => c.charCodeAt(0))
-    const sub = await reg.pushManager.subscribe({
+    const existing = await reg.pushManager.getSubscription()
+    const sub = existing || await reg.pushManager.subscribe({
       userVisibleOnly: true,
       applicationServerKey: rawKey,
     })
     const json = sub.toJSON()
-    await authFetch(base + '/api/push/subscribe', {
+    const res = await authFetch(base + '/api/push/subscribe', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({
@@ -309,6 +314,10 @@ export async function subscribePush(profileId) {
         auth: json.keys.auth,
       }),
     })
+    if (!res.ok) {
+      console.warn('[push] failed to store subscription', res.status)
+      return false
+    }
     return true
   } catch (e) {
     console.warn('[push] subscribe failed', e)
@@ -318,20 +327,26 @@ export async function subscribePush(profileId) {
 
 export async function schedulePush(profileId, delayMs, title, body) {
   try {
-    await authFetch(base + '/api/push/schedule', {
+    const res = await authFetch(base + '/api/push/schedule', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ profileId, delayMs, title, body }),
     })
-  } catch (_) {}
+    if (!res.ok) console.warn('[push] schedule failed', res.status)
+  } catch (e) {
+    console.warn('[push] schedule failed', e)
+  }
 }
 
 export async function cancelPush(profileId) {
   try {
-    await authFetch(base + '/api/push/cancel', {
+    const res = await authFetch(base + '/api/push/cancel', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ profileId }),
     })
-  } catch (_) {}
+    if (!res.ok) console.warn('[push] cancel failed', res.status)
+  } catch (e) {
+    console.warn('[push] cancel failed', e)
+  }
 }