feat(coderd): add webpush package (#17091)

* Adds `codersdk.ExperimentWebPush` (`web-push`) * Adds a `coderd/webpush` package that allows sending native push notifications via `github.com/SherClockHolmes/webpush-go` * Adds database tables to store push notification subscriptions. * Adds an API endpoint that allows users to subscribe/unsubscribe, and send a test notification (404 without experiment, excluded from API docs) * Adds server CLI command to regenerate VAPID keys (note: regenerating the VAPID keypair requires deleting all existing subscriptions) --------- Co-authored-by: Kyle Carberry <kyle@carberry.com>
2025-07-30 22:19:53 +00:00 · 2025-03-27 10:03:53 +00:00
parent 006600ea3e
commit 06e5d9ef21
43 changed files with 2136 additions and 20 deletions
--- a/coderd/rbac/object_gen.go
+++ b/coderd/rbac/object_gen.go
@@ -280,6 +280,15 @@ var (
 		Type: "user",
 	}

+	// ResourceWebpushSubscription
+	// Valid Actions
+	//  - "ActionCreate" :: create webpush subscriptions
+	//  - "ActionDelete" :: delete webpush subscriptions
+	//  - "ActionRead" :: read webpush subscriptions
+	ResourceWebpushSubscription = Object{
+		Type: "webpush_subscription",
+	}
+
 	// ResourceWorkspace
 	// Valid Actions
 	//  - "ActionApplicationConnect" :: connect to workspace apps via browser
@@ -367,6 +376,7 @@ func AllResources() []Objecter {
 		ResourceTailnetCoordinator,
 		ResourceTemplate,
 		ResourceUser,
+		ResourceWebpushSubscription,
 		ResourceWorkspace,
 		ResourceWorkspaceAgentDevcontainers,
 		ResourceWorkspaceAgentResourceMonitor,
--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -280,6 +280,13 @@ var RBACPermissions = map[string]PermissionDefinition{
 			ActionUpdate: actDef("update notification preferences"),
 		},
 	},
+	"webpush_subscription": {
+		Actions: map[Action]ActionDefinition{
+			ActionCreate: actDef("create webpush subscriptions"),
+			ActionRead:   actDef("read webpush subscriptions"),
+			ActionDelete: actDef("delete webpush subscriptions"),
+		},
+	},
 	"inbox_notification": {
 		Actions: map[Action]ActionDefinition{
 			ActionCreate: actDef("create inbox notifications"),
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -713,6 +713,16 @@ func TestRolePermissions(t *testing.T) {
 				},
 			},
 		},
+		// All users can create, read, and delete their own webpush notification subscriptions.
+		{
+			Name:     "WebpushSubscription",
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
+			Resource: rbac.ResourceWebpushSubscription.WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true:  {owner, memberMe, orgMemberMe},
+				false: {otherOrgMember, orgAdmin, otherOrgAdmin, orgAuditor, otherOrgAuditor, templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin, userAdmin, orgUserAdmin, otherOrgUserAdmin},
+			},
+		},
 		// AnyOrganization tests
 		{
 			Name:     "CreateOrgMember",