mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
Cian Johnston
d787b3cada
## Summary
`deleteUserWebpushSubscription` in `coderd/webpush.go` had incorrect
error handling that masked database errors as 404 responses.
## Bug
`GetWebpushSubscriptionsByUserID` is a `:many` query — it returns `([],
nil)` when no rows match, never `sql.ErrNoRows`. The previous `if/else
if` chain:
```go
if existing, err := api.Database.GetWebpushSubscriptionsByUserID(ctx, user.ID); err != nil && errors.Is(err, sql.ErrNoRows) {
// dead code — :many queries never return sql.ErrNoRows
} else if idx := slices.IndexFunc(existing, ...); idx == -1 {
// real DB errors fall through here, existing is nil, idx is -1 → 404
}
```
Any real database error (connection failure, timeout, authorization
error) fell through to the `else if` branch where `slices.IndexFunc(nil,
...)` returns `-1`, returning 404 "subscription not found" instead of
500.
## Fix
Split into two separate checks so database errors properly return 500:
```go
existing, err := api.Database.GetWebpushSubscriptionsByUserID(ctx, user.ID)
if err != nil {
// 500
}
if idx := slices.IndexFunc(existing, ...); idx == -1 {
// 404
}
```
## Testing
Added `TestDeleteWebpushSubscription/database_error_returns_500` which
wraps the DB store to inject an error into
`GetWebpushSubscriptionsByUserID` and asserts the handler returns 500
(not 404).
164 lines
4.8 KiB
Go
164 lines
4.8 KiB
Go
package coderd
|
|
|
|
import (
|
|
"database/sql"
|
|
"errors"
|
|
"net/http"
|
|
"slices"
|
|
|
|
"github.com/coder/coder/v2/coderd/database"
|
|
"github.com/coder/coder/v2/coderd/database/dbtime"
|
|
"github.com/coder/coder/v2/coderd/httpapi"
|
|
"github.com/coder/coder/v2/coderd/httpmw"
|
|
"github.com/coder/coder/v2/coderd/rbac"
|
|
"github.com/coder/coder/v2/coderd/rbac/policy"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
)
|
|
|
|
// @Summary Create user webpush subscription
|
|
// @ID create-user-webpush-subscription
|
|
// @Security CoderSessionToken
|
|
// @Accept json
|
|
// @Tags Notifications
|
|
// @Param request body codersdk.WebpushSubscription true "Webpush subscription"
|
|
// @Param user path string true "User ID, name, or me"
|
|
// @Router /users/{user}/webpush/subscription [post]
|
|
// @Success 204
|
|
// @x-apidocgen {"skip": true}
|
|
func (api *API) postUserWebpushSubscription(rw http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
user := httpmw.UserParam(r)
|
|
if !api.Experiments.Enabled(codersdk.ExperimentWebPush) {
|
|
httpapi.ResourceNotFound(rw)
|
|
return
|
|
}
|
|
|
|
var req codersdk.WebpushSubscription
|
|
if !httpapi.Read(ctx, rw, r, &req) {
|
|
return
|
|
}
|
|
|
|
if err := api.WebpushDispatcher.Test(ctx, req); err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
|
Message: "Failed to test webpush subscription",
|
|
Detail: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
|
|
if _, err := api.Database.InsertWebpushSubscription(ctx, database.InsertWebpushSubscriptionParams{
|
|
CreatedAt: dbtime.Now(),
|
|
UserID: user.ID,
|
|
Endpoint: req.Endpoint,
|
|
EndpointAuthKey: req.AuthKey,
|
|
EndpointP256dhKey: req.P256DHKey,
|
|
}); err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
|
Message: "Failed to insert push notification subscription.",
|
|
Detail: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
|
|
rw.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
// @Summary Delete user webpush subscription
|
|
// @ID delete-user-webpush-subscription
|
|
// @Security CoderSessionToken
|
|
// @Accept json
|
|
// @Tags Notifications
|
|
// @Param request body codersdk.DeleteWebpushSubscription true "Webpush subscription"
|
|
// @Param user path string true "User ID, name, or me"
|
|
// @Router /users/{user}/webpush/subscription [delete]
|
|
// @Success 204
|
|
// @x-apidocgen {"skip": true}
|
|
func (api *API) deleteUserWebpushSubscription(rw http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
user := httpmw.UserParam(r)
|
|
|
|
if !api.Experiments.Enabled(codersdk.ExperimentWebPush) {
|
|
httpapi.ResourceNotFound(rw)
|
|
return
|
|
}
|
|
|
|
var req codersdk.DeleteWebpushSubscription
|
|
if !httpapi.Read(ctx, rw, r, &req) {
|
|
return
|
|
}
|
|
|
|
// Return NotFound if the subscription does not exist.
|
|
existing, err := api.Database.GetWebpushSubscriptionsByUserID(ctx, user.ID)
|
|
if err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
|
Message: "Failed to get webpush subscriptions.",
|
|
Detail: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
if idx := slices.IndexFunc(existing, func(s database.WebpushSubscription) bool {
|
|
return s.Endpoint == req.Endpoint
|
|
}); idx == -1 {
|
|
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
|
|
Message: "Webpush subscription not found.",
|
|
})
|
|
return
|
|
}
|
|
|
|
if err := api.Database.DeleteWebpushSubscriptionByUserIDAndEndpoint(ctx, database.DeleteWebpushSubscriptionByUserIDAndEndpointParams{
|
|
UserID: user.ID,
|
|
Endpoint: req.Endpoint,
|
|
}); err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
|
|
Message: "Webpush subscription not found.",
|
|
})
|
|
return
|
|
}
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
|
Message: "Failed to delete push notification subscription.",
|
|
Detail: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
|
|
rw.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
// @Summary Send a test push notification
|
|
// @ID send-a-test-push-notification
|
|
// @Security CoderSessionToken
|
|
// @Tags Notifications
|
|
// @Param user path string true "User ID, name, or me"
|
|
// @Success 204
|
|
// @Router /users/{user}/webpush/test [post]
|
|
// @x-apidocgen {"skip": true}
|
|
func (api *API) postUserPushNotificationTest(rw http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
user := httpmw.UserParam(r)
|
|
|
|
if !api.Experiments.Enabled(codersdk.ExperimentWebPush) {
|
|
httpapi.ResourceNotFound(rw)
|
|
return
|
|
}
|
|
|
|
// We need to authorize the user to send a push notification to themselves.
|
|
if !api.Authorize(r, policy.ActionCreate, rbac.ResourceNotificationMessage.WithOwner(user.ID.String())) {
|
|
httpapi.Forbidden(rw)
|
|
return
|
|
}
|
|
|
|
if err := api.WebpushDispatcher.Dispatch(ctx, user.ID, codersdk.WebpushMessage{
|
|
Title: "It's working!",
|
|
Body: "You've subscribed to push notifications.",
|
|
}); err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
|
Message: "Failed to send test notification",
|
|
Detail: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
|
|
rw.WriteHeader(http.StatusNoContent)
|
|
}
|