7 Commits

Author SHA1 Message Date
Rosa Gutierrez fc0e477141 Include path in web push payload for backwards compatibility
Old service workers cached in browsers still read `data.path` from the
push notification payload. Include it alongside `data.url` so notification
clicks keep working until those service workers update.

Currently we only register the service worker in the notification
settings screen, so this won't happen very often. Once we introduce
offline mode, we'll register the service worker in more places, so we
should be able to remove this.
2026-02-25 20:17:16 +01:00
Fernando Olivares 7e0470a692 Send the URL instead of path in notifications 2026-02-25 19:31:13 +01:00
Jeremy Daer 496851b255 Security: Web Push SSRF and IP range bypass
Add SSRF protection for web push endpoints:
- Resolve endpoint IP once and pin it for connection
- Validate endpoints resolve to public IPs
- Whitelist permitted push service hosts

Add missing IP ranges to SsrfProtection:
- 100.64.0.0/10 (Carrier-grade NAT, RFC6598)
- 198.18.0.0/15 (Benchmark testing, RFC2544)

Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
2025-12-04 21:35:55 -08:00
Jason Zimdars 0f28ded99e Send email from support@fizzy.do 2025-11-11 10:47:30 -06:00
Jason Zimdars 83f7bd4346 Use icon with background included 2025-07-15 21:40:04 -05:00
Jason Zimdars 7dbb9c7a9e Fix icon path 2025-07-15 18:47:44 -05:00
Jason Zimdars e59a994a0c Add db table and models 2025-07-14 19:57:30 -05:00