KI-AGENT: Zentralen Push-Server Stack ergänzen

push-server/apps/api/src/routes/admin.ts

@@ -0,0 +1,174 @@
+import type { FastifyInstance } from "fastify";
+import { and, desc, eq, sql } from "drizzle-orm";
+import { z } from "zod";
+import { auditLogs, deliveryJobs, pushDevices, pushInstances } from "@fedeo/push-db";
+import { db } from "../db/client.js";
+import { requireAdmin } from "../lib/auth.js";
+import { encryptSecret } from "../lib/crypto.js";
+import { createClientSecret, createPublicId, previewSecret } from "../lib/ids.js";
+
+const createInstanceSchema = z.object({
+  name: z.string().min(2),
+  baseUrl: z.string().url(),
+  capabilities: z.array(z.string()).default(["ios_push", "minimal_payload"]),
+  rateLimitPerMinute: z.number().int().positive().default(120),
+  dailyQuota: z.number().int().positive().default(10000),
+  mode: z.enum(["minimal", "rich"]).default("minimal"),
+  notes: z.string().optional(),
+});
+
+const updateInstanceSchema = createInstanceSchema.partial().extend({
+  status: z.enum(["active", "blocked", "disabled"]).optional(),
+});
+
+export async function adminRoutes(app: FastifyInstance): Promise<void> {
+  app.addHook("preHandler", requireAdmin);
+
+  app.get("/admin/summary", async () => {
+    const [instances] = await db.select({ count: sql<number>`count(*)::int` }).from(pushInstances);
+    const [devices] = await db.select({ count: sql<number>`count(*)::int` }).from(pushDevices);
+    const [jobs] = await db.select({ count: sql<number>`count(*)::int` }).from(deliveryJobs);
+    const [failedJobs] = await db.select({ count: sql<number>`count(*)::int` }).from(deliveryJobs).where(eq(deliveryJobs.status, "failed"));
+    return {
+      instances: instances?.count || 0,
+      devices: devices?.count || 0,
+      jobs: jobs?.count || 0,
+      failedJobs: failedJobs?.count || 0,
+    };
+  });
+
+  app.get("/admin/instances", async () => {
+    const rows = await db.select().from(pushInstances).orderBy(desc(pushInstances.createdAt));
+    return rows.map(publicInstance);
+  });
+
+  app.post("/admin/instances", async (request, reply) => {
+    const body = createInstanceSchema.parse(request.body);
+    const secret = createClientSecret();
+    const [created] = await db.insert(pushInstances).values({
+      instanceId: createPublicId("inst"),
+      name: body.name,
+      baseUrl: body.baseUrl,
+      capabilities: body.capabilities,
+      rateLimitPerMinute: body.rateLimitPerMinute,
+      dailyQuota: body.dailyQuota,
+      mode: body.mode,
+      notes: body.notes,
+      currentSecretEncrypted: encryptSecret(secret),
+      currentSecretPreview: previewSecret(secret),
+    }).returning();
+
+    await audit("admin", "instance.created", created.id, { instanceId: created.instanceId });
+    return reply.code(201).send({ ...publicInstance(created), clientSecret: secret });
+  });
+
+  app.get("/admin/instances/:id", async (request, reply) => {
+    const params = z.object({ id: z.string().uuid() }).parse(request.params);
+    const [instance] = await db.select().from(pushInstances).where(eq(pushInstances.id, params.id)).limit(1);
+    if (!instance) return reply.code(404).send({ error: "instance_not_found" });
+
+    const [deviceCount] = await db.select({ count: sql<number>`count(*)::int` }).from(pushDevices).where(eq(pushDevices.instanceId, instance.id));
+    const [jobCount] = await db.select({ count: sql<number>`count(*)::int` }).from(deliveryJobs).where(eq(deliveryJobs.instanceId, instance.id));
+    return { ...publicInstance(instance), deviceCount: deviceCount?.count || 0, jobCount: jobCount?.count || 0 };
+  });
+
+  app.patch("/admin/instances/:id", async (request, reply) => {
+    const params = z.object({ id: z.string().uuid() }).parse(request.params);
+    const body = updateInstanceSchema.parse(request.body);
+    const [updated] = await db.update(pushInstances).set({ ...body, updatedAt: new Date() }).where(eq(pushInstances.id, params.id)).returning();
+    if (!updated) return reply.code(404).send({ error: "instance_not_found" });
+    await audit("admin", "instance.updated", updated.id, { fields: Object.keys(body) });
+    return publicInstance(updated);
+  });
+
+  app.post("/admin/instances/:id/rotate-secret", async (request, reply) => {
+    const params = z.object({ id: z.string().uuid() }).parse(request.params);
+    const body = z.object({ promote: z.boolean().optional().default(false) }).parse(request.body || {});
+    const [instance] = await db.select().from(pushInstances).where(eq(pushInstances.id, params.id)).limit(1);
+    if (!instance) return reply.code(404).send({ error: "instance_not_found" });
+
+    if (body.promote) {
+      if (!instance.nextSecretEncrypted || !instance.nextSecretPreview) {
+        return reply.code(400).send({ error: "next_secret_missing", message: "Es ist kein nächster Schlüssel hinterlegt." });
+      }
+      const [updated] = await db.update(pushInstances).set({
+        currentSecretEncrypted: instance.nextSecretEncrypted,
+        currentSecretPreview: instance.nextSecretPreview,
+        nextSecretEncrypted: null,
+        nextSecretPreview: null,
+        updatedAt: new Date(),
+      }).where(eq(pushInstances.id, instance.id)).returning();
+      await audit("admin", "instance.secret.promoted", instance.id);
+      return publicInstance(updated);
+    }
+
+    const nextSecret = createClientSecret();
+    const [updated] = await db.update(pushInstances).set({
+      nextSecretEncrypted: encryptSecret(nextSecret),
+      nextSecretPreview: previewSecret(nextSecret),
+      updatedAt: new Date(),
+    }).where(eq(pushInstances.id, instance.id)).returning();
+    await audit("admin", "instance.secret.rotated", instance.id);
+    return { ...publicInstance(updated), nextClientSecret: nextSecret };
+  });
+
+  app.get("/admin/instances/:id/devices", async (request) => {
+    const params = z.object({ id: z.string().uuid() }).parse(request.params);
+    return await db.select().from(pushDevices).where(eq(pushDevices.instanceId, params.id)).orderBy(desc(pushDevices.createdAt));
+  });
+
+  app.get("/admin/instances/:id/jobs", async (request) => {
+    const params = z.object({ id: z.string().uuid() }).parse(request.params);
+    return await db.select().from(deliveryJobs).where(eq(deliveryJobs.instanceId, params.id)).orderBy(desc(deliveryJobs.createdAt)).limit(100);
+  });
+
+  app.get("/admin/jobs", async () => {
+    return await db.select({
+      id: deliveryJobs.id,
+      deliveryJobId: deliveryJobs.deliveryJobId,
+      instanceId: deliveryJobs.instanceId,
+      status: deliveryJobs.status,
+      acceptedCount: deliveryJobs.acceptedCount,
+      sentCount: deliveryJobs.sentCount,
+      failedCount: deliveryJobs.failedCount,
+      lastErrorCode: deliveryJobs.lastErrorCode,
+      createdAt: deliveryJobs.createdAt,
+    }).from(deliveryJobs).orderBy(desc(deliveryJobs.createdAt)).limit(100);
+  });
+
+  app.get("/admin/audit-logs", async (request) => {
+    const query = z.object({ instanceId: z.string().uuid().optional() }).parse(request.query);
+    return await db
+      .select()
+      .from(auditLogs)
+      .where(query.instanceId ? eq(auditLogs.instanceId, query.instanceId) : undefined)
+      .orderBy(desc(auditLogs.createdAt))
+      .limit(100);
+  });
+}
+
+function publicInstance(instance: typeof pushInstances.$inferSelect) {
+  return {
+    id: instance.id,
+    instanceId: instance.instanceId,
+    name: instance.name,
+    baseUrl: instance.baseUrl,
+    status: instance.status,
+    mode: instance.mode,
+    capabilities: instance.capabilities,
+    rateLimitPerMinute: instance.rateLimitPerMinute,
+    dailyQuota: instance.dailyQuota,
+    currentSecretPreview: instance.currentSecretPreview,
+    nextSecretPreview: instance.nextSecretPreview,
+    notes: instance.notes,
+    lastHeartbeatAt: instance.lastHeartbeatAt,
+    lastHeartbeatVersion: instance.lastHeartbeatVersion,
+    lastHeartbeatIp: instance.lastHeartbeatIp,
+    createdAt: instance.createdAt,
+    updatedAt: instance.updatedAt,
+  };
+}
+
+async function audit(actor: string, action: string, instanceId: string | null, meta: Record<string, unknown> = {}) {
+  await db.insert(auditLogs).values({ actor, action, instanceId, meta });
+}

push-server/apps/api/src/routes/instance.ts

@@ -0,0 +1,181 @@
+import type { FastifyInstance } from "fastify";
+import { and, eq } from "drizzle-orm";
+import { z } from "zod";
+import { deliveryJobs, pushDevices, pushInstances } from "@fedeo/push-db";
+import { db } from "../db/client.js";
+import { requireInstance } from "../lib/auth.js";
+import { encryptSecret } from "../lib/crypto.js";
+import { createPublicId } from "../lib/ids.js";
+import { deliverJob } from "../services/delivery.js";
+
+const heartbeatSchema = z.object({
+  fedeoVersion: z.string().optional(),
+  baseUrl: z.string().url().optional(),
+  capabilities: z.array(z.string()).optional(),
+});
+
+const deviceSchema = z.object({
+  localDeviceId: z.string().min(1),
+  platform: z.enum(["web", "ios", "android"]),
+  providerToken: z.string().optional(),
+  subscription: z.record(z.string(), z.unknown()).optional(),
+  meta: z.record(z.string(), z.unknown()).optional().default({}),
+});
+
+const pushSchema = z.object({
+  idempotencyKey: z.string().min(1).max(200),
+  devices: z.array(z.string().min(1)).min(1).max(500),
+  priority: z.enum(["normal", "high"]).default("normal"),
+  ttlSeconds: z.number().int().positive().max(2_419_200).default(3600),
+  collapseKey: z.string().max(64).optional(),
+  notification: z.object({
+    title: z.string().max(120).optional(),
+    body: z.string().max(240).optional(),
+  }).optional(),
+  data: z.record(z.string(), z.unknown()).optional().default({}),
+});
+
+export async function instanceRoutes(app: FastifyInstance): Promise<void> {
+  app.addHook("preHandler", requireInstance);
+
+  app.post("/v1/instances/heartbeat", async (request) => {
+    const instance = request.pushInstance!;
+    const body = heartbeatSchema.parse(request.body);
+    const [updated] = await db.update(pushInstances).set({
+      baseUrl: body.baseUrl || instance.baseUrl,
+      capabilities: body.capabilities || instance.capabilities,
+      lastHeartbeatAt: new Date(),
+      lastHeartbeatVersion: body.fedeoVersion || null,
+      lastHeartbeatIp: request.ip,
+      updatedAt: new Date(),
+    }).where(eq(pushInstances.id, instance.id)).returning();
+    return {
+      status: updated.status,
+      instanceId: updated.instanceId,
+      payloadMode: updated.mode,
+      capabilities: updated.capabilities,
+    };
+  });
+
+  app.post("/v1/devices", async (request) => {
+    const instance = request.pushInstance!;
+    const body = deviceSchema.parse(request.body);
+    const existing = await db
+      .select()
+      .from(pushDevices)
+      .where(and(eq(pushDevices.instanceId, instance.id), eq(pushDevices.localDeviceId, body.localDeviceId)))
+      .limit(1);
+
+    const values = {
+      platform: body.platform,
+      status: "active" as const,
+      providerTokenEncrypted: body.providerToken ? encryptSecret(body.providerToken) : null,
+      webPushSubscription: body.subscription || null,
+      meta: body.meta,
+      lastSeenAt: new Date(),
+      disabledAt: null,
+      updatedAt: new Date(),
+    };
+
+    if (existing[0]) {
+      const [updated] = await db.update(pushDevices).set(values).where(eq(pushDevices.id, existing[0].id)).returning();
+      return { centralDeviceId: updated.centralDeviceId, status: updated.status };
+    }
+
+    const [created] = await db.insert(pushDevices).values({
+      ...values,
+      centralDeviceId: createPublicId("dev"),
+      instanceId: instance.id,
+      localDeviceId: body.localDeviceId,
+    }).returning();
+    return { centralDeviceId: created.centralDeviceId, status: created.status };
+  });
+
+  app.delete("/v1/devices/:centralDeviceId", async (request, reply) => {
+    const instance = request.pushInstance!;
+    const params = z.object({ centralDeviceId: z.string().min(1) }).parse(request.params);
+    const [updated] = await db.update(pushDevices).set({
+      status: "disabled",
+      disabledAt: new Date(),
+      updatedAt: new Date(),
+    }).where(and(eq(pushDevices.instanceId, instance.id), eq(pushDevices.centralDeviceId, params.centralDeviceId))).returning();
+    if (!updated) return reply.code(404).send({ error: "device_not_found" });
+    return { centralDeviceId: updated.centralDeviceId, status: updated.status };
+  });
+
+  app.post("/v1/push", async (request, reply) => {
+    const instance = request.pushInstance!;
+    const body = pushSchema.parse(request.body);
+    const existing = await db
+      .select()
+      .from(deliveryJobs)
+      .where(and(eq(deliveryJobs.instanceId, instance.id), eq(deliveryJobs.idempotencyKey, body.idempotencyKey)))
+      .limit(1);
+
+    if (existing[0]) {
+      return {
+        accepted: existing[0].acceptedCount,
+        rejected: existing[0].rejectedCount,
+        deliveryJobId: existing[0].deliveryJobId,
+        status: existing[0].status,
+        idempotent: true,
+      };
+    }
+
+    const devices = await db
+      .select()
+      .from(pushDevices)
+      .where(and(eq(pushDevices.instanceId, instance.id), eq(pushDevices.status, "active")));
+    const allowed = new Set(devices.map((device) => device.centralDeviceId));
+    const acceptedDevices = body.devices.filter((deviceId) => allowed.has(deviceId));
+    const rejected = body.devices.length - acceptedDevices.length;
+
+    const [job] = await db.insert(deliveryJobs).values({
+      deliveryJobId: createPublicId("job"),
+      instanceId: instance.id,
+      idempotencyKey: body.idempotencyKey,
+      priority: body.priority,
+      ttlSeconds: body.ttlSeconds,
+      collapseKey: body.collapseKey,
+      acceptedCount: acceptedDevices.length,
+      rejectedCount: rejected,
+      status: "processing",
+    }).returning();
+
+    await deliverJob(job, acceptedDevices, {
+      priority: body.priority,
+      ttlSeconds: body.ttlSeconds,
+      collapseKey: body.collapseKey,
+      notification: body.notification,
+      data: body.data,
+    });
+
+    return reply.code(202).send({
+      accepted: acceptedDevices.length,
+      rejected,
+      deliveryJobId: job.deliveryJobId,
+    });
+  });
+
+  app.get("/v1/push/:deliveryJobId", async (request, reply) => {
+    const instance = request.pushInstance!;
+    const params = z.object({ deliveryJobId: z.string().min(1) }).parse(request.params);
+    const [job] = await db
+      .select()
+      .from(deliveryJobs)
+      .where(and(eq(deliveryJobs.instanceId, instance.id), eq(deliveryJobs.deliveryJobId, params.deliveryJobId)))
+      .limit(1);
+    if (!job) return reply.code(404).send({ error: "job_not_found" });
+    return {
+      deliveryJobId: job.deliveryJobId,
+      status: job.status,
+      accepted: job.acceptedCount,
+      rejected: job.rejectedCount,
+      sent: job.sentCount,
+      failed: job.failedCount,
+      lastErrorCode: job.lastErrorCode,
+      lastErrorMessage: job.lastErrorMessage,
+      completedAt: job.completedAt,
+    };
+  });
+}

push-server/apps/api/src/routes/public.ts

@@ -0,0 +1,16 @@
+import type { FastifyInstance } from "fastify";
+import { env } from "../config/env.js";
+
+export async function publicRoutes(app: FastifyInstance): Promise<void> {
+  app.get("/health", async () => ({
+    status: "ok",
+    service: "fedeo-push-api",
+  }));
+
+  app.get("/v1/public-config", async () => ({
+    webPushPublicKey: env.WEB_PUSH_PUBLIC_KEY || null,
+    iosBundleId: env.IOS_BUNDLE_ID,
+    androidSenderId: env.ANDROID_SENDER_ID || null,
+    capabilities: ["ios_push", "minimal_payload", "instance_hmac"],
+  }));
+}