Merge pull request #87 from markrai/fix/vapid-docker-discovery

fix: expose pushConfigured on auth status and wire VAPID env through docker

Author: markrai

.gitignore

@@ -41,7 +41,7 @@ coverage.out
 *.test
 
 # Development related
-/docs/draft/*
+/docs/draft/
 f.bat
 a.bat
 *.pem

API.md

@@ -252,7 +252,7 @@ When the server is configured with OIDC environment variables (`SCRUMBOY_OIDC_IS
 
 These are browser-redirect endpoints, not JSON APIs. After successful OIDC login, the user receives a standard `scrumboy_session` cookie. MCP and REST access work identically to password-based sessions.
 
-`GET /api/auth/status` includes `oidcEnabled` (bool) and `localAuthEnabled` (bool) when OIDC is configured.
+`GET /api/auth/status` includes `oidcEnabled` (bool) and `localAuthEnabled` (bool) when OIDC is configured, plus `pushConfigured` (bool) to indicate whether Web Push VAPID is fully configured on the server.
 
 ### API access tokens (REST)
 

CHANGELOG.md

@@ -2,6 +2,27 @@
 
 > **Upgrades:** No breaking changes in **3.7.x** / **3.8.x** / **3.9.x** / **3.10.x** / **3.11.x** / **3.12.x** / **3.13.x** / **3.14.x** / **3.15.x** / **3.16.x** / **3.17.x** unless noted below.
 
+## [3.17.1] - 2026-05-28
+
+### Fixed
+
+- **Web Push / VAPID discovery** - Exposes **`pushConfigured`** on **`GET /api/auth/status`** so the SPA can gate auto-subscribe and Settings without probing **`/api/push/vapid-public-key`**. Push is enabled only in full mode with both VAPID keys set; partial or anonymous-mode key pairs are ignored.
+
+- **Docker deployments** - **`docker-compose.yml`** forwards **`SCRUMBOY_VAPID_*`** and **`SCRUMBOY_DEBUG_PUSH`** into the container environment.
+
+### Improvements
+
+- **Startup logging** - Server logs whether Web Push is enabled, disabled, partially configured, or blocked by anonymous mode.
+
+### Tests
+
+- **Auth status / push config** - Coverage for **`pushConfigured`** across full, partial, and anonymous VAPID setups.
+- **Router / Settings** - Auto-subscribe gating and Settings push UI use auth status instead of live VAPID endpoint probes.
+
+### Documentation
+
+- **`docs/pwa.md`**, **`README.md`**, **`API.md`**, and **`scrumboy.env.example`** - Docker verification steps and VAPID env wiring.
+
 ## [3.17.0] - 2026-05-28
 
 ### Features

FAQ.md

@@ -137,12 +137,14 @@ Do not confuse them: turning on desktop notifications does **not** replace VAPID
 - `SCRUMBOY_VAPID_PUBLIC_KEY`
 - `SCRUMBOY_VAPID_PRIVATE_KEY`
 
-(URL-safe base64 from a VAPID generator; see [`docs/pwa.md`](docs/pwa.md).) When both are set, signed-in clients may try to subscribe automatically; each user must still **allow notifications** in the browser. **Settings → Customization → Web Push** can turn push off or back on per device.
+(URL-safe base64 from a VAPID generator.) When both are set in **full mode**, signed-in clients may try to subscribe automatically; each user must still **allow notifications** in the browser. **Settings → Customization → Web Push** can turn push off or back on per device.
 
 Optional: `SCRUMBOY_VAPID_SUBSCRIBER` is a **contact hint for push providers** (plain email or `mailto:` / `https:` URL). It does **not** control who can sign in and does not need to match OIDC or user emails.
 
 **Not telemetry:** VAPID identifies **your** Scrumboy server to the push network so assignment events can be delivered. It is not product analytics and does not send board data to Scrumboy’s project maintainers.
 
+For what VAPID is, how it fits this project, key generation, and verification, see [`docs/vapid.md`](docs/vapid.md). For PWA install, Docker wiring, and auto-subscribe behavior, see [`docs/pwa.md`](docs/pwa.md).
+
 # Auditing
 
 ## How does auditing work, and where can I see it?

README.md

@@ -1,7 +1,7 @@
 <p align="center">
   <img width="372" src="internal/httpapi/web/githublogo.png" alt="scrumboy logo" />
   <br />
-  <img src="https://img.shields.io/badge/version-v3.17.0-blue" alt="version" />
+  <img src="https://img.shields.io/badge/version-v3.17.1-blue" alt="version" />
   <a href="LICENSE">
     <img src="https://img.shields.io/badge/license-AGPL--v3-orange" alt="license" />
   </a>
@@ -133,7 +133,7 @@ See [`docs/oidc.md`](docs/oidc.md) for full setup details, constraints, and trou
 
 ### PWA / Web Push (optional)
 
-Install the app from the browser for a standalone window and better mobile UX. **Background assignment alerts** use the **Web Push API** with **VAPID** keys on the server. When both keys are set, signed-in clients attempt to subscribe automatically (browser permission may be prompted). Details and subscriber contact semantics: **[`docs/pwa.md`](docs/pwa.md)**.
+Install the app from the browser for a standalone window and better mobile UX. **Background assignment alerts** use the **Web Push API** with **VAPID** keys on the server. When both keys are set, signed-in clients attempt to subscribe automatically (browser permission may be prompted). Docker users must pass the VAPID variables into the container environment and recreate the container after changes. Details, Docker verification steps, and subscriber contact semantics: **[`docs/pwa.md`](docs/pwa.md)**.
 
 ### Frontend build note
 

cmd/scrumboy/main.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
@@ -88,6 +89,7 @@ func main() {
 		})
 		logger.Printf("OIDC enabled (issuer: %s)", cfg.OIDCIssuerCanonical)
 	}
+	logWebPushConfiguration(logger, cfg.ScrumboyMode, cfg.VAPIDPublicKey, cfg.VAPIDPrivateKey)
 
 	maxB := cfg.MaxRequestBodyBytes
 	if maxB <= 0 {
@@ -223,3 +225,18 @@ func main() {
 	}
 	srv.Close()
 }
+
+func logWebPushConfiguration(logger *log.Logger, mode, publicKey, privateKey string) {
+	pub := strings.TrimSpace(publicKey)
+	priv := strings.TrimSpace(privateKey)
+	switch {
+	case httpapi.PushConfigured(mode, publicKey, privateKey):
+		logger.Printf("web push: enabled")
+	case strings.TrimSpace(mode) == "anonymous" && pub != "" && priv != "":
+		logger.Printf("web push: disabled (anonymous mode)")
+	case pub != "" || priv != "":
+		logger.Printf("web push: partial config ignored")
+	default:
+		logger.Printf("web push: disabled (set SCRUMBOY_VAPID_PUBLIC_KEY and SCRUMBOY_VAPID_PRIVATE_KEY)")
+	}
+}

cmd/scrumboy/main_test.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"bytes"
+	"log"
+	"strings"
+	"testing"
+)
+
+func TestLogWebPushConfiguration(t *testing.T) {
+	cases := []struct {
+		name string
+		mode string
+		pub  string
+		priv string
+		want string
+	}{
+		{name: "enabled", mode: "full", pub: "pub", priv: "priv", want: "web push: enabled"},
+		{name: "disabled", mode: "full", pub: "", priv: "", want: "web push: disabled (set SCRUMBOY_VAPID_PUBLIC_KEY and SCRUMBOY_VAPID_PRIVATE_KEY)"},
+		{name: "partial public only", mode: "full", pub: "pub", priv: "", want: "web push: partial config ignored"},
+		{name: "partial private only", mode: "full", pub: "", priv: "priv", want: "web push: partial config ignored"},
+		{name: "trimmed disabled", mode: "full", pub: "   ", priv: "\t", want: "web push: disabled (set SCRUMBOY_VAPID_PUBLIC_KEY and SCRUMBOY_VAPID_PRIVATE_KEY)"},
+		{name: "anonymous with keys", mode: "anonymous", pub: "pub", priv: "priv", want: "web push: disabled (anonymous mode)"},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			var buf bytes.Buffer
+			logger := log.New(&buf, "", 0)
+			logWebPushConfiguration(logger, tc.mode, tc.pub, tc.priv)
+			if got := strings.TrimSpace(buf.String()); got != tc.want {
+				t.Fatalf("log output = %q, want %q", got, tc.want)
+			}
+		})
+	}
+}

docker-compose.yml

@@ -13,6 +13,10 @@ services:
       - SQLITE_JOURNAL_MODE=WAL
       - SQLITE_SYNCHRONOUS=FULL
       - MAX_REQUEST_BODY_BYTES=1048576
+      - SCRUMBOY_VAPID_PUBLIC_KEY=${SCRUMBOY_VAPID_PUBLIC_KEY:-}
+      - SCRUMBOY_VAPID_PRIVATE_KEY=${SCRUMBOY_VAPID_PRIVATE_KEY:-}
+      - SCRUMBOY_VAPID_SUBSCRIBER=${SCRUMBOY_VAPID_SUBSCRIBER:-}
+      - SCRUMBOY_DEBUG_PUSH=${SCRUMBOY_DEBUG_PUSH:-}
     volumes:
       - ./data:/data
     restart: unless-stopped