enable debug

.dockerignore

@@ -6,11 +6,5 @@ Dockerfile
 .gitignore
 README.md
 *.example
-images
-.env
-env
-labels
-subscriptions.json
-
-
-
+.env.example
+.labels.example

.env

@@ -1,39 +0,0 @@
-# Flic to PWA WebPush Configuration
-
-# --- VAPID Keys (Required) ---
-# Generate using: npx web-push generate-vapid-keys
-VAPID_PUBLIC_KEY=BKfRJXjSQmAJ452gLwlK_8scGrW6qMU1mBRp39ONtcQHkSsQgmLAaODIyGbgHyRpnDEv3HfXV1oGh3SC0fHxY0E
-VAPID_PRIVATE_KEY=ErEgsDKYQi5j2KPERC_gCtrEALAD0k-dWSwrrcD0-JU
-VAPID_SUBJECT=mailto:admin@virtonline.eu
-
-# --- Server Configuration ---
-# Internal port for the Node.js app
-PORT=3000
-SUBSCRIPTIONS_FILE=subscriptions.json
-DEFAULT_BUTTON_NAME=game-button
-
-# --- Authentication (Optional) ---
-# If both USERNAME and PASSWORD are set, Basic Auth will be enabled for:
-#   - POST /subscribe
-#   - GET /webhook
-# Leave blank to disable authentication.
-BASIC_AUTH_USERNAME=player
-BASIC_AUTH_PASSWORD=SevenOfNine
-
-# --- Web Push Retry Configuration (Optional) ---
-# Number of retries on failure (e.g., DNS issues)
-NOTIFICATION_MAX_RETRIES=3    
-# First retry delay in milliseconds (minimal delay for immediate retry)
-NOTIFICATION_FIRST_RETRY_DELAY_MS=10
-# Base delay in milliseconds for subsequent retries (used for exponential backoff)
-NOTIFICATION_SUBSEQUENT_RETRY_DELAY_MS=1000
-
-# --- Network Configuration (Optional) ---
-# Timeout for DNS lookups (ms)
-DNS_TIMEOUT_MS=5000 
-# Timeout for outgoing HTTP requests (ms)
-HTTP_TIMEOUT_MS=10000 
-
-# --- Logging ---
-# Controls log verbosity: error, warn, info, debug
-LOG_LEVEL=info

.env.example

@@ -1,39 +1,43 @@
-# Flic to PWA WebPush Configuration
+# --- Application Configuration ---
 
-# --- VAPID Keys (Required) ---
-# Generate using: npx web-push generate-vapid-keys
+# --- VAPID Keys (REQUIRED for Web Push) ---
+# Generate these once using npx web-push generate-vapid-keys (or other tools)
+# Keep the private key SECRET!
 VAPID_PUBLIC_KEY=
 VAPID_PRIVATE_KEY=
-VAPID_SUBJECT=mailto:mailto:user@example.org
 
-# --- Server Configuration ---
-# Internal port for the Node.js app
-PORT=3000
-SUBSCRIPTIONS_FILE=/app/subscriptions.json 
-DEFAULT_BUTTON_NAME=game-button
+# Subject claim for VAPID. Use a 'mailto:' URI or an 'https:' URL identifying your application.
+# Example: mailto:admin@yourdomain.com or https://yourdomain.com/contact
+VAPID_SUBJECT=mailto:admin@virtonline.eu
 
-# --- Authentication (Optional) ---
-# If both USERNAME and PASSWORD are set, Basic Auth will be enabled for:
-#   - POST /subscribe
-#   - GET /webhook
-# Leave blank to disable authentication.
-BASIC_AUTH_USERNAME=user12345
-BASIC_AUTH_PASSWORD=password
+# Subscription Storage
+SUBSCRIPTIONS_FILE=subscriptions.json
 
-# --- Web Push Retry Configuration (Optional) ---
-# Number of retries on failure (e.g., DNS issues)
-NOTIFICATION_MAX_RETRIES=3    
-# First retry delay in milliseconds (minimal delay for immediate retry)
-NOTIFICATION_FIRST_RETRY_DELAY_MS=10
-# Base delay in milliseconds for subsequent retries (used for exponential backoff)
-NOTIFICATION_SUBSEQUENT_RETRY_DELAY_MS=1000
+# CORS
+ALLOWED_ORIGINS=https://game-timer.virtonline.eu
+ALLOWED_METHODS=POST,OPTIONS,GET
+ALLOWED_HEADERS=Content-Type,Authorization
 
-# --- Network Configuration (Optional) ---
-# Timeout for DNS lookups (ms)
+# Logging Configuration
+LOG_LEVEL=INFO
+
+# --- Security (Optional) ---
+# If you want to add a simple security layer between Flic and this app.
+# If set, configure Flic's HTTP request to include an "Authorization: Bearer YOUR_SECRET_VALUE" header.
+# use e.g.: openssl rand -hex 32
+FLIC_SECRET=
+
+# --- DNS and Network Configuration ---
+# These settings help with Docker DNS resolution issues (EAI_AGAIN errors)
+
+# Maximum number of retry attempts for failed DNS resolutions
+MAX_NOTIFICATION_RETRIES=3
+
+# Initial delay in milliseconds before first retry (will increase with backoff)
+INITIAL_RETRY_DELAY_MS=1000
+
+# DNS resolution timeout in milliseconds
 DNS_TIMEOUT_MS=5000
-# Timeout for outgoing HTTP requests (ms)
-HTTP_TIMEOUT_MS=10000 
 
-# --- Logging ---
-# Controls log verbosity: error, warn, info, debug
-LOG_LEVEL=info
+# HTTP request timeout in milliseconds
+HTTP_TIMEOUT_MS=10000

.gitignore

@@ -1,7 +1,6 @@
 myenv
 .vscode
 .cursor
-subscriptions.json
 
 # Node.js
 node_modules/
@@ -9,7 +8,8 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 .env
-env
+subscriptions.json
+
 # OS generated files
 .DS_Store
 .DS_Store?

README.md

@@ -6,15 +6,15 @@ It's designed to be run as a Docker container and integrated with Traefik v3 for
 
 ## Features
 
-*   Receives GET requests on `/webhook`.
-*   Receives POST requests on `/subscribe` to manage button-PWA mappings.
+*   Receives GET requests on `/flic-webhook`.
 *   Uses HTTP headers `Button-Name` and `Timestamp` from the Flic request.
-*   Gets `click_type` from URL path.
+*   Gets `click_type` from query parameter.
 *   Looks up the target PWA push subscription based on the `Button-Name` header in a JSON file.
 *   Sends a Web Push notification containing the click details (action, button, timestamp) to the corresponding PWA subscription.
 *   Integrates with Traefik v3 via Docker labels.
 *   Configurable via environment variables (`.env` file).
-*   Optional Basic Authentication for securing the `/webhook` and `/subscribe` endpoints.
+*   Optional bearer token authentication for securing the Flic webhook endpoint.
+*   CORS configuration for allowing requests (needed if your PWA management interface interacts with this service, although not strictly necessary for the Flic->Backend->PWA push flow itself).
 
 ## Prerequisites
 
@@ -60,22 +60,46 @@ It's designed to be run as a Docker container and integrated with Traefik v3 for
         *   `VAPID_PRIVATE_KEY`: The private key generated in step 2. **Keep this secret!**
         *   `VAPID_SUBJECT`: A `mailto:` or `https:` URL identifying you or your application (e.g., `mailto:admin@yourdomain.com`). Used by push services to contact you.
         *   `PORT`: (Default: `3000`) The internal port the Node.js app listens on. Traefik will map to this.
-    *   `SUBSCRIPTIONS_FILE`: (Default: `subscriptions.json`) The path *inside the container* where the button-to-subscription mapping is stored.
-    *   `DEFAULT_BUTTON_NAME`: (Default: `game-button`) The default button name to use when the `Button-Name` header is not provided in the webhook request.
-    *   `BASIC_AUTH_USERNAME`: (Optional) Username for Basic Authentication. If set along with `BASIC_AUTH_PASSWORD`, authentication will be enabled for `/webhook` and `/subscribe`.
-    *   `BASIC_AUTH_PASSWORD`: (Optional) Password for Basic Authentication. If set along with `BASIC_AUTH_USERNAME`, authentication will be enabled.
-    *   `NOTIFICATION_MAX_RETRIES`: (Default: `3`) Number of retry attempts for failed push notifications. Must be a number.
-    *   `NOTIFICATION_FIRST_RETRY_DELAY_MS`: (Default: `10`) Delay in milliseconds for the first retry attempt. Setting to 0-10ms provides near-immediate first retry for transient DNS issues. Must be a number.
-    *   `NOTIFICATION_SUBSEQUENT_RETRY_DELAY_MS`: (Default: `1000`) Base delay in milliseconds for subsequent retries. Each additional retry uses this value with exponential backoff and jitter. Must be a number.
+        *   `SUBSCRIPTIONS_FILE`: (Default: `/app/subscriptions.json`) The path *inside the container* where the button-to-subscription mapping is stored.
+        *   `FLIC_SECRET`: (Optional) Set a strong, random secret string if you want to secure the webhook endpoint using Bearer token authentication. Generate with `openssl rand -hex 32` or a password manager.
+        *   `ALLOWED_ORIGINS`: Comma-separated list of domains allowed by CORS. Include your PWA's domain if it needs to interact directly (e.g., for setup). Example: `https://my-pwa.com`.
+        *   `ALLOWED_METHODS`: (Default: `POST,OPTIONS`) Standard methods needed.
+        *   `ALLOWED_HEADERS`: (Default: `Content-Type,Authorization`) Standard headers needed.
+        *   `MAX_NOTIFICATION_RETRIES`: (Default: `3`) Number of retry attempts for failed push notifications. Must be a number.
+        *   `INITIAL_RETRY_DELAY_MS`: (Default: `1000`) Initial delay in milliseconds before first retry. Must be a number.
         *   `DNS_TIMEOUT_MS`: (Default: `5000`) DNS resolution timeout in milliseconds. Must be a number.
         *   `HTTP_TIMEOUT_MS`: (Default: `10000`) HTTP request timeout in milliseconds. Must be a number.
         *   `LOG_LEVEL`: (Default: `info`) Controls verbosity of logs. Valid values are `error`, `warn`, `info`, or `debug`. Use `debug` to see detailed header information and other diagnostic messages.
+        *   `TRAEFIK_SERVICE_HOST`: Your public domain for this service (e.g., `webpush.virtonline.eu`).
+        *   `TRAEFIK_CERT_RESOLVER`: The name of your TLS certificate resolver configured in Traefik (e.g., `le`, `myresolver`).
 
 4.  **Configure Traefik Labels:**
     *   Copy the example `labels` file:
         ```bash
         cp labels.example labels
         ```
+    *   **Important:** Edit the `labels` file. Replace `${TRAEFIK_SERVICE_HOST}`, `${TRAEFIK_CERT_RESOLVER}`, and `${PORT}` with the *actual values* from your `.env` file, as `docker run` does not substitute variables in label files.
+        *   Example replacement: `Host(\`${TRAEFIK_SERVICE_HOST}\`)` becomes `Host(`webpush.virtonline.eu`)`.
+        *   `traefik.http.routers.flic-webhook.tls.certresolver=${TRAEFIK_CERT_RESOLVER}` becomes `traefik.http.routers.flic-webhook.tls.certresolver=myresolver`.
+        *   `traefik.http.services.flic-webhook.loadbalancer.server.port=${PORT}` becomes `traefik.http.services.flic-webhook.loadbalancer.server.port=3000`.
+
+5.  **Prepare Subscription Mapping File:**
+    *   Edit the `subscriptions.json` file
+    *   Add entries mapping your Flic button's serial number (as a lowercase string key) to the PWA `PushSubscription` object.
+        ```json
+        {
+          "game": { // <-- Replace with your actual Flic Button name (lowercase recommended)
+            "endpoint": "https://your_pwa_push_endpoint...",
+            "expirationTime": null,
+            "keys": {
+              "p256dh": "YOUR_PWA_SUBSCRIPTION_P256DH_KEY",
+              "auth": "YOUR_PWA_SUBSCRIPTION_AUTH_KEY"
+            }
+          }
+          // Add more entries for other buttons if needed
+        }
+        ```
+    *   Ensure this file contains valid JSON.
 
 ## Running the Service
 
@@ -89,7 +113,7 @@ It's designed to be run as a Docker container and integrated with Traefik v3 for
     This command runs the container in detached mode (`-d`), names it, connects it to the `traefik` network, passes environment variables from the `.env` file, applies the Traefik labels from the `labels` file, and mounts the `subscriptions.json` file into the container.
 
     ```bash
-    docker run --rm -d --name flic-webhook-webpush \
+    docker run -d --name flic-webhook-webpush \
       --network traefik \
       --env-file .env \
       --label-file labels \
@@ -113,99 +137,44 @@ In your Flic app or Flic Hub SDK interface:
 1.  Select your Flic button.
 2.  Add an "Internet Request" action.
 3.  Fill in the following details:
-    *   Select the `GET` method.
-    *   Set URL with query parameter: `https://webpush.virtonline.eu/webhook/SingleClick`
-    *   **If Basic Authentication is enabled:**
-        *   Set the Headers:
-            *   Set the `Key` fields to `Authorization`.
-            *   Set the `Value` fields to `Basic <base64 encoded username:password>` (e.g., `Basic dXNlcm5hbWU6cGFzc3dvcmQ=`). Use `$(echo -n 'user:password' | base64)` to generate the base64 encoded string.
-            *   Click `ADD`.
-    *   Tap on `SAVE ACTION`.
-4.   Repeat for Double Click (i.e., `/DoubleClick`) and Hold (i.e., `/Hold`) events.  
-    The request for the Hold event should look like this:
+    *   Set `GET` method.
+    *   Set URL with query parameter: `https://webpush.virtonline.eu/flic-webhook?click_type=SingleClick`
+    *   Add headers:
+        *   Key: `Authorization`
+        *   Value: `Bearer <FLIC_SECRET>` (Replace `<FLIC_SECRET>` with the actual secret from your `.env` file).
+    *   It should look like this:
 
-<img src="images/flic-button-request.png" width="300" alt="Flic Button Request">
+    <!-- <img src="images/flic-button-request.png" width="300" alt="Flic Button Request Configuration"> // TODO: Update image -->
 
-## App Example: "HTTP Shortcuts" by waboodoo
+    *   Tap on `Save action`.
+4.   Repeat for Double Click and/or Hold events.
     
-Search the Play Store - there might be others with similar names.
+## API Endpoint
 
-1.  Install the App: Download and install "HTTP Shortcuts" or a similar app from the Google Play Store.
-2.  Create a New Shortcut within the App:
-    *   Open the app and usually tap a '+' or 'Add' button.
-    *   Give your shortcut a Name (e.g., "Turn on Office Light", "Log Water Intake").
-    *   Choose an Icon.
-    *   Enter the URL you want the request sent to (your webhook URL, IFTTT URL, Home Assistant webhook trigger, etc.).
-    *   Select the HTTP Method (GET, POST, PUT, DELETE, etc. - often GET or POST for simple triggers).
-    *   For POST/PUT: You'll likely need to configure the Request Body (e.g., JSON data) and Content Type (e.g., application/json).
-    *   Authentication: Configure Basic Auth, Bearer Tokens, or custom Headers if your endpoint requires authentication.
-    *   Other Options: Explore settings for response handling (show message on success/failure), timeouts, etc.
-    *   Save the shortcut configuration within the app.
-3.  Add the Widget/Shortcut to your Home Screen:
-    *   Go to your Android Home Screen.
-    *   Long-press on an empty space.
-    *   Select "Widgets".
-    *   Scroll through the list to find the "HTTP Shortcuts" app (or the app you installed).
-    *   Drag the app's widget or shortcut option onto your home screen.
-    *   The app will likely ask you to choose which specific shortcut (the one you just created) this widget should trigger. Select it.
-4.  Test: Tap the newly created button on your home screen. It should trigger the internet request you configured.
-
-## API Endpoints
-
-*   **`POST /subscribe`**
-    *   **Description:** Adds or updates the Web Push subscription associated with a specific Flic button ID.
-    *   **Authentication:** Optional Basic Authentication via `Authorization` header if `BASIC_AUTH_USERNAME` and `BASIC_AUTH_PASSWORD` are configured.
-    *   **Request Body:** JSON object containing:
-        *   `button_id` (string, optional): The unique identifier for the Flic button (lowercase recommended, e.g., "game-button", "lights-button"). If not provided, the value of `DEFAULT_BUTTON_NAME` environment variable will be used as a fallback.
-        *   `subscription` (object, required): The [PushSubscription object](https://developer.mozilla.org/en-US/docs/Web/API/PushSubscription) obtained from the browser's Push API.
-        ```json
-        {
-          "button_id": "game-button",
-          "subscription": {
-            "endpoint": "https://your_pwa_push_endpoint...",
-            "expirationTime": null,
-            "keys": {
-              "p256dh": "YOUR_PWA_SUBSCRIPTION_P256DH_KEY",
-              "auth": "YOUR_PWA_SUBSCRIPTION_AUTH_KEY"
-            }
-          }
-        }
-        ```
-    *   **Responses:**
-        *   `201 Created`: Subscription saved successfully.
-        *   `400 Bad Request`: Missing or invalid `subscription` object in the request body.
-        *   `401 Unauthorized`: Missing or invalid Basic Authentication credentials (if authentication is enabled).
-        *   `500 Internal Server Error`: Failed to save the subscription to the file.
-
-*   **`GET /webhook/:click_type`**
+*   **`GET /flic-webhook`**
     *   **Description:** Receives Flic button events.
-    *   **Authentication:** Optional Basic Authentication via `Authorization` header if `BASIC_AUTH_USERNAME` and `BASIC_AUTH_PASSWORD` are configured.
-    *   **URL Parameters:**
-        *   `click_type` (required): The type of button press (e.g., `SingleClick`, `DoubleClick`, or `Hold`).
-    *   **Optional Headers:**
-        *   `Button-Name`: The identifier of the Flic button (sent by the Flic system). If not provided, the value of `DEFAULT_BUTTON_NAME` environment variable will be used as a fallback.
-        *   `Timestamp`: Timestamp of the button event (sent by the Flic system).
-        *   `Button-Battery-Level`: The battery level percentage of the button (sent by the Flic system).
+    *   **Authentication:** Optional Bearer token via `Authorization` header if `FLIC_SECRET` is configured.
+    *   **Query Parameters:**
+        *   `click_type`: The type of button press (SingleClick, DoubleClick, or Hold)
     *   **Responses:**
         *   `200 OK`: Webhook received, push notification sent successfully.
-        *   `400 Bad Request`: Missing `Button-Name` header or `click_type` URL parameter.
-        *   `401 Unauthorized`: Missing or invalid Basic Authentication credentials (if authentication is enabled).
+        *   `400 Bad Request`: Missing `Button-Name` header or `click_type` query parameter.
+        *   `401 Unauthorized`: Missing or invalid Bearer token (if `FLIC_SECRET` is enabled).
         *   `404 Not Found`: No subscription found in `subscriptions.json` for the given `Button-Name`.
         *   `410 Gone`: The push subscription associated with the button was rejected by the push service (likely expired or revoked).
         *   `500 Internal Server Error`: Failed to send the push notification for other reasons.
 
 ## Testing the Webhook
 
-Once your service is up and running, you can test the webhook endpoint using curl or any API testing tool. This example assumes Basic Authentication is enabled.
+Once your service is up and running, you can test the webhook endpoint using curl or any API testing tool:
 
-**Note:** Replace `<username>`, `<password>` with your actual values. The `Button-Name` header is optional and will default to the value of `DEFAULT_BUTTON_NAME` if not provided.
+**Note:** In the command below, replace `a74181969a613c545d66c1e436e75c1e4a6` with your actual FLIC_SECRET value from your .env file.
 
 ```bash
-curl -X GET "https://webpush.virtonline.eu/webhook/SingleClick"   \
-  -H "Authorization: Basic $(echo -n 'user:password' | base64)"   \
-  -H "Button-Name: game-button"   \
-  -H "Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)"   \
-  -H "Button-Battery-Level: 100"
+curl -X GET "https://webpush.virtonline.eu/flic-webhook?click_type=SingleClick" \
+  -H "Authorization: Bearer a74181969a613c545d66c1e436e75c1e4a6" \
+  -H "Button-Name: Game" \
+  -H "Timestamp: 2025-03-26T01:10:20Z"
 ```
 
 The expected response should be:
@@ -215,7 +184,7 @@ The expected response should be:
 
 If successful, the above response indicates that:
 1. Your webhook endpoint is properly configured
-2. The button name was found in your subscriptions.json file
+2. The button ID was found in your subscriptions.json file
 3. The web push notification was successfully sent to the registered PUSH API endpoint (e.g. https://jmt17.google.com/fcm/send/cf907M...)
 
 If you receive a different response, refer to the Troubleshooting section below.
@@ -228,11 +197,5 @@ If you receive a different response, refer to the Troubleshooting section below.
 *   **Verify `.env`:** Ensure all required variables are set correctly, especially VAPID keys and Traefik settings.
 *   **Verify `labels`:** Double-check that variables were correctly substituted manually and match your `.env` and Traefik setup.
 *   **Verify `subscriptions.json`:** Ensure it's valid JSON and the button serial number (key) matches exactly what Flic sends (check backend logs for "Received webhook: Button=..."). Check if the subscription details are correct. Case sensitivity matters for the JSON keys (button serials).
-*   **Check Flic Configuration:** Ensure the URL, Method, `click_type` parameter, and authentication details (Username/Password if enabled) are correct in the Flic action setup. Use `curl` or Postman to test the endpoint manually first.
+*   **Check Flic Configuration:** Ensure the URL, Method, Body, and Headers (especially `Content-Type` and `Authorization` if used) are correct in the Flic action setup. Use `curl` or Postman to test the endpoint manually first.
 *   **PWA Service Worker:** Remember that the PWA needs a correctly registered Service Worker to receive and handle the incoming push messages. Ensure the PWA subscribes using the *same* `VAPID_PUBLIC_KEY` configured in the backend's `.env`.
-*   **Push Notification Retry Mechanism:** The service includes an optimized retry mechanism for handling temporary DNS resolution issues:
-    * First retry happens immediately or with minimal delay (controlled by `NOTIFICATION_FIRST_RETRY_DELAY_MS`, default 10ms)
-    * Subsequent retries use exponential backoff with jitter (starting from `NOTIFICATION_SUBSEQUENT_RETRY_DELAY_MS`, default 1000ms)
-    * Maximum number of retries is controlled by `NOTIFICATION_MAX_RETRIES` (default 3)
-    * This approach minimizes latency for transient DNS issues while preventing excessive requests for persistent problems
-    * Adjust these values in your `.env` file based on your network conditions and reliability requirements

labels

@@ -17,16 +17,16 @@ traefik.http.routers.flic-webhook-webpush.service=flic-webhook-webpush
 traefik.http.services.flic-webhook-webpush.loadbalancer.server.port=3000
 
 # Middleware CORS
-traefik.http.middlewares.cors-headers.headers.accesscontrolallowmethods=POST,GET
+traefik.http.middlewares.cors-headers.headers.accesscontrolallowmethods=POST,GET,OPTIONS
 traefik.http.middlewares.cors-headers.headers.accesscontrolalloworiginlist=https://game-timer.virtonline.eu
-traefik.http.middlewares.cors-headers.headers.accesscontrolallowheaders=Content-Type,Authorization,button-name,button-battery-level,timestamp
-traefik.http.middlewares.cors-headers.headers.accesscontrolallowcredentials=true
+traefik.http.middlewares.cors-headers.headers.accesscontrolallowheaders=Content-Type,Authorization
 traefik.http.middlewares.cors-headers.headers.accesscontrolmaxage=600
 traefik.http.middlewares.cors-headers.headers.addvaryheader=true
+# Apply the middleware to the router
+traefik.http.routers.flic-webhook-webpush.middlewares=cors-headers 
 
 # Middleware Rate Limiting
 traefik.http.middlewares.flic-ratelimit.ratelimit.average=10
 traefik.http.middlewares.flic-ratelimit.ratelimit.burst=20
-
-# Apply both middlewares to the router (comma-separated list)
-traefik.http.routers.flic-webhook-webpush.middlewares=cors-headers,flic-ratelimit
+# Apply the middleware to the router
+traefik.http.routers.flic-webhook-webpush.middlewares=flic-ratelimit

package-lock.json

@@ -9,6 +9,7 @@
             "version": "1.0.0",
             "license": "MIT",
             "dependencies": {
+                "cors": "^2.8.5",
                 "dotenv": "^16.4.5",
                 "express": "^4.19.2",
                 "web-push": "^3.6.7"
@@ -150,6 +151,18 @@
             "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
             "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
         },
+        "node_modules/cors": {
+            "version": "2.8.5",
+            "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz",
+            "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==",
+            "dependencies": {
+                "object-assign": "^4",
+                "vary": "^1"
+            },
+            "engines": {
+                "node": ">= 0.10"
+            }
+        },
         "node_modules/debug": {
             "version": "2.6.9",
             "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
@@ -601,6 +614,14 @@
                 "node": ">= 0.6"
             }
         },
+        "node_modules/object-assign": {
+            "version": "4.1.1",
+            "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+            "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+            "engines": {
+                "node": ">=0.10.0"
+            }
+        },
         "node_modules/object-inspect": {
             "version": "1.13.4",
             "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",

package.json

@@ -17,6 +17,7 @@
     "author": "Your Name",
     "license": "MIT",
     "dependencies": {
+      "cors": "^2.8.5",
       "dotenv": "^16.4.5",
       "express": "^4.19.2",
       "web-push": "^3.6.7"

server.js

@@ -1,5 +1,6 @@
 const express = require('express');
 const webpush = require('web-push');
+const cors = require('cors');
 const fs = require('fs');
 const path = require('path');
 const dns = require('dns'); // Add DNS module
@@ -12,17 +13,16 @@ const port = process.env.PORT || 3000;
 const vapidPublicKey = process.env.VAPID_PUBLIC_KEY;
 const vapidPrivateKey = process.env.VAPID_PRIVATE_KEY;
 const vapidSubject = process.env.VAPID_SUBJECT; // mailto: or https:
-const subscriptionsFilePath = process.env.SUBSCRIPTIONS_FILE || path.join(__dirname, '/app/subscriptions.json');
-const defaultButtonName = process.env.DEFAULT_BUTTON_NAME || 'game-button';
-// Basic Authentication Credentials
-const basicAuthUsername = process.env.BASIC_AUTH_USERNAME;
-const basicAuthPassword = process.env.BASIC_AUTH_PASSWORD;
+const subscriptionsFilePath = process.env.SUBSCRIPTIONS_FILE || path.join(__dirname, 'subscriptions.json');
+const flicSecret = process.env.FLIC_SECRET; // Optional Bearer token secret for Flic webhook
 // Note: We are NOT adding specific authentication for the /subscribe endpoint in this version.
 // Consider adding API key or other auth if exposing this publicly.
+const allowedOrigins = (process.env.ALLOWED_ORIGINS || "").split(',').map(origin => origin.trim()).filter(origin => origin);
+const allowedMethods = (process.env.ALLOWED_METHODS || "POST,OPTIONS,GET").split(',').map(method => method.trim()).filter(method => method);
+const allowedHeaders = (process.env.ALLOWED_HEADERS || "Content-Type,Authorization").split(',').map(header => header.trim()).filter(header => header);
 // Retry configuration for DNS resolution issues
-const maxRetries = parseInt(process.env.NOTIFICATION_MAX_RETRIES || 3, 10);
-const subsequentRetryDelay = parseInt(process.env.NOTIFICATION_SUBSEQUENT_RETRY_DELAY_MS || 1000, 10); // 1 second base delay for subsequent retries
-const firstRetryDelay = parseInt(process.env.NOTIFICATION_FIRST_RETRY_DELAY_MS || 10, 10); // 10 milliseconds - minimal delay for first retry
+const maxRetries = parseInt(process.env.MAX_NOTIFICATION_RETRIES || 3, 10);
+const initialRetryDelay = parseInt(process.env.INITIAL_RETRY_DELAY_MS || 1000, 10); // 1 second
 // HTTP request timeout configuration
 const httpTimeout = parseInt(process.env.HTTP_TIMEOUT_MS || 10000, 10); // 10 seconds
 // Logging level configuration
@@ -95,7 +95,7 @@ dns.setServers(dns.getServers()); // Reset DNS servers (can help in some Docker
 // Example: dns.setServers(['8.8.8.8', '1.1.1.1']);
 
 // --- Utility function for retrying web push notifications with exponential backoff ---
-async function sendWebPushWithRetry(subscription, payload, retryCount = 0, delay = subsequentRetryDelay) {
+async function sendWebPushWithRetry(subscription, payload, retryCount = 0, delay = initialRetryDelay) {
   try {
     return await webpush.sendNotification(subscription, payload);
   } catch (error) {
@@ -105,25 +105,13 @@ async function sendWebPushWithRetry(subscription, payload, retryCount = 0, delay
                        error.code === 'ETIMEDOUT';
     
     if (isDnsError && retryCount < maxRetries) {
-      // For first retry (retryCount = 0), use minimal delay or no delay
-      const actualDelay = retryCount === 0 ? firstRetryDelay : delay;
+      console.log(`DNS resolution failed (${error.code}). Retrying notification in ${delay}ms (attempt ${retryCount + 1}/${maxRetries})...`);
       
-      if (retryCount === 0) {
-        logger.info(`DNS resolution failed (${error.code}). Retrying notification immediately or with minimal delay of ${firstRetryDelay}ms (attempt ${retryCount + 1}/${maxRetries})...`);
-      } else {
-        logger.info(`DNS resolution failed (${error.code}). Retrying notification in ${actualDelay}ms (attempt ${retryCount + 1}/${maxRetries})...`);
-      }
+      // Wait for the delay
+      await new Promise(resolve => setTimeout(resolve, delay));
       
-      // Wait for the delay (minimal or none for first retry)
-      if (actualDelay > 0) {
-        await new Promise(resolve => setTimeout(resolve, actualDelay));
-      }
-
-      // Calculate next delay with exponential backoff + jitter
-      // First retry uses subsequentRetryDelay, subsequent retries use exponential increase
-      const nextDelay = retryCount === 0 ?
-                       subsequentRetryDelay :
-                       delay * (1.5 + Math.random() * 0.5);
+      // Exponential backoff with jitter
+      const nextDelay = delay * (1.5 + Math.random() * 0.5);
       
       // Retry recursively with increased count and delay
       return sendWebPushWithRetry(subscription, payload, retryCount + 1, nextDelay);
@@ -178,71 +166,67 @@ loadSubscriptions();
 // --- Express App Setup ---
 const app = express();
 
+// --- CORS Middleware ---
+const corsOptions = {
+  origin: (origin, callback) => {
+    if (!origin || allowedOrigins.length === 0 || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      console.warn(`CORS: Blocked origin: ${origin}`);
+      callback(new Error('Not allowed by CORS'));
+    }
+  },
+  methods: allowedMethods,
+  allowedHeaders: allowedHeaders,
+  optionsSuccessStatus: 204 // For pre-flight requests
+};
+app.use(cors(corsOptions));
+// Enable pre-flight requests for all relevant routes
+app.options('/flic-webhook', cors(corsOptions));
+app.options('/subscribe', cors(corsOptions));
+
+
 // --- Body Parsing Middleware ---
 app.use(express.json());
 
-// --- Basic Authentication Middleware ---
-const authenticateBasic = (req, res, next) => {
-  // Skip authentication for OPTIONS requests (CORS preflight - Traefik might still forward them or handle them)
-  // It's safe to keep this check.
-  if (req.method === 'OPTIONS') {
-    logger.debug('Auth: Skipping auth for OPTIONS request.');
-    // Traefik should ideally respond to OPTIONS, but if it forwards, we just proceed without auth check.
-    // We don't need to send CORS headers here anymore.
-    return res.sendStatus(204); // Standard practice for preflight response if it reaches the backend
-  }
-
-  // Skip authentication if username or password are not set in environment
-  if (!basicAuthUsername || !basicAuthPassword) {
-    logger.warn('Auth: Basic Auth username or password not configured. Skipping authentication.');
+// --- Authentication Middleware (For Flic Webhook Only) ---
+const authenticateFlicRequest = (req, res, next) => {
+  // Only apply auth if flicSecret is configured
+  if (!flicSecret) {
     return next();
   }
 
   const authHeader = req.headers.authorization;
-
-  if (!authHeader || !authHeader.startsWith('Basic ')) {
-    logger.warn('Auth: Missing or malformed Basic Authorization header');
-    res.setHeader('WWW-Authenticate', 'Basic realm="Restricted Area"');
-    return res.status(401).json({ message: 'Unauthorized: Basic Authentication required' });
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    logger.warn('Auth (Flic): Missing or malformed Authorization header');
+    return res.status(401).json({ message: 'Unauthorized: Missing or malformed Bearer token' });
   }
 
-  const credentials = authHeader.split(' ')[1];
-  const decodedCredentials = Buffer.from(credentials, 'base64').toString('utf8');
-  const [username, password] = decodedCredentials.split(':');
-
-  // Note: Use constant-time comparison for production environments if possible,
-  // but for this scope, direct comparison is acceptable.
-  if (username === basicAuthUsername && password === basicAuthPassword) {
-    logger.debug('Auth: Basic Authentication successful.');
-    return next();
-  } else {
-    logger.warn('Auth: Invalid Basic Authentication credentials received.');
-    res.setHeader('WWW-Authenticate', 'Basic realm="Restricted Area"');
-    return res.status(401).json({ message: 'Unauthorized: Invalid credentials' });
+  const token = authHeader.split(' ')[1];
+  if (token !== flicSecret) {
+    logger.warn('Auth (Flic): Invalid Bearer token received');
+    return res.status(401).json({ message: 'Unauthorized: Invalid token' });
   }
+
+  logger.debug('Auth (Flic): Request authenticated successfully.');
+  next();
 };
 
-// --- Routes ---
+app.post('/subscribe', async (req, res) => {
+    const { button_id, subscription } = req.body;
     
-// Subscribe endpoint: Add a new button->subscription mapping
-// Apply Basic Authentication
-app.post('/subscribe', authenticateBasic, async (req, res) => {
-    let { button_id, subscription } = req.body;
-
-    logger.debug('All headers received on /subscribe:');
+    logger.debug('All headers received:');
     Object.keys(req.headers).forEach(headerName => {
       logger.debug(`  ${headerName}: ${req.headers[headerName]}`);
     });
 
-    // If button_id is not provided, use defaultButtonName from environment variable
-    if (!button_id || typeof button_id !== 'string' || button_id.trim() === '') {
-        button_id = defaultButtonName;
-        logger.info(`No button_id provided, using default button name: ${button_id}`);
-    }
-
     logger.info(`Received subscription request for button: ${button_id}`);
 
-    // Basic Validation - now we only validate subscription since button_id will use default if not provided
+    // Basic Validation
+    if (!button_id || typeof button_id !== 'string' || button_id.trim() === '') {
+        logger.warn('Subscription Error: Missing or invalid button_id');
+        return res.status(400).json({ message: 'Bad Request: Missing or invalid button_id' });
+    }
     if (!subscription || typeof subscription !== 'object' || !subscription.endpoint || !subscription.keys || !subscription.keys.p256dh || !subscription.keys.auth) {
         logger.warn('Subscription Error: Missing or invalid subscription object structure');
         return res.status(400).json({ message: 'Bad Request: Missing or invalid subscription object' });
@@ -266,30 +250,26 @@ app.post('/subscribe', authenticateBasic, async (req, res) => {
 });
 
 // --- Flic Webhook Endpoint (GET only) ---
-// Apply Basic Authentication
-app.get('/webhook/:click_type', authenticateBasic, async (req, res) => {
+// Apply Flic-specific authentication to this route
+app.get('/flic-webhook', authenticateFlicRequest, async (req, res) => {
   // Get buttonName from Header 'Button-Name' and timestamp from Header 'Timestamp'
-  const buttonName = req.headers['button-name'] || defaultButtonName;
+  const buttonName = req.headers['button-name'];
   const timestamp = req.headers['timestamp'];
-  // Get click_type from URL path
-  const click_type = req.params.click_type;
-  // Get battery level from Header 'Button-Battery-Level'
-  const batteryLevelHeader = req.headers['button-battery-level'];
-  // Use 'N/A' if header is missing or empty, otherwise parse as integer (or keep as string if parsing fails)
-  const batteryLevel = batteryLevelHeader ? parseInt(batteryLevelHeader, 10) || batteryLevelHeader : 'N/A';
+  // Get click_type from query parameter instead of request body
+  const click_type = req.query.click_type;
 
   // Log all headers received from Flic
-  logger.debug('All headers received on /webhook:');
+  logger.debug('All headers received:');
   Object.keys(req.headers).forEach(headerName => {
     logger.debug(`  ${headerName}: ${req.headers[headerName]}`);
   });
 
-  logger.info(`Received GET webhook: Button=${buttonName}, Type=${click_type}, Battery=${batteryLevel}%, Timestamp=${timestamp || 'N/A'}`);
+  logger.info(`Received GET webhook: Button=${buttonName}, Type=${click_type}, Timestamp=${timestamp || 'N/A'}`);
 
   // Basic validation
-  if (!click_type) {
-    logger.warn(`Webhook Error: Missing click_type query parameter`);
-    return res.status(400).json({ message: 'Bad Request: Missing click_type query parameter' });
+  if (!buttonName || !click_type) {
+    logger.warn(`Webhook Error: Missing Button-Name header or click_type query parameter`);
+    return res.status(400).json({ message: 'Bad Request: Missing Button-Name header or click_type query parameter' });
   }
 
   const normalizedButtonName = buttonName.toLowerCase(); // Use lowercase for lookup consistency
@@ -309,8 +289,7 @@ app.get('/webhook/:click_type', authenticateBasic, async (req, res) => {
     data: {
         action: click_type,
         button: normalizedButtonName, // Send normalized button name
-        timestamp: timestamp || new Date().toISOString(),
-        batteryLevel: batteryLevel // Use the extracted value
+        timestamp: timestamp || new Date().toISOString()
     }
     // icon: '/path/to/icon.png'
   });
@@ -342,17 +321,13 @@ const server = http.createServer(app);
 
 server.listen(port, () => {
   logger.info(`Flic Webhook to WebPush server listening on port ${port}`);
-  logger.info('CORS: Handled by Traefik');
-  // Log Basic Auth status instead of Flic Secret
-  if (basicAuthUsername && basicAuthPassword) {
-    logger.info('Authentication: Basic Auth Enabled');
-  } else {
-    logger.info('Authentication: Basic Auth Disabled (username/password not set)');
-  }
-  logger.info(`Subscription Endpoint Auth: ${basicAuthUsername && basicAuthPassword ? 'Enabled (Basic)' : 'Disabled'}`);
-  logger.info(`Webhook Endpoint Auth: ${basicAuthUsername && basicAuthPassword ? 'Enabled (Basic)' : 'Disabled'}`);
+  logger.info(`Allowed Origins: ${allowedOrigins.length > 0 ? allowedOrigins.join(', ') : '(Any)'}`);
+  logger.info(`Allowed Methods: ${allowedMethods.join(', ')}`);
+  logger.info(`Allowed Headers: ${allowedHeaders.join(', ')}`);
+  logger.info(`Flic Webhook Auth: ${flicSecret ? 'Enabled (Bearer Token)' : 'Disabled'}`);
+  logger.info(`Subscription Endpoint Auth: Disabled`);
   logger.info(`Subscriptions File: ${subscriptionsFilePath}`);
-  logger.info(`Push Notification Retry Config: ${maxRetries} retries, first retry: ${firstRetryDelay}ms, subsequent retries: ${subsequentRetryDelay}ms base delay`);
+  logger.info(`Push Notification Retry Config: ${maxRetries} retries, ${initialRetryDelay}ms initial delay`);
   logger.info(`DNS Config: IPv4 first, timeout ${dnsTimeout}ms`);
   logger.info(`HTTP Timeout: ${httpTimeout}ms`);
   logger.info(`Log Level: ${LOG_LEVEL.toUpperCase()}`);

virt-flic-webhook-webpush.service.example

@@ -1,32 +0,0 @@
-[Unit]
-Description=flic-webhook-webpush (virt-flic-webhook-webpush)
-Requires=docker.service
-After=docker.service
-DefaultDependencies=no
-
-[Service]
-Type=simple
-Environment="HOME=/root"
-ExecStartPre=-/usr/bin/env sh -c '/usr/bin/env docker kill virt-flic-webhook-webpush 2>/dev/null || true'
-ExecStartPre=-/usr/bin/env sh -c '/usr/bin/env docker rm virt-flic-webhook-webpush 2>/dev/null || true'
-ExecStartPre=/usr/bin/env sh -c 'touch /virt/flic-webhook-webpush/subscriptions.json'
-
-ExecStart=/usr/bin/env docker run \
-                        --rm \
-                        --name=virt-flic-webhook-webpush \
-			--log-driver=none \
-                        --network=traefik \
-                        --env-file=/virt/flic-webhook-webpush/env \
-			--label-file=/virt/flic-webhook-webpush/labels \
-                        --mount type=bind,src=/virt/flic-webhook-webpush/subscriptions.json,dst=/app/subscriptions.json \
-                                flic-webhook-webpush
-
-ExecStop=-/usr/bin/env sh -c '/usr/bin/env docker kill virt-flic-webhook-webpush 2>/dev/null || true'
-ExecStop=-/usr/bin/env sh -c '/usr/bin/env docker rm virt-flic-webhook-webpush 2>/dev/null || true'
-
-Restart=always
-RestartSec=30
-SyslogIdentifier=virt-flic-webhook-webpush
-
-[Install]
-WantedBy=multi-user.target