From 2f1946e68308c9eb87683fe7b25ca83b3ede4f0a Mon Sep 17 00:00:00 2001 From: Andrei Date: Wed, 8 Oct 2025 23:15:42 +0000 Subject: [PATCH] fix: Make VAPID public key endpoint publicly accessible MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The VAPID public key endpoint needs to be publicly accessible since frontends need it BEFORE user authentication to set up push subscriptions. Changes: - Added @Public() decorator to /api/v1/push/vapid-public-key endpoint - Imported Public decorator from auth decorators - Kept all other endpoints protected with JwtAuthGuard: * POST /api/v1/push/subscriptions (requires auth) * GET /api/v1/push/subscriptions (requires auth) * DELETE /api/v1/push/subscriptions (requires auth) * POST /api/v1/push/test (requires auth) * GET /api/v1/push/statistics (requires auth) The endpoint now returns the public VAPID key without authentication: GET /api/v1/push/vapid-public-key Response: {"publicKey":"BErlB..."} This matches the Web Push API standard where VAPID public keys are safe to expose publicly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .../src/modules/push/push.controller.ts | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/maternal-app/maternal-app-backend/src/modules/push/push.controller.ts b/maternal-app/maternal-app-backend/src/modules/push/push.controller.ts
index e773167..02b96fa 100644
--- a/maternal-app/maternal-app-backend/src/modules/push/push.controller.ts
+++ b/maternal-app/maternal-app-backend/src/modules/push/push.controller.ts
@@ -13,15 +13,17 @@ import {
 } from '@nestjs/common';
 import { PushService, PushSubscriptionData } from './push.service';
 import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
+import { Public } from '../auth/decorators/public.decorator';
 @Controller('api/v1/push')
-@UseGuards(JwtAuthGuard)
 export class PushController {
 constructor(private readonly pushService: PushService) {}
 /**
 * Get the public VAPID key for frontend subscription
+ * This endpoint is public since it's needed for subscription setup
 */
+ @Public()
 @Get('vapid-public-key')
 @HttpCode(HttpStatus.OK)
 getPublicKey(): { publicKey: string } {
@@ -34,6 +36,7 @@ export class PushController {
 * Subscribe to push notifications
 */
 @Post('subscriptions')
+ @UseGuards(JwtAuthGuard)
 @HttpCode(HttpStatus.CREATED)
 async subscribe(
 @Req() req: any,
@@ -74,6 +77,7 @@ export class PushController {
 * Get user's push subscriptions
 */
 @Get('subscriptions')
+ @UseGuards(JwtAuthGuard)
 @HttpCode(HttpStatus.OK)
 async getSubscriptions(@Req() req: any) {
 const userId = req.user?.userId;
@@ -97,6 +101,7 @@ export class PushController {
 * Unsubscribe from push notifications
 */
 @Delete('subscriptions')
+ @UseGuards(JwtAuthGuard)
 @HttpCode(HttpStatus.NO_CONTENT)
 async unsubscribe(@Req() req: any, @Query('endpoint') endpoint: string) {
 const userId = req.user?.userId;
@@ -112,6 +117,7 @@ export class PushController {
 * Send a test push notification
 */
 @Post('test')
+ @UseGuards(JwtAuthGuard)
 @HttpCode(HttpStatus.OK)
 async sendTest(@Req() req: any) {
 const userId = req.user?.userId;
@@ -126,6 +132,7 @@ export class PushController {
 * Get push notification statistics (admin or self)
 */
 @Get('statistics')
+ @UseGuards(JwtAuthGuard)
 @HttpCode(HttpStatus.OK)
 async getStatistics(@Req() req: any) {
 const userId = req.user?.userId;
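Review bot: Removing the class-level `@UseGuards(JwtAuthGuard)` makes PushController fail-open: the per-method guards added in the five later hunks cover today's routes, but a handler added later without its own decorator would be served unauthenticated unless a global guard (not visible here) catches it. `@Public()` presumably only sets route metadata, so it does nothing unless some guard reads it. If JwtAuthGuard honours that metadata, keeping the class-level guard and adding `@Public()` on `getPublicKey` alone would expose the key while leaving the rest closed by default. If it does not, say so in the docstring, e.g. `* Deliberately unguarded: the VAPID public key is not a secret.` An e2e test expecting 401 without a token on each protected route and 200 on `vapid-public-key` would catch a future regression; the class body continues outside the hunk.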
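Review bot: `const userId = req.user?.userId;` in getSubscriptions (and the identical line in unsubscribe, sendTest and getStatistics in the following hunks) turns a missing or misconfigured guard into an `undefined` user id rather than an error, which matters more now that protection depends on one decorator per method. Unless the lines after the hunk already reject it, fail explicitly with `if (!userId) throw new UnauthorizedException();` (imported from `@nestjs/common`). Typing the request instead of `@Req() req: any` would also let the compiler flag handlers that read `user` without a guard. The handler bodies continue outside these hunks, so the existing checks could not be confirmed.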
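Review bot: The docstring on getStatistics promises "admin or self", but the only control visible in this hunk is `@UseGuards(JwtAuthGuard)`, which authenticates the caller and does not by itself decide whose statistics they may read. If the body below does not compare the requested scope with `userId` or check a role, any logged-in user gets the same view. Confirm that check exists and name it in the comment, e.g. `* Non-admin callers only receive statistics for their own subscriptions.` The method body lies outside the hunk.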