chore: release v0.1.0.104

Account deletion, key enrollment, and credential management use a separate 30/15min limiter so they are not left at 300/min while login and sync routes stay independent.

Co-authored-by: Cursor <cursoragent@cursor.com>

.env.example

@@ -13,8 +13,8 @@ RP_ID=localhost
 # Must match the frontend URL exactly (Vite dev: http://localhost:5173; Docker: http://localhost)
 ORIGIN=http://localhost:5173
 
-# Behind Nginx Proxy Manager — see docs/deployment/npm-security.md
-# TRUST_PROXY=172.16.10.10
+# Behind reverse proxy — see docs/deployment/npm-security.md
+# Docker Compose (NPM → frontend nginx → backend): TRUST_PROXY=1
 # TRUST_PROXY=1
 
 # Docker Compose database (required for production deploy)

VERSION

@@ -1 +1 @@
-0.1.0.92
+0.1.0.105

client/nginx.conf

@@ -43,6 +43,9 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
         proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
         proxy_cache_bypass $http_upgrade;
     }
 }

client/src/App.css

@@ -148,7 +148,8 @@ select.input-text {
   width: 100%;
 }
 
-.time-input-24h__select {
+.time-input-24h__select,
+.time-input-24h__native {
   flex: 1 1 0;
   min-width: 0;
   padding-left: 12px;
@@ -157,6 +158,11 @@ select.input-text {
   font-variant-numeric: tabular-nums;
 }
 
+input[type='time'].time-input-24h__native {
+  color-scheme: inherit;
+  cursor: pointer;
+}
+
 .time-input-24h__sep {
   flex-shrink: 0;
   font-size: 18px;
@@ -2647,27 +2653,13 @@ html.scheme-dark .themed-select-option.is-selected {
 .events-scroll-container {
   width: 100%;
   overflow-x: auto;
+  -webkit-overflow-scrolling: touch;
   background: rgba(11, 12, 16, 0.4);
   border: 1px solid rgba(255, 255, 255, 0.06);
   border-radius: 12px;
   box-sizing: border-box;
 }
 
-/* Custom Scrollbar for events container */
-.events-scroll-container::-webkit-scrollbar {
-  height: 6px;
-}
-.events-scroll-container::-webkit-scrollbar-track {
-  background: rgba(11, 12, 16, 0.2);
-}
-.events-scroll-container::-webkit-scrollbar-thumb {
-  background: rgba(255, 255, 255, 0.1);
-  border-radius: 3px;
-}
-.events-scroll-container::-webkit-scrollbar-thumb:hover {
-  background: rgba(255, 255, 255, 0.2);
-}
-
 .events-table {
   width: 100%;
   border-collapse: collapse;

client/src/components/EventTimeInput24h.tsx

@@ -1,5 +1,6 @@
 import { useId, useMemo } from 'react'
 import { joinTimeHHMM, splitTimeHHMM } from '../utils/logEntryPayload.js'
+import { preferNativeCameraPicker } from '../utils/captureVideoFrame.js'
 
 const HOURS = Array.from({ length: 24 }, (_, i) => String(i).padStart(2, '0'))
 const MINUTES = Array.from({ length: 60 }, (_, i) => String(i).padStart(2, '0'))
@@ -18,7 +19,29 @@ export default function EventTimeInput24h({
   'aria-label': ariaLabel
 }: EventTimeInput24hProps) {
   const baseId = useId()
+  const useNativePicker = preferNativeCameraPicker()
   const { hours, minutes } = useMemo(() => splitTimeHHMM(value), [value])
+  const timeValue = useMemo(() => joinTimeHHMM(hours, minutes), [hours, minutes])
+
+  if (useNativePicker) {
+    return (
+      <div className="time-input-24h">
+        <input
+          id={baseId}
+          type="time"
+          step={60}
+          className="input-text time-input-24h__native"
+          value={timeValue}
+          onChange={(e) => {
+            const next = e.target.value
+            if (next) onChange(next.slice(0, 5))
+          }}
+          disabled={disabled}
+          aria-label={ariaLabel}
+        />
+      </div>
+    )
+  }
 
   return (
     <div className="time-input-24h">

client/src/components/PushNotificationSettings.tsx

@@ -6,7 +6,8 @@ import {
   enableCollaboratorChangePush,
   fetchPushPrefs,
   getNotificationPermission,
-  isPushSupported
+  isPushSupported,
+  preloadPushService
 } from '../services/pushNotifications.js'
 import { isIosDevice, isRunningStandalone } from '../hooks/usePwaInstall.js'
 import { PlausibleEvents, trackPlausibleEvent } from '../services/analytics.js'
@@ -28,6 +29,7 @@ export default function PushNotificationSettings() {
       setLoading(false)
       return
     }
+    void preloadPushService()
     try {
       const prefs = await fetchPushPrefs()
       setEnabled(prefs.collaboratorChangesEnabled)
@@ -56,7 +58,8 @@ export default function PushNotificationSettings() {
         trackPlausibleEvent(PlausibleEvents.PUSH_DISABLED)
       }
     } catch (err: unknown) {
-      const message = err instanceof Error ? err.message : t('profile.push_error')
+      console.error('Failed to toggle push notifications:', err)
+      const message = err instanceof Error ? `${err.name}: ${err.message}` : String(err)
       showAlert(message)
       void loadPrefs()
     } finally {

client/src/components/SettingsForm.tsx

@@ -10,7 +10,8 @@ import { apiFetch } from '../services/api.js'
 import {
   enableCollaboratorChangePush,
   isCollaboratorPushActive,
-  isPushSupported
+  isPushSupported,
+  preloadPushService
 } from '../services/pushNotifications.js'
 import { isIosDevice, isRunningStandalone } from '../hooks/usePwaInstall.js'
 
@@ -55,6 +56,7 @@ export default function SettingsForm({ logbookId, onLogbookRestored }: SettingsF
       loadCollaborators()
       loadShareLink()
     }
+    void preloadPushService()
   }, [logbookId])
 
   const loadShareLink = async () => {
@@ -191,7 +193,8 @@ export default function SettingsForm({ logbookId, onLogbookRestored }: SettingsF
       trackPlausibleEvent(PlausibleEvents.PUSH_ENABLED)
     } catch (err: unknown) {
       console.error('Failed to enable push after invite:', err)
-      await showAlert(err instanceof Error ? err.message : t('profile.push_error'))
+      const message = err instanceof Error ? `${err.name}: ${err.message}` : String(err)
+      await showAlert(message)
     }
   }
 

client/src/hooks/usePwaUpdate.ts

@@ -42,12 +42,14 @@ function scheduleUpdateChecks(
 
   const onVisibilityChange = () => {
     if (document.visibilityState === 'visible') {
-      checkForUpdate()
+      // Delay check on wake-up to allow the mobile network stack to stabilize
+      setTimeout(checkForUpdate, 2000)
     }
   }
 
   const onOnline = () => {
-    checkForUpdate()
+    // Small delay to ensure connection is fully established
+    setTimeout(checkForUpdate, 500)
   }
 
   document.addEventListener('visibilitychange', onVisibilityChange)

client/src/index.css

@@ -18,3 +18,62 @@ body {
   flex-direction: column;
   align-items: center;
 }
+
+/* Scrollbars — auf Touch-Geräten breiter und besser sichtbar */
+:root {
+  --app-scrollbar-size: 10px;
+}
+
+@media (hover: none), (pointer: coarse), (max-width: 768px) {
+  :root {
+    --app-scrollbar-size: 14px;
+  }
+}
+
+html {
+  scrollbar-width: auto;
+  scrollbar-color: var(--app-accent-light) var(--app-surface-inset);
+  -webkit-overflow-scrolling: touch;
+}
+
+html::-webkit-scrollbar,
+body::-webkit-scrollbar,
+*::-webkit-scrollbar {
+  width: var(--app-scrollbar-size);
+  height: var(--app-scrollbar-size);
+}
+
+html::-webkit-scrollbar-track,
+body::-webkit-scrollbar-track,
+*::-webkit-scrollbar-track {
+  background: var(--app-surface-inset);
+  border-radius: calc(var(--app-scrollbar-size) / 2);
+}
+
+html::-webkit-scrollbar-thumb,
+body::-webkit-scrollbar-thumb,
+*::-webkit-scrollbar-thumb {
+  background: color-mix(in srgb, var(--app-accent-light) 55%, transparent);
+  border-radius: calc(var(--app-scrollbar-size) / 2);
+  min-height: 48px;
+}
+
+html::-webkit-scrollbar-thumb:hover,
+body::-webkit-scrollbar-thumb:hover,
+*::-webkit-scrollbar-thumb:hover {
+  background: color-mix(in srgb, var(--app-accent-light) 80%, transparent);
+}
+
+@media (hover: none), (pointer: coarse), (max-width: 768px) {
+  html::-webkit-scrollbar-thumb,
+  body::-webkit-scrollbar-thumb,
+  *::-webkit-scrollbar-thumb {
+    background: color-mix(in srgb, var(--app-accent-light) 70%, transparent);
+  }
+
+  html::-webkit-scrollbar-thumb:active,
+  body::-webkit-scrollbar-thumb:active,
+  *::-webkit-scrollbar-thumb:active {
+    background: var(--app-accent-light);
+  }
+}

client/src/main.tsx

@@ -73,6 +73,17 @@ async function bootstrap(): Promise<void> {
     return
   }
 
+  if ('serviceWorker' in navigator && !import.meta.env.DEV) {
+    navigator.serviceWorker
+      .register('/sw.js', { scope: '/' })
+      .then((reg) => {
+        console.log('Service Worker registered successfully with scope:', reg.scope)
+      })
+      .catch((err) => {
+        console.error('Service Worker registration failed:', err)
+      })
+  }
+
   const rootEl = document.getElementById('root')
   if (!rootEl) {
     throw new Error('Missing #root element')

client/src/services/pushNotifications.ts

@@ -27,17 +27,62 @@ export function getNotificationPermission(): NotificationPermission | 'unsupport
   return Notification.permission
 }
 
+let cachedVapidKey: string | null = null
+let cachedRegistration: ServiceWorkerRegistration | null = null
+
+async function getRegistrationCompat(timeoutMs = 8000): Promise<ServiceWorkerRegistration> {
+  if (!('serviceWorker' in navigator)) {
+    throw new Error('Service Worker is not supported by your browser')
+  }
+
+  try {
+    const reg = await navigator.serviceWorker.getRegistration()
+    if (reg) return reg
+  } catch (e) {
+    console.warn('Failed to get service worker registration directly:', e)
+  }
+
+  // Fallback to waiting for ready state with a timeout
+  const readyPromise = navigator.serviceWorker.ready
+  const timeoutPromise = new Promise<never>((_, reject) =>
+    setTimeout(() => reject(new Error('Timeout waiting for Service Worker ready state')), timeoutMs)
+  )
+
+  return Promise.race([readyPromise, timeoutPromise])
+}
+
+export async function preloadPushService(): Promise<void> {
+  if (!isPushSupported()) return
+  try {
+    if (!cachedVapidKey) {
+      await fetchVapidPublicKey()
+    }
+    if (!cachedRegistration) {
+      cachedRegistration = await getRegistrationCompat()
+    }
+  } catch (err) {
+    console.warn('Failed to preload push service:', err)
+  }
+}
+
 async function fetchVapidPublicKey(): Promise<string | null> {
+  if (cachedVapidKey) return cachedVapidKey
+
   const envKey = import.meta.env.VITE_VAPID_PUBLIC_KEY
   if (typeof envKey === 'string' && envKey.trim()) {
-    return envKey.trim()
+    cachedVapidKey = envKey.trim()
+    return cachedVapidKey
   }
 
   try {
     const res = await fetch(`${API_BASE}/vapid-public-key`)
     if (!res.ok) return null
     const data = await res.json()
-    return typeof data.publicKey === 'string' ? data.publicKey : null
+    if (typeof data.publicKey === 'string') {
+      cachedVapidKey = data.publicKey.trim()
+      return cachedVapidKey
+    }
+    return null
   } catch {
     return null
   }
@@ -72,11 +117,61 @@ export async function savePushPrefs(collaboratorChangesEnabled: boolean): Promis
   })
 }
 
+async function requestNotificationPermission(): Promise<NotificationPermission> {
+  if (typeof Notification === 'undefined') return 'denied'
+  
+  // Try promise-based signature first
+  try {
+    const result = Notification.requestPermission()
+    if (result !== undefined) {
+      return await result
+    }
+  } catch {
+    // Ignore and fall back to callback
+  }
+
+  // Callback-based fallback
+  return new Promise<NotificationPermission>((resolve) => {
+    Notification.requestPermission((permission) => {
+      resolve(permission)
+    })
+  })
+}
+
 async function saveSubscriptionToServer(subscription: PushSubscription): Promise<void> {
   if (!localStorage.getItem('active_userid')) throw new Error('Not authenticated')
 
+  const endpoint = subscription.endpoint
   const json = subscription.toJSON()
-  if (!json.endpoint || !json.keys?.p256dh || !json.keys?.auth) {
+  let p256dh = json.keys?.p256dh
+  let auth = json.keys?.auth
+
+  // Fallback for browsers (like Safari) that might not serialize keys in toJSON()
+  if (!p256dh && typeof subscription.getKey === 'function') {
+    try {
+      const rawKey = subscription.getKey('p256dh')
+      if (rawKey) {
+        p256dh = btoa(String.fromCharCode(...new Uint8Array(rawKey)))
+          .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+      }
+    } catch (e) {
+      console.warn('Failed to extract p256dh key manually:', e)
+    }
+  }
+
+  if (!auth && typeof subscription.getKey === 'function') {
+    try {
+      const rawAuth = subscription.getKey('auth')
+      if (rawAuth) {
+        auth = btoa(String.fromCharCode(...new Uint8Array(rawAuth)))
+          .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+      }
+    } catch (e) {
+      console.warn('Failed to extract auth key manually:', e)
+    }
+  }
+
+  if (!endpoint || !p256dh || !auth) {
     throw new Error('Invalid push subscription')
   }
 
@@ -85,8 +180,8 @@ async function saveSubscriptionToServer(subscription: PushSubscription): Promise
   await apiJson(`${API_BASE}/subscription`, {
     method: 'PUT',
     body: JSON.stringify({
-      endpoint: json.endpoint,
-      keys: json.keys,
+      endpoint,
+      keys: { p256dh, auth },
       locale,
       userAgent: navigator.userAgent
     })
@@ -98,35 +193,48 @@ export async function subscribeToPush(): Promise<void> {
     throw new Error('Push notifications are not supported on this device')
   }
 
-  const permission = await Notification.requestPermission()
-  if (permission !== 'granted') {
-    throw new Error('Notification permission denied')
+  // Pre-resolve registration using getRegistrationCompat to prevent ready state hangs
+  let registration = cachedRegistration
+  if (!registration) {
+    registration = await getRegistrationCompat()
+    cachedRegistration = registration
   }
 
-  const publicKey = await fetchVapidPublicKey()
+  const publicKey = cachedVapidKey || await fetchVapidPublicKey()
   if (!publicKey) {
     throw new Error('Push notifications are not configured on this server')
   }
 
-  const registration = await navigator.serviceWorker.ready
-  let subscription = await registration.pushManager.getSubscription()
-
-  if (!subscription) {
-    const keyBytes = urlBase64ToUint8Array(publicKey)
-    const applicationServerKey = new Uint8Array(keyBytes)
-    subscription = await registration.pushManager.subscribe({
-      userVisibleOnly: true,
-      applicationServerKey
-    })
+  const permission = await requestNotificationPermission()
+  if (permission !== 'granted') {
+    throw new Error('Notification permission denied')
   }
 
+  const keyBytes = urlBase64ToUint8Array(publicKey)
+  const applicationServerKey = new Uint8Array(keyBytes)
+  
+  // Always call subscribe with timeout to prevent silent hangs on push network errors
+  const subscribePromise = registration.pushManager.subscribe({
+    userVisibleOnly: true,
+    applicationServerKey
+  })
+  const subscribeTimeout = new Promise<never>((_, reject) =>
+    setTimeout(() => reject(new Error('Timeout establishing subscription with push service (FCM/APNs)')), 12000)
+  )
+  const subscription = await Promise.race([subscribePromise, subscribeTimeout])
+
   await saveSubscriptionToServer(subscription)
 }
 
 export async function unsubscribeFromPush(): Promise<void> {
   if (!isPushSupported()) return
 
-  const registration = await navigator.serviceWorker.ready
+  let registration = cachedRegistration
+  if (!registration) {
+    registration = await getRegistrationCompat()
+    cachedRegistration = registration
+  }
+
   const subscription = await registration.pushManager.getSubscription()
   if (!subscription) return
 
@@ -164,3 +272,7 @@ export async function disableCollaboratorChangePush(): Promise<void> {
   await savePushPrefs(false)
   await unsubscribeFromPush()
 }
+
+if (isPushSupported()) {
+  void preloadPushService()
+}

client/src/sw.ts

@@ -6,6 +6,10 @@ import { NetworkFirst, NetworkOnly } from 'workbox-strategies'
 
 declare let self: ServiceWorkerGlobalScope
 
+precacheAndRoute(self.__WB_MANIFEST)
+cleanupOutdatedCaches()
+clientsClaim()
+
 const appShellFallback = createHandlerBoundToURL('/index.html')
 const navigationStrategy = new NetworkFirst({
   cacheName: 'app-shell',
@@ -20,10 +24,6 @@ registerRoute(({ request }) => request.mode === 'navigate', async (context) => {
   }
 })
 
-precacheAndRoute(self.__WB_MANIFEST)
-cleanupOutdatedCaches()
-clientsClaim()
-
 // Always fetch the live deploy version, even under an older precache.
 registerRoute(({ url }) => url.pathname === '/version.json', new NetworkOnly())
 

docs/deployment/npm-security.md

@@ -30,8 +30,9 @@ proxy_set_header X-Real-IP $remote_addr;
 ORIGIN=https://kapteins-daagbok.eu
 RP_ID=kapteins-daagbok.eu
 SESSION_SECRET=<min. 32 Zeichen, openssl rand -base64 48>
-TRUST_PROXY=172.16.10.10
-# oder TRUST_PROXY=1 für genau einen Proxy-Hop
+# Docker Compose: Frontend-Nginx ist der direkte Proxy zum Backend → 1 Hop
+TRUST_PROXY=1
+# Nur bei direktem Backend-Zugriff ohne Frontend-Nginx: NPM-IP, z. B. TRUST_PROXY=172.16.10.10
 ```
 
 `ORIGIN` muss **exakt** der Browser-URL entsprechen (ohne trailing slash).

scripts/server-patch-env-sprint1.sh

@@ -34,7 +34,7 @@ if ! grep -q "^POSTGRES_PASSWORD=" "$ENV_FILE" || grep -q "^POSTGRES_PASSWORD=$"
 else
   echo "  keep  POSTGRES_PASSWORD (already set)"
 fi
-# NPM on 172.16.10.10 → app on this host
-ensure_var TRUST_PROXY "172.16.10.10"
+# Frontend-Nginx → Backend (one hop); NPM is in front of Nginx, not Backend directly
+ensure_var TRUST_PROXY "1"
 
 echo "Done. Verify with: docker exec daagbox-prod-db psql -U postgres -d daagbox -c 'SELECT 1'"

server/src/app.ts

@@ -45,13 +45,45 @@ export function createApp(): express.Express {
   app.use(cookieParser())
   app.use(express.json({ limit: '50mb' }))
 
-  const authLimiter = rateLimit({
+  /** WebAuthn login/register/session — strict per IP; excludes high-volume sync routes. */
+  const authFlowPaths = new Set([
+    '/register-options',
+    '/register-verify',
+    '/login-options',
+    '/login-verify',
+    '/reauth-options',
+    '/reauth-verify',
+    '/logout',
+    '/session'
+  ])
+
+  /** Account/key/credential mutations — also strict; separate bucket from login flow. */
+  const sensitiveAuthExactPaths = new Set([
+    '/delete-account',
+    '/enroll-prf',
+    '/rotate-recovery',
+    '/add-credential-options',
+    '/add-credential-verify'
+  ])
+
+  function isSensitiveAuthPath(path: string): boolean {
+    return sensitiveAuthExactPaths.has(path) || path.startsWith('/credentials/')
+  }
+
+  const authFlowLimiter = rateLimit({
     windowMs: 15 * 60 * 1000,
     max: 60,
     standardHeaders: true,
     legacyHeaders: false
   })
 
+  const sensitiveAuthLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000,
+    max: 30,
+    standardHeaders: true,
+    legacyHeaders: false
+  })
+
   const apiLimiter = rateLimit({
     windowMs: 1 * 60 * 1000,
     max: 300,
@@ -66,7 +98,15 @@ export function createApp(): express.Express {
     legacyHeaders: false
   })
 
-  app.use('/api/auth', authLimiter)
+  app.use('/api/auth', (req, res, next) => {
+    if (authFlowPaths.has(req.path)) {
+      return authFlowLimiter(req, res, next)
+    }
+    if (isSensitiveAuthPath(req.path)) {
+      return sensitiveAuthLimiter(req, res, next)
+    }
+    return next()
+  })
   app.use('/api/collaboration/invite-details', publicCollaborationLimiter)
   app.use('/api/collaboration/share-pull', publicCollaborationLimiter)
   app.use('/api', apiLimiter)