- VAPID-based push via web-push package
- push_subscriptions table: endpoint + keys per user (upsert on conflict)
- GET /api/push/vapid-key — public key for subscribe flow
- POST/DELETE /api/push/subscribe — store/remove subscription
- POST /api/push/test — manual test notification
- Hourly scheduler: notifies users day before homework due + countdown expires
- SW: push event handler shows notification; notificationclick opens /app
- Settings: Push section with enable/disable/test buttons, auto-detects
browser support and VAPID availability
- Require JWT_SECRET env var (fatal exit if missing)
- Add helmet middleware with custom CSP
- Cookie Secure flag when NODE_ENV=production
- requireAuth re-verifies user.status from DB on every request
- class_events DELETE restricted to creator or admin
- Rate limit /register (5/hr) and PUT /me/password (5/15min)
- Password minimum 6 to 8 chars
- crudRoutes truncates strings to 1000 chars
- Remove application/octet-stream from allowed upload MIMEs
Simon