Fixed Enable push notifications notice appears every sign in

[Sami Jalal]

Affected version

2.1

As the title

I don`t know if it`s a bug but I get notice every sign in although I have enabled it.

"XenForo community would like your permission to enable push notifications".

 

[Chris D]

It's expected.

We have to expire your push subscription when you log out.

If we didn't and it is a shared computer then notifications might still be delivered to the browser, even though you have logged out.

 

[Sami Jalal]

I see. Thanks @Chris D

 

[Chris D]

Actually, I'm going to leave this open for a bit. There's a few things I want to look into.

 

[Lukas W.]

Would it not be possible to just pause then sending and continue it if/once the user logs in again from that device? The device information could be cleared in a regular interval to not leave too much data junk piling up.

 

[Chris D]

I've explored a few different approaches, and the simple answer is no.

The sending of a push notification is a server side operation, and we'd really have no concept of whether a user is logged in or out on any given subscription.

The receiving of a push notification is handled by a service worker which has absolutely zero knowledge of the XF framework. There's no access to cookies or local storage (a limitation of the service workers themselves). So all we can do is either carry on delivering notifications regardless (which would be inappropriate for privacy/permission reasons) or clear the subscription on log out.

 

[ibnesayeed]

@Chris D I can think of a more unobtrusive workflow here which would be less frustrating for people who log in and log out frequently while still preventing cross-user notification leakage on shared computers.

• When someone subscribes for the notification the first time, use the usual on-boarding workflow as it is set up currently
• When a user logs out, clear the notification subscription, but place a note in the local storage that the <USER> has subscribed to push notifications
• When the <USER> logs back in, check if there is a local storage entry that reports that the <USER> has subscribed to notifications, silently register for notifications again (since the browser is already trusting the domain for notifications after the on-boarding step, there should be no issues in doing so, but if notifications are not allowed, then start over the usual on-boarding routine)

 

[Lukas W.]

I think I don't exactly follow the problematic here Chris. There's basically two types of logout scenarios. The first one is logging out directly through XenForo. Leaving some information on the device in that case should be fairly trivial, for as long as it can only be used when logging back in with the given user, pausing shouldn't be an issue?

The other scenario is a logout by deleting cookies/browsing data. As XF won't have knowledge about that unless the user visits the page again afterwards, I assume this will just happily continue push notifications anyway?

Alternatively, the user could be asked whether he wants to continue push notifications even though he logs out when starting them. Not sure how to best present that option without making people accidentally activate it though.

 

[Chris D]

The terminology of "pausing" was the issue because that's a concept that essentially doesn't exist. Regardless, we have to totally remove their subscription when the user logs out one way or another as the service_worker.js which receives the notifications has no concept as to whether an XF user is logged in or not.

@ibnesayeed's idea is something we can explore though. I wasn't sure how frictionless automatically re-subscribing a user was going to be. That may be something we can work with though.

 

[Dad.]

I like the suggestion from @ibnesayeed, only question I'd be curious of if there are any downsides to doing that, security or edge cases. But to me, its just tying it to the session id, which is no different than being logged in anyway. In fact, do you need to use local storage, could you just have it as a preference? On log out, cancel subscription, on log in add it in? This would work for any machine then.

 

[Dad.]

@ibnesayeed's idea is something we can explore though. I wasn't sure how frictionless automatically re-subscribing a user was going to be. That may be something we can work with though.

Like I wonder if it would need to reprompt you. Even if you're performing the trigger quietly, question is if the browser, say Chrome, would let you do that without first triggering their confirm prompt. If it could be done quietly, I would have expected this to be something a lot of sites abuse.

 

[Chris D]

When you grant permission for notifications, that sticks until you revoke it. At that point you're free to subscribe/unsubscribe a user as you see fit without having to re-grant it.

 

[XF Bug Bot]

Thank you for reporting this issue. The issue is now resolved.

Change log:

Store a history of push subscribed user IDs in Local Storage (this change is not retroactive) so that when a user logs in who has previously subscribed, we can attempt to resubscribe them automatically.

Any changes made as a result of this issue being resolved may not be rolled out here until later.