feat(notifications): bind device registrations to authenticated user DID

Scope register and refresh to verified JWT identity (req.did). Persist
devices under userId::deviceId, reject client-supplied userId, and dedupe
FCM tokens per user.
This commit is contained in:
Jose Olarte III
2026-05-19 19:02:42 +08:00
parent 4bf57d26fd
commit 8e502a2335
3 changed files with 89 additions and 22 deletions

View File

@@ -1,6 +1,8 @@
export interface Device {
/** Internal row id used for persistence updates. */
id: string;
/** Authenticated user DID (from verified JWT). */
userId: string;
/** Client-provided stable physical device identity. */
deviceId: string;
fcmToken: string;