Fix duplicate push notifications via lease-based optimistic insert

[alltheseas]

Summary

Fixes the race condition causing duplicate push notifications when the same event arrives via multiple relay connections concurrently.

• Replaces check-then-act pattern with two-phase optimistic insert
• Uses lease-based retry (60s timeout) to prevent concurrent sends while allowing crash recovery
• Adds multiple guards to ensure exactly-once delivery

Technical Details

Step	Action	Guard
1	INSERT OR IGNORE with received_notification=false	Atomic claim via unique constraint
2	If exists, check state	Skip if true OR recent false (<60s)
3	If stale (>60s), extend lease	Atomic UPDATE with WHERE sent_at = old
4	Refresh lease before send	Skip if 0 rows (lost race)
5	Send to APNS	~500ms typical latency
6	UPDATE to true	Mark complete

Guarantees

• No duplicates from concurrent processing (lease prevents parallel sends)
• Retries possible after crashes (stale >60s claims can be reclaimed)
• No delay to normal notification flow

Test plan

• All existing tests pass
• Manual test: verify notifications still deliver correctly
• Load test: verify no duplicates under concurrent event delivery

Fixes: #24

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Improved notification deduplication to reliably prevent duplicate notifications when the same event is delivered through multiple relays concurrently.
  • Enhanced notification delivery robustness with better handling of concurrent processing scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[alltheseas]

I don't have APNS server test access to test this

[alltheseas]

@coderabbitai review please

[coderabbitai]

@alltheseas, I'll review the changes in this PR for you. Let me analyze the lease-based optimistic insert implementation to fix the duplicate push notification issue.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Walkthrough

Implemented a two-phase, lease-based deduplication mechanism in the notification manager to prevent duplicate push notifications when multiple relays concurrently deliver the same event. The mechanism uses INSERT OR IGNORE with atomic operations and a 60-second lease window to guard against race conditions.

Changes

Cohort / File(s)	Summary
Notification Deduplication Mechanism src/notification_manager/mod.rs	Replaced simple insert logic with lease-based deduplication flow: INSERT OR IGNORE to claim notification, lease-aware checks (sent/in-flight/stale status), atomic lease refresh with conditional retries, and post-send state updates. Includes detailed logging for dedup, in-flight, stale lease, and race condition scenarios.

Sequence Diagram

sequenceDiagram
    actor Relay as Relay (Event Delivery)
    participant NM as NotificationManager
    participant DB as Database
    participant Notif as Notification System

    Relay->>NM: Event from relay(s)
    NM->>DB: INSERT OR IGNORE into notifications
    
    alt Row already exists
        NM->>DB: Check notification state
        
        alt Already sent (received_notification = true)
            NM->>NM: Skip (already delivered)
        else In-flight & recent (sent_at within 60s)
            NM->>NM: Skip (concurrent delivery in progress)
        else Stale lease (sent_at > 60s)
            NM->>DB: Attempt atomic lease refresh
            alt Lease acquired
                NM->>DB: Update sent_at (refresh)
                NM->>Notif: Send notification
                NM->>DB: Mark as received, update sent_at
            else Lease blocked
                NM->>NM: Skip (race condition: another thread has it)
            end
        end
    else New row inserted
        NM->>DB: Update sent_at (set lease)
        NM->>Notif: Send notification
        NM->>DB: Mark as received, update sent_at
    end

Loading

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Two hops, one lease, no duplicate cheer,
Atomic ballet when relays appear.
Sixty seconds to claim what's mine,
Race conditions? We'll be just fine!
No more bouncing notifications twice—
Our dedup mechanism? Simply nice! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix duplicate push notifications via lease-based optimistic insert' directly describes the main change: implementing a lease-based mechanism to fix duplicate push notifications.
Linked Issues check	✅ Passed	The PR implements a two-phase lease-based deduplication mechanism that directly addresses issue #24's requirement to eliminate duplicate push notifications through atomic claim-based logic.
Out of Scope Changes check	✅ Passed	All changes are contained within src/notification_manager/mod.rs and focus solely on the deduplication mechanism for preventing duplicate notifications as required by issue #24.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[alltheseas]

@coderabbitai review please

[coderabbitai]

@alltheseas, I'll trigger a review of the changes in this PR. I'll analyze the lease-based optimistic insert implementation and the guards you've added to prevent duplicate notifications.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/notification_manager/mod.rs`:
- Around line 412-474: The code currently reads sent_at as a String
(row.get(1)?) which errors on NULL and causes legacy rows to be skipped; change
the query_row to return Result<(bool, Option<String>), _> (i.e. row.get::<_,
Option<String>>(1)?) and branch on None as an unclaimed/stale lease: for
Ok((false, None)) perform the same atomic UPDATE using WHERE sent_at IS NULL
(setting sent_at = now.to_sql_string()) and treat a successful update as
acquiring the lease (return false to proceed) or 0 updated as contention (return
true); keep the existing path for Some(sent_at_str) converting to
nostr::Timestamp and using the existing sent_at equality check in the UPDATE.
Ensure variables referenced (sent_at_str, sent_at, updated, conn.execute,
LEASE_TIMEOUT_SECS) are used accordingly.

🧹 Nitpick comments (1)

src/notification_manager/mod.rs (1)

508-514: Use the refreshed timestamp when marking success

sent_at is updated with the earlier now, even though send_time is already captured right before send. Using send_time (or a fresh Timestamp::now() after send) keeps the DB record aligned with the actual send window and avoids confusing timestamps if sent_at is reused later.

♻️ Suggested tweak

-                    params![now.to_sql_string(), &notification_id],
+                    params![send_time.to_sql_string(), &notification_id],

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and read the notification_manager/mod.rs file around lines 412-474
head -480 src/notification_manager/mod.rs | tail -100

Repository: damus-io/notepush

Length of output: 4972

---

🏁 Script executed:

# Search for schema/migration files that might define the sent_at column
find . -type f \( -name "*.sql" -o -name "*migration*" -o -name "*schema*" \) | grep -E "\.(sql|rs)$" | head -20

Repository: damus-io/notepush

Length of output: 43

---

🏁 Script executed:

# Search for the sent_at column definition in the codebase
rg -A 3 -B 3 "sent_at" --type rust | head -100

Repository: damus-io/notepush

Length of output: 5579

---

🏁 Script executed:

# Check the full context of the query and match expression
sed -n '400,500p' src/notification_manager/mod.rs

Repository: damus-io/notepush

Length of output: 4976

---

Handle NULL sent_at from legacy rows to enable retries

sent_at is added without a default in the migration, so pre-existing rows have NULL. The current code reads it as String with row.get(1)?, which errors on NULL and falls through to the Err(_) branch, silently skipping any notification stuck in received_notification=false after a crash. This permanently suppresses retries for legacy data. Treat NULL as an unclaimed lease and reclaim it atomically.

Proposed fix

-                    let result: Result<(bool, String), _> = stmt.query_row(
+                    let result: Result<(bool, Option<String>), _> = stmt.query_row(
                         [&notification_id],
                         |row| Ok((row.get(0)?, row.get(1)?))
                     );

-                        Ok((false, sent_at_str)) => {
+                        Ok((false, None)) => {
+                            let updated = conn.execute(
+                                "UPDATE notifications SET sent_at = ? WHERE id = ? AND received_notification = false AND sent_at IS NULL",
+                                params![now.to_sql_string(), &notification_id],
+                            )?;
+                            if updated == 0 {
+                                log::debug!(
+                                    "Notification for event {} to pubkey {} lease contention, skipping",
+                                    event.id,
+                                    pubkey
+                                );
+                                true
+                            } else {
+                                log::debug!(
+                                    "Retrying notification for event {} to pubkey {} (missing sent_at)",
+                                    event.id,
+                                    pubkey
+                                );
+                                false
+                            }
+                        }
+                        Ok((false, Some(sent_at_str))) => {
                             let sent_at = nostr::Timestamp::from_sql_string(sent_at_str)
                                 .unwrap_or(now);

🤖 Prompt for AI Agents

In `@src/notification_manager/mod.rs` around lines 412 - 474, The code currently
reads sent_at as a String (row.get(1)?) which errors on NULL and causes legacy
rows to be skipped; change the query_row to return Result<(bool,
Option<String>), _> (i.e. row.get::<_, Option<String>>(1)?) and branch on None
as an unclaimed/stale lease: for Ok((false, None)) perform the same atomic
UPDATE using WHERE sent_at IS NULL (setting sent_at = now.to_sql_string()) and
treat a successful update as acquiring the lease (return false to proceed) or 0
updated as contention (return true); keep the existing path for
Some(sent_at_str) converting to nostr::Timestamp and using the existing sent_at
equality check in the UPDATE. Ensure variables referenced (sent_at_str, sent_at,
updated, conn.execute, LEASE_TIMEOUT_SECS) are used accordingly.