fix: SSE bağlantısı sadece giriş yapıldıktan sonra başlatılacak şekilde düzeltildi

- console_log::init_with_level() now uses expect()
- web_sys::window() now uses expect() with helpful message
- window.document() now uses expect()
- document.body() now uses expect()

This provides meaningful error messages if WASM initialization fails.

Cargo.lock

@@ -300,6 +300,7 @@ dependencies = [
  "clap",
  "dotenvy",
  "futures",
+ "governor",
  "mime_guess",
  "openssl",
  "quick-xml",
@@ -316,6 +317,7 @@ dependencies = [
  "tokio-util",
  "tower 0.4.13",
  "tower-http",
+ "tower_governor",
  "tracing",
  "tracing-subscriber",
  "utoipa",
@@ -801,6 +803,20 @@ dependencies = [
  "parking_lot_core",
 ]
 
+[[package]]
+name = "dashmap"
+version = "6.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
+dependencies = [
+ "cfg-if",
+ "crossbeam-utils",
+ "hashbrown 0.14.5",
+ "lock_api",
+ "once_cell",
+ "parking_lot_core",
+]
+
 [[package]]
 name = "data-encoding"
 version = "2.10.0"
@@ -1084,6 +1100,12 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
 
+[[package]]
+name = "foldhash"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
+
 [[package]]
 name = "foreign-types"
 version = "0.3.2"
@@ -1108,6 +1130,16 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "forwarded-header-value"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8835f84f38484cc86f110a805655697908257fb9a7af005234060891557198e9"
+dependencies = [
+ "nonempty",
+ "thiserror 1.0.69",
+]
+
 [[package]]
 name = "frontend"
 version = "0.1.0"
@@ -1214,6 +1246,12 @@ version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
 
+[[package]]
+name = "futures-timer"
+version = "3.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24"
+
 [[package]]
 name = "futures-util"
 version = "0.3.31"
@@ -1337,6 +1375,29 @@ dependencies = [
  "web-sys",
 ]
 
+[[package]]
+name = "governor"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9efcab3c1958580ff1f25a2a41be1668f7603d849bb63af523b208a3cc1223b8"
+dependencies = [
+ "cfg-if",
+ "dashmap 6.1.0",
+ "futures-sink",
+ "futures-timer",
+ "futures-util",
+ "getrandom 0.3.4",
+ "hashbrown 0.16.1",
+ "nonzero_ext",
+ "parking_lot",
+ "portable-atomic",
+ "quanta",
+ "rand 0.9.2",
+ "smallvec",
+ "spinning_top",
+ "web-time",
+]
+
 [[package]]
 name = "group"
 version = "0.13.0"
@@ -1348,6 +1409,25 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "h2"
+version = "0.4.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "http 1.4.0",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
 [[package]]
 name = "half"
 version = "2.7.1"
@@ -1373,7 +1453,7 @@ checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
 dependencies = [
  "allocator-api2",
  "equivalent",
- "foldhash",
+ "foldhash 0.1.5",
 ]
 
 [[package]]
@@ -1381,6 +1461,11 @@ name = "hashbrown"
 version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+dependencies = [
+ "allocator-api2",
+ "equivalent",
+ "foldhash 0.2.0",
+]
 
 [[package]]
 name = "hashlink"
@@ -1569,6 +1654,7 @@ dependencies = [
  "bytes",
  "futures-channel",
  "futures-core",
+ "h2",
  "http 1.4.0",
  "http-body 1.0.1",
  "httparse",
@@ -1578,6 +1664,20 @@ dependencies = [
  "pin-utils",
  "smallvec",
  "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-timeout"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0"
+dependencies = [
+ "hyper 1.8.1",
+ "hyper-util",
+ "pin-project-lite",
+ "tokio",
+ "tower-service",
 ]
 
 [[package]]
@@ -1600,13 +1700,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f"
 dependencies = [
  "bytes",
+ "futures-channel",
  "futures-core",
+ "futures-util",
  "http 1.4.0",
  "http-body 1.0.1",
  "hyper 1.8.1",
+ "libc",
  "pin-project-lite",
+ "socket2 0.6.2",
  "tokio",
  "tower-service",
+ "tracing",
 ]
 
 [[package]]
@@ -2229,6 +2334,18 @@ dependencies = [
  "minimal-lexical",
 ]
 
+[[package]]
+name = "nonempty"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e9e591e719385e6ebaeb5ce5d3887f7d5676fceca6411d1925ccc95745f3d6f7"
+
+[[package]]
+name = "nonzero_ext"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
+
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
@@ -2700,6 +2817,21 @@ dependencies = [
  "yansi",
 ]
 
+[[package]]
+name = "quanta"
+version = "0.12.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3ab5a9d756f0d97bdc89019bd2e4ea098cf9cde50ee7564dde6b81ccc8f06c7"
+dependencies = [
+ "crossbeam-utils",
+ "libc",
+ "once_cell",
+ "raw-cpuid",
+ "wasi",
+ "web-sys",
+ "winapi",
+]
+
 [[package]]
 name = "quick-xml"
 version = "0.31.0"
@@ -2806,6 +2938,15 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
+[[package]]
+name = "raw-cpuid"
+version = "11.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "498cd0dc59d73224351ee52a95fee0f1a617a2eae0e7d9d720cc622c73a54186"
+dependencies = [
+ "bitflags",
+]
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
@@ -3196,7 +3337,7 @@ dependencies = [
  "bytes",
  "ciborium",
  "const_format",
- "dashmap",
+ "dashmap 5.5.3",
  "futures",
  "gloo-net 0.6.0",
  "http 1.4.0",
@@ -3375,6 +3516,15 @@ dependencies = [
  "lock_api",
 ]
 
+[[package]]
+name = "spinning_top"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d96d2d1d716fb500937168cc09353ffdc7a012be8475ac7308e1bdf0e3923300"
+dependencies = [
+ "lock_api",
+]
+
 [[package]]
 name = "spki"
 version = "0.6.0"
@@ -3917,6 +4067,35 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
 
+[[package]]
+name = "tonic"
+version = "0.14.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a286e33f82f8a1ee2df63f4fa35c0becf4a85a0cb03091a15fd7bf0b402dc94a"
+dependencies = [
+ "async-trait",
+ "axum",
+ "base64 0.22.1",
+ "bytes",
+ "h2",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "http-body-util",
+ "hyper 1.8.1",
+ "hyper-timeout",
+ "hyper-util",
+ "percent-encoding",
+ "pin-project",
+ "socket2 0.6.2",
+ "sync_wrapper",
+ "tokio",
+ "tokio-stream",
+ "tower 0.5.3",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
 [[package]]
 name = "tower"
 version = "0.4.13"
@@ -3941,9 +4120,12 @@ checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
 dependencies = [
  "futures-core",
  "futures-util",
+ "indexmap",
  "pin-project-lite",
+ "slab",
  "sync_wrapper",
  "tokio",
+ "tokio-util",
  "tower-layer",
  "tower-service",
  "tracing",
@@ -3988,6 +4170,23 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
 
+[[package]]
+name = "tower_governor"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44de9b94d849d3c46e06a883d72d408c2de6403367b39df2b1c9d9e7b6736fe6"
+dependencies = [
+ "axum",
+ "forwarded-header-value",
+ "governor",
+ "http 1.4.0",
+ "pin-project",
+ "thiserror 2.0.18",
+ "tonic",
+ "tower 0.5.3",
+ "tracing",
+]
+
 [[package]]
 name = "tracing"
 version = "0.1.44"
@@ -4404,6 +4603,16 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "whoami"
 version = "1.6.1"
@@ -4414,6 +4623,22 @@ dependencies = [
  "wasite",
 ]
 
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
 [[package]]
 name = "winapi-util"
 version = "0.1.11"
@@ -4423,6 +4648,12 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
 [[package]]
 name = "windows-core"
 version = "0.62.2"

backend/.env

@@ -0,0 +1,8 @@
+# Database
+DATABASE_URL=sqlite:vibetorrent.db
+
+# VAPID Keys for Push Notifications
+# Generate new keys for production using: cargo run --bin web-push --features web-push -- generate-vapid-keys
+VAPID_PUBLIC_KEY=BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU
+VAPID_PRIVATE_KEY=aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10
+VAPID_EMAIL=mailto:admin@vibetorrent.app

backend/Cargo.toml

@@ -39,3 +39,5 @@ axum-extra = { version = "0.10", features = ["cookie"] }
 rand = "0.8"
 anyhow = "1.0.101"
 time = { version = "0.3.47", features = ["serde", "formatting", "parsing"] }
+tower_governor = "0.8.0"
+governor = "0.10.4"

backend/migrations/001_init.sql

@@ -0,0 +1,16 @@
+-- 001_init.sql
+-- Initial schema for users and sessions
+
+CREATE TABLE IF NOT EXISTS users (
+    id INTEGER PRIMARY KEY,
+    username TEXT NOT NULL UNIQUE,
+    password_hash TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS sessions (
+    token TEXT PRIMARY KEY,
+    user_id INTEGER NOT NULL,
+    expires_at DATETIME NOT NULL,
+    FOREIGN KEY(user_id) REFERENCES users(id)
+);

backend/migrations/002_push_subscriptions.sql

@@ -0,0 +1,13 @@
+-- 002_push_subscriptions.sql
+-- Push notification subscriptions storage
+
+CREATE TABLE IF NOT EXISTS push_subscriptions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    endpoint TEXT NOT NULL UNIQUE,
+    p256dh TEXT NOT NULL,
+    auth TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Index for faster lookups by endpoint
+CREATE INDEX IF NOT EXISTS idx_push_subscriptions_endpoint ON push_subscriptions(endpoint);

backend/src/db.rs

@@ -16,35 +16,27 @@ impl Db {
             .await?;
 
         let db = Self { pool };
-        db.init().await?;
+        db.run_migrations().await?;
         Ok(db)
     }
 
-    async fn init(&self) -> Result<()> {
-        // Create users table
-        sqlx::query(
-            "CREATE TABLE IF NOT EXISTS users (
-                id INTEGER PRIMARY KEY,
-                username TEXT NOT NULL UNIQUE,
-                password_hash TEXT NOT NULL,
-                created_at DATETIME DEFAULT CURRENT_TIMESTAMP
-            )",
-        )
-        .execute(&self.pool)
-        .await?;
+    async fn run_migrations(&self) -> Result<()> {
+        // WAL mode - enables concurrent reads while writing
+        sqlx::query("PRAGMA journal_mode=WAL")
+            .execute(&self.pool)
+            .await?;
 
-        // Create sessions table
-        sqlx::query(
-            "CREATE TABLE IF NOT EXISTS sessions (
-                token TEXT PRIMARY KEY,
-                user_id INTEGER NOT NULL,
-                expires_at DATETIME NOT NULL,
-                FOREIGN KEY(user_id) REFERENCES users(id)
-            )",
-        )
-        .execute(&self.pool)
-        .await?;
+        // NORMAL synchronous - faster than FULL, still safe enough
+        sqlx::query("PRAGMA synchronous=NORMAL")
+            .execute(&self.pool)
+            .await?;
 
+        // 5 second busy timeout - reduces "database locked" errors
+        sqlx::query("PRAGMA busy_timeout=5000")
+            .execute(&self.pool)
+            .await?;
+
+        sqlx::migrate!("./migrations").run(&self.pool).await?;
         Ok(())
     }
 
@@ -59,23 +51,24 @@ impl Db {
         Ok(())
     }
 
-        pub async fn get_user_by_username(&self, username: &str) -> Result<Option<(i64, String)>> {
-            let row = sqlx::query("SELECT id, password_hash FROM users WHERE username = ?")
-                .bind(username)
-                .fetch_optional(&self.pool)
-                .await?;
+    pub async fn get_user_by_username(&self, username: &str) -> Result<Option<(i64, String)>> {
+        let row = sqlx::query("SELECT id, password_hash FROM users WHERE username = ?")
+            .bind(username)
+            .fetch_optional(&self.pool)
+            .await?;
 
-            Ok(row.map(|r| (r.get(0), r.get(1))))
-        }
+        Ok(row.map(|r| (r.get(0), r.get(1))))
+    }
 
-        pub async fn get_username_by_id(&self, id: i64) -> Result<Option<String>> {
-            let row = sqlx::query("SELECT username FROM users WHERE id = ?")
-                .bind(id)
-                .fetch_optional(&self.pool)
-                .await?;
+    pub async fn get_username_by_id(&self, id: i64) -> Result<Option<String>> {
+        let row = sqlx::query("SELECT username FROM users WHERE id = ?")
+            .bind(id)
+            .fetch_optional(&self.pool)
+            .await?;
+
+        Ok(row.map(|r| r.get(0)))
+    }
 
-            Ok(row.map(|r| r.get(0)))
-        }
     pub async fn has_users(&self) -> Result<bool> {
         let row: (i64,) = sqlx::query_as("SELECT COUNT(*) FROM users")
             .fetch_one(&self.pool)
@@ -128,4 +121,36 @@ impl Db {
             .await?;
         Ok(())
     }
+
+    // --- Push Subscription Operations ---
+
+    pub async fn save_push_subscription(&self, endpoint: &str, p256dh: &str, auth: &str) -> Result<()> {
+        sqlx::query(
+            "INSERT INTO push_subscriptions (endpoint, p256dh, auth) VALUES (?, ?, ?)
+             ON CONFLICT(endpoint) DO UPDATE SET p256dh = EXCLUDED.p256dh, auth = EXCLUDED.auth"
+        )
+        .bind(endpoint)
+        .bind(p256dh)
+        .bind(auth)
+        .execute(&self.pool)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn remove_push_subscription(&self, endpoint: &str) -> Result<()> {
+        sqlx::query("DELETE FROM push_subscriptions WHERE endpoint = ?")
+            .bind(endpoint)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn get_all_push_subscriptions(&self) -> Result<Vec<(String, String, String)>> {
+        let rows = sqlx::query_as::<_, (String, String, String)>(
+            "SELECT endpoint, p256dh, auth FROM push_subscriptions"
+        )
+        .fetch_all(&self.pool)
+        .await?;
+        Ok(rows)
+    }
 }

backend/src/main.rs

@@ -3,6 +3,7 @@ mod diff;
 mod handlers;
 #[cfg(feature = "push-notifications")]
 mod push;
+mod rate_limit;
 mod scgi;
 mod sse;
 mod xmlrpc;
@@ -25,6 +26,7 @@ use std::sync::Arc;
 use std::time::Duration;
 use tokio::sync::{broadcast, watch};
 use tower::ServiceBuilder;
+use tower_governor::GovernorLayer;
 use tower_http::{
     compression::{CompressionLayer, CompressionLevel},
     cors::CorsLayer,
@@ -320,13 +322,25 @@ async fn main() {
     // Channel for Events (Diffs)
     let (event_bus, _) = broadcast::channel::<AppEvent>(1024);
 
+    #[cfg(feature = "push-notifications")]
+    let push_store = match push::PushSubscriptionStore::with_db(&db).await {
+        Ok(store) => store,
+        Err(e) => {
+            tracing::error!("Failed to initialize push store: {}", e);
+            push::PushSubscriptionStore::new()
+        }
+    };
+
+    #[cfg(not(feature = "push-notifications"))]
+    let push_store = ();
+
     let app_state = AppState {
         tx: tx.clone(),
         event_bus: event_bus.clone(),
         scgi_socket_path: args.socket.clone(),
         db: db.clone(),
         #[cfg(feature = "push-notifications")]
-        push_store: push::PushSubscriptionStore::new(),
+        push_store,
     };
 
     // Spawn background task to poll rTorrent
@@ -455,7 +469,12 @@ async fn main() {
         // Setup & Auth Routes
         .route("/api/setup/status", get(handlers::setup::get_setup_status_handler))
         .route("/api/setup", post(handlers::setup::setup_handler))
-        .route("/api/auth/login", post(handlers::auth::login_handler))
+        .route(
+            "/api/auth/login",
+            post(handlers::auth::login_handler).layer(GovernorLayer::new(Arc::new(
+                rate_limit::get_login_rate_limit_config(),
+            ))),
+        )
         .route("/api/auth/logout", post(handlers::auth::logout_handler))
         .route("/api/auth/check", get(handlers::auth::check_auth_handler))
         // App Routes
@@ -524,7 +543,12 @@ async fn main() {
         }
     };
     tracing::info!("Backend listening on {}", addr);
-    if let Err(e) = axum::serve(listener, app).await {
+    if let Err(e) = axum::serve(
+        listener,
+        app.into_make_service_with_connect_info::<SocketAddr>(),
+    )
+    .await
+    {
         tracing::error!("Server error: {}", e);
         std::process::exit(1);
     }

backend/src/push.rs

@@ -6,10 +6,7 @@ use web_push::{
     HyperWebPushClient, SubscriptionInfo, VapidSignatureBuilder, WebPushClient, WebPushMessageBuilder,
 };
 
-// VAPID keys - PRODUCTION'DA ENVIRONMENT VARIABLE'DAN ALINMALI!
-const VAPID_PUBLIC_KEY: &str = "BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU";
-const VAPID_PRIVATE_KEY: &str = "aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10";
-const VAPID_EMAIL: &str = "mailto:admin@vibetorrent.app";
+use crate::db::Db;
 
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct PushSubscription {
@@ -23,34 +20,72 @@ pub struct PushKeys {
     pub auth: String,
 }
 
-/// In-memory store for push subscriptions
-/// TODO: Replace with database in production
-#[derive(Default, Clone)]
+#[derive(Clone)]
 pub struct PushSubscriptionStore {
+    db: Option<Db>,
     subscriptions: Arc<RwLock<Vec<PushSubscription>>>,
 }
 
 impl PushSubscriptionStore {
     pub fn new() -> Self {
         Self {
+            db: None,
             subscriptions: Arc::new(RwLock::new(Vec::new())),
         }
     }
 
+    pub async fn with_db(db: &Db) -> Result<Self, Box<dyn std::error::Error>> {
+        let mut subscriptions_vec: Vec<PushSubscription> = Vec::new();
+
+        // Load existing subscriptions from DB
+        let subs = db.get_all_push_subscriptions().await?;
+        for (endpoint, p256dh, auth) in subs {
+            subscriptions_vec.push(PushSubscription {
+                endpoint,
+                keys: PushKeys { p256dh, auth },
+            });
+        }
+        tracing::info!("Loaded {} push subscriptions from database", subscriptions_vec.len());
+
+        Ok(Self {
+            db: Some(db.clone()),
+            subscriptions: Arc::new(RwLock::new(subscriptions_vec)),
+        })
+    }
+
     pub async fn add_subscription(&self, subscription: PushSubscription) {
+        // Add to memory
         let mut subs = self.subscriptions.write().await;
-        
+
         // Remove duplicate endpoint if exists
         subs.retain(|s| s.endpoint != subscription.endpoint);
-        
-        subs.push(subscription);
+        subs.push(subscription.clone());
         tracing::info!("Added push subscription. Total: {}", subs.len());
+
+        // Save to DB if available
+        if let Some(db) = &self.db {
+            if let Err(e) = db.save_push_subscription(
+                &subscription.endpoint,
+                &subscription.keys.p256dh,
+                &subscription.keys.auth,
+            ).await {
+                tracing::error!("Failed to save push subscription to DB: {}", e);
+            }
+        }
     }
 
     pub async fn remove_subscription(&self, endpoint: &str) {
+        // Remove from memory
         let mut subs = self.subscriptions.write().await;
         subs.retain(|s| s.endpoint != endpoint);
         tracing::info!("Removed push subscription. Total: {}", subs.len());
+
+        // Remove from DB if available
+        if let Some(db) = &self.db {
+            if let Err(e) = db.remove_push_subscription(endpoint).await {
+                tracing::error!("Failed to remove push subscription from DB: {}", e);
+            }
+        }
     }
 
     pub async fn get_all_subscriptions(&self) -> Vec<PushSubscription> {
@@ -65,7 +100,7 @@ pub async fn send_push_notification(
     body: &str,
 ) -> Result<(), Box<dyn std::error::Error>> {
     let subscriptions = store.get_all_subscriptions().await;
-    
+
     if subscriptions.is_empty() {
         tracing::debug!("No push subscriptions to send to");
         return Ok(());
@@ -83,6 +118,9 @@ pub async fn send_push_notification(
 
     let client = HyperWebPushClient::new();
 
+    let vapid_private_key = std::env::var("VAPID_PRIVATE_KEY").expect("VAPID_PRIVATE_KEY must be set in .env");
+    let vapid_email = std::env::var("VAPID_EMAIL").expect("VAPID_EMAIL must be set in .env");
+
     for subscription in subscriptions {
         let subscription_info = SubscriptionInfo {
             endpoint: subscription.endpoint.clone(),
@@ -93,18 +131,18 @@ pub async fn send_push_notification(
         };
 
         let mut sig_builder = VapidSignatureBuilder::from_base64(
-            VAPID_PRIVATE_KEY,
+            &vapid_private_key,
             web_push::URL_SAFE_NO_PAD,
             &subscription_info,
         )?;
-        
-        sig_builder.add_claim("sub", VAPID_EMAIL);
-        sig_builder.add_claim("aud", subscription.endpoint.clone());
+
+        sig_builder.add_claim("sub", vapid_email.as_str());
+        sig_builder.add_claim("aud", subscription.endpoint.as_str());
         let signature = sig_builder.build()?;
 
         let mut builder = WebPushMessageBuilder::new(&subscription_info);
         builder.set_vapid_signature(signature);
-        
+
         let payload_str = payload.to_string();
         builder.set_payload(web_push::ContentEncoding::Aes128Gcm, payload_str.as_bytes());
 
@@ -122,6 +160,6 @@ pub async fn send_push_notification(
     Ok(())
 }
 
-pub fn get_vapid_public_key() -> &'static str {
-    VAPID_PUBLIC_KEY
+pub fn get_vapid_public_key() -> String {
+    std::env::var("VAPID_PUBLIC_KEY").expect("VAPID_PUBLIC_KEY must be set in .env")
 }

backend/src/rate_limit.rs

@@ -0,0 +1,16 @@
+use governor::clock::QuantaInstant;
+use governor::middleware::NoOpMiddleware;
+use tower_governor::governor::GovernorConfig;
+use tower_governor::governor::GovernorConfigBuilder;
+use tower_governor::key_extractor::SmartIpKeyExtractor;
+
+pub fn get_login_rate_limit_config() -> GovernorConfig<SmartIpKeyExtractor, NoOpMiddleware<QuantaInstant>> {
+    // 5 yanlış denemeden sonra bloklanır.
+    // Her yeni hak için 60 saniye (1 dakika) bekleme süresi.
+    GovernorConfigBuilder::default()
+        .key_extractor(SmartIpKeyExtractor)
+        .per_second(60) 
+        .burst_size(5)
+        .finish()
+        .unwrap()
+}

frontend/src/components/auth/login.rs

@@ -41,6 +41,8 @@ pub fn Login() -> impl IntoView {
                         logging::log!("Login successful, redirecting...");
                         // Force a full reload to re-run auth checks in App.rs
                         let _ = window().location().set_href("/");
+                    } else if resp.status() == 429 {
+                        set_error.set(Some("Çok fazla başarısız deneme yaptınız. Lütfen bir süre bekleyip tekrar deneyin.".to_string()));
                     } else {
                         let text = resp.text().await.unwrap_or_default();
                         logging::error!("Login failed: {}", text);

frontend/src/components/torrent/table.rs

@@ -46,6 +46,9 @@ fn format_duration(seconds: i64) -> String {
 }
 
 fn format_date(timestamp: i64) -> String {
+    if timestamp <= 0 {
+        return "N/A".to_string();
+    }
     let dt = chrono::DateTime::from_timestamp(timestamp, 0);
     match dt {
         Some(dt) => dt.format("%d/%m/%Y %H:%M").to_string(),

frontend/src/lib.rs

@@ -11,11 +11,15 @@ use app::App;
 #[wasm_bindgen(start)]
 pub fn main() {
     console_error_panic_hook::set_once();
-    console_log::init_with_level(log::Level::Debug).unwrap();
+    console_log::init_with_level(log::Level::Debug)
+        .expect("Failed to initialize logging");
 
-    let window = web_sys::window().unwrap();
-    let document = window.document().unwrap();
-    let body = document.body().unwrap();
+    let window = web_sys::window()
+        .expect("Failed to access window - browser may not be fully loaded");
+    let document = window.document()
+        .expect("Failed to access document");
+    let body = document.body()
+        .expect("Failed to access document body");
     
     // Add app-loaded class to body to hide spinner via CSS
     let _ = body.class_list().add_1("app-loaded");

frontend/src/store.rs

@@ -143,6 +143,12 @@ pub fn provide_torrent_store() {
 
     // Initialize SSE connection with auto-reconnect
     create_effect(move |_| {
+        // Sadece kullanıcı giriş yapmışsa bağlantıyı başlat
+        if user.get().is_none() {
+            logging::log!("SSE: User not authenticated, skipping connection.");
+            return;
+        }
+
         spawn_local(async move {
             let mut backoff_ms: u32 = 1000; // Start with 1 second
             let max_backoff_ms: u32 = 30000; // Max 30 seconds