Add Ntfy push notifications for super admin events

Sends alerts to a configurable Ntfy topic on: new user registration,
account lockout after 5 failed login attempts, and login attempts on an
already-locked account. Fire-and-forget — never raises if Ntfy is down.

Configure via NTFY_URL and NTFY_TOKEN in .env.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/config.py

@@ -12,6 +12,8 @@ class Settings(BaseSettings):
     admin_username: str = "admin"
     admin_password: str  # no default — must be explicitly set in .env
     docs_enabled: bool = False
+    ntfy_url: str = ""       # e.g. https://ntfy.sh/your-secret-topic
+    ntfy_token: str = ""     # optional Bearer token if topic is protected
 
     @property
     def cors_origins_list(self) -> list[str]:

backend/app/routers/auth.py

@@ -18,6 +18,7 @@ from app.models.user import User
 from app.models.subject import Subject
 from app.schemas.auth import LoginRequest, RegisterRequest, TokenResponse
 from app.schemas.user import UserOut
+from app.utils.ntfy import notify
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
@@ -57,6 +58,14 @@ async def register(body: RegisterRequest, response: Response, db: AsyncSession =
     access = create_access_token({"sub": str(user.id)})
     refresh = create_refresh_token({"sub": str(user.id)})
     response.set_cookie(REFRESH_COOKIE, refresh, **COOKIE_OPTS)
+
+    await notify(
+        title="New User Registered",
+        message=f"{body.full_name} ({body.email})",
+        priority="default",
+        tags=["bust_in_silhouette"],
+    )
+
     return TokenResponse(access_token=access)
 
 
@@ -76,6 +85,12 @@ async def login(body: LoginRequest, response: Response, db: AsyncSession = Depen
     if user.locked_until and user.locked_until > now:
         remaining = int((user.locked_until - now).total_seconds() / 60) + 1
         logger.warning("Locked account login attempt for email=%s", body.email)
+        await notify(
+            title="Login Attempt on Locked Account",
+            message=f"{body.email} — locked for {remaining} more minute(s)",
+            priority="high",
+            tags=["lock"],
+        )
         raise HTTPException(status_code=429, detail=f"Account locked. Try again in {remaining} minute(s).")
 
     if not user.is_active:
@@ -87,6 +102,12 @@ async def login(body: LoginRequest, response: Response, db: AsyncSession = Depen
         if user.failed_login_attempts >= _LOGIN_MAX_ATTEMPTS:
             user.locked_until = now + timedelta(minutes=_LOGIN_LOCKOUT_MINUTES)
             logger.warning("Account locked for email=%s after %d failed attempts", body.email, user.failed_login_attempts)
+            await notify(
+                title="Account Locked",
+                message=f"{body.email} locked after {user.failed_login_attempts} failed attempts",
+                priority="urgent",
+                tags=["warning"],
+            )
         else:
             logger.warning("Failed login attempt %d/%d for email=%s", user.failed_login_attempts, _LOGIN_MAX_ATTEMPTS, body.email)
         await db.commit()

backend/app/utils/ntfy.py

@@ -0,0 +1,25 @@
+import logging
+import httpx
+from app.config import get_settings
+
+logger = logging.getLogger("homeschool.ntfy")
+
+
+async def notify(title: str, message: str, priority: str = "default", tags: list[str] | None = None) -> None:
+    """Fire-and-forget notification to Ntfy. Silently logs errors — never raises."""
+    settings = get_settings()
+    if not settings.ntfy_url:
+        return
+
+    headers = {"Title": title, "Priority": priority}
+    if tags:
+        headers["Tags"] = ",".join(tags)
+    if settings.ntfy_token:
+        headers["Authorization"] = f"Bearer {settings.ntfy_token}"
+
+    try:
+        async with httpx.AsyncClient(timeout=5) as client:
+            resp = await client.post(settings.ntfy_url, content=message, headers=headers)
+            resp.raise_for_status()
+    except Exception as exc:
+        logger.warning("Ntfy notification failed: %s", exc)