Integrate Push Notification server for LDAP and WebUI authentication

[runleveldev]

1. Data model

• Sequelize model Setting (key STRING primary key unique, value STRING not null).
• Migration + Seeder with:
  • push_notification_url => ''
  • push_notification_enabled => 'false'
• Update database schema docs and ER Mermaid diagram.

2. Admin UI

• New admin-only /settings page to edit:
  • push_notification_url (text)
  • push_notification_enabled (checkbox)
• Validation: push_notification_enabled can only be saved true when push_notification_url is non-empty.
• I18N: externalize all labels/messages. A11Y: proper labels and focus handling.

3. ldap.conf behavior (create-a-container/routers/sites.js)

• Read Setting for push_notification_url and push_notification_enabled.
• If enabled (value === 'true') and URL is non-empty:
  • AUTH_BACKENDS = 'sql,notification'
  • NOTIFICATION_URL = ${push_notification_url}/send-notification
• Else: AUTH_BACKENDS = 'sql' and omit NOTIFICATION_URL.
• Keep existing DIRECTORY_BACKEND behavior.

4. Login flow integration

• In the server-side login handler (after password verification, before session creation):
  • If push_notification_enabled is true and URL is set:
    • POST JSON to ${push_notification_url}/send-notification:
      {
      "username": ,
      "title": "Authentication Request",
      "body": "Please review and respond to your pending authentication request.",
      "actions": [
      { "icon": "approve", "title": "Approve", "callback": "approve" },
      { "icon": "reject", "title": "Reject", "callback": "reject" }
      ]
      }
    • If HTTP 200 and body.action === 'APPROVE' → continue login.
    • If HTTP 200 and action !== 'APPROVE' or non-200 → fail login with generic MFA required/denied message.
    • If body equals {"success":false,"error":"No device found with this Username [invalid-username]"}:
      • Redirect user to push_notification_url to download/register the app (clarify server vs. frontend redirect).