I am using Mesibo SDKs on my Android app for chat and so far all my requirements are fulfilled. All of my Mesibo APIs and token information are stored on server side only. The android app fetches user token from the backend server.
Recently, my app started working unexpectedly such as chat messages not sent/received, user account not created and add group not working at Mesibo side. The backend APIs are all working fine. Upon calling one of the Mesibo API from PostMan, I got this response.
Request:
{'token':$appToken,
'op':'groupadd',
'name':$roomName,
'flag':0,
'expiry':$expiry,
'expiryext'"$expiry,
'active':1
}
Response:
{"op":"groupadd","result":false,"error":"TOKENBREACH"}
This error is new to me and I do not know how to resolve this. Any help would be highly appreciated.
TOKENBREACH indicates that backend API and app token are used from multiple IP addresses which jeopardizes your app security. You are likely to be using an app token from the client-side and hence breach has been flagged.
Read here https://mesibo.com/documentation/api/backend-api/
Related
I am implementing a VUE client app running on subdomain client.example.com and Laravel API on api.example.com. I am using webpush package to implement the browser notifications. I have my service worker (sw.js) on my vue app and manages to register the user, store the data to database on the push_notifications table.
The problem comes when I simulate the notification, it is not sent to the browser. I tend to think may be it is because the client app that requested for the permission is different from the API subdomain that triggers the notification.
Is there any way to implement this or my worries not realistic?
So i'm making an app using React JS, Cordova, node backend and a mongo database. I want to integrate firebase cloud messaging (FCM) into my platform. I'm quite new to firebase, and developing in general, and i'm not quite sure where to initialise firebase. I currently have it integrated into the front-end and it's requesting permission to receive notifications, generating tokens, and receiving messages from the firebase console. However i'm not entirely sure where to go from here. Do I add it to my backend as-well?
If you can receive messages in your client app, your front-end work is done for the moment.
But to send messages programmatically, you will need to write back-end code indeed. That's because sending messages through FCM requires that you specify the FCM server key to the API, and as its name implies that key should only be used in a trusted environment, such as your development machine, a server you control, or Cloud Functions.
For more on this, have a look at:
The architectural overview of FCM
The documentation on your server and FCM
My answer to How to send one to one message using Firebase Messaging
You have to get the FCM token from the frontend (or, client app).
After getting the token, just send it to your backend server using a POST method.
Then, store the token in whatever database you're using in your backend. It can be MongoDB, PostgreSQL, etc.
When I try to send Get Request in Postman in the Url
'https://iid.googleapis.com/iid/info/IID_TOKEN', it gives me Internal Server Error.
The IID_TOKEN I get is from FCM (Firebase Cloud Messaging) Server Key.
The YOUR_API_KEY I get is from FCM (Firebase Cloud Messaging) Legacy Server Key.
Am I sending the correct IID_TOKEN and YOUR_API_KEY? Or is it any authorization that I have not done?
Please help me on this.
Thank you.
How you obtain the IID_TOKEN depends on the client SDK you are using. In the Cloud Messaging Guide, the section for each client SDK (e.g. iOS, Android, Web, etc) has a topic titled Send Your First Message with a step describing how to obtain the registration token. For example, the Android description says to use FirebaseInstanceId.getInstance().getToken().
From your post, it sounds like you are using a server key, which is not correct.
There is an example GET request in the documentation.
Everyone who successfully authenticates through Google account would be able to execute the API through the API Explorer.
I would like to limit the ability to execute the API through API Explorer only to some users. But at the same time have the API accessible for all users of my Android and iOS apps.
Security in the case of at least Android App is facilitated through the Android Client Id and SHA fingerprint. So, the scope here is to NOT include the App access security.
Identify that the request is coming through the API explorer. One way is through the origin/referrer in the headers. For obtaining header information see this question.
And,
If the list of users is known, in the endpoints method raise endpoints.UnauthorizedException if the user (endpoints.get_current_user()) is not in the list.
Python sample code:
if self.request_state.headers.get('x-referer') == "https://apis-explorer.appspot.com" and endpoints.get_current_user() not in MY_LIST:
raise endpoints.UnauthorizedException('Not Authorized')
I am working on a project that might use Firebase only for messaging. The goal is for the following to happen:
App registers with Firebase on startup
App sends Firebase token to our server
Our server sends Firebase messages to all clients via the token from step 2
Note there is no step where the user will log into anything or enter any credentials. I am a little confused if this is possible in a production app, as most Firebase documentation talks extensively about different ways to authenticate, either via username/password, OAuth, etc.
The server will be sending different messages to different clients, but that logic will be handled by the server and not by different types of registration to Firebase. I know Firebase supports groups, but to make a long story short it probably won't be leveraged.
Can all this be done on Firebase? Is GCM a better match for these requirements? I feel like we would be throwing away 95% of Firebase and just trying to force it to simplify the messaging part.
Firebase Authentication does not at all affect the way that Firebase Cloud Messaging works. FCM only cares about the token for the app on the device as a means to target the app for messages. It doesn't care at all if the end user is authenticated by any means. If you want to associate a token to a user somehow, using Firebase Authentication or some other system, that's up to you.
FCM is an evolution of GCM. They are powered by essentially the same components. Using GCM doesn't give you any additional constraints or flexibility than FCM, except for the path to integration in your app.