My signed-in Android clients register their tokens with my server. The problem is I am not sure whether the token sent by a particular client genuinely belongs to that client user id. A bad client could register valid tokens of other users.
Given an FCM token and a user id, how can my admin code on the server verify that the token indeed belongs to the (authenticated) user id?
On a Firebase level there is no connection between a Authentication UID, and a Cloud Messaging Instance ID token.
A Firebase Authentication UID uniquely identifies a user. If that user signs in on a different device, they have the same UID value.
A Firebase Authentication Instance ID token identifies a single app on a single device. If a different user signs in to that app, the app will keep the same Instance ID token.
If you want to associate a UID with an FCM tokens, you have to do that in your application code. For example, many developers clear the FCM Instance ID tokens when the user signs out of their app. This ensures that a new user who signs in on the same device will get a new Instance ID token.
Also see:
Firebase Cloud Messaging Auth Tokens vs Registration Token
What is the proper way to capture device registration tokens in order to send notifications via Firebase Cloud Messages?
Related
Users who have certain user IDs can perform add and delete operations.
How can I log in and disable idToken to log out after adding or deleting, log out? Tokens have a 1-hour duration. People who are learning idToken can make additions and deletions. That's why it should be disabled.
I get idToken by requesting https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[API_KEY].
With the Firebase Realtime Rest Api xxx.com/abc.json?auth= endpoint, you can have the authority to add and delete.
The REST API itself is stateless, so the only available information that someone is logged in is in your application that calls the REST API.
When you sign out in one of the Firebase SDKs they simply remove the ID token from the local state. I recommend you do the same: remove the ID token from memory effectively signs the user out.
Firebase only passes the ID token over encrypted connections, so is not susceptible to man-in-the-middle attacks (like the one you describe) unless your network is already compromised.
There is no way to revoke the ID token itself once it's minted, but if you want to revoke access for a specific ID token or user, have a look at https://firebase.google.com/docs/auth/admin/manage-sessions
We are migrating users to the Firebase and for specific app reasons I need to create a verify token on the backend side.
So the schema is next -
I receive the user email and password from the user. Passing it to
the backend.
Backend generates a verify token, retrieves all the
info from Firebase, and informs the user.
I'm looking for some way to do it with firebase SDK, but I don't see any option.
I have already created a push notification system using firebase. It generates and saves a token for a user, then upon login displays their subscription status. It works fine, unfortunately it’s only one device per user, the most recent device they logged in on. I’d like to allow for multiple devices per user.
I’m assuming firebase uses some ID unique to each device to generate a token. If I’m wrong in that assumption, please point me in the right direction.
As Doug commented, since FCM doesn't associate its tokens with users, this is probably some limitation in your implementation.
You'll want to allow multiple ID tokens per user in your database, and then send to all tokens for the current user. If the device/app install can be shared between users, you'll want to remove the association between the user and the token for that installation when the user signs out/a new user signs in.
On associating tokens with users, see:
Is FCM (firebase cloud messaging) Token for one device or for one account?
When to register an FCM token for a user
How to get Firebase user id from FCM token? (in admin code on server)
And then finally you'll also want to clean up any tokens that FCM flags as not valid anymore, as otherwise you'll keep adding more and more tokens, which may not be valid anymore.
On deleting expired tokens, see:
When device token expires, is it automatically removed from FCM device group?
How do I identify and delete the expired FCM token on server?
In our app we use Firebase Cloud Messaging to send push notifications to our users. We save the registration tokens of our users in our SQL database and when a user logs in or out we use the Firebase API to manage his topic subscriptions.
This works out pretty well in most of the cases but now the topic subscriptions return the following error for some of our registration tokens:
The provided registration token is not registered. A previously valid registration token can be unregistered for a variety of reasons. See the error documentation for more details. Remove this registration token and stop using it to send messages
In which cases does Firebase delete previously registered registration tokens? I can not find any specific information about this in the error documentation.
Thanks for your help!
From the documentation:
A previously valid registration token can be unregistered for a variety of reasons, including:
The client app unregistered itself from FCM.
The client app was automatically unregistered. This can happen if the user uninstalls the application or, on iOS, if the APNS Feedback
Service reported the APNS token as invalid.
The registration token expired. For example, Google might decide to refresh registration tokens or the APNS token may have expired for
iOS devices.
The client app was updated, but the new version is not configured to receive messages.
Is firebase token is use to sent to specific device?
How do I store firebase token in MySQL?
From google website, It does not mention about the length of the token.
It seems to be very long.
An Instance ID Token identifies a specific app on a specific device. From the Firebase documentation:
Registration token - An ID generated by the FCM SDK for each client app instance.
The Instance ID Token indeed only expires in very few conditions. Also from the documentation:
The registration token may change when:
The app deletes Instance ID
The app is restored on a new device
The user uninstalls/reinstall the app
The user clears app data.
The token is a relatively long string. Since you're unlikely to frequently search for it, I'd store in in a text field in your database.