How to secure Firebase Messaging topics with cloud functions? - firebase

Is there a way to secure validate subscriptions to topics? For example, is it possible to limit topic Test to a specific user with ID XXXXX? Is this possible with Cloud Functions?

firebaser here
To be able to subscribe to a topic, you currently need to know two things: the FCM token/instance ID of the app instance, and the path/name of the topic to subscribe to.
Knowing these two allows one to subscribe to the topic from any client. There currently is no public API to limit who can subscribe to what topics. So if you need to guarantee that the message is only delivered to authorized app instances, you should not use topics and instead delivery to each FCM token/instance ID directly from your own (server-side) code.
This request comes along regularly though, so I recommend that you file a feature request to add your vote.

Related

Flutter FCM Topic named like a document

I am new to firebase cloud messaging and i search the best way to send notifications to clients.
I want people to be able to subscribe to new entry in subcollection like this :
books/{bookID}/comments/{commentId}/reply/{replyId}}
Is that bad if i use that kind of syntax?
so i can push notification on that topic when new reply are created
void fcmSubscribe(String bookId,String commentId) {
firebaseMessaging.subscribeToTopic('book-${bookiD}_comment-${commentId}');
}
or i need to use Individual Device Notifications and create entries like this
books/{bookID}/comments/{commentId}/notifications/{tokenId}}
i want to avoid firestore Read and Write.
You can use whatever valid topic names that you want. Use whatever you like - it's your choice. There is nothing particularly "bad" about your choice of name, as long as it works for you. Things can only go badly for you if you exceed one of the documented limits for topic messaging:
Topic messaging supports unlimited subscriptions for each topic. However,
FCM enforces limits in these areas:
One app instance can be subscribed to no more than 2000 topics.
If you are using batch import to subscribe app instances, each request is limited to 1000 app instances.
The frequency of new subscriptions is rate-limited per project. If you send too many subscription requests in a short period of time, FCM
servers will respond with a 429 RESOURCE_EXHAUSTED ("quota exceeded")
response. Retry with exponential backoff.
If you're thinking that FCM is tied in any way to Firestore, that's not the case. You are not obliged to make anything match between your Firesore documents and your FCM topics.

How to use FCM topics for notification in chat app?

I am make chat feature with Flutter and Firestore backend.
Every message is new document in Firestore collection with UID and text field. Chat is 1:1 and random so no know who user will talk to before enter chat. DocID in chat collection are all auto-id.
I have read can use topics to manage send notification. This should be easier than use individual device fcm token.
Anyone know how to implement use topic for this random 1:1 chat app?
You can definitely use a separate topic for each 1:1 conversation, for example with the naming scheme I described here: Best way to manage Chat channels in Firebase. But there are some things to consider which, as Doug already pointed out in his comment, leads most developers to not solely use FCM for their chat apps.
For example: FCM topics are not secured. This means that anyone who finds out the topic ID can subscribe to it, and thus overhear the 1:1 conversation. And while you can generate topics that are hard to guess, you should not rely on not knowing the topic ID as a security mechanism.
Another reason to consider alternatives is that FCM messages are transient: once they are delivered there is no longer any trace of them. With your current Firestore implementation you can query the database to get all messages to show, while with a pure FCM implementation you will have to build your own database (if that is required for your app).
For these reasons most chat apps I know of use a combination of FCM (for push notifications) and an online database (for persistence) as their backend services.
I found Frank's comment really interesting about the "sorted userID composed key". I would probably use that as the chat key in the database (realtime/firestore), however, for the notifications I think I would still use a topic for each user - this way I would be able to avoid notifying the user who posted the message. If that wouldn't be an issue, then just go for just one topic per chatroom.
Also mentioning Frank, I would probably use extra keys in all topic names to make them really difficult to guess. (but add that later so you don't get distracted with non core stuff)
In this answer you have an example of how to post the notifications with a onCreate trigger to a topic (from a functions backend).
In the flutter code, you can use subscribeToTopic from the firebase_messaging plugin to start listening to a topic.
Note: if your app will support user log-off [probably it will :)], then you'll also have to delete the token in the device to avoid receiving notifications from the last logged user.

Send Firebase Cloud Messaging notification to users by user property

I'm trying to send out an FCM message to a specific set of users (or really, a single user) based on a specific user property but looking through the FCM HTTP API I can't seem to find a way to do that. I can send to users via topics, registration tokens, and device group notification keys, but I don't have any of that infrastructure set up in the near term. I know this functionality exists as you can send such a message via the UI, but I'm not seeing how to do it in the API documentation as yet.
There is currently no parameter that you could use to specify a user property (or even for user segments) that will serve as a target for the FCM API to send the message to.
As you've already searched, the only targets possible are single/multiple registration tokens (to and registration_ids), topics, conditions, and device groups (notification_key).
The option you're looking for is currently only available when using the Notifications Console.

Firebase Registration Token for Website

I am looking to integrate Firebase into an existing project. I would like to create an administrative Website that would have the ability to create topics, and then post messages to topics.
From the mobile devices, the end user would be able to view the Topics that were created, and subscribe to them.
Ideally the administrative user would log into my website, opt to create a new Topic, and then from the backend I would send an HTTP request to FCM to create that topic.
The issue I am having is figuring out how to create Topics. My understanding is that I need to pass in a Token in order to create topics, but I can't find where to create Tokens for a web user in their SDK. Does anyone have any recommendations?
Topics in FCM follow a pub-sub model. There is no such explicit activity as creating a topic. You just subscribe to a topic. Usually you would subscribe from the client side using Android or iOS FCM APIs to subscribe.
If you wanted to subscribe users from the backend, you would need to use Instance ID APIs from your backend service.
Example:
// to list the subscriptions for a given token:
GET https://iid.googleapis.com/iid/info/nKctODamlM4:CKrh_PC8kIb7O...clJONHoA?details=true
Authorization:key=AIzaSyZ-1u...0GBYzPu7Udno5aA
// to subscribe
POST https://iid.googleapis.com/iid/v1/nKctODamlM4:CKrh_PC8kIb7O...clJONHoA/rel/topics/movies
Content-Type:application/json
Authorization:key=AIzaSyZ-1u...0GBYzPu7Udno5aA
Like you said you need this token. To get this token on the web for a user, use firebase messaging.

Dynamic Push Notifications

I know that Firebase has recently added support for Push Notifications and while this is a great thing, I only seem to be able to send push notifications manually via the Notifications Panel.
What I'd like to do is to send push notifications within a user scope...Let me explain that. Each User in my App has an account and then each user can join a group. Within this group the user can perform tasks and has a list of chores to do. Now when certain tasks are due for example I want to remind the user of doing it with a push notification. For 1-10 I might be able to pull this off manually, but is there a way to dynamically based on the data in the Database send out Push Notifications?
I know that certain Push Notifications can be created using the Analytics tool such as "Hey you have not visited for 3 days, please come back whatever"... but I'd like to register push notifications such as "I just created a task, this task needs to be done within 3 days. Remind me in 3 days if the task is still not done".
Is this possible with Firebase or do I need to have my own server connecting to Firebase and handling those events?
-xCoder
You need to implement FCM in your client and in a server. Let me put this straight:
First, you need that your client, or app, to register into FCM and get a FCM token that will be used to identify that device uniquely.
Then, store that token wherever you like. It can be into firebase database or other server you may like. I recommend you to store it into firebase if you are using it as a database for your users; that's my case.
Also, you need to implement a http or xmpp server in order to send FCM messages to your registered devices containing the data you are interested in. For example, you can implement a Google App Engine endpoint (can be done with Android Studio and Java) that is quite simple or a NodeJS module, depending on your preferred language.
If you are using Firebase as database you can connect from your server with the appropriate SDK and get the FCM tokens you want from your users, and then send the message to those with data. Don't forget to secure your serve.
The way you implement your server algorithm to send FCM messages depends on your app purposes.
Hope it is clear enough for you. Also you can find all the documentation with a short video that explains the general structure here: https://firebase.google.com/docs/cloud-messaging
You can use cloud functions to trigger on any create, update or delete operation in your database and in the trigger event, you can choose to send in FCM push notifications to the devices of your choice.
Here is the documentation regarding the use and structure of a cloud function: https://firebase.google.com/docs/firestore/extend-with-functions
Hope this helps!

Resources