Is a FCM token reused? - firebase

Suppose a FCM token is generated abcd and assigned to a user say user 1 now this token is no longer associated to user 1 as he uninstalled his app. Can this token abcd be assigned to some other user in future?
EDIT 1:
I know it is unique at a time. But if a token is not being used by anyone abcd will that be used again by some other user as it is still unique as user 1 is using a different token?
EDIT 2:
The token I am referring to is the device regestration token.

The simple is NO
Google/Firebase practice is having a hashing algorithm to generate a long and non repeating id (usually associate with timestamp and other factors), which usually can be up to 20 characters or more, to ensure it is unique in the database (FCM device token db).
Therefore, it will always assign a new and unique token to the new device. Won't reuse the token in any circumstances.
[UPDATE]
Thanks for your comment, now I have a concrete answer to your problem now. Each token contains the particular user meta-data, and other info including unique id etc.
So the token can only be revoked by the same user but cannot be use by others (because it contains the user meta-data).

The documentation about GCM says that token is unique, I think the same applicable for FCM as well.
https://developers.google.com/cloud-messaging/registration
To verify that they can send and receive messages, client apps must register with GCM. In this process, the client obtains a unique registration token...

Related

Is it possible that the ID token generated by FCM is a duplicate?

According to the documentation, we know that the client can send its ID Token, or Registration Token, to the application server to notify the client that it is logged in.
https://firebase.google.com/docs/auth/admin/verify-id-tokens
I would like to know if this token can have duplicate values? I know it is similar to a JWT, which contains information such as uid, issue time, etc. If the same account logs in at the same point in time, is it possible for different devices to generate ID Token with the same value?
No it is not possible. Application installation is one of the things that change.
Assuming you mean the FCM token, used to send e.g notifications.

What does firebase use to generate a registration token?

I have already created a push notification system using firebase. It generates and saves a token for a user, then upon login displays their subscription status. It works fine, unfortunately it’s only one device per user, the most recent device they logged in on. I’d like to allow for multiple devices per user.
I’m assuming firebase uses some ID unique to each device to generate a token. If I’m wrong in that assumption, please point me in the right direction.
As Doug commented, since FCM doesn't associate its tokens with users, this is probably some limitation in your implementation.
You'll want to allow multiple ID tokens per user in your database, and then send to all tokens for the current user. If the device/app install can be shared between users, you'll want to remove the association between the user and the token for that installation when the user signs out/a new user signs in.
On associating tokens with users, see:
Is FCM (firebase cloud messaging) Token for one device or for one account?
When to register an FCM token for a user
How to get Firebase user id from FCM token? (in admin code on server)
And then finally you'll also want to clean up any tokens that FCM flags as not valid anymore, as otherwise you'll keep adding more and more tokens, which may not be valid anymore.
On deleting expired tokens, see:
When device token expires, is it automatically removed from FCM device group?
How do I identify and delete the expired FCM token on server?

FCM Token - When should I store/save it on my DB?

I am not sure what a proper FCM token handling mechanism would be so I’m writing our process down here just to get some validation or suggestions for improvements:
Fetch FCM token on client Login (Flutter)
Save FCM token on our Database (Using our REST API)
Delete FCM token on Logout (Using our REST API)
Q1: Should we be getting the FCM token more often than just on login? AFAIK, FCM token only changes on app re-installs, clearing cache, etc. Does this also include app-updates from the PlayStore? In that case, should we save the FCM token on every app launch since the user will remain logged in after an app update and hence we wouldn't trigger the save FCM call.
Q2: Did I mention the right way to handle deleting FCM tokens from our DB? We don’t want the user to keep getting notifications once they have logged out.
Q3: An add-on idea is to send the device_id to the server along with the fcm_token so that server deletes all previously saved FCM tokens for that device_id. This is useful to not have useless tokens on the DB from cases where the user uninstalls the app without logging out (which means that the DELETE fcm_token call never went through.)
The FCM token is refreshed under conditions that you don't control, and those conditions have even changed over time. To handle token updates properly, you'll need to implement both initially getting the token and then monitoring for token updates.
Note that FCM tokens are not associated with a user. It is fine if you want to associate them with a user, but it's up to your application code in that case to maintain the association. So that for example includes deleting the token from your database when the user signs out, as you're doing in step 3. 👍
For keeping your token registry clean, you can indeed do this proactively as you intend, or reactively as shown here: https://github.com/firebase/functions-samples/blob/master/fcm-notifications/functions/index.js#L76-L88
Hi Rohan fundamentaly you should use below logic to save tokens on server.
Step1:
as soon as you get token in callback whether new or same try to save it localstorage.
Step2:
Call your REST API to save it to your server. it is upto you if you want to send unique user identifier along with the token.
Step3:
It is obvious you will recieve token callback a lot of time so you can check whether you have similar token in localstorage, it means you have the token on the server so no point calling REST API.
Step 4: Now your app can send events back to server and based on it trigger Push notifications to the users.
Step 5: You can Add/update user token based on uniqye user identifier. In some cases a user can be guest user, so your app should generate guest userId and link it with token.
Stay safe.

Can FCM(Firebase Cloud Messaging) reassign the same token id

I am working on FCM. I discovered that after sometime, FCM token get refreshed. Is it possible that previous token id may get assigned to other user or new user?
I don't think so, Because token is generated based on the current timestamp therefore there are no chances of generating the same token again.

Sharing user ID's as a way to find people

Is it safe to share a user's ID that Firebase creates when a new user is created? I'd like to use it as an easy way to find other people on my platform.
I don't see why it should not be safe, so if it is. Please enlighten me :)
I am not too familiar with your system or how Nintendo does this (not really a gamer) but you can build something like this:
You can display the list of users (using uid, displayName and photoURL which can be obtained using the Admin SDK or by a list you maintain in the Firebase Database, Firestore, etc) to an authenticated user.
Let's say that user wants to add a connection or friend, you can get that user's ID token, the friend's uid and then add that user's uid to that authenticated user's pending connection list after you verify their ID token.
On the other end, you want the other user to accept the connection request (assuming this how your people finder feature works in your app). You would show the list of pending requests. When the user accepts the request, they would send their ID token and once that's verified, you can consider the connection completed.
To summarize, you still need an ID token to confirm the user sending the request and the one confirming it. Otherwise, if you just solely rely on uids, any user can get the uid of other users and try to add them to each other's friends list, etc.
Hopefully this points you in the right direction.

Resources