Retrieve FCM canonical_id in v1 API - firebase

I'm migrating to the FCM v1 API (https://firebase.google.com/docs/reference/fcm/rest/v1/projects.messages) from the legacy API (https://firebase.google.com/docs/cloud-messaging/http-server-ref) to send push notifications.
I want to know if is there some way to retrieve the canonical_id related to the token (registration_id) just like in the legacy API.
I have found nothing about it in the docs, only that the result is a Message object, and if an error occurs it returns a FcmError Object.
If I can't retrieve the canonical_id I think I would end up receiving errors of invalid / not registered token after some time (or am I wrong?), and would have to invalidate them in my database, if the user doesn't use the app during a reasonable amount of time.

AFAICT, canonical_ids haven't been used since the legacy api. See my answer here.
Registration tokens don't get invalidated on a regular basis, just on a few scenarios, where onTokenRefresh() is actually called and thus must be handled on the client side (resend the new token towards your server).

Related

Should I cache Firebase idTokens for a while, after I authenticated it in node admin sdk?

I am building an app, where I need to use my own backend besides Firebase. I need to authenticate a logged-in user in my backend too. So I found this tutorial which does this. I send an idToken and verify this header in admin sdk in my node, based on the docs. I thought I could cache this token with redis or just a js map after the first verification for 10 minutes or as much as a user session would take, to speed things up, instead of verifying each request in a 10 min sess. I could probably cache the token in the phone too for some time?
My question is, what security consequences would this bring? Thank you.
To clarify I am not using custom tokens, I will be using the built in Firebase Authentication.
The convention is to send the ID token to your backend with every request. It's not expensive to verify the token with the Admin SDK as shown in that documentation. It doesn't cost any money.
Typically what you're supposed to do is use a listener to detect when the ID token changes (it will be refreshed automatically every hour), and keep using that token until the SDK delivers a new one to your callback. In web clients, you're supposed to use onIdTokenChanged to register a callback to get changes to this token over time. There is no need to persist or cache this token - simply use whatever the callback most recently provided.
Some of the Firebase backend services keep a small cache of recent ID tokens, and their decoded results. So if they receive the exact same token, they'll use the already decoded result. This is a riskless operation, as the decoding operation is idempotent: the same input will always deliver the same output.

Best practice for Firebase authorization persistence and API calls

I've been following a tutorial to build a full stack website using firebase, react and redux. Log in sends a call to a back end function which uses
firebase.auth().signInWithEmailAndPassword for logging in. The IdToken is passed back to the client and stored in localstorage. Authentication and state persistence then relies on the client checking if the current date is past the expiry of the JWT token. API calls to the back end cloud functions also require an Authorization header using 'Bearer {IdToken}'.
This structure is causing me lots of headaches. I've done lots of reading and my current understanding is that firebase has it's own authorization persistence (?) that I can implement directly on my front end. Then using a listener I can automatically get new Id tokens on auth state change. This would solve my problem of the tokens expiring every hour. From what I've read local storage of the tokens is also a security risk.
I'm unsure as to how that affects authorization of my function calls. Should I still use the authorization header or is there a more elegant firebase way of doing that?
If you use Firebase Authentication's built-in providers, they indeed automatically persist the sign-in information information on most clients, restore it upon restart, and refresh the ID token just before it expires.
So if you use one of the standard providers, you can just get the user's ID token and then pass that to your Cloud Function.
You can even skip that step by using Callable Cloud Functions. For those, the Firebase Functions SDK passes the ID token along automatically, and the server automatically decodes and verifies it, and passes it to your code as context.auth.

Avoid spamming to my API that build with Firebase Function

I am building some internal API for my apps/website with Firebase Functions. Internal API as in to let my apps/website to process something on server side, its doesn't mean to open to public use.
My Apps is built with ionic and website is built with angular.
I noticed the one of Firebase Functions Pricing calculation include "Invocations". Is that Invocations means every time when I call the API equal to 1 Invocation? If yes, then the API might be abused by end user, since they able to view the website source and found the API.
I been searching solution in google, some of them suggest to enable authentication and cors, to avoid abuse of the usage. But authentication and cors still counting the Invocations right?
My code structure:
client call API by get/post method, pass user TOKEN that get from Firebase Authentication
request reach the Firebase Functions
server will check the preflight info by using CORS, as well as validate the TOKEN.
Return error if didn't pass on the (3), else proceed to execute the function.
So I assume if end user inspect my web source code and get the API URL, they can simply spam my API right? Then my bill will burst because of the load of Invocations.
If you suspect that your project is being abused, which is always possible, contact Firebase support to work towards a resolution.

How to make sure an iOS app instance stay subscribed to a FCM topic?

1 Are FCM token and Instance Id one and the same?
In my next questions, I suppose there aren't.
2. Is it possible to register an app instance ID twice to the same topic?
FCM token and Instance Id expire and are refresh.
3. Do we need to subscribe to a topic again after a token refresh?
I suppose we do.
4. Should we listen to a FCM token refresh or to an Instance Id refresh?
I am confused because the Firebase iOS API to register to a topic is:
[[FIRMessaging messaging] subscribeToTopic:#"news"]
It is not explicit which token is involved. My guess is that the internal logic uses the Instance Id because the server API endpoint is https://iid.googleapis.com/iid/v1/IID_TOKEN/rel/topics/TOPIC_NAME
However the Firebase documentation only mentions FCM token refresh and how to monitor them.
The InstanceID and the Token are different. See an explanation of the InstanceID in my answer here, and a general explanation for the token in my answer here.
Usually tho, the token (when printed) contains the InstanceID as well. It may be a format Google chose to make sure that the token is unique, or to connect it to a specific device. I can't say for sure.
There is no way that you can duplicate a subscription. Whenever a token is refreshed, the corresponding subscriptions are kept by the new token.
No. See #2.
It uses the token. The InstanceID is just the ID for the app instance. The token is what FCM needs to send the message.

Firebase Cloud Messaging for Web - How to maintain the token list in the database and ensure they are valid or up-to-date

With Firebase Cloud Messaging for Web,
How do I maintain the list of valid tokens in my database? For example I've noticed when a user turns off notifications and revisits the site, a new token will be generated and the old token in my database is useless.
I've also tried using Firebase messaging.onTokenRefresh() callback, but it does not get called when I turned off notifications. Also in this case, even if it did get triggered, it returns a new token that was refreshed. How do I keep track of the old token that was refreshed?
Can someone please share with me their thoughts/ways to maintain and ensure the token list in the database are valid or up-to-date?
Any feedback is much appreciated.
Thank you,
Christina
messaging.onTokenRefresh() is probably a wrapper around the event onpushsubscriptionchange.
Indeed that event is currently only called when the subscription is enabled (or enabled again), but not when the permission for push notifications is revoked. So at the moment you can only know that an endpoint has expired when you try to send a notification to it.
More details:
http://blog.pushpad.xyz/2016/05/the-push-api-and-its-wild-unsubscription-mechanism/
In any case you can use the callback to send any new token to the server: at first you will have two tokens stored for the same browser, one expired and the other valid.
Some problems arise if you have data associated to the endpoint (e.g. tag) that you want to preserve during the endpoint change: see the blog post for some suggestions.

Resources