Why must I keep the registration token secret? - firebase

According to this link, the registration token must be kept secret.
Registration token: An ID generated by the FCM SDK for each client app instance. Required for single device and device group messaging. Note that registration tokens must be kept secret.
How sensitive is the token? Can anyone with the registration token send notifications to the device? Or is the token specific to my project?
What are the risks if someone else gets hold of a device registration token?

How sensitive is the token? Can anyone with the registration token send notifications to the device? Or is the token specific to my project?
Not really. If a sender not associated with the registration token sends a message, then they're going to receive an error: MismatchSenderId:
A registration token is tied to a certain group of senders. When a client app registers for FCM, it must specify which senders are allowed to send messages. You should use one of those sender IDs when sending messages to the client app. If you switch to a different sender, the existing registration tokens won't work.
If you base it on that, it does seem that keeping the registration token a secret is not that much of a thing. But what if a scenario happens where an unauthorized user gets access to send messages? If he doesn't know/have the registration tokens, then it's pretty much useless. Just think of it as another safety measure.
What are the risks if someone else gets hold of a device registration token?
From the scenario I mentioned above, if someone (an unauthorized user) got access to send messages and the registration tokens, then they can pretty much send anything to it.

Related

Is it possible that the ID token generated by FCM is a duplicate?

According to the documentation, we know that the client can send its ID Token, or Registration Token, to the application server to notify the client that it is logged in.
https://firebase.google.com/docs/auth/admin/verify-id-tokens
I would like to know if this token can have duplicate values? I know it is similar to a JWT, which contains information such as uid, issue time, etc. If the same account logs in at the same point in time, is it possible for different devices to generate ID Token with the same value?
No, it is not possible. Application installation is one of the things that change.
Assuming you mean the FCM token, used to send e.g. notifications.

Issue JWT after OTP verification in ASP NET Core Web API

I am using .NET Core 3.1 in my Web API project. In that, I have used JWT authentication. Now I want to allow users to log in or register using their mobile number. So when the user enters the mobile number an OTP will be sent and after verifying the OTP, I want to issue JWT for the user. Now, I have the below queries regarding this:
If this flow is correct or something needs to be changed?
Where should I store the OTP sent to the user's mobile number? Should I create a separate table for storing OTPs and mobile numbers, or should it be managed on the front-end side where I am using ReactJS?
Note: I cannot change the authentication mechanism from JWT to any other as I already have dependencies over it.
So when the user enters the mobile number an OTP will be sent and after verifying the OTP, I want to issue JWT for the user. Now, I have the below queries regarding this:
If this flow is correct or something needs to be changed?
First, I think the workflow is correct.
Generally, when we are using JWT authentication, the workflow is as below:
Client sends a request (which contains the user information, such as name and password) to the server for a token.
Server receives the user information and checks for authorization. If validation succeeds, the server generates a JWT token.
Client receives the token and stores it somewhere locally.
Client sends the token in the future requests.
Server gets the token from request header, computes Hash again by using a) Header from token b) payload from token c) secret key which server already has.
If ("newly computed hash" = "hash that came in token"), the token is valid; otherwise it is tampered with or not valid.
So, in your workflow, you are using the mobile number and the OTP to log in and validate the user. It is also correct.
Where should I store the OTP sent to the user's mobile number? Should I create a separate table for storing OTP and mobile numbers or it should be managed on the front-end site where I am using ReactJs?
For this issue, I think it depends on how you generate/send the OTP.
If the OTP is generated by yourself, you have to store the phone number and OTP in the database, because, after the client sends the phone number and OTP to the server side, you have to validate whether the user is valid or not.
If you are using some provider or package to generate the OTP, the OTP might have an expiry time property; you can also store them in the database. If the expiry time is very short, there is no need to store them in the database; you could try to use the session to store the OTP.

FCM Token - When should I store/save it on my DB?

I am not sure what a proper FCM token handling mechanism would be so I’m writing our process down here just to get some validation or suggestions for improvements:
Fetch FCM token on client Login (Flutter)
Save FCM token on our Database (Using our REST API)
Delete FCM token on Logout (Using our REST API)
Q1: Should we be getting the FCM token more often than just on login? AFAIK, FCM token only changes on app re-installs, clearing cache, etc. Does this also include app-updates from the PlayStore? In that case, should we save the FCM token on every app launch since the user will remain logged in after an app update and hence we wouldn't trigger the save FCM call.
Q2: Did I mention the right way to handle deleting FCM tokens from our DB? We don’t want the user to keep getting notifications once they have logged out.
Q3: An add-on idea is to send the device_id to the server along with the fcm_token so that server deletes all previously saved FCM tokens for that device_id. This is useful to not have useless tokens on the DB from cases where the user uninstalls the app without logging out (which means that the DELETE fcm_token call never went through.)
The FCM token is refreshed under conditions that you don't control, and those conditions have even changed over time. To handle token updates properly, you'll need to implement both initially getting the token and then monitoring for token updates.
Note that FCM tokens are not associated with a user. It is fine if you want to associate them with a user, but it's up to your application code in that case to maintain the association. So that for example includes deleting the token from your database when the user signs out, as you're doing in step 3. 👍
For keeping your token registry clean, you can indeed do this proactively as you intend, or reactively as shown here: https://github.com/firebase/functions-samples/blob/master/fcm-notifications/functions/index.js#L76-L88
Hi Rohan, fundamentally you should use the below logic to save tokens on the server.
Step 1:
As soon as you get the token in the callback, whether new or the same, try to save it to local storage.
Step 2:
Call your REST API to save it to your server. It is up to you if you want to send a unique user identifier along with the token.
Step 3:
It is obvious you will receive the token callback a lot of times, so you can check whether you have the same token in local storage; it means you have the token on the server, so there is no point calling the REST API.
Step 4: Now your app can send events back to the server and based on them trigger push notifications to the users.
Step 5: You can add/update the user token based on a unique user identifier. In some cases a user can be a guest user, so your app should generate a guest userId and link it with the token.
Stay safe.

How a Firebase token is generated?

I'm doing analysis on Firebase tokens and understood the below points:
-> A Firebase token is saved in database which will be used for sending notifications.
-> The token generally does not expire except in the following cases:
- The app deletes Instance ID
- The app is restored on a new device
- The user uninstalls/reinstalls the app
- The user clears app data.
-> When we use a token which is expired we get errors like Not Registered from the response while sending messages.
-> To avoid the error, we should be deleting the token from database.
However, I have found that if we log in to a cloud application (which is my app currently), a new FCM token gets generated when I log in from a new browser, say Firefox, Edge etc.
So, is the token generated based on the browser or system IP, or what exactly does FCM use to generate a token?
The method used to generate the token is an implementation detail, and you should not depend on that to build your app.
A token uniquely identifies a device. Each device receives messages independently of each other, and does not know anything about the user of that device. It's expected that if a user signed into an app on multiple devices, each device would generate a unique token. If you want to send a message to a user, you will have to map each of the user's device tokens in your own database, and send the message to each of them, or only the ones that the user chooses.
You can expect that device tokens might change over time. If you send a message to a device, and the API tells you that the token is not valid, you should simply delete it from your records.

Push notifications by username

I have been looking for ways to send notifications to specific users and what I found was that I need the device token to do that.
I have tried Firebase and Ionic Cloud Service to do some pushes and it worked fine, but I'm wondering if it's possible to register a service with a key -> value, for example, register with the username and the token. If so, how can I do it?
And what is the best service to do it?
Thank you in advance for the help.
P.S.: I'm not asking for code, just the theory.
From your question [for example, register with the username and the token. If so, how can I do it?] I understand the following.
You mean to say there is a mobile app, which a user will sign up to use, and you want to send the notification to a registered user, i.e. send push notifications by username.
To solve this, you can follow the steps mentioned below.
On app launch, when you get the FCM registration token, save it to some intermediate location such as local storage, along with device-id, mobile details etc.
Create a backend API which can save username and registration token in DB.
When a user signs up or signs in, then fetch the registration token from local storage and post the username and token to the backend API to save it. You can make the backend API a bit intelligent to handle multiple devices of a single user, distinguishable by device-id, mobile details.
Then, when sending from the backend, you can fetch all registration ids of a single user and send the notification to that user using all tokens of that user in the FCM API. Use registration ids as a JSON array in the "registration_id" field. FCM Document - link.
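The token registry that this answer, the answer to "FCM Token - When should I store/save it on my DB?" and the answer to "How a Firebase token is generated?" all describe, as one added Node.js example that is not code from any of those answers or from Firebase: a user-to-token mapping that keeps one current token per device, moves a token to whoever signs in on that device, drops the token on logout, sends to every device of a user, and deletes tokens the send reports as NotRegistered. The in-memory Map, the injected `send` function standing in for the FCM API, the two-month pruning age and the sample user/device names are constructed assumptions.

```javascript
// Added example (not from the answers above): a backend registry mapping users to FCM tokens.
// Assumptions: in-memory storage and an injected send(token) function stand in for the database and the FCM API.

// Send errors that mean "this token is dead, delete it". 'NotRegistered' is the response named on this
// page (legacy HTTP API); the second string is the Firebase Admin SDK error code for the same condition.
const STALE_TOKEN_ERRORS = new Set(['NotRegistered', 'messaging/registration-token-not-registered']);
const TWO_MONTHS_MS = 60 * 24 * 60 * 60 * 1000; // proactive pruning age (assumption)

class TokenRegistry {
  constructor() {
    this.byToken = new Map(); // token -> { userId, deviceId, updatedAt }
  }

  // Called on every token callback / app launch; repeating the same token is a harmless no-op.
  // A token identifies a device, not a user, so a device (deviceId) keeps only its newest token,
  // and a token re-registered by a different user moves to that user.
  register(userId, deviceId, token, now = Date.now()) {
    for (const [t, rec] of this.byToken) {
      if (rec.deviceId === deviceId && t !== token) this.byToken.delete(t); // older token of this device
    }
    this.byToken.set(token, { userId, deviceId, updatedAt: now });
  }

  // Logout: drop the token so the signed-out device stops receiving this user's notifications.
  unregister(token) {
    return this.byToken.delete(token);
  }

  tokensForUser(userId) {
    return [...this.byToken].filter(([, r]) => r.userId === userId).map(([t]) => t).sort();
  }

  // Proactive cleanup for devices that uninstalled without logging out: drop tokens not refreshed
  // within maxAgeMs. Returns the number removed.
  pruneOlderThan(maxAgeMs = TWO_MONTHS_MS, now = Date.now()) {
    let removed = 0;
    for (const [t, rec] of this.byToken) {
      if (now - rec.updatedAt > maxAgeMs) { this.byToken.delete(t); removed++; }
    }
    return removed;
  }

  // Reactive cleanup: send to every device of a user. send(token) returns an error string or null;
  // tokens that come back as stale are deleted, other errors are reported but the token is kept.
  sendToUser(userId, send) {
    const result = { sent: [], pruned: [], failed: [] };
    for (const token of this.tokensForUser(userId)) {
      const err = send(token);
      if (err === null) result.sent.push(token);
      else if (STALE_TOKEN_ERRORS.has(err)) { this.byToken.delete(token); result.pruned.push(token); }
      else result.failed.push({ token, err });
    }
    return result;
  }
}

// Constructed walk-through: one user on two devices, the phone reinstalled the app (new token),
// and the tablet's token has since been invalidated on the FCM side.
function demo() {
  const reg = new TokenRegistry();
  reg.register('alice', 'phone-1', 'tok-A1', 1000);
  reg.register('alice', 'tablet-1', 'tok-B1', 1000);
  reg.register('alice', 'phone-1', 'tok-A2', 2000); // reinstall: tok-A1 is replaced
  const deadTokens = new Set(['tok-B1']);            // constructed: FCM would answer NotRegistered
  const outcome = reg.sendToUser('alice', t => (deadTokens.has(t) ? 'NotRegistered' : null));
  return { remaining: reg.tokensForUser('alice'), outcome };
}
```

Keying the store by token rather than by user is what makes the "same device, new user" case come out right: the token follows the device, so a logged-out user never keeps a token that now belongs to someone else's session on that device.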
