How secure is firebase cloud messaging at client side?
Question
It's true that firebase provides both client side sdk and server side admin sdk for using firebase cloud messaging.
What confuses me is this :
we include the client side initialization code in the public javascript file or script tag. Can't someone see this initialization credentials and send a post request directly to devices connected to our app? What if the user keeps sending spam or malicious notifications? Shouldn't the entire FCM feature only be made available by admin sdk?
I am using firebase hosting for my nodejs app for a project and am quite confused about how to implement FCM.
What sort of authentication or check is provided by firebase over cloud messaging and notifications?
How secure is using FCM notifications in my web app client?
1 answers
solution1
1 ACCPTED 2017-12-28 19:57:53
Never expose your FCM Api key that's used in the legacy FCM. If you're worried about it, just disable the GCM post api from your Google cloud admin console for your project.
Now their new v1 API uses the Oauth tokens issued using the service account key on your server. So that'll stop the abuse. Never put the service account key in a publicly accessible place. You'll have to enable this in your Google cloud management console for your project.
The database url, storage bucket info, app id and the apikey for db are safe to be exposed to the public.
For example, in my web project, on a button click which is supposed to send a notification, i post the data to a Servlet which will actually have the FCM part. Now this will prevent abuse.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.