
How can I prevent users from maliciously calling HUAWEI Push Kit's message receipt function API when I use the function?

Since Google forbids new Huawei devices from using GMS, Huawei mobile phone users of my app often complain that they can't receive notification messages. So I recently started using HUAWEI Push Kit. The integration process is smooth. I have finished the integration and released my app on HUAWEI AppGallery. The users can now receive notification messages.

But now I've found the following problem relating to push data:

With FCM, I can use BigQuery to further analyze message push data, such as the number of sent messages and the number of received messages. For example, I can execute the following statement to collect statistical data on the number of sent messages by app:

SELECT app_name, COUNT(1)
FROM `project ID.firebase_messaging.data`
WHERE
  _PARTITIONTIME = TIMESTAMP('date as YYYY-MM-DD')
  AND event = 'MESSAGE_ACCEPTED'
  AND message_id != ''
GROUP BY 1;

I read the HUAWEI Push Kit documents but did not find a function similar to BigQuery.

However, I found the message receipt, which can also be used for collecting statistical data. Therefore, I developed a receipt API and configured it on the Push Kit console. After testing, I can now receive the push data.

Now, when I plan to release my app, I need to verify the caller because the message receipt API is publicly available on the public network. How can I verify the caller to prevent malicious API calling?

HUAWEI Push Kit's message receipt function allows user names and passwords to be set for identity verification. You can use this function to prevent malicious API calls. The process is as follows:

  1. Set the user name and password when configuring the message receipt on the HUAWEI Push Kit console.
  2. When Huawei calls your receipt API, the X-HUAWEI-CALLBACK-ID parameter is added to the HTTP header. The parameter value consists of the following parts:

     a. timestamp: UTC timestamp of the system.

     b. nonce: random UUID.

     c. value: string finally obtained after the to-be-encrypted string (consisting of the value of timestamp, the value of nonce, and the callback user name) is encrypted with the set password using the HMAC-SHA256 algorithm and then encoded using Base64.

     For example:

     timestamp=1563105451261;nonce=a07bfa17-6d82-4b53-a9a2-07cfef5ceef1;value=E4YeOsnMtHZ6592U8B9S37238E+Hwtjfrmpf8AQXF+c=

  3. When receiving a request, the receipt API can obtain the value of X-HUAWEI-CALLBACK-ID in the HTTP header to check whether the caller is valid.

For more information, visit Message Receipt.
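The check described in the answer, written out as an added example on the receiving side (this is not Huawei's code or the answer author's). It assumes the signed string is the timestamp, nonce and user name concatenated in that order with no separator, and the `make_callback_id` helper only exists to exercise the verifier; the freshness window and nonce cache are additions against replay of a captured header.

```python
import base64
import hashlib
import hmac


def expected_value(timestamp: str, nonce: str, username: str, password: str) -> str:
    # Assumption: signed string is timestamp + nonce + user name with no separator,
    # keyed with the console password (HMAC-SHA256), then Base64-encoded.
    msg = (timestamp + nonce + username).encode("utf-8")
    mac = hmac.new(password.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_callback_id(timestamp: str, nonce: str, username: str, password: str) -> str:
    # Builds a header in the documented layout; hypothetical helper used only for testing.
    value = expected_value(timestamp, nonce, username, password)
    return f"timestamp={timestamp};nonce={nonce};value={value}"


def parse_callback_id(header: str) -> dict:
    # 'timestamp=...;nonce=...;value=...' -> dict. Partition on the first '=' only,
    # because the Base64 value may end with '=' padding.
    fields = {}
    for item in header.split(";"):
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError("malformed X-HUAWEI-CALLBACK-ID")
        fields[key.strip()] = val.strip()
    if {"timestamp", "nonce", "value"} - fields.keys():
        raise ValueError("X-HUAWEI-CALLBACK-ID is missing a field")
    return fields


def verify_callback_id(header, username, password, now_ms, seen_nonces,
                       max_skew_ms=5 * 60 * 1000) -> bool:
    # True only if the HMAC matches AND the request is fresh and its nonce unused.
    try:
        f = parse_callback_id(header)
    except ValueError:
        return False
    if not f["timestamp"].isdigit():
        return False
    if abs(now_ms - int(f["timestamp"])) > max_skew_ms:
        return False  # stale or future-dated header: reject as a possible replay
    if f["nonce"] in seen_nonces:
        return False  # same nonce seen twice inside the window
    expected = expected_value(f["timestamp"], f["nonce"], username, password)
    if not hmac.compare_digest(expected, f["value"]):
        return False  # constant-time comparison, no early exit on first mismatch
    seen_nonces.add(f["nonce"])
    return True
```

The `seen_nonces` set should be bounded to the freshness window (or backed by a shared cache) when the receipt API runs on more than one instance.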
