Firebase admin is only available for admin or users also to send notification to other users?
Actually i am little bit confused in send notification from one user to another and which data is used like on the basis of user receiver uid or receiver fcm token.
firebaser here
Calls to the FCM API to send messages require that you specify the FCM server key in your code. As its name implies, this key should only be used in server-side code, or in an otherwise trusted environment. The reason for this is that anyone who has the FCM server key can send whatever message they want to all of your users.
So sending messages to users is indeed only possible from a trusted environment, either through the Admin SDK, or the REST APIs. See How to send one to one message using Firebase Messaging for more.
Related
I had used fcm to send notification in my app using api.after some days google send this and removed my app from play store.please help me.
I have tried everywhere not getting exact answer.
Put FCM Key in untrusted environment is a security issue, Any hackers are possible to send message to any user by using FCM key.
FCM key shouldn't exists in your public app like downloaded to your instance, Store in local storage, Hardcode inside application etc.
FCM key should only exists in trusted environment like your server, cloud functions etc.
You can also see this Do I need to protect my firebase Server Key?.
I am already using IDM together with Wilma PEP for access control to Orion.
Now I want to achieve the same for outgoing notificaitons.
Example:
I have an app with users which for example shows devices. The user logs in and authenticates with FIWARE IDM to access the Orion instance.
However, User A should only allowed be to access Device A and only get notifications for this Devices.
In Orion I have a subscription defined which triggers when any Device changes. Now an external system is updating the Device B.
I am currently having a notification endpoint (simple node js app) where the notification from the Device is passed back to the app via websocket.
Is there a way I can prevent sending the notification to User A? Is there a way I can check that notification with PEP and sending it only to the allowed users?
I was thinking of first passing the received auth token from the IDM with the websocket to check if the user is authorized. However, I still don't know how to check to which user I should send the notification. Is there a way I could pass the notificaiton request to the PEP proxy or any other solution?
I have a web application with e.g 1...n users. User(s) logs in use application and logs out.
Now How to achieve if a logged in user say User "A" want to video chat with User "B"?
Does WebRTC shares a sessionId etc to identify which user is sending request and how this request is for specific set of users (Receivers would be only "B" User) ?
No, WebRTC does not provide this kind of authorization. That's because WebRTC relies on an external signaling system.
This kind of authorization you must include it in your signaling system. E.g. if you're using websockets you can use the session from there to authorize, identify and route the message to the appropriate user. And that will depend of course on what platform/technology you're using on the server side.
I am using Microsoft Bot Framework to build a bot that receives messages from a user and then connects to a a banking service he already registered. (In case you don't know Bot Framework, is just a Web Api where you post messages and it answers you according to the behaviour you specified in advance).
So the banking service knows his user and password. And let's say it also knows the user Skype's username, because the bot will be connected to a Skype Channel via Bot Framework Connector.
My question is: how can I authenticate (in the banking service) the user that sending messages to the bot? The idea of this is of course not to make the user send his credentials (user and password) via messages.
Making the bot send a link where the user can write his credentials and then trigger a callback is not an option. I need to make the authorization flow the most transparent I could do it for the user.
The only examples I currently have of Auth involve invoking a browser for the authenticating service where the user can enter their service-specific credentials, such as Mat Velloso's AuthBot sample on github: https://github.com/matvelloso/authbot
I assume your last statement means this isn't a valid option?
I have no interest in authenticating my clients as they are.
I do, however, want to make sure that anyone reaching my FireBase is authorized. Namely, that it's only via my Android app.
Could it be done somehow? I couldn't find any option or alternative in FireBase documentation.
The best approach I see is to have my app signed by a certificate, and aithorize itself using it.
To authenticate your app, use FCM (but regretably, it requires a server code):
Create an anonymous firebase account.
send an FCM message to your server, with the firebase account uid.
the server will create a node such as /uids/$uid/enabled.
have a rule to require it, e.g.:
".read" : "root.child('uids').child(auth.uid).child('enabled').val() == true"
The reason for the FCM message, is that in order to send such a message, the app should be "registered", which means the developer's signing certificate for the app is known. anyone attempting to send such an FCM message and not through your app will fail - even if someone re-sign (and probably modify) your app.
The drawback is, of course, you need your server to receive FCMs - which is very easy on the device, but harder on the server side.