I got my Firebase Cloud Messaging registration token for web push. And I sent this to my server to save in database for later push. But how can I verify this token is valid or fake?
I have tried this but I think this is for Auth tokens not for web push.
Someone else can send request of a random fake token to my server. I want to prevent this before save in db.
Edit: It's solved and I wrote a simple class to use FCM for web push quickly. https://github.com/emretekince/fcm-web-push
When sending to an invalid registration token, you'll should receive 200 + error:InvalidRegistration:
Check the format of the registration token you pass to the server. Make sure it matches the registration token the client app receives from registering with Firebase Notifications. Do not truncate or add additional characters.
This is the response when you try to send a simple cURL request where the registration token is just randomly made:
curl --header "Authorization: key=$[your_server_key_here]" \
--header Content-Type:"application/json" \
https://fcm.googleapis.com/fcm/send \
-d "{\"registration_ids\":[\"ABC\"]}"
Notice that I added in "ABC", in the registration_ids parameter. If ever it is a valid registration token, but is not associated to your project, you'll probably receive 200 + error:NotRegistered.
You can try sending a test message from your server to see the response without sending an actual message towards the device by using the dry_run parameter:
This parameter, when set to true, allows developers to test a request without actually sending a message.
If anyone using firebase Admin SDK for node.js, there is no need to manually send the request using the server_key explicitly. Admin SDK provide sending dry_run push message to verify the fcm_token.
function verifyFCMToken (fcmToken) => {
return admin.messaging().send({
token: fcmToken
}, true)
}
Use this method like following
verifyFCMToken("YOUR_FCM_TOKEN_HERE")
.then(result => {
// YOUR TOKEN IS VALID
})
.catch(err => {
// YOUR TOKEN IS INVALID
})
You can use following function
public Boolean isValidFCMToken(String fcmToken) {
Message message = Message.builder().setToken(fcmToken).build();
try {
FirebaseMessaging.getInstance().send(message);
return true;
} catch (FirebaseMessagingException fme) {
logger.error("Firebase token verification exception", fme);
return false;
}
}
One way is to send a message with the dry_run option = true, as is described by AL. in the other answer.
Another way is to use the InstanceId server API:
https://developers.google.com/instance-id/reference/server
According to the docs, you can use validate_only for testing the request without actually delivering the message.
https://firebase.google.com/docs/reference/fcm/rest/v1/projects.messages/send
You can refer to doc for using HTTP v1 of the firebase endpoint URL
After that, you could use this request body with "validate_only": true for testing the request without actually delivering the message.
{
"validate_only": true,
"message": {
"token": "your fcm token"
}
}
With go and adminsdk account credential
ctx := context.Background()
opt := option.WithCredentialsJSON([]byte(credential))
app, err := firebase.NewApp(ctx, nil, opt)
if err != nil {
t.Error(err)
}
msg := &messaging.Message{
Notification: &messaging.Notification{
Title: "Hi",
Body: fmt.Sprintf("Welcome at %d", time.Now().Unix()),
},
Token: pushToken,
}
fcmClient, err := app.Messaging(ctx)
run, err := fcmClient.SendDryRun(ctx, msg)
if err != nil {
t.Error(err)
}
fmt.Println(run)
