3

I want to generate messages from clients on my site, and send messages to a target device. It's simple with an ajax(jquery) request like this:

$.ajax({
    url: 'https://fcm.googleapis.com/fcm/send',
    type: 'POST',
    contentType: "application/json",
    dataType: 'json',
    data: JSON.stringify({
        "notification": {
            "title": title,
            "body": msg,
            "sound": "default"
        },
        "to": "XXXXXXXXXXXX"
    }),
    beforeSend: function(xhr) {
        xhr.setRequestHeader('Authorization', 'key=YYYYYYYYYY');
    }
});

But, then don't I need to keep the XXXXXXXXXXXX device key, and YYYYYYYYYY API key private? If not, I'm worried people start scraping these up and spamming from totally unrelated services?

johnb003
  • 1,821
  • 16
  • 30
  • 1
    I realize I could send a request to an app server to send this message and keep the keys private, but I thought a major feature of firebase is that it prevents needing to use your own backend. In general I am not sure how you can have both. – johnb003 Jan 11 '17 at 20:19
  • In case anyone finds this, now there is an answer! https://firebase.google.com/docs/functions/ – johnb003 Mar 16 '17 at 00:11

1 Answers1

7

This is definitely not secure. The key that you're passing into the Authorization header is called a server key, since you're only supposed to use it on an app server (or in some other process that you directly control).

If you put this same key in code that runs on every client's device, it means that malicious users can (and thus will) be able to copy your server key and use that to send messages to your app's users on your behalf.

The Firebase Cloud Messaging documentation explains this in its section on FCM Server roles. We also have a blog post that explains how to send device-to-device messages on Android using Cloud Messaging, the Realtime Database and a Node.js script on your back-end, app server.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807