
I'm developing an Android app that involves Firebase Cloud Messaging. My messages consist of notifications with data payload, and are sent to the Firebase server by means of a node.js script. This setup is very similar to what is explained in this Firebase blog, but one difference is that I do not make use of topic subscription, but rather send my messages directly to a user, identified by the Firebase InstanceID token. I keep track of this token for each user in my Firebase database.

This setup works, but when a user logs out of my Android app (for example because another user wants to log on using the same device), I have to prevent receiving notifications for the user that just logged off.

I was planning to get a new token when a user logs on:

FirebaseInstanceId.getInstance().getToken();

and release it when that user logs off. However, this is the point where I got lost. In the documentation, I found the command to delete the token:

public void deleteToken (String authorizedEntity, String scope)

but I can't figure out what the strings "authorizedEntity" and "scope" should contain. Can someone point me in the right direction, or am I on the wrong track altogether by deleting tokens (I could hardly find any related questions, which surprised me)?

Cuculus
  • This may help you. https://developers.google.com/instance-id/guides/android-implementation But based on old GCM implementation – Subin S V Jan 14 '17 at 16:29

1 Answer


The Firebase Instance ID token identifies an installed instance of your application. Trying to change its meaning is a recipe for headaches.

You should not use it to identify a user. So unless the user uninstalls the app (in which case the token is automatically deleted), you should not try to delete the token when the user logs out.

If you want to stop sending notifications to a user-on-a-device once they sign out, you should track that in your database: "user A is using token B".

UserTokens
  UserA: "tokenB"

Then you can clear that data when the user signs out: "user A is no longer using a token".

UserTokens
  UserA: ""

Then when user B signs in to the same app on the same device, they'd get the same token:

UserTokens
  UserB: "tokenB"
Frank van Puffelen
  • I was clearly trying to use the InstanceID token the wrong way. I'll follow your advice and implement user tracking as you suggested, thanks! – Cuculus Jan 14 '17 at 17:54
  • IMHO not great advice. Imagine the UserCEO logs out when the device is off-line, the server will not be notified, she passes the device to the UserSysAdmin. UserSysAdmin enjoys receiving the informative push notifications intended for the CEO. The security team finds out and hints the Programmer's boss to reconsider his (your) employment. Conclusion: delete the registration token on the client side (in addition to the server side disassociation). – Jacob Eckel Oct 17 '17 at 09:32
  • So, Frank, is this a serious objection, and should I worry about re-using the same token for different users on the same device? – Cuculus Dec 24 '17 at 12:08
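
The "user A is using token B" bookkeeping from the answer above, as an added example for the node.js sender (not code from the answer or from Firebase): a plain in-memory Map stands in for the UserTokens node, and every function name is hypothetical. It goes one step beyond the answer by also unbinding the previous user when a different user signs in with the same token, which covers a sign-out that never reached the server.

```javascript
// Added example: in-memory stand-in for the UserTokens node in the database.
// All names (createUserTokens, signIn, signOut, tokenFor) are hypothetical.
function createUserTokens() {
  const tokenByUser = new Map(); // userId -> instance ID token
  const userByToken = new Map(); // instance ID token -> userId (reverse index)

  function signOut(userId) {
    const token = tokenByUser.get(userId);
    if (token === undefined) return false; // nothing to clear
    tokenByUser.delete(userId);
    // Only drop the reverse entry if it still points at this user.
    if (userByToken.get(token) === userId) userByToken.delete(token);
    return true;
  }

  function signIn(userId, token) {
    if (typeof token !== 'string' || token === '') {
      throw new TypeError('token must be a non-empty string');
    }
    // Same device, different user: the token stays the same, so the previous
    // owner's binding must go, even if their sign-out never reached the server.
    const previousUser = userByToken.get(token);
    const displaced = previousUser !== undefined && previousUser !== userId;
    if (displaced) tokenByUser.delete(previousUser);
    // This user moved to another device: release the token they held before.
    const previousToken = tokenByUser.get(userId);
    if (previousToken !== undefined && previousToken !== token) {
      userByToken.delete(previousToken);
    }
    tokenByUser.set(userId, token);
    userByToken.set(token, userId);
    return displaced ? previousUser : null;
  }

  // The sender looks the token up right before each send; null means do not send.
  function tokenFor(userId) {
    return tokenByUser.has(userId) ? tokenByUser.get(userId) : null;
  }

  return { signIn, signOut, tokenFor };
}

// Constructed sample run, using the names from the answer above.
function demo() {
  const store = createUserTokens();
  store.signIn('UserA', 'tokenB');
  const displaced = store.signIn('UserB', 'tokenB'); // UserA never signed out
  return { displaced, a: store.tokenFor('UserA'), b: store.tokenFor('UserB') };
}
```

The sender should call `tokenFor` at send time instead of caching tokens, so a cleared or moved binding takes effect on the next message.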