Given a FCM sender id, can any one send msg to our server?

Question

In our use case, we need to use multiple sender id to send msg to server. According to this link, I successfully send msg to our server using multiple sender id.

What confuse me is that if I can send msg to the server only given a sender id, any others with the sender id can send msg to our server too. Does it harm?

Test env: sender id A configured in google-service.json, sender id B used to send msg to server and it works.

could any one tells me why this is not a good question? – Jekton Apr 12 '19 at 08:40 — Jekton, Apr 12 '19 at 08:40

score 1 · Answer 1 · answered Apr 12 '19 at 09:17

As far as I know that's not possible to send FCM message only with sender id. You need to send your server key in the HTTP POST request header as a Authorization key. According to this link a sample FCM POST request is as follows.

https://fcm.googleapis.com/fcm/send
Content-Type:application/json
Authorization:key=AIzaSyZ-1u...0GBYzPu7Udno5aA

{ 
   "data": {
      "score": "5x1",
      "time": "15:10"
},
  "to" : "bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1..."
}

If anyone has the server key than they can send FCM to your sever

I use the java api and the only param specified is sender id (say, send msg to sender_id@gcm.googleapis.com) — Jekton, Apr 12 '19 at 10:09

score 0 · Accepted Answer · answered Apr 16 '19 at 08:41

From FCM support:

After discussing with our engineers, it seems that FCM doesn't have an authorization mechanism for upstream messages. We will be working on a fix for this, although we can't share any timelines for now as to when the fix with be available. You may keep an eye out on our release notes for further updates.

It is a bug of firebase

Given a FCM sender id, can any one send msg to our server?

2 Answers2