How to send a firebase message to topic from Android

Question

I want to send a message to FCM topics from within my Android app. Sending the message through the Firebase console is working well, but once a user executes a particular action, I want a message to be sent to all other users who have subscribed to a particular topic.

In the documentation there is this code:

// The topic name can be optionally prefixed with "/topics/".
String topic = "highScores";

// See documentation on defining a message payload.
Message message = Message.builder()
.putData("score", "850")
.putData("time", "2:45")
.setTopic(topic)
.build();

// Send a message to the devices subscribed to the provided topic.
String response = FirebaseMessaging.getInstance().send(message);
// Response is a message ID string.
System.out.println("Successfully sent message: " + response);

I can't figure out from which class Message is. It is obviously not RemoteMessage.

Answer 1

You can do it by Volley and FCM API

here an example to send notification from user to "newOrder" Topic and have title and body

RequestQueue mRequestQue = Volley.newRequestQueue(this);

        JSONObject json = new JSONObject();
        try {
            json.put("to", "/topics/" + "newOrder");
            JSONObject notificationObj = new JSONObject();
            notificationObj.put("title", "new Order");
            notificationObj.put("body", "New order from : " + phoneNum.replace("+", " "));
            //replace notification with data when went send data
            json.put("notification", notificationObj);

            String URL = "https://fcm.googleapis.com/fcm/send";
            JsonObjectRequest request = new JsonObjectRequest(Request.Method.POST, URL,
                    json,
                    response -> Log.d("MUR", "onResponse: "),
                    error -> Log.d("MUR", "onError: " + error.networkResponse)
            ) {
                @Override
                public Map<String, String> getHeaders() {
                    Map<String, String> header = new HashMap<>();
                    header.put("content-type", "application/json");
                    header.put("authorization", "key=yourKey");
                    return header;
                }
            };


            mRequestQue.add(request);
        } catch (JSONException e) {
            e.printStackTrace();
        }

Replace yourKey with server key in your project in firebase

---

UPDATE : as @frank say in correct answer You will always need a server (or otherwise trusted environment) to hold yourKey and make it not public

so this answer is already work and can send notifications from android to topic or token

but if anyone take your key can send also to your apps notifications in any time so i suggest to use firebase functions or any service on your server just make sure your key in trusted environment and not reachable

also when get key there two type : 1 - Server key 2 - Legacy server key

like firebase say below also i suggested to use first because is more flexible to change or deleted

Firebase has upgraded our server keys to a new version. You may continue to use your Legacy server key, but it is recommended that you upgrade to the newest version

Answer 2

There is no way to securely send messages directly from one Android device to another device with Firebase Cloud Messaging. You will always need a server (or otherwise trusted environment) to do that. See this docs section showing how messages are sent and my answer. here: How to send one to one message using Firebase Messaging.

The code sample you shared is using the Admin SDK for Java to send a message, which is meant to be run in a trusted environment. It can't be used in your Android app.

Answer 3

Refer this link.. You can do what you need via this official google documentation.

But I can show you an example that I wrote via AndroidFastNetworking library:

        JSONObject dataJsonObject = new JSONObject();
        dataJsonObject.put("anyDataYouWant":"value");

        try {

            bodyJsonObject.put("to", "/topics/topic");
            bodyJsonObject.put("data", dataJsonObject);
            
        } catch (JSONException e) {
            e.printStackTrace();
        }
        
        
        
        
        AndroidNetworking.post("https://fcm.googleapis.com/fcm/send")
                .setContentType("application/json; charset=utf-8")
                .addJSONObjectBody(bodyJsonObject)
                .addHeaders("Authorization", "Your Firebase Authorization Key with 'key=' prefix:  ("key=AAAAjHK....") ")
                .setPriority(Priority.HIGH)
                .build()
                .getAsJSONObject(new JSONObjectRequestListener() {
                    @Override
                    public void onResponse(JSONObject response) {
                        Toast.makeText(context, "Success", Toast.LENGTH_SHORT).show();
                    }
                    
                    
                    @Override
                    public void onError(ANError anError) {
                        Toast.makeText(context, "Error: " + anError.toString(), Toast.LENGTH_SHORT).show();
                    }
                });

Answer 4

Here's an implementation using OkHttp 4.x and Kotlin:

// create the payload
val payload = JSONObject()
    .put("key", "value")       

// create the request body (POST request)
val mediaType = "application/json; charset=utf-8".toMediaType()
val requestBody = JSONObject()
    .put("to", "/topics/my_topic")
    .put("data", payload)
    .toString().toRequestBody(mediaType)

// create request
val request = Request.Builder()
    .url("https://fcm.googleapis.com/fcm/send")
    .post(requestBody)
    .addHeader("Authorization", "key=${server_key_please_replace}")
    .addHeader("Content-Type", "application/json")
    .build()

// execute the call
val response = OkHttpClient().newCall(request).execute()
val responseBody = response.body?.charStream()?.readLines()
val httpCode = response.code

// error handling goes here, it's an error if the http response code is not 200
// or if the responseBody contains an error message like
// [{"multicast_id":2633602252647458018,"success":0,"failure":1,"canonical_ids":0,"results":[{"error":"InvalidRegistration"}]}]

Security Considerations

It's not recommended to use the server API key on client side since the key can be extracted by an attacker and then used to send messages on behalf of the key owner (that would be you). I would however argue that the risk is quite low under certain circumstances:

• Notification messages: the ability to send notifications to all app users is only a risk if those messages can do harm. In my case it's not possible to surface notifications because the app only processes data messages.
• Data messages: in my case the app accepts specific topics but only when they are sent from the same user id (I use FCM to sync data for the same user across multiple devices). Without knowing all user ids an attacker could not even send messages. The user ids are impossible to retrieve because they are stored on the device and the user's Google Drive only so unless the Google Drive service as a whole is compromised this is a theoretical risk. On top of that, the data messages are harmless in my case.
• The only real risk I see is that an attacker can launch a DOS attack so that Google shuts down access to FCM for your app. If FCM is business critical for your app then that's a real threat. BUT preventing the same attack against your backend API isn't trivial. If you have an API to send messages, that API needs to be protected. Having an endpoint to send messages might protect the FCM key but won't protect against a DOS attack per se. If users are not authenticated (in many apps they aren't) then providing that protection is a non trivial task (bot manager solutions are expensive and implementing mTLS between client and server isn't simple).

To summarize: while it's not recommended to use the server API key on client side, depending on the use case, the security risk is very low. Many apps can't afford to run a backend service just for that one functionality so I would argue using the server key client side can be justified in some cases.