
I'm wondering how to ensure security within some scenarios.

Let's say you save your messaging tokens for each device to Firestore as a subcollection 'tokens' under each user, like so: https://youtu.be/2TSm2YGBT1s?t=382

You want to send a message to a user's devices, so you loop through the tokens and send a message to each one of them.

But what if you have previously logged in on someone else's computer or phone? Now the other computer is saved under tokens and if you send a message, it goes to another person's device, which would be:

  1. A security flaw if your payload contains private data (like a chat message)
  2. Annoying for the person whose device is being targeted.
  3. Wasteful: maybe some of the tokens are old and the device doesn't exist anymore.

How can I build a messaging system that works across a user's multiple devices and doesn't have these flaws?

HJo
  • I just saw this https://stackoverflow.com/questions/51238396/how-to-invalidate-expired-firebase-instance-id-token?rq=1 which deals with #3 – HJo Jan 31 '20 at 11:05
  • I was about to answer, when I saw you'd already found my answer to a previous question. :) With that answer, do you have any question left? – Frank van Puffelen Jan 31 '20 at 15:02
  • Yeah - that just deals with point 3, but how don't you still receive messages if logged out? Or does the token become invalid upon logout? My worry is that somebody logs in briefly on somebody else's device and now their notifications are getting sent to that person – HJo Feb 01 '20 at 03:11
  • FCM messages target applications (or more specifically app installations), they don't target users. Any user-specific targeting that you do with FCM, is the result of a mapping you make in your application. If you want to do user-level targeting, delete the token when the user signs out. Also see https://stackoverflow.com/questions/54850853/how-to-get-firebase-user-id-from-fcm-token-in-admin-code-on-server/54853590#54853590 – Frank van Puffelen Feb 01 '20 at 04:26
  • Okay, understood - wasn't sure if deleting from the client was the only way to do it. Thanks Frank! – HJo Feb 01 '20 at 04:30
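The comment thread settles on one rule: a token identifies an app installation, not a person, so the user-to-token mapping must be maintained by the application, with the token written on sign-in and deleted on sign-out, and stale tokens pruned when a send fails. The following is an added example that models that bookkeeping; it is not code from the question, from Firebase, or from the linked answers. An in-memory `Map` stands in for the `users/{uid}/tokens` subcollection and `fakeSender` stands in for the Admin SDK's `sendMulticast` call, returning per-token results in the same `{ responses: [{ success, error }] }` shape. The only real identifier used is the Admin SDK error code `messaging/registration-token-not-registered`; everything else (`TokenRegistry`, the user and token names) is constructed for the example.

```javascript
// Added example: per-user FCM token lifecycle, modelled in memory.
// The store and sender are stand-ins for Firestore and the Firebase Admin
// messaging API; the point is the bookkeeping, which is what decides
// whose device a message lands on.

// Error code the Firebase Admin SDK reports for a token that is no longer
// registered; used here as the signal to prune a stale token (point 3).
const TOKEN_NOT_REGISTERED = 'messaging/registration-token-not-registered';

class TokenRegistry {
  constructor() {
    // uid -> Map(token -> { registeredAt }); stand-in for users/{uid}/tokens
    this.users = new Map();
  }

  tokensFor(uid) {
    return Array.from((this.users.get(uid) || new Map()).keys());
  }

  // Called after sign-in on a device. A device token belongs to exactly one
  // signed-in user, so first detach it from any other user it was mapped to
  // (the "signed in on someone else's phone" case from the question).
  register(uid, token) {
    for (const [otherUid, tokens] of this.users) {
      if (otherUid !== uid) tokens.delete(token);
    }
    if (!this.users.has(uid)) this.users.set(uid, new Map());
    this.users.get(uid).set(token, { registeredAt: Date.now() });
  }

  // Called on sign-out, before the auth session is cleared, so the device
  // stops receiving this user's messages (points 1 and 2).
  unregister(uid, token) {
    const tokens = this.users.get(uid);
    if (tokens) tokens.delete(token);
  }

  // Fan out to every device of one user and drop tokens the sender reports
  // as no longer registered. `send(tokens, payload)` must resolve to
  // { responses: [{ success, error }] } in token order, like sendMulticast.
  async sendToUser(uid, payload, send) {
    const tokens = this.tokensFor(uid);
    if (tokens.length === 0) return { sent: 0, pruned: [] };
    const result = await send(tokens, payload);
    const pruned = [];
    result.responses.forEach((r, i) => {
      if (!r.success && r.error && r.error.code === TOKEN_NOT_REGISTERED) {
        this.unregister(uid, tokens[i]);
        pruned.push(tokens[i]);
      }
    });
    return { sent: result.responses.filter((r) => r.success).length, pruned };
  }
}

// Constructed fake sender: every token succeeds except those in `dead`.
function fakeSender(dead) {
  return async (tokens) => ({
    responses: tokens.map((t) =>
      dead.has(t)
        ? { success: false, error: { code: TOKEN_NOT_REGISTERED } }
        : { success: true }),
  });
}

// Walk through the scenario from the question with constructed names.
async function demo() {
  const reg = new TokenRegistry();
  reg.register('alice', 'alice-phone');
  reg.register('bob', 'bob-laptop');
  reg.register('alice', 'bob-laptop');   // Alice signs in on Bob's laptop...
  reg.unregister('alice', 'bob-laptop'); // ...and signs out again
  reg.register('bob', 'bob-laptop');     // Bob signs back in on his laptop
  reg.register('alice', 'alice-old');    // a device Alice no longer has
  const result = await reg.sendToUser(
    'alice', { text: 'private' }, fakeSender(new Set(['alice-old'])));
  return {
    aliceTokens: reg.tokensFor('alice'),
    bobTokens: reg.tokensFor('bob'),
    result,
  };
}

demo().then((d) => console.log(JSON.stringify(d)));
```

With a real backend, `register` and `unregister` become writes to and deletes from the `tokens` subcollection, and the sign-out path must run the delete before calling the auth sign-out so the Firestore rules still allow the write; `sendToUser` would pass the real `sendMulticast` response through the same pruning loop.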
