What characters can the firebase notification token consist of?
The official docs are not revealing much about the possible characters of the token: https://firebase.google.com/docs/cloud-messaging/concept-options#credentials
Im suspecting that my app's security is blocking certain tokens, as Im seeing these kind of log messages on my backend:
The request was rejected because the URL contained a potentially malicious String ";"
Can the tokens consist ';' characters?
The format of an FCM token is unspecified by the API contracts, so you should not try to rely on specifics here as they can change over time without notice. You should treat these as general strings and properly escape them if you pass them in a URL format.
Currently, the characters include base 64 encoded strings concatenated with a :, so the character list includes A-Za-z0-9+/=: (again, this could change at any time, don't try to rely on this in your code).
Not the question you asked, but it seems unlikely this is the root cause of your error. If you can produce a minimal repro of the problem and show some evidence it's caused by the FCM services and not a coding error, might be worth submitting a bug through support.
A notification Token should consist of AlphaNumeric characters with dashes. The error is reporting that the URL itself contained a malicious character but does not say from where.
I would introduce a catch that will encode the URL and its payload into an encoded URL string and save it for further investigation, preferably a realtime database bucket dedicated to it.
You can then decode the URL to ensure that the URL and payload was safe and nothing else is going wrong.
