I want to let my customers send push notifications to their users. I am using Firebase Admin SDK for that, which requires the "service-account.json" file. For security reasons this file should not be shared with others. How could I make this feature available to my customers, without sharing any "secret" information?
Asked
Active
Viewed 146 times
1 Answers
1
If you want to allow your users to send push notifications, you'll have to make a custom API endpoint that you can call from the application they use. It's quite common to use Cloud Functions or Cloud Run for this, but any trusted environment you may already have can work too.
By running the code that sends the message in an environment only you can access, allows you to securely use the Admin SDK that has full administrative access to your Firebase project.
Then when this code gets a request from a user running your app, it needs to check whether this user is authorized to send this message to the user(s) they are trying to send this to. Exactly how to check authorization depends on your app, but some things to consider:
- Is any user allowed to send a message to any other user, or is there some mechanism where they opt-in to receiving messages from each other?
- Can any message be sent, or is there some mechanism that validates the messages, for example by detecting whether any foul language is used?
These are just some examples of the types of checks you might want to do, and the actual list completely depends on your app and its use-cases.
Frank van Puffelen
- 565,676
- 79
- 828
- 807
-
Ok, but is there any other way like using permissions? Because I don't really want to provide an API. – H.Gndgn Jun 17 '22 at 12:26
-
1There is no other way to do this with the FCM API. Also see https://stackoverflow.com/a/37993724. – Frank van Puffelen Jun 17 '22 at 12:36