Reputation: 1
In FCM (Firebase cloud messaging), is it safe to include token in the notification?
When sending push notification to an Android device using FCM, is it safe to include token in the notification body? Will this somehow violate security/privacy or GDPR?
In the firebase documentation (https://firebase.google.com/docs/cloud-messaging/concept-options), their example includes notification token in the notification:
{
"message":{
"token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
"notification":{
"title":"Portugal vs. Denmark",
"body":"great match!"
}
}
}
Instead can we do something like this?
{
"message":{
"token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
"notification":{
"token":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
"title":"Portugal vs. Denmark",
"body":"great match!"
}
}
}
If there is nothing wrong with including token in the notification, I was hoping I could include the token in the notification for client side check to filter receiving notification from expired token (token isn't always invalidated right away. At least in GCM it isn't)
NOTE: The reason I'm doing this is because when user uninstalls and reinstalls the app, the old token can still be active. Until Firebase's cron job goes and deletes old token, the old token can still be used. This is a problem if you have a separate server maintaining tokens. So I was hoping I could just include token in the notification to filter invalid notifications and invalidate old token on our private server.
Upvotes: 0
Views: 1444
Answers (1)
Reputation: 5589
In the example the token is being sent in the message, not in the notification. The notification is also part of the message.
The message is sent to the FCM server where, using the token, it will know to whom direct the notification.
About including the token in the notification, I would not do that.
Besides, the mobile device already has the token that has been sent to it when the device registered with FCM. And if the device hasn't registered for any reason, like an uninstall, then even if you add the token to the notification, it will not reach the device.
EDIT I
You won't be able to add a token in the notification that way (as an additional attribute).
See how the json message has to be formed in the fcm docs. If there is a place you could set it (which I don't recommend doing) is as part of the data.
The reason not to include it is that there is no reason to do so:
The Token is not managed by your app, it is managed by the FCM server. You just need to take care of updating your server when the Token changes, in which case, the FCM api lets your app know by triggering a callback in the app (onTokenRefresh()). When you do this, you keep a copy of the token in shared preferences.
Following last point, the app already has the token. Sending it in each notification, if it gets to the mobile device, it is because it is still valid, so you already have it in shared preferences. On the other hand, if the token is invalid, then the message won't be received, and the app will never be aware about this. Things will come back to normal when the FCM server provides a new Token to the app. In which case the app is notified with a callback, and your app replaces the token in shared preferences and updates your server.
Upvotes: 2
Related Questions
- Are FCM tokens specific to an App or a Device?
- Firebase FCM token as security token for Android
- Is it safe to expose fcm token or notification key?
- What is FCM token in Firebase?
- FCM Token Issue
- Use GCM Token for push messages in FCM
- Token update in FCM
- iOS push notification using Firebase FCM tokens
- Store token for FCM
- Is there any use of Device Token while integrating FCM for push notification in iOS?