Web Push unique device ID for auth-only subscriptions

Question

In my web app I need to send web push notifications only to logged in users, but in all of their devices, so, I prompt for notifications only if user is logged, and store his subscription in my database: endpoint, auth and p256dh key, along with the user id.

But this happens for each user's device, so he could be logged in multiple devices and be stored multiple times with different endpoints and keys. So, in my db, I have those rows:

USER_ID 1, and all his PC's subscription keys
USER_ID 1, and all his mobile's subscription keys

Now, I want that, when the user is logging out, the subscription on the device on which he logged out is removed from db, but to do that I need to know which subscription belongs to which device. The problem is: I can't just know it.

I can't do it by storing the device's IP, because it's the same network and makes no sense, as IP can be dynamical.

I can't do it by user agent, because the user agent could just be edited manually, and also a user could have two identical devices with the same user agent.

I can't do it by storing it in device's local storage, because I need older browsers support.

I can't do it by storing it in cookies, because people could just remove that cookie and I won't know which token should I use.

What should I do? Is there a way to uniquely identify a user in JS without generating an ID myself? Like, idk, accessing a device ID. Or do you have other ideas?

Answer 1

When a user logs out from a device, you can read the push endpoint, and send it to the server for removal.