I am trying to use Delphi (10.3.2) code to send push notifications to specific Android devices, but can't figure out how to do it properly.
The tutorials and guides I have looked at only provide help for receiving notifications (which works very nicely), but in all of them the notifications are sent directly via the Firebase console.
Is it possible to accomplish this directly in Delphi?
Sending messages to devices through Firebase Cloud Messaging requires that you call the FCM versioned API and specify the so-called FCM Server Key. As its name implies, this key should only be used on trusted environments, such as your development machine, a server you control, or Cloud Functions. The reasons for this is that anyone who has the FCM Server Key for your project can send notifications to all users of your app. So you'll not want to include this key and functionality directly in your application code.
The common approach is to set up a server-side endpoint (e.g. a self-defined API that you create on something like Cloud Functions or your existing server), and call that from your application code. The server-side code can then ensure that the user is authorized to send notifications to the folks that are targeted, and call the relevant FCM API to send the messages to the devices.
This FCM API for sending messages comes in a few flavors. I'd first consider if there's an Admin SDK for your platform, as that's the easiest way to make this work. If there is no Admin SDK, you can make HTTP calls to the v1 API directly.
Related
I am currently setting up a Firebase Cloud Messaging project. When adding apps to this project some credentials are automatically generated by FCM, e.g. the Server key as well as Android and iOS client keys.
For Android, I can download and use the google-services.json file to setup the client, i.e. registering for an FCM token and receiving push messages. But how do I restrict this so only my app can receive these messages?
I thought it would be the (auto created) Android client API key, so to test I've put an incorrect package name and SHA fingerprint in restrictions for the key. No effect, can still receive messages.
I then tried removing the API key as well as oauth client info completely from the google-services.json file, to confirm that the device then would not be able to receive messages. No effect, can still receive messages. All client info seems to be completely ignored, except for the app id (and the general project info).
So, I am really wondering what prevents reverse engineering of an app to extract the app id and general project info, and then receiving push messages in an entirely different app? I don't understand why the Android client API key, etc. is included in the google-services.json file, or why they are even created, if it is not used.
All the information in google-services.json is essentially configuration data that your app uses to find the Firebase services on Google's servers. You should not rely on knowing it, or lack of knowing it, as a security mechanism.
Instead you should send your messages in a way that ensures they are delivered only to the targeted recipients. A large part of this is sending messages to specific FCM Instance ID tokens. Firebase's Instance ID tokens are unguessable. Initially this registration token is only known on the client-side device where it is generated, and that device determines who to share it with.
By ensuring your client-side code only shares the token with your own server-side code, which then use it to target FCM messages, you can create a completely safe delivery environment where you fully control who can receive each specific message.
On the other side of this are FCM topics, which are a simpler mechanism for delivering messages to groups of users. Since any client can subscribe to any topic that it knows the ID of, topics should be used for delivering messages that require less securely targeted delivery.
I've been in contact with Firebase Support over the past week to shed light on this. It seems there is an important difference between the now deprecated Google Cloud Messaging (GCM) and Firebase Cloud Messaging (FCM), and it is currently not well documented.
With GCM it was possible to use and restrict e.g. the Android client API key with a package name and a SHA fingerprint. This is no longer possible with FCM. The keys are auto created when you add apps to your project in the Firebase console, and included in the google-services.json file, and you can add the restrictions to these under Credentials in APIs & Services, but it will not have any effect.
Please also note that the SHA fingerprint you can add in the Firebase project is only for Firebase Invites or Firebase Dynamic Links.
Be careful and have this in mind when you decide what to use the messaging service for, or when you migrate from GCM to FCM.
There is a feature request for this at Firebase but they currently have no timeline. There also a request now for an update of their documentation regarding this issue.
I am currently developing an Android app and I would like to include Firebase Cloud Messaging.
I was planning to have a Raspberry Pi checking a website every 5 Minutes or so and sending push notifications when something changed.
In the official documentation they say that I need an 'app-server' in order to send messages via Firebase.
Does that mean I need to have my Raspi up and running as a server 24/7 and need a static IP / Domain for it?
Or is it enough to have my Raspi send the message via the Api (https://fcm.googleapis.com/fcm/send) as I only need downstream messages?
Any help and explanation would be highly appreciated as I can't find a definite answer in any thread or documentation.
You don't as such need an app-server for just one device. If you have some sort of internet connectivity on your Raspberry Pi device, all you need to do is make a request to the firebase API.
Firebase (Google servers) will handle the rest by pushing notifications to all the registered devices.
Sending downstream messages (messages to devices) requires that you specify the FCM server key. This key allows sending FCM messages on your behalf, so should only be used on environments you trust.
Typically this means a server that you control. But the recently launched Cloud Functions for Firebase can also serve as such a trusted environment. After all: only developers who have access to your Firebase project can access your Cloud Functions code, and those developers can already send messages using the Notification panel in the Firebase console.
Any device you control in your own environment is also fine as a trusted environment. It doesn't have to have a fixed IP address, since the FCM server typically receives its instructions through XMPP or (more commonly these days) through the Firebase Database. Both of these approaches initiate the connections from the trusted device to Google's servers, so can run without accepting incoming connections.
You don't need any server to implement FCM.
I want to send push notification using firebase from my admin panel web page to the android phones registered in firebase database. I have tried sending notifications using PHP and mySQL but want to use firebase only to send notification. I have also tried sending notification from firebase console to android devices. But I want to use the firebase API to send notification from web to android devices.
Firebase Notification is a panel in the Firebase Console, where you can send messages to specific devices, device groups, topics and audiences. It cannot send messages to Web users (yet). There is no public API for Firebase Notifications.
There is an API for Firebase Cloud Messaging, on top of which Notifications is built. FCM support most ways of sending messages: specific devices, device groups and topics. It also supports sending to all platforms: iOS, Android and Web.
But sending messages to devices through FCM always requires that you specify the FCM Server Key. As its name implies, this key should only be used on trusted processes. The most common way to run a trusted process is to run it on your app server (for example using PHP code that runs on a hosted server). But you can also run it on your own machine. Firebase recently released Cloud Functions for Firebase, which allows you to run JavaScript functions on Google's hardware. Sending FCM messages is one of the documented use-cases for Cloud Functions for Firebase.
I am new to android development,I am working on push notification app now and trying to get overview of concepts about GCM and got stuck with one of the concept about use of "endpoint".
I am going through below google developer link:
https://developers.google.com/eclipse/docs/endpoints-addgcm
they have given something like this
Google Cloud Messaging (GCM)allows your Cloud Endpoints to send
notifications to registered Android devices whenever the state of a
resource changes. For example, suppose a user uses a Note application
from 2 devices: Device A and Device B. If the user is adding a note
from Device A. Google Cloud Messaging can be used in the Cloud
Endpoint for the insert operation to ping Device B to indicate that a
note has been added.
my questions are
1>> Is GCM itself an endpoint?or it is a separate entity?
2>> how to interact with 3rd party app server without using endpoint for server and client?
Thanks in Advance!
GCM and Cloud Endpoints are separate and unrelated Google services (though one possible source of confusion is that the term 'endpoint' is often also used in more generic ways).
Endpoints is a service for creating public API's for GAE app's. It can make it easier to create the API's that will allow your clients to communicate with your GAE app, particularly if those clients are iOS, Android, or Web apps (the supported client types), and if you want to use OAuth2 authentication for the apps or their users.
GCM is for waking up, and pushing data to, your apps on those same platforms. It is true that your server app will probably use both GCM and Endpoints, they are separate and unrelated.
I read about Google Cloud Messaging at http://developer.android.com/google/gcm/gcm.html.
It supports Third Party Application server to Android application push notification.
I am wondering whether it is possible to implement the same thing push/receive notification from an Android app on one mobile to the same Android app on another mobile using Google Cloud Messaging.
If not, is there any other free service available similar to Google Cloud Messaging?
An Android device can send a GCM message to another Android device. All it needs is the API Key (of the Google API Project ID that the app uses to register to GCM) an the Registration ID of the other device. Using these parameters it can send a GCM message to another device via an HTTP request.
Usually applications that use GCM require a 3rd party server in order to store the Registration IDs of all registered devices. If your app has a different way to let devices share their Registration IDs with each other without requiring a server, you don't need the server.
As far as I'm aware, there has to be a server in the middle to send the push notifications (Android -> Personal Server -> GCM Server -> Android)
So the Android device sending the notification would send some data to a script on the server (using a HTTP GET/POST), and that script would then send the push notifications to all the devices that you wanted it to
Following the example Code from google (GCM Client Example), you can build an app to get a registration ID for your device, but sending messages without a server wouldn't work in my opinion. I didn't tried by now, but what about using the Google Backend Starter, or (what I tried) using a Backend as a Service Provider like apiOmat if you can't afford or don't want to set up a server.