I have integrated GCM on client also made its Server side component. Every thing was working fine, I was able to send push notification from server to all the registered client. I am using google App engine as my server.
Problem came when:
I changed the API Key on server.
Earlier I was using my personal GMail account to get API Key and all other access was through my account. Just before pushing the application live I moved the server to Production account and also changed the IDs as per production Ids. By Id I mean API Key, project ID, Production Keystore etc. Now the issue is when I want to send Push notification on Server I am getting URL Exception "HTTP Error 401: Unauthorized"
I tried doing:
- Deleting my older Ids.
- Deleting Old Public API access keys.
The same code works fine if I try to send Push notification from my old Server.
Does it has something to do with : Project package name and API key... which gets registered once can only be used....If yes How to delete that without changing the client project package name.
Please help we cannot go live with Old Server.
Check if ports 5228-5230(GCM ports) are open in the new server. It could be the problem.
The issue can be beacause you are using the old server api key for the new server as well. For sending the push notification from server side, you need the api key generated with the help of server's public IP address.
If it is testing purposes, make sure your server API key on the google console has the relevant ip addresses in the whitelist:
0.0.0.0/0
::/0
These are for ipv4 and ipv6 ips
Since this is an older question that was never answered but still gets views, I'll post here that this issue may have been obsoleted as the Cloud Console has gone through a couple of iterations since then.
Also, Google Cloud Messaging has been superseded by Firebase Cloud Messaging. New projects should use FCM, and existing projects are encouraged to upgrade in order to benefit from new features.
Firebase Cloud Messaging
https://firebase.google.com/docs/cloud-messaging/
Related
I am currently setting up a Firebase Cloud Messaging project. When adding apps to this project some credentials are automatically generated by FCM, e.g. the Server key as well as Android and iOS client keys.
For Android, I can download and use the google-services.json file to setup the client, i.e. registering for an FCM token and receiving push messages. But how do I restrict this so only my app can receive these messages?
I thought it would be the (auto created) Android client API key, so to test I've put an incorrect package name and SHA fingerprint in restrictions for the key. No effect, can still receive messages.
I then tried removing the API key as well as oauth client info completely from the google-services.json file, to confirm that the device then would not be able to receive messages. No effect, can still receive messages. All client info seems to be completely ignored, except for the app id (and the general project info).
So, I am really wondering what prevents reverse engineering of an app to extract the app id and general project info, and then receiving push messages in an entirely different app? I don't understand why the Android client API key, etc. is included in the google-services.json file, or why they are even created, if it is not used.
All the information in google-services.json is essentially configuration data that your app uses to find the Firebase services on Google's servers. You should not rely on knowing it, or lack of knowing it, as a security mechanism.
Instead you should send your messages in a way that ensures they are delivered only to the targeted recipients. A large part of this is sending messages to specific FCM Instance ID tokens. Firebase's Instance ID tokens are unguessable. Initially this registration token is only known on the client-side device where it is generated, and that device determines who to share it with.
By ensuring your client-side code only shares the token with your own server-side code, which then use it to target FCM messages, you can create a completely safe delivery environment where you fully control who can receive each specific message.
On the other side of this are FCM topics, which are a simpler mechanism for delivering messages to groups of users. Since any client can subscribe to any topic that it knows the ID of, topics should be used for delivering messages that require less securely targeted delivery.
I've been in contact with Firebase Support over the past week to shed light on this. It seems there is an important difference between the now deprecated Google Cloud Messaging (GCM) and Firebase Cloud Messaging (FCM), and it is currently not well documented.
With GCM it was possible to use and restrict e.g. the Android client API key with a package name and a SHA fingerprint. This is no longer possible with FCM. The keys are auto created when you add apps to your project in the Firebase console, and included in the google-services.json file, and you can add the restrictions to these under Credentials in APIs & Services, but it will not have any effect.
Please also note that the SHA fingerprint you can add in the Firebase project is only for Firebase Invites or Firebase Dynamic Links.
Be careful and have this in mind when you decide what to use the messaging service for, or when you migrate from GCM to FCM.
There is a feature request for this at Firebase but they currently have no timeline. There also a request now for an update of their documentation regarding this issue.
I have a mix of GCM and FCM Server API keys that belong to different android apps. However I am not the owner of the apps and do not have direct access to the google developer console.
Is there a way to detect whether a Cloud Messaging Server API key is enabled for Firebase?
I would like to know this so that I can notify the owners of the GCM server keys to update to Firebase.
Thanks
-David
There is no way to tell if a Server Key used in the request is from a GCM/FCM enabled project. There is RemoteMessage.getFrom() which gives the Sender ID of the sender or to identify which topic the message was sent to, but it doesn't give any other details.
While on the matter, I'm fairly sure that there is even no way for you to retrieve the value of the Server Key that was used by the Sender in the first place.
With all that said, so long as it is a valid Server Key, it should be compatible to use for both GCM and FCM. From what I've experienced, I had a Server Key originally generated from my Developer Console, and after I imported the project to Firebase, the Server Key that appeared in the Cloud Messaging tab was still the same (I'm not so sure if that's still the case though).
Nonetheless, Server Key used for GCM should still be compatible for FCM.
I have been using Google Cloud Messaging to send messages to my phone via php pages on my permanently on server (a Raspberry Pi) successfully for some time. In that old app I used a browser key with no restrictions and not a server key.
I was aware that GCM should be migrated to Firebase Cloud Messaging (FCM) and have successfully done this. During development both FCM and GCM apps were working. Recently my GCM app returns Unauthorized (401) errors to my server. I know that FCM will only give out restricted server keys now and that unrestricted keys are not issued.
I am surprised that my old app developed before FCM even existed has stopped working. I assume that the message sent from my server to Google is being rejected by them.
Am I correct in my assumption that old GCM browser keys will always be rejected by Google?
Am I correct in my assumption that old GCM browser keys will always be rejected by Google?
Yes. As of right now, GCM and FCM will only accept Server Keys.
Using any other type of API Keys (Android, iOS, Browser) will result in a 401 error. One example of this is this post, the OP originally had an Android Key and it started to return a 401 error.
I'm following Google Cloud messaging tutorial, I'm not exactly understang phrase:
First, make sure your Server key (not the client API key in googleservices.json) is provided as the value of API_KEY in GcmSender.java.
So in order to run this sample, I need to write a server side? I thought that GcmSender.java already emulates server side of the application? Can someone clarify it?
As #MohanadMohie you should instead use FCM.
First, make sure your Server key (not the client API key in googleservices.json) is provided as the value of API_KEY in GcmSender.java
The GcmSender.java does emulate the function for sending a message. This only states that you should make sure that the API key you use is a valid Server Key.
And as per Server Keys go, there is already a note in the GCM docs saying:
Starting from Sept. 2016 new server key can only be created in the Firebase Console using the Cloud Messaging tab of the Settings panel. Existing projects that need to create a new server key can be imported in the Firebase console without affecting their existing configuration.
Plus, in FCM, you'll be able to make use of the Firebase Console to send push notifications.
The server key for cloud messaging under
Project Settings -> Cloud Messaging -> Server Key
keeps changing frequently, about once a week.
This is extremely frustrating. Our notification server calls fail with an error code of 401, which means it's an authorization problem.
But once I update the server key on my backend, with the key i see on the firebase console, which is different each time after this 401 authorization error, all works fine.
I have Googled my best on this, but there is no documentation, or support available for this error. Is this meant to change so much? If so, how can i update the SERVER_KEY automatically on my end..? Is there a REST API for this?
I asked directly to the Firebase Support with an issue similar to the one you have and they told me:
If someone changes the server API key in Google API console, the server API key will also be changed in Firebase console. Firebase does not change your server API key without notifying you. Make sure no one has changed your server API key in Google API console recently and that the Server API key is the same in both the consoles.
A change in my API Key occurred only once in the time I have been using Firebase. So maybe you could contact the Firebase support or try to check if someone is changing the key in the Google API console.
Google Firebase mostly sends you an email about upgrading their serve keys. when you receive such emails , quickly visit and update your scripts with your new key in the console. this can happen weekly or monthly, not really structured.