Firebase messaging without server XMPP server - Proposal


Problem description

I know this question has been asked too many times. But I have something to propose and need to know if it makes sense.

I am already using Firebase database. All I need a server for is to make a POST call to Firebase messaging. But what if the app makes the same POST call? Now I understand that there is a security risk aligned with this model. Apps can be decompiled and the server key can be extracted. But as I am already using Firebase database, what if I keep the key in my database and request it when I need it.

Please let me know if this sounds good or if it has any drawbacks other than one additional call to my database.

Recommended answer

The only way to keep your FCM server key secure is to not expose it to devices of untrusted clients.

If you store the FCM server key in the database, you'll need to store it in a place that is somehow accessible to the users of your app whom you want to allow to send FCM messages.

If the FCM server key is accessible to those users, they can take the key and abuse it. If you only allow access to this value to a tiny subset of your users, you'll have reduced the risk to that smaller group of users. And if those are untrusted clients, then you're still exposing the key to untrusted clients.

So you're adding a layer of indirection, but I would not consider it a lot more secure.
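To make the difference concrete, here is an added example (not code from the question or the answer) contrasting the two designs. In the question's design the key sits in a database node that clients can read, so any such client holds the full sending privilege. In the alternative, a small trusted process (a "broker") keeps the key in its own environment, authenticates each caller, checks an explicit policy of which device tokens that caller may notify, and only then makes the privileged POST itself. The FCM legacy HTTP endpoint and `Authorization: key=...` header, the `verifyIdToken` callback, the `allowedTargets` policy map and the injected `transport` are all assumptions of this example; the transport is a recording stub so the logic runs offline.

```javascript
// Added example, not code from the original question or answer.
// Pattern: the FCM server key lives only inside a trusted server process ("broker");
// clients authenticate to the broker, which checks what they may send and then
// makes the privileged POST itself. Assumptions (not in the original post):
// the legacy FCM HTTP endpoint with an `Authorization: key=...` header, an
// idToken -> uid verifier, and an injected transport so the logic runs offline.

const FCM_ENDPOINT = "https://fcm.googleapis.com/fcm/send"; // legacy HTTP API (assumption)

// The design from the question, for contrast: whoever can read the DB node can read the key,
// and the key carries the full sending privilege for the whole project.
function keyExposedToClient(dbSnapshot) {
  return Boolean(dbSnapshot.config) && dbSnapshot.config.fcmServerKey !== undefined;
}

// Hardened design: a broker that holds the key and authorizes each request.
//   serverKey     - loaded from the server's environment, never written to the DB
//   verifyIdToken - returns { uid } for a valid token, null otherwise (hypothetical callback)
//   transport     - (url, options) -> { status }; the real one would be an HTTP client
function createFcmBroker({ serverKey, verifyIdToken, transport }) {
  if (!serverKey) throw new Error("broker needs the server key in its own process");

  // allowedTargets: Map<uid, Set<deviceToken>> - which devices each user may notify.
  // This explicit policy is what the indirection in the question lacks.
  return function sendOnBehalf({ idToken, targetToken, notification }, allowedTargets) {
    const caller = verifyIdToken(idToken);
    if (!caller) return { status: 401, reason: "unauthenticated" };

    const allowed = allowedTargets.get(caller.uid) || new Set();
    if (!allowed.has(targetToken)) return { status: 403, reason: "target not permitted" };

    // Only this closure ever builds the privileged request; the key never leaves it.
    const res = transport(FCM_ENDPOINT, {
      method: "POST",
      headers: { Authorization: `key=${serverKey}`, "Content-Type": "application/json" },
      body: JSON.stringify({ to: targetToken, notification }),
    });
    return { status: res.status, reason: res.status === 200 ? "sent" : "fcm error" };
  };
}

// Recording transport so the example runs offline: stores requests, always answers 200.
function makeRecordingTransport() {
  const calls = [];
  return { calls, transport: (url, options) => { calls.push({ url, options }); return { status: 200 }; } };
}

// Constructed sample data (not real credentials, tokens or device registrations).
const SAMPLE_TOKENS = new Map([["tok-alice", { uid: "alice" }], ["tok-bob", { uid: "bob" }]]);
const sampleVerify = (t) => SAMPLE_TOKENS.get(t) || null;
const SAMPLE_POLICY = new Map([["alice", new Set(["device-A1"])]]);
const INSECURE_DB = { config: { fcmServerKey: "PLACEHOLDER_SERVER_KEY" } };

function demo() {
  const { calls, transport } = makeRecordingTransport();
  const send = createFcmBroker({ serverKey: "PLACEHOLDER_SERVER_KEY", verifyIdToken: sampleVerify, transport });
  const note = { title: "hello" };
  return {
    keyReadableByClients: keyExposedToClient(INSECURE_DB),          // true: the question's design
    ownDevice: send({ idToken: "tok-alice", targetToken: "device-A1", notification: note }, SAMPLE_POLICY),
    othersDevice: send({ idToken: "tok-bob", targetToken: "device-A1", notification: note }, SAMPLE_POLICY),
    noAuth: send({ idToken: "forged", targetToken: "device-A1", notification: note }, SAMPLE_POLICY),
    outboundRequests: calls.length,                                   // 1: only the authorized send reached FCM
    keyInOutboundHeader: calls[0].options.headers.Authorization.startsWith("key="),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the broker is not the extra hop but the authorization step: a client that wants to send a message never holds anything more than its own identity token, and the policy map bounds what that identity can do. Replacing the stub transport with a real HTTP client and the sample verifier with real ID-token verification is all that separates this from a deployable endpoint.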

