如果没有应用服务器,Web上的FCM是否安全? [英] Is FCM on the web secure without an app server?
问题描述
我想从我站点上的客户端生成消息,然后将消息发送到目标设备.像这样的ajax(jquery)请求很简单:
I want to generate messages from clients on my site, and send messages to a target device. It's simple with an ajax(jquery) request like this:
$.ajax({
url: 'https://fcm.googleapis.com/fcm/send',
type: 'POST',
contentType: "application/json",
dataType: 'json',
data: JSON.stringify({
"notification": {
"title": title,
"body": msg,
"sound": "default"
},
"to": "XXXXXXXXXXXX"
}),
beforeSend: function(xhr) {
xhr.setRequestHeader('Authorization', 'key=YYYYYYYYYY');
}
});
但是,我不需要保持XXXXXXXXXXXX设备密钥和YYYYYYYYYY API密钥为私有吗?如果没有,我担心人们会开始将这些垃圾从完全不相关的服务中删除并发送垃圾邮件吗?
But, then don't I need to keep the XXXXXXXXXXXX device key, and YYYYYYYYYY API key private? If not, I'm worried people start scraping these up and spamming from totally unrelated services?
推荐答案
这绝对是不安全的.您传递给 Authorization 标头的密钥称为服务器密钥,因为您只应在应用程序服务器上使用它(或在其他过程中使用)由您直接控制).
This is definitely not secure. The key that you're passing into the Authorization header is called a server key, since you're only supposed to use it on an app server (or in some other process that you directly control).
如果将相同的密钥放入在每个客户端设备上运行的代码中,则意味着恶意用户可以(并因此)能够复制您的服务器密钥,并使用该密钥代表您向应用程序的用户发送消息.
If you put this same key in code that runs on every client's device, it means that malicious users can (and thus will) be able to copy your server key and use that to send messages to your app's users on your behalf.
Firebase Cloud Messaging文档在其关于FCM服务器角色的部分中对此进行了解释.我们还有一个博客文章,介绍了如何使用以下方法在Android上发送设备到设备消息后端应用服务器上的Cloud Messaging,实时数据库和Node.js脚本.
The Firebase Cloud Messaging documentation explains this in its section on FCM Server roles. We also have a blog post that explains how to send device-to-device messages on Android using Cloud Messaging, the Realtime Database and a Node.js script on your back-end, app server.
这篇关于如果没有应用服务器,Web上的FCM是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
