为每个用户创建 Firebase 主题 [英] Creating Firebase topic for each user
问题描述
我们的设计方法是为每个注册用户创建一个主题.
We have a design approach which is creating a topic for each registered user.
- 创建新用户
- 使用生成的令牌将其保存到我们的数据库中
- 当用户在android上登录时订阅
/topics/{user-token}或ios 设备.
- Creating a new user
- Save it to our database with a generated token
- Subscribe to
/topics/{user-token}when user login on android or ios device.
因此,如果用户拥有多个设备,并且如果我们想要发送特定于用户的通知,我们只需将其发送到 /topics/{user-token} 以便所有设备都能接收到.
So if user have more than one device and if we want to send a user specific notification, we just send it to /topics/{user-token} so it received by all devices.
我们还没有遇到少数用户的任何问题,但这对于 Firebase 的限制是否可以,这是一个好方法吗?
We've not encountered any problem with a few users yet, but is that ok for Firebase limitations and is it a good approach?
推荐答案
(我正在将我的评论变成答案)
(I am moving my comments into an answer)
大多数情况下,为每个用户创建 FCM 主题并不是一个好主意.
发送到 FCM TOPICS 的消息是公开的.任何用户(甚至来自不同的应用程序)可以订阅/topics/{user-name} 并接收那些消息.
Messages sent to an FCM TOPICS are public. Any user (even from a different app) can subscribe to /topics/{user-name} and receive those messages.
示例:
其他开发人员可以从您的 apk 复制 google-services.json 文件.
然后他可以订阅任何主题.
要拦截您的用户消息,攻击者仍然需要猜测 {user-name} 或您正在使用的任何其他标识符.但是,如果您认为这可能发生,那么问题就很大了,因为您永远不会知道是否有人收到了您的邮件副本,而且您通常永远不会更改 {user-name}.
Example:
Another developer can copy the google-services.json file from your apk.
Then he can subscribe to any topic.
To intercept your user messages the attacker still need to guess the {user-name} or any other identifier you are using. But if you assume this can happen then the issue is big because you would never know if someone is receiving a copy of your messages, and you usually never change {user-name}.
这不是 FCM 的安全问题.这是主题 API 设计的一部分.
如果您需要安全消息,可以将它们直接发送到设备令牌.
This is not a security issue of FCM. This is part of the topic API design.
If you need secure messages you can send them directly to the device token.
如果你仍然想每个用户做一个主题,请注意不要发送敏感数据,或者不应该被第三方拦截的数据.
If you still want to do one topic per user, please pay attention to not send sensitive data, or data that should not be intercepted by third parties.
这篇关于为每个用户创建 Firebase 主题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
