Creating Firebase topic for each user


Problem description



We have a design approach which is creating a topic for each registered user.

  1. Creating a new user
  2. Save it to our database with a generated token
  3. Subscribe to /topics/{user-token} when the user logs in on an Android or iOS device.

So if a user has more than one device and if we want to send a user-specific notification, we just send it to /topics/{user-token} so it is received by all devices.

We've not encountered any problem with a few users yet, but is that ok for Firebase limitations and is it a good approach?

Solution

(I am moving my comments into an answer)

Most of the time creating an FCM TOPIC per user is NOT a good idea.

Messages sent to FCM TOPICS are public. Any user (even from a different app) can subscribe to /topics/{user-name} and receive those messages.

Example:

Another developer can copy the google-services.json file from your apk.

Then he can subscribe to any topic.

To intercept your user messages the attacker still needs to guess the {user-name} or any other identifier you are using. But if you assume this can happen then the issue is big because you would never know if someone is receiving a copy of your messages, and you usually never change {user-name}.

This is not a security issue of FCM. This is part of the topic API design.
If you need secure messages you can send them directly to the device token.

If you still want to do one topic per user, please pay attention to not send sensitive data, or data that should not be intercepted by third parties.
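
The alternative the answer recommends, sending to each of the user's device tokens instead of to `/topics/{user-token}`, as an added example that is not part of the original answer. `DeviceRegistry`, `notify_user` and `fake_send` are hypothetical names, the tokens are constructed sample values, and the real transport (an authenticated call to FCM) is assumed to be injected as `send`.

```python
class DeviceRegistry:
    """Server-side map: user id -> FCM registration tokens of that user's devices."""

    def __init__(self):
        self._tokens = {}

    def register(self, user_id, token):
        # Assumed to be called from an authenticated API endpoint after login,
        # so only the account owner can attach a device to the account.
        self._tokens.setdefault(user_id, set()).add(token)

    def unregister(self, user_id, token):
        self._tokens.get(user_id, set()).discard(token)

    def tokens_for(self, user_id):
        return sorted(self._tokens.get(user_id, ()))


def build_message(token, title, body):
    # FCM HTTP v1 request body addressed to a single device token (no "topic").
    return {"message": {"token": token,
                        "notification": {"title": title, "body": body}}}


def notify_user(registry, user_id, title, body, send):
    """Fan out to every device of one user.

    `send(message)` returns None on success or an FCM error code string.
    Tokens FCM reports as UNREGISTERED are dropped; other failures are
    returned so the caller can retry them.
    """
    delivered, pruned, failed = [], [], []
    for token in registry.tokens_for(user_id):
        error = send(build_message(token, title, body))
        if error is None:
            delivered.append(token)
        elif error == "UNREGISTERED":
            registry.unregister(user_id, token)
            pruned.append(token)
        else:
            failed.append((token, error))
    return delivered, pruned, failed


def fake_send(message):
    # Constructed stand-in for the network call: one token is treated as stale.
    token = message["message"]["token"]
    return "UNREGISTERED" if token == "tok-old-tablet" else None
```

Because delivery is keyed on tokens the server stored for an authenticated account, a third party cannot add itself as a recipient the way it can by subscribing to a guessed topic name.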
