Best practices for storing FCM tokens

[Filip Grządkowski]

Hi all!

I'm starting to work on integration with FCM and I'm wondering what are best practices for storing registration tokens. I've been considering using Firestore for it (I already use it for other use-cases), but it's unclear to me how to authenticate there (writing would be done from a Service so there's not associated user). Do you have some suggestions? I'd really like to avoid exposing some backend servers (which is the purpose of Firebase), but I'm not sure how to achieve this...

Cheers,

Filip

[Kiana McNellis]

When you report the device's registration token to your service, why not pass the user's uid as well?

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/2bcdb31b-f299-4185-8343-78bb06ea60c3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Filip Grządkowski]

My understanding is that a service might be running and reporting new tokens even if user is not logged in. So reporting user ID is not feasible, iiuc. Am I missing something?

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CAM7amBBhtcG%2BLivL2MowoVc6bxa2PSvE0P0Dbn30WBsP6uwmdw%40mail.gmail.com.

[Kiana McNellis]

You can always turn the FCM service on or off.  Most people who are trying to target a subset of their users use Auth (including anonymous auth) as a good identifier of which token goes with which user.  It also lets you keep track of which tokens are no longer valid.

If you are not trying to target a user based on their specific usage of your app (you just want a list of all tokens), you could do 1 of 2 things:

1) (recommended) Setup a Cloud Function that takes in registration tokens from your app, verifies them, and then writes them to the database using the Admin SDK.

2) Setup your security rules on Firestore to allow only writing new data to your token list, and no deleting.  Also write some verification into the rules (or a on-write Cloud function) to make sure it looks like a token before saving it.

 Bonus points if you use anonymous auth and secure your function/database so that a user can only write to the entry for their uid.  If your users later login, you can link it to the same account.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CALMY%2BM6qdcuQJZiTH83TZ7TUA%3DDjtu5fStSHT-wkfaUseufq6g%40mail.gmail.com.