Hi guys,
I would like to ask a "newbie" question: Can we use Firebase Admin to send messages in React Native?
I mean, in your new docs and the official Firebase docs, it talks about Node.js, Java, C#, etc.
The fact is I'm using PHP for the server side. So I can use curl to call https://fcm.googleapis.com/fcm/send or just HTTP by using axios in JS, for example.
But I'm wondering if it's possible to use the code below in a React Native file since it's just JS (I don't have a Node.js server back end):
```js
// Node.js
var admin = require('firebase-admin');

// Wrapper added so the snippet is complete; the function name is illustrative.
async function sendToOwner(owner, user, picture) {
  await admin.messaging().sendToDevice(
    owner.tokens, // ['token_1', 'token_2', ...]
    {
      data: {
        owner: JSON.stringify(owner),
        user: JSON.stringify(user),
        picture: JSON.stringify(picture),
      },
    },
    {
      // Required for background/quit data-only messages on iOS
      contentAvailable: true,
      // Required for background/quit data-only messages on Android
      priority: 'high',
    }
  );
}
```
Unfortunately not, you'd have to expose your server credentials to the public, and I'm not sure the library would run in a React Native environment.
You could always spin up a cloud function in Firebase, there's zero maintenance.
Also if you already have a PHP backend, you can just send messages from that?
Yeah, I can!
(But I prefer JS, that's why I'm thinking about using axios and calling `https://fcm.googleapis.com/fcm/send` directly. It would be something like the code below, but I don't know if it's better than using PHP.)
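```js
axios({
  method: 'post',
  url: 'https://fcm.googleapis.com/fcm/send',
  data: JSON.stringify({"to": "<instance ID>", "notification": {"title":"Test","body":"Test"}}),
  headers: {
    Authorization: `key=${key}`,
    // The body is a JSON string, so the content type has to be set explicitly
    'Content-Type': 'application/json',
  },
});
```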
In PHP, I would use something like this:
React:
```js
axios({
  method: 'post',
  url: '/post/message',
  data: JSON.stringify({"to": "<instance ID>", "notification": {"title":"Test","body":"Test"}}),
});
```
PHP:
```php
// ...
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://fcm.googleapis.com/fcm/send");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: key=' . API_ACCESS_KEY,
    'Content-Type: application/json'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Keep certificate verification on: this request carries the server key
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
    'to' => $token, // single token
    'notification' => $notification,
    'data' => $extraNotificationData
]));
$result = curl_exec($ch);
curl_close($ch);
// ...
```
But I found this article about blocking API calls in PHP and a solution using the shell. Weird...
https://medium.com/@jituboss/php-non-blocking-curl-requests-to-firebase-for-push-notifications-8cd613043327
What do you think about those approaches?
What would be the way with Cloud Functions (knowing that I already have a PHP backend)?
(I have never used Cloud Functions yet.)
What do you suggest? (as GDE :p)
Just found an article about exposing Firebase server credentials to the public:
NEVER use your 'REST API key' in client code, it is intended for use on your system or server only. Add the REST API Key to the HTTP 'Authorization' header as basic authentication.
That's what you mean?
So even my axios approach seems not safe?
the admin SDK doesn't run in react-native and they won't make any effort for it to run there for that reason - mobile devices must be considered compromised at all times essentially
well, for a few minutes at a time you can make a reasonable guess that if authentication from a device was successful you can allow minimally privileged function calls and manipulation to data owned by the authenticator to run, but that's it, and even then only with encryption on transport, encryption of data at rest etc etc.
so you must not put your server keys there
Okay, thanks guys. I get it now!
I'm learning more and more about FCM because of you 👌
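One way to apply the advice in this thread, as an added example that is not code from any participant: the backend keeps the FCM server key, and the app only names a recipient user and a text. The `session` object, the contact and token maps, and the function names are assumptions for illustration, and the sample data is constructed.

```javascript
// Added example, not from the thread. The server key lives only on the backend;
// the app sends its session plus a recipient user id and a text, nothing else.
const FCM_URL = 'https://fcm.googleapis.com/fcm/send';

// Constructed sample data standing in for the backend's database.
const deviceTokens = new Map([['alice', ['token_a1']], ['bob', ['token_b1', 'token_b2']]]);
const contacts = new Map([['alice', ['bob']], ['bob', ['alice']]]);

// Returns the FCM requests the backend would send for one client call.
// `session` is assumed to come from the backend's own login check.
function buildFcmRequests(session, body, serverKey) {
  if (!session || typeof session.userId !== 'string') return { status: 401, requests: [] };
  const { toUserId, text } = body || {};
  if (typeof toUserId !== 'string' || typeof text !== 'string' ||
      text.length === 0 || text.length > 200) {
    return { status: 400, requests: [] };
  }
  // Authorization: a caller may only notify users in their own contact list.
  if (!(contacts.get(session.userId) || []).includes(toUserId)) {
    return { status: 403, requests: [] };
  }
  // Tokens, title and key are chosen server-side; client-supplied `to`,
  // `notification` or `data` fields are never copied into the payload.
  const requests = (deviceTokens.get(toUserId) || []).map((token) => ({
    url: FCM_URL,
    method: 'POST',
    headers: { Authorization: `key=${serverKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({
      to: token,
      notification: { title: `Message from ${session.userId}`, body: text },
    }),
  }));
  return { status: 200, requests };
}

// What goes back to the app: a status and a count, never the requests or the key.
function clientResponse(result) {
  return JSON.stringify({ status: result.status, sent: result.requests.length });
}
```

The returned request objects can be handed to whatever HTTP client the backend uses (curl in PHP, axios in a Cloud Function); only `clientResponse` output is returned to the device.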