Send firebase cloud message from client without exposing API secret

Question

I'm developing a new chat application that currently works with firebase realtime database and cordova.

I was looking for a backend-less solution since my currently working app doesn't need any server at all apart from a tiny server that its only function is to provide with temporal authorization tokens for the clients.

This tokens allow the client to work directly with firebase without the need for a more expensive and loaded server, and still have a central control for the usage of the app.

By reading the new firebase documentation I believe that the notifications and the firebase cloud messages app can't be used by the client side to post messages, only to listen notifications since all the send message examples expose the server API key, which obviously can't be on the client side.

Is there a way to issue temporal tokens from a central server that can be used by the clients to send messages instead of having to send all the messages to the server and then back to the other devices?

Thanks

Answer 1

Sending downstream messages to devices with Firebase Cloud Messaging requires access to the authorization key. For that reason it should run in a trusted process, such as on hardware you control.

Answer 2

Cloud Functions for Firebase was launched today, which would solve your problem! You can initialize the firebase-admin SDK within your functions code (which runs on Google's servers, not client side), and use it to access FCM. That way you can send messages in response to new database items, or in response to HTTPS requests.

Here's an intro to Cloud Functions for Firebase: https://firebase.google.com/docs/functions/

Here's how you can use firebase-admin to send FCM messages: https://firebase.google.com/docs/cloud-messaging/admin/send-messages