I am getting weird issue of sending push notification to Android using FCM.
Goal :- Having error while sending push notification
Below is the scenario I do have function for sending push notification to Android
public static function SendMultipleNotificationAndroid($groups)
{
//your api key SERVER API KEY
$apiKey = Yii::$app->params['android_api_key'];
$url = 'https://fcm.googleapis.com/fcm/send';
$headers = array(
'Authorization:key=' . $apiKey,
'Content-Type: application/json'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
foreach($groups as $resG){
$users = $resG['users'];
$msg = $resG['message'];
$type = $resG['notification_type'];
$notification_data = $resG['notification_data'];
$deviceTokens = [];
foreach($users as $resUser){
$deviceTokens[] = $resUser['device_token'];
//Add Friend badge count +1
Common::AddRemoveBadgeCount($resUser['user_id']);
}
if(!empty($deviceTokens)){
$fields = array(
'registration_ids' => $deviceTokens,
'priority' => 'high',
'collapse_key' => $resG['notification_type'],
'time_to_live' => 2419200,
"click_action" =>"NotificationListingActivity",
'data' => [
"title" => "ProjectName",
"body" => $resG['message'],
"action_tag" => $resG['notification_type'],
"message" => $resG['message'],
'notification_type' => $type,
'notification_data' => $notification_data,
'sound' => 'default',
]
);
//Print result
p($ch,0);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($fields));
curl_exec($ch);
}
}
curl_close($ch);
}
So the issue is when I send single notification it works fine but when I send multiple notification I got error every time
<pre>Resource id #5</pre>{"multicast_id":4818908994630396118,"success":1,"failure":1,"canonical_ids":0,"results":[{"error":"NotRegistered"},{"message_id":"0:1487136045570022%c3bae3c6002e9358"}]}
<pre>Resource id #5</pre>{"multicast_id":5218359780835228544,"success":1,"failure":1,"canonical_ids":0,"results":[{"error":"NotRegistered"},{"message_id":"0:1487136046618669%c3bae3c6002e9358"}]}
As we debug the code we do have device token in our database no firewall which stops sending push notifications.
Every time I call above function I get
"error":"NotRegistered"
According to the doc its because the mobile device testing does not have your app installed anymore
If it is NotRegistered, you should remove the registration ID from
your server database because the application was uninstalled from the
device, or the client app isn't configured to receive messages.
Don't know much about php, but recently I have faced the same issue in another project and I have resolved this way :
Refere this first :
Where can I find the API KEY for Firebase Cloud Messaging?
and get updated API key as shown in below snapshot
This is a client-side (device) issue, not service-side.
Multiple scenarios can cause this:
If the client app unregisters with GCM.
If the client app is automatically unregistered, which can happen if the user uninstalls the application. For example, on iOS, if the APNS Feedback Service
reported the APNS token as invalid.
If the registration token expires (for example, Google might decide to refresh registration tokens, or the APNS token has expired for iOS devices).
If the client app is updated but the new version is not configured to receive messages.
See https://developers.google.com/cloud-messaging/http-server-ref
On app startup I check to see if the token I have stored locally matches the new token. If not then I refresh the token on my servers. I also do this in FirebaseInstanceIDService::onTokenRefresh.
The thing is firebase generates a unique device-ID for your target device when the app is run for the first time, and it will be used as the identity of the device.
If the user uninstalls the app or clears the data of the app then in that case on reinstalling or reopening the app the device-ID will differ. This will result in the ID not be identified by firebase to send the notification. This will result in the error Not Registered
I got this error when i uninstalled and reinstalled my application.
What i think is, when we reinstall application, we cant get a new fcm token every time we install.
So, we must first delete the previous instance id and then create new fcm token. Please see the code below..
Just adding the uncommented line resolved my issue..
See first comment for this solution for code :)
_firebaseRegister() {
// _firebaseMessaging.deleteInstanceID();
_firebaseMessaging.getToken().then((token) => fcmtoken = token);
}
Hope this works for you! :)
In my case, the problem was on the recipient side, not the sender. If you're sending a message to someone who has not run the app for awhile, then their device token is stale. All they need to do is restart the app.
In your case, did you ensure that when you sent multiple notifications all the devices you messaged were up and running and that the app refreshes the token on startup by calling FirebaseMessaging.getInstance().getToken()?
While searching for the "NotRegistered" issue, we found the following ...
At device end, the generation of device notification token was done by following code once, when user first time starts the app after installation.
RegToken = FirebaseInstanceId.getInstance().getToken(senderId, "FCM"); // Old code
We were using other class derived from "FirebaseMessagingService" to create / receive notifications. But the following method was missing in that class.
// New code
#Override
public void onNewToken(String token) {
Log.d(TAG, "Refreshed token: " + token);
// If you want to send messages to this application instance or
// manage this apps subscriptions on the server side, send the
// Instance ID token to your app server.
sendRegistrationToServer(token);
}
We found that, the above method was called by FCM system in device on every start of App. ( The App was not Uninstalled, still the method was giving different token every time. ) So we called our method 'sendRegistrationToServer(token);' to submit the token to our server along with the 'DeviceId' and other identification data. When we sent notification from php server on this token, it returned 'sent' instead of "NotRegistered".
This error appeared in an Android application when sending request to https://fcm.googleapis.com/fcm/send:
...
"results": [
{
"error": "NotRegistered"
}
]
While the application was working well for some time, and push notifications were delivered, then (probably after reauthorization in the app or reauthorization in Play Market) that error started to show.
If I changed push token (added "1", for instance), then I got another error:
"results": [
{
"error": "InvalidRegistration"
}
]
So, Firebase knew about the push token, but didn't deliver a notification.
I uninstalled the Android application and installed again.
My problem was different then all of the above. The Firebase message that we we're trying exceeded the maximum size of 4Kb. Very small chance this triggers an "NotRegistered". But the problem was that I took this log of a moment the app was probably not installed. So also check the size of the Firebase message.
In our case, this issue appears on iOS when we override a production installation of the app using Xcode "Run" (replaces production app with the debug version in-place).
The app still receives the same registration token, but doesn't accept messages (NotRegistered is returned from the FCM).
We've found out that uninstalling the app from the device, and performing a clean install fixes this issue.
In my case, updating the FCM token for the device worked!
I have a 100 percent solution i had fix recently this issue this
error, occurring because you are sending this notification on a device
which does does not contain your firebase setup api key For example
when you registered user that time user registered from different
firebase setup so your android token was different and your sending
request to other firebase setup for which didn't create android token
whom you trying to send notification(message) so you would have to
make sure your user android token generating from same firebase
project of which project you are using firebase api key
In my case, two cloned emulators are the reason.
I think cloned emulators have same device ID, so firebase think they are same device.
So when one device get a push message, the push token may be removed and return not NotRegistered.
If you are in the similar situation, try to remove the emulator and create new one.
A possible solution can be update user push token.
When the client app is updated (new version), old push token is changed.
I got this error after setting firebase and using app for some time.
I updated google-service.json file (look for new file in the user's personal account firebase) and reinstall app. It helps me.
For iOS, I ran into the same issue. We were only saving the token on didRegisterForRemoteNotificationsWithDeviceToken. As mentioned above, you can lose reference to the token for a variety of reasons.
To fix the "NotRegistered" error, I added the following to App Delegate:
extension AppDelegate: MessagingDelegate {
func messaging(_ messaging: Messaging, didReceiveRegistrationToken fcmToken: String) {
print("Firebase registration token: \(String(describing: fcmToken))")
//Notification setup. Token will be available anywhere
let dataDict: [String: String] = ["token": fcmToken ]
NotificationCenter.default.post(
name: Notification.Name("FCMToken"),
object: nil,
userInfo: dataDict
)
// Send token to application server.
if Auth.auth().currentUser?.uid != nil {
guard let userUid = Auth.auth().currentUser?.uid else { return }
let dataBaseRef = Database.database().reference()
let value: [String : Any] = ["pushToken" : fcmToken]
dataBaseRef.child("Your database path here").updateChildValues(value, withCompletionBlock: { (error, ref) in
if error != nil {
print("Error with storing/updating user token", error?.localizedDescription as Any)
}
})
}
}
}
didReceiveRegistrationToken is called anytime the token is updated.
After uninstalling the app in my device, the error occurred. That was because my code wasn't set up to regenerate a new fcm device token. The firebase documentation for this API recommends to call the method at app start and update your backend (or wherever you're using the tokens). I fixed it with the snippet below:
import {Platform} from 'react-native';
import messaging from '#react-native-firebase/messaging';
useEffect(() => {
requestPermission();
messaging()
.getToken()
.then(async token => {
console.log('_token=>>>', token);
if (token) {
setDeviceToken(token);
// update user realtime fdb with device token and userIdToken
const _authDriverIdRef = firebase
.database()
.ref(`users/${user.uid}`);
_authDriverIdRef.update({
fcmDeviceToken: deviceToken,
userIdToken: await user?.getIdToken(true),
});
}
});
});
const requestPermission = async () => {
return Platform.OS === 'ios' && (await messaging().requestPermission());
};
See if you have uninstalled the app and your device token is modified. Update the device token, and your error will be gone
I'm not very knowledgeable in SSL and certificates. I used the post
"How to use hash_hmac() with "SHA256withRSA" on PHP?" to see if I can get webhooks with PayPal working.
The issue I am have is I am getting the following error after calling openssl_verify() and a return result of (0):
OpenSSL error openssl_verify error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
I've tried to solve this, but documentation on errors and the functions around the web is minimal to none.
My current code looks like this:
// get the header post to my php file by PayPal
$headers = apache_request_headers();
// get the body post to me php file by PayPal
$body = #file_get_contents('php://input');
$json = json_decode($body);
// TransmissionId|TransmissionTimeStamp|WebhookId|CRC32 as per PayPal documentation
$sigString = $headers['Paypal-Transmission-Id'].'|'.$headers['Paypal-Transmission-Time'].'|'.$json->id.'|'.crc32($body);
// $headers['Paypal-Cert-Url'] contains the "-----BEGIN CERTIFICATE---MIIHmjCCBoKgAwIBAgIQDB8 ... -----END CERTIFICATE-----"
$pubKey = openssl_pkey_get_public(file_get_contents($headers['Paypal-Cert-Url']));
// and this is the call to verify that returns result (0)
$verifyResult = openssl_verify($sigString, base64_decode($headers['Paypal-Transmission-Sig']), $pubKey, 'sha256WithRSAEncryption');
Only different from the reference code I used, is that I do not use openssl_pkey_get_details($pubKey) because I will get below error in addition to the existing signature error:
OpenSSL error openssl_verify error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL error openssl_verify error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Also I've tried a variation by not using base64_decode() on the header but that would get the same return result (0) with error stating:
OpenSSL error openssl_verify error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length
What is wrong with the signature?
You may want to use this piece of code:
$pubKey = openssl_pkey_get_public(file_get_contents($headers['PAYPAL-CERT-URL']));
$details = openssl_pkey_get_details($pubKey);
$verifyResult = openssl_verify($sigString, base64_decode($headers['PAYPAL-TRANSMISSION-SIG']), $details['key'], 'sha256WithRSAEncryption');
if ($verifyResult === 0) {
throw new Exception('signature incorrect');
} elseif ($verifyResult === -1) {
throw new Exception('error checking signature');
}
The formula is <transmissionId>|<timeStamp>|<webhookId>|<crc32> not <transmissionId>|<timeStamp>|<eventId>|<crc32>. Also note that Webhook simulator events can't be verified.
This may not be exactly what you were looking for, but an alternative to manually validating the signature with Open SSL could be to use the PayPal PHP Restful API.
The PayPal Restful API exposes an endpoint that allows you to validate webhook: /v1/notifications/verify-webhook-signature
The PayPal-PHP-SDK provides a VerifyWebhookSignature class that make it easy to make calls to that end point.
They also have a Sample Script illustrating how to use VerifyWebhookSignature class.
As #JUBEI mentioned, you need to get the WEBHOOK_ID from your PayPal account and NOT from the headers you've received, remember the first time you've registered the webhook event, you must find your webhook ID right there.
Plus, make sure to use OPENSSL_ALGO_SHA256 instead of: 'sha256WithRSAEncryption', refer to: https://www.php.net/manual/en/openssl.signature-algos.php
I want to use methods and resources from the code of a website which is developed in PHPFox.
Basically, I'll receive request from iPhone/Android, I'll get the request and pass to the respective function from the PHPFox code, take the response from that function and return it back to the device.
For this purpose I've developed REST APIs using Slim framework.
But the major blocker I'm facing currently is in accessing the resources(i.e. functions and data) of PHPFox website.
I'm not understanding how should I authenticate the user using 'Token Based Authentication' in order to access the website's resources.
If someone could guide me in proper direction with some useful working example it would be really helpful for me.
N.B. : The proposed implementation of 'Token Based Authentication' should be very secure and fast in speed. The security should not be compromised in any way.
Following is the code I tried on my own but I don't know whether it's right or wrong. Is my approach correct or wrong. Please someone analyse it and let me know your feedback on it.
To create a token i use this function which takes as parameters, the user's data
define('SECRET_KEY', "fakesecretkey");
function createToken($data)
{
/* Create a part of token using secretKey and other stuff */
$tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"]; // It can be 'stronger' of course
/* Encoding token */
$token = hash('sha256', $tokenGeneric.$data);
return array('token' => $token, 'userData' => $data);
}
So a user can authentified himself and receive an array which contains a token (genericPart + his data, encoded), and hisData not encoded :
function auth($login, $password)
{
// we check user. For instance, it's ok, and we get his ID and his role.
$userID = 1;
$userRole = "admin";
// Concatenating data with TIME
$data = time()."_".$userID."-".$userRole;
$token = createToken($data);
echo json_encode($token);
}
Then the user can send me his token + his un-encoded data in order to check :
define('VALIDITY_TIME', 3600);
function checkToken($receivedToken, $receivedData)
{
/* Recreate the generic part of token using secretKey and other stuff */
$tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"];
// We create a token which should match
$token = hash('sha256', $tokenGeneric.$receivedData);
// We check if token is ok !
if ($receivedToken != $token)
{
echo 'wrong Token !';
return false;
}
list($tokenDate, $userData) = explode("_", $receivedData);
// here we compare tokenDate with current time using VALIDITY_TIME to check if the token is expired
// if token expired we return false
// otherwise it's ok and we return a new token
return createToken(time()."#".$userData);
}
$check = checkToken($_GET['token'], $_GET['data']);
if ($check !== false)
echo json_encode(array("secureData" => "Oo")); // And we add the new token for the next request
Am I right?
Thanks.
1st you should understand what's token based authentication. It could be explained as below.
The general concept behind a token-based authentication system is
simple. Allow users to enter their username and password in order to
obtain a token which allows them to fetch a specific resource -
without using their username and password. Once their token has been
obtained, the user can offer the token - which offers access to a
specific resource for a time period - to the remote site.
Read more
Now let's see what are the steps of implementing it in your REST web service.
It will use the following flow of control:
The user provides a username and password in the login form and clicks Log In.
After a request is made, validate the user on the backend by querying in the database. If the request is valid, create a token by
using the user information fetched from the database, and then return
that information in the response header so that we can store the token
browser in local storage.
Provide token information in every request header for accessing restricted endpoints in the application.
If the token fetched from the request header information is valid, let the user access the specified end point, and respond with JSON or
XML.
See the image below for the flow of control
You might be wondering what's a JWT
JWT stands for JSON Web Token and is a token format used in
authorization headers. This token helps you to design communication
between two systems in a secure way. Let's rephrase JWT as the "bearer
token" for the purposes of this tutorial. A bearer token consists of
three parts: header, payload, and signature.
The header is the part of the token that keeps the token type and encryption method, encoded in base64.
The payload includes the information. You can put any kind of data like user info, product info and so on, all of which is also stored in
base64 encoding.
The signature consists of combinations of the header, payload, and secret key. The secret key must be kept securely on the server-side.
You can see the JWT schema and an example token below;
You do not need to implement the bearer token generator as you can use php-jwt.
Hope the above explains your confusion. if you come across any issues implementing token based authentication let me know. I can help you.
Having recently finished the process of having created the script that retrieves permissions from a account holder I now find that I have to convert the retrieved access token and token secret (from the GetAccessToken response) to the API signature in order to create a X-PAYPAL-AUTHORIZATION header.
The X-PAYPAL-AUTHORIZATION header contains:
A timestamp
The access token from the GetAccessToken response
A signature generated from the following information:
Your API username
Your API password
The access token from the GetAccessToken response
The token secret from the GetAccessToken response
The endpoint for the PayPal API operation's request, such as https://api.paypal.com/nvp
HTTPS delivery method, such as POST
Request parameters associated with the request
The problem is I can't find how to generate the signature. There are no guides in PHP (JAVA and Ruby).
I did however note the line in the guide I followed (first link) to retrieve the permissions:
PayPal provides SDKs that you can use to generate authentication header signatures for Java, PHP, and .NET. When you use the SDK, you will get two values, such as the following:
But what followed was the JAVA guide and I could not find anything amongth Paypal's SDKs.
Any help would be greatly appreciated!
This documentation actually cuts out the function from their PHP SDK that should do it for you.
private function generateAuthString($apiCred, $accessToken, $tokenSecret, $endpoint)
{
$callerUid = $apiCred->getUserName();
$callerPswd = $apiCred->getPassword();
$auth = new AuthSignature();
$response = $auth->genSign($callerUid,$callerPswd,$accessToken,$tokenSecret,'POST',$endpoint);
$authString =
"token=".$accessToken.
",signature=".$response['oauth_signature'].
",timestamp=".$response['oauth_timestamp'];
return $authString;
}
I'm building a new project and I'm having some debate over how it needs to be developed. The big picture is to develop a consumable JavaScript widget that other internal developers can embed into their web applications. The trick is that the consumer needs to be able to tell me what AD user is currently logged into their page...and then I need to trust that the passed username is coming from the consumer and hasn't been tampered with via outside sources.
The overall solution needs to have a VERY simple set-up on the consuming side involving no compiled code changes. Also it needs to be functional across both ASP.net and PHP applications (hence my decision to go with JavaScript).
Overall, it's kind of like an Oauth solution...except the trust between domains can be intrinsic since I'll already know every user in the company trusts the host domain.
I started stubbing it out and got kind of stuck. My idea was that I would basically host a JavaScript file that the client host could embed in their page. During their page load cycle, they could init my JavaScript widget and pass it a plain text username (all I really need). Somehow I would establish an secure trust between the client host's web page, and my widget so that it would be impossible for a third-party to embed my widget into a false web page and send action commands under a user other than their own.
I hope this makes sense to someone.
I haven't really discovered an answer so to speak, but I've decided on a method:
So, I decided on a pattern where I write my JavaScript and HTML widget using the proposed jQuery UI Widget Factory. That allows the my consumer to implement the widget using simple syntax like:
<script src="widget.js"></script>
$('#someElement').myWidget({ encryptionUrl: handlerPath });
Now, you'll noticed that as part of my widget, I ask the consumer to pass a "handlerPath." The "handler" is simply an Microsoft MVC Controller which is in charge of getting the logged in user, and encrypting the call.
So the handler in my app looks something like this...
[Authorize]
public JsonpResult GetToken(string body, string title, string sender)
{
Packet token = new Packet();
try
{
// Get the widget host's public cert
string publicKey = "some.ssl.key.name.here";
// Get the consumer host's private cert
string privateKey = "this.consumers.ssl.key.name.here";
// Build a simple message object containing secure details
// Specifically, the Body will have action items (in JSON) from my widget
// The User will be generated from the consumer's backend, thus secure
Message message = new Message(){
Body = body,
Title = title,
User = System.Web.HttpContext.Current.User.Identity.Name,
EncryptionServerIP = Request.UserHostAddress,
Sender = new Uri(sender),
EncryptionTime = DateTime.Now
};
PacketEncryption encryption = new PacketEncryption();
// This class just wraps basic encryption and signing methods
token = encryption.EncryptAndSign(message, publicKey, privateKey);
token.Trust = "thisConsumerTrustName";
}
catch (Exception exception)
{
throw;
}
return this.Jsonp(token);
}
Now, I have an encrypted "token" which has been encrypted using the widget host's public key, and signed using the widget consumer's private key. This "token" is passed back to the widget via JSONP from the consuming server.
My widget then sends this "token" (still as JSONP) to it's host server. The widget hosting server has decrypting logic which looks something like this.
public Message DecryptAndVerify(Packet packet, string requestIP)
{
if (packet == null) throw new ArgumentNullException("packet");
if (requestIP == null) throw new ArgumentNullException("requestIP");
Message message = new Message();
try
{
// Decrypt using the widget host's private key
RSAEncryption decrypto = new RSAEncryption("MyPrivateKey");
// Verify the signature using the "trust's" public key
// This is important because like you'll notice, I get the trust name
// from the encrypted packet. I then maintain a "trust store" mapping
// in my web.config, or SQL server
RSAEncryption verifyo = new RSAEncryption(GetPublicKeyFromTrust(packet.Trust));
string decryptedJson = decrypto.DecryptString(packet.EncryptedData);
// Verify the signature
if (!verifyo.Verify(decryptedJson, packet.Signature))
{
Exception ex = new Exception("Secure packet was not verified. Tamper evident");
throw ex;
}
// If the message is encrypted correctly, turn it into a message object
message = decryptedJson.FromJson<Message>();
// Verify the ip
if (message.EncryptionServerIP != requestIP)
{
Exception ex = new Exception("Request IP does not match encryption IP. Tamper evident");
throw ex;
}
// Verify the time
if ((DateTime.Now - message.EncryptionTime).Seconds > 30)
{
Exception ex = new Exception("Secure packet is too old");
throw ex;
}
}
catch (Exception ex)
{
throw ex;
}
return message;
}
The idea is that the JavaScript widget determines the secure actions the end user wants to take. Then it calls back to it's host (using the handler path provided by the consumer) and requests an encrypted token. That token contains the IP address of the caller, a timestamp, the current AD username, and a bundle of actions to be completed. Once the widget receives the token, it passes it over to it's own host server at which point the server checks to make sure that it is
Signed and encrypted properly according to predefined trusts
Not older than 30 seconds
From the same IP as the initial request to the consumer's server
After I determine those checks to be valid I can act on the user's actions by creating a WindowsPrincipal identity from the string username like this:
WindowsPrincipal pFoo = new WindowsPrincipal(new WindowsIdentity("username"));
bool test = pFoo.IsInRole("some role");
All said and done, I have established a trusted request from the widget consumer, and I no longer have to prompt for authentication.
Hopefully this helps you out. It's been running in my internal environment for about a month of QA and it's it's working great so far.