Firebase push notification topic security

Question

We have a multi-tenant application with mobile apps for each tenant. Each of our tenants have a separate Firebase account with their own set of app users. Our tenants want to send push notifications to their users in different ways (sometimes targeted, sometimes just notifying all users of the app).

For the latter use case we identified that topics could be a solution to approach this. We thought about subscribing each user to an all topic of the tenant which in turn our server application can send messages to. However, we also identified that this could increase risk due to less control of when and which notifications are sent.

As far as we know there is no way to cancel a sending notification to a topic once it was published. So the question is: Is using topics the recommended way to send messages to large customer base in a multi-tenant environment or should it be controlled using tokens and user sessions on our end?

We also thought about using a message queue for this purpose to have greater control of the messages being published.

Answer 1

FCM Topics are essentially public. Anyone who knows about a topic in a project, can subscribe to that topic with a simple API call- regardless of the app they use. There is no way to prevent this.

Hosting multiple apps in a single project like that is an anti-pattern on shared infrastructure services from Firebase. While a multi-tenant project may work for projects where you retain full control over the data (e.g. secure all of them through security rules, or all calls are secured through your own serve-side code). For products like Firebase Cloud Messaging however, Firebase recommends using a separate project for each separate "logo".

Also see:

• Use same server keys on different firebase projects
• Is it possible using one firebase project api key and sender id to many apps?
• Firebase project notifications with multiple applications