问题
According to this link, the registration token must be kept secret.
Registration token: An ID generated by the FCM SDK for each client app instance. Required for single device and device group messaging. Note that registration tokens must be kept secret.
How sensitive is the token? Can anyone with the registration token send notifications to the device? Or is the token specific to my project?
What are the risks if some else gets hold of a device registration token?
回答1:
How sensitive is the token? Can anyone with the registration token send notifications to the device? Or is the token specific to my project?
Not really. If the a sender not associated with the registration token sends a message, then they're going to receive an error:MismatchSenderId:
A registration token is tied to a certain group of senders. When a client app registers for FCM, it must specify which senders are allowed to send messages. You should use one of those sender IDs when sending messages to the client app. If you switch to a different sender, the existing registration tokens won't work.
If you base it from that, it does seem that keeping the registration token a secret is not that much of a thing. But what if a scenario happens that an unauthorized user gets an access to send messages, if he doesn't know/have the registration tokens, then it's pretty much useless. Just think of it as another safety measure.
What are the risks if some else gets hold of a device registration token?
From the scenario I mentioned above, if someone (unauthorized users) got access to send messages and the registration tokens, then they can pretty much send anything towards it.
来源:https://stackoverflow.com/questions/42102017/why-must-i-keep-the-registration-token-secret