I don’t really get the concept of triggering a push notification directly from the app
My goal is to trigger push notifications directly from the devices that run my app.
For example, if a user creates a new “event”, all other users should get a notification.
My questions are:
What is the best way to trigger push notification directly from the app?
Is it possible to use the push api directly from the app?
What is the concept of using another backend server that communicates with the push api?
I could be wrong, but since Firebase is a JSON data store and not a server, you probably won’t be able to make POST requests via the Ionic Push API. Read the Sending Push doc for reference about how to use the Push API.
That means you might need to build a Node server hosted it on Heroku that’s wired up with your Ionic app in order to send POST requests on a user triggered action.
I have been using Zapier.com, which is a service that has recipes for APIs. So if you connect your Firebase account, you might be able to use Parse or Pushwoosh or another push notification service to trigger push notifications. I haven’t been able to successfully do this myself, but it might be worth exploration.
Meanwhile, I just trigger the push by using an http request to the Ionic Push API directly from the device. Angular $http docs
It’s working fine - how come, this is not a common solution?
Is anything wrong with that solution?
I don’t see the point of having another server in between?
I mean, that’s great. I’m actually trying to figure out how to do the same thing. Would you be able to post your code and comments on how you accomplished it?
Ionic.io has a rest API you can use to create push notifications.
You can use Angular’s $http method to create requests against Ionic.io.
Here is an example you could use. $http.post('https://push.ionic.io/api/v1/push', { "user_ids": ["Your", "user", "ids"], "notification": { "alert":"Hello World!" } }, {"headers" : {"X-Ionic-Application-Id": "<APP_ID>", "Authorization": "Basic <PRIVATE_KEY>"}});
This has not been tested as I don’t use Ionic.io, but its a start for you.
I would have to recommend against this, as if someone looks through our app’s source code, they will be able to push notifications using your service, to your users, through your app.
What I would suggest, is creating an intermediary server, that the your app posts to. This server then is the one that communicates with Ionic.io. Therefore your App ID and Private Key is secure.
This still poses a threat though, so you need to check if the request was made with Ajax before handling the content and pushing it to Ionic.io (this will stop people creating a server to submit, they will have to do it using Ajax aswell. You can also reply with a fake success if its not Ajax, the hacker would then believe it was successful).
You can also log the information, and IP of the user submitting it in a database of some sort, then if your app gets hacked, you then have the IP, and information to block from submitting push notifications.
Thanks again for your comments. I was able to successfully send a push notification through the Ionic.io dashboard today, tomorrow I will try your $http.post function and see if that works.
Regarding reading through the app’s source code—if the github repo is private and because the app is complied to a native build for iOS and released through the App Store, how would a person get to the source code? It’s not the same as a web browser where a person can open their console and inspector and see all of the code on the client.
This makes me think that perhaps an intermediary server is overkill for a developer who is making an app for a smaller audience.
You can never be too safe.
I’m not sure about IOS.
But with android, you can download an APK from the play store, export the compressed APK file, and view the HTML, JS, CSS source of the application.
I would suggest researching as to whether you can do this with IPA files in the App Store.
Unbeknownst to many PhoneGap/Cordova developers, the HTML/JavaScript/CSS assets that make up your mobile app are not compiled or otherwise obfuscated when the final app package is built. Unlike the true native bits of the app (i.e. the Cordova framework and custom plugins), which do get compiled into byte code, the core HTML5 assets exist, as they are delivered, inside the app package.
Regarding your example, just want to note for others reading this that instead of “user_ids”, which is for users registered through your Ionic Users service, you could use “tokens” to target device tokens.
Here is an example you could use.
$http.post(‘https://push.ionic.io/api/v1/push’, {
“user_ids”: [“Your”, “user”, “ids”],
“notification”: {
“alert”:“Hello World!”
}
}, {“headers” : {“X-Ionic-Application-Id”: “<APP_ID>”, “Authorization”: “Basic <PRIVATE_KEY>”}});
Hey guys,
thanks for your feedback so far!
I am actually using the exact code posted by @EffakT.
The security issue is probably a contra, but on the other hand - will it not be the same by using an intermediate server? There has to be an authentication somehow in either way, which would be accessible through the source code? Or how would it be safer to authenticate with the intermediate server instead of the ionic one?
If you authenticate in the frontend, the user has a possibility of finding all your authentication informtaion. Running it server side, your information is protected by the back end (its never displayed in code the user can find), Server Side also means you can log the hacker’s information. Although, you might run into CORS (Cross-Origin Resource Sharing) issues (I am unable to test this, so if anyone can shed light if Ionic.io blocks CORS).
If you look at my code in that post reply you will see that I send the Google Cloud Messaging ID along with device information … etc to my RESTful API … which is Firebase in your case. ( I use custom API written with NodeJS and ExpressJS). The RESTful API takes care of delivering the appropriate message to the appropriate user(s)
If you authenticate in the frontend, the user has a possibility of finding all your authentication informtaion. Running it server side, your information is protected by the back end (its never displayed in code the user can find), Server Side also means you can log the hacker’s information.
I think I’m still not getting the advantage
If I set up my own backend - doesn’t that mean I should also have some authentication between the device and this (my own) backend? As a result I will have authentication between the device and my backend and then my backend authenticates with the ionic push backend. Otherwise I will just expose my own backend to everybody?
