[Tunnelbroker] invalidate bad FCM tokens
ClosedPublic
Actions

Authored by kamil on Jul 31 2024, 2:49 AM.

Details

Reviewers

bartek
marcin
tomek

Commits

rCOMM91f7b442cbb2: [Tunnelbroker] invalidate bad FCM tokens

Summary

ENG-8498.
ENG-8824.

Keyserver code is here and here.

This is implemented according to the Detect invalid token responses from the FCM backend section in the Firebase docs.

Unfortunately, for INVALID_ARGUMENT there are no detailed docs of how the error might look like, the only information is a description of each ErrorCode. This is a common issue with Firebase, see e.g. here.

We had two options:

Invalidate token for all INVALID_ARGUMENT errors - this error could be caused by multiple things e.g., a badly created HTTP request can invalidate the token.
Check if the error has a message about an invalid registration token (this is a bit experimental).

The returned error looks like this:

{
  "error": {
    "code": 400,
    "message": "The registration token is not a valid FCM registration token",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.firebase.fcm.v1.FcmError",
        "errorCode": "INVALID_ARGUMENT"
      }
    ]
  }
}

Based on what node SDK is doing on a keyserver this approach is basically the same, so I implemented option 2 but I am open for changing this.

Depends on D12946

Test Plan

Manually malform device token for Android in DDB, try sending notif to this device and verify that flag was flipped and the message was sent to the device (both online and offline device).

Diff Detail

Repository

rCOMM Comm

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kamil created this revision.Jul 31 2024, 2:49 AM

kamil held this revision as a draft.

Herald added subscribers: tomek, ashoat. · View Herald TranscriptJul 31 2024, 2:49 AM

kamil edited the summary of this revision. (Show Details)Jul 31 2024, 2:50 AM

Harbormaster failed remote builds in B30830: Diff 42988!Jul 31 2024, 2:53 AM

kamil published this revision for review.Jul 31 2024, 2:59 AM

kamil edited the summary of this revision. (Show Details)

kamil added a reviewer: tomek.

Harbormaster completed remote builds in B30830: Diff 42988.Jul 31 2024, 3:08 AM

update to option 1

Harbormaster completed remote builds in B30834: Diff 42992.Jul 31 2024, 4:45 AM

About option 1 vs option 2: I think it is much worse if we have a false-negative token invalidation than a false-positive.
False-positive means that we think that a token is invalid when it is valid. In this case, we would ask a client to send a new token. If we have a good validation of notifications on Tunnelbroker, then it is unlikely to cause serious issues.
False-negative means that we think that a token is valid when it isn't. We won't be able to send any notif and don't have a way of recovering from it.

In D12951#366176, @tomek wrote:

About option 1 vs option 2: I think it is much worse if we have a false-negative token invalidation than a false-positive.
False-positive means that we think that a token is invalid when it is valid. In this case, we would ask a client to send a new token. If we have a good validation of notifications on Tunnelbroker, then it is unlikely to cause serious issues.
False-negative means that we think that a token is valid when it isn't. We won't be able to send any notif and don't have a way of recovering from it.

Makes sense, updated to option 1

bartek accepted this revision.Jul 31 2024, 5:56 AM

bartek added inline comments.

services/tunnelbroker/src/websockets/session.rs
500–516 ↗	(On Diff #42992)	Not sure what is more readable

This revision is now accepted and ready to land.Jul 31 2024, 5:56 AM

rebase before landing

services/tunnelbroker/src/websockets/session.rs
500–516 ↗	(On Diff #42992)	This does not work, we try to execute something like `Result<_, fcm::error::Error> \| Result<_, fcm::error::Error>` which is not correct