🛂 Fix authorization while mapping APNS tokens to FCM #1002
Merged
+15
−9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We had already turned on debug logging for the "remind" case acf6864 so that we can more easily debug errors It looks like we have had multiple issues with FCM deprecation/migrations recently and this will be helpful until the APIs stabilize.
FCM is doubling down on the "I'm going to change my API and break everything" approach. We made one round of fixes in: e-mission/e-mission-docs#1094 (comment) at which time the mapping to convert APNS tokens to FCM was working However, in the ~ 2 months since, that has also regressed, and we are now getting a 401 error with the old code. The new requirements include: - using an OAuth2 token instead of the server API key - passing in `"access_token_auth": "true"` as a header We already use an OAuth2 token to log in and actually send the messages ``` DEBUG:google.auth.transport.requests:Making request: POST https://oauth2.googleapis.com/token DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): oauth2.googleapis.com:443 DEBUG:urllib3.connectionpool:https://oauth2.googleapis.com:443 "POST /token HTTP/1.1" 200 None DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): fcm.googleapis.com:443 ``` So it seems like it would be best to just reuse it for this call as well. However, that token is retrieved from within the pyfcm library and is not easily exposed outside the library. Instead of retrieving the token, this change retrieves the entire authorization header. This header includes the token, but is also formatted correctly with the `Bearer` prefix and is accessible through the `requests_session` property. With this change, the mapping is successful and both silent and visible push notification are sent to iOS phones. Before the change: ``` DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): iid.googleapis.com:443 DEBUG:urllib3.connectionpool:https://iid.googleapis.com:443 "POST /iid/v1:batchImport HTTP/1.1" 401 None DEBUG:root:Response = <Response [401]> Received invalid result for batch starting at = 0 after mapping iOS tokens, imported 0 -> processed 0 ``` After the change ``` DEBUG:root:Reading existing headers from current session {'User-Agent': 'python-requests/2.28.2', 'Accept-Encoding': 'gzip, deflate, br', 'Accept': '*/*', 'Connection': 'keep-alive', 'Content-Type': 'application/json', 'Authorization': 'Bearer ...'} DEBUG:root:About to send message {'application': 'gov.nrel.cims.openpath', 'sandbox': False, 'apns_tokens': [.... DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): iid.googleapis.com:443 DEBUG:urllib3.connectionpool:https://iid.googleapis.com:443 "POST /iid/v1:batchImport HTTP/1.1" 200 None DEBUG:root:Response = <Response [200]> DEBUG:root:Found firebase mapping from ... at index 0 DEBUG:root:Found firebase mapping from ... at index 1 DEBUG:root:Found firebase mapping from ... at index 2 ... ``` Visible push ``` ... s see if the fix actually worked" -e nrelop_open-access_default_1hITb1CUmGT4iNqUgnifhDreySbQUrtP WARNING:root:Push configured for app gov.nrel.cims.openpath using platform firebase with token AAAAsojuOg... of length 152 after mapping iOS tokens, imported 0 -> processed 0 combo token map has 1 ios entries and 0 android entries {'success': 0, 'failure': 0, 'results': {}} Successfully sent to cK0jHHKUjS... {'success': 1, 'failure': 0, 'results': {'cK0jHHKUjS': 'projects/nrel-openpath/messages/1734384976007500'}} ```
|
@JGreenlee @Abby-Wheelis for visibility before I merge this |
|
Verified on staging Plan to push to production in a day or two |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
FCM is doubling down on the "I'm going to change my API and break everything" approach. We made one round of fixes in: e-mission/e-mission-docs#1094 (comment)
at which time the mapping to convert APNS tokens to FCM was working
However, in the ~ 2 months since, that has also regressed, and we are now getting a 401 error with the old code.
The new requirements include:
"access_token_auth": "true"as a headerhttps://developers.google.com/instance-id/reference/server
The current headers don't match these requirements
We already use an OAuth2 token to log in and actually send the messages
So it seems like it would be best to just reuse it for this call as well. However, that token is retrieved from within the pyfcm library and is not easily exposed outside the library.
The token is retrieved using in `_get_access_token`
which is called automatically in `requests_session`
However, the
requests_sessiononly caches a property on when the token expires, it does not cache the token itself.It does cache the headers and update them periodically, so instead of retrieving the token, this change retrieves the entire authorization header. This header includes the token, but is also formatted correctly with the
Bearerprefix, so we can use it directly.With this change, the mapping is successful and both silent and visible push notification are sent to iOS phones.
Please see testing details in
400f9fa