How to pass android app token from the app to a php page? Laravel

I built an android application where it only displays a web login and register page.

I connected the application to firebase and I can successfully generate a token for each device.

Then, I created a test.php page where it sends a push notification to a single device rather than a group and it successfully pushed the notification.

<?php
define('API_ACCESS_KEY','xxxx');
 $fcmUrl = 'https://fcm.googleapis.com/fcm/send';
 $token='xxxxx';

    $notification = [
            'title' =>'xxxx',
            'body' => 'xxxx',
            'icon' =>'myIcon', 
            'sound' => 'mySound'
        ];
        $extraNotificationData = ["message" => $notification,"moredata" =>'dd'];

        $fcmNotification = [
            //'registration_ids' => $tokenList, //multple token array
            'to'        => $token, //single token
            'notification' => $notification,
            'data' => $extraNotificationData
        ];

        $headers = [
            'Authorization: key=' . API_ACCESS_KEY,
            'Content-Type: application/json'
        ];


        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL,$fcmUrl);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($fcmNotification));
        $result = curl_exec($ch);
        curl_close($ch);


        echo $result;

The problem is I can’t insert the token into my website database for each user since, logically, you can’t know to which user this token belongs to,

So, after user login or register — > PHP code gets the app token –> Insert into current user database.

How to let the PHP code gets the app token?

Answer

When a user logs in or registers within your android application, you have access to their user information from the Firebase Auth User Database and can retrieve their current ID Token as a signed JWT. You can send this ID Token back to your PHP server and use it to map the Firebase User with a user in your website’s database.

I think there are two general steps involved:

  1. Mapping a Firebase User to a user in your PHP backend
  2. Storing/Connecting the device token(s) in your backend

0. Making authenticated requests from your application to your PHP backend

  1. Sign in/Register on the user’s device
  2. Retrieve the user’s current ID token
  3. Use the ID token to authenticate requests from your application to your PHP backend
  4. Verify the ID token in your PHP backend (don’t skip this, it’s important to reject JWTs not sent by your application)

You now have access to the Firebase UID of the user by accessing the JWT’s sub claim.

1. Mapping a Firebase User to a user in your PHP backend

You should only need to do this once.

  1. Once verified, use the ID token to fetch the user’s account info
  2. Use the email from the account info and match it to a user in your PHP application’s website database.
  3. Store the Firebase UID as a property on your PHP application’s local user
  4. Next time you receive an ID token, you don’t need to fetch the account info anymore and can just search for a local user that has the Firebase UID

2. Storing/Assigning the device token(s) in your backend

  1. On the user’s device, retrieve the device token/registration token
  2. With an authenticated request, send the registration token back to your PHP backend.
  3. On the backend, you can use the Firebase UID from the ID token to find the local user and assign the device token to that user.

A Firebase Admin SDK can make the process on the backend side much easier (including sending the actual notifications). If you don’t have to use PHP, I’d recommend using one of the official Admin SDKs that Firebase provides.

If you’re stuck with PHP, there’s an unofficial PHP Admin SDK (Disclaimer: I’m the maintainer), but being unofficial, it will never have the same feature set and comfort as an official SDK supported and maintained by the Firebase team.

Either way – keep in mind that device tokens can expire or become otherwise invalid over time (for example, when a user uninstalls the app), so you should regularly check the stored device tokens if they are still valid.

I hope this helps, at least for the general idea 🤞