Amazon SNS - how to know that app has been uninstalled? - amazon-web-services

I am new on Amazon SNS.
I have apps that are using APNS and GCM through Amazon SNS.
So every time a user installs my app, I would register them into GCM or APNS.
I wanted to know when my app has been uninstalled so that I can remove them in my database and they won't be sent a push notification.
I read somewhere about Apple Feedback Services and GCM returning NOTREGISTERED, but explanations are very unclear to me like where can I get these services and responses?
Any help is greatly appreciated!
Thanks.

Based on this blog, in order to push mobile notifications to an app using SNS, that app’s token needs to be first registered with SNS using the CreatePlatformEndpoint API method.
The best practice presented below creates a working, current, enabled endpoint in a wide variety of starting conditions. This approach works whether this is a first time the app is being registered or not, whether or not the PlatformEndpoint for this app already exists, and whether or not the endpoint is enabled or disabled, or has the correct token, and so on. The approach is also idempotent. It is safe to run it multiple times in a row and it will not create duplicate PlatformEndpoints or alter an existing PlatformEndpoint if it is already up to date and enabled.
retrieve the latest token from the mobile OS
if (endpoint arn not stored)
    # first time registration
    call CreatePlatformEndpoint
    store returned endpoint arn
endif
call GetEndpointAttributes on the endpoint arn
if (getting attributes encountered NotFound exception)
    # endpoint was deleted
    call CreatePlatformEndpoint
    store returned endpoint arn
else
    if (token in endpoint does not match latest) or
       (GetEndpointAttributes shows endpoint as disabled)
        call SetEndpointAttributes to set the
        latest token and enable the endpoint
    endif
endif
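
The registration flow above, written out in Python as an added example (not code from the quoted blog or from AWS). The method and attribute names follow the boto3 SNS client; `FakeSNS`, `register_endpoint` and the ARN strings are constructed for this example so that it runs offline.

```python
class FakeSNS:
    """Constructed in-memory stand-in for boto3.client('sns'); not AWS code."""
    class exceptions:
        class NotFoundException(Exception):
            pass

    def __init__(self):
        self.endpoints = {}

    def create_platform_endpoint(self, PlatformApplicationArn, Token):
        for arn, attrs in self.endpoints.items():
            if attrs["Token"] == Token:          # same token: same endpoint
                return {"EndpointArn": arn}
        arn = f"{PlatformApplicationArn}/endpoint-{len(self.endpoints) + 1}"
        self.endpoints[arn] = {"Token": Token, "Enabled": "true"}
        return {"EndpointArn": arn}

    def get_endpoint_attributes(self, EndpointArn):
        if EndpointArn not in self.endpoints:
            raise self.exceptions.NotFoundException(EndpointArn)
        return {"Attributes": dict(self.endpoints[EndpointArn])}

    def set_endpoint_attributes(self, EndpointArn, Attributes):
        self.endpoints[EndpointArn].update(Attributes)


def register_endpoint(sns, app_arn, token, stored_arn=None):
    """Return (endpoint_arn, action); the endpoint ends up enabled with `token`."""
    def create():
        return sns.create_platform_endpoint(
            PlatformApplicationArn=app_arn, Token=token)["EndpointArn"]

    action = "unchanged"
    if stored_arn is None:                       # first time registration
        stored_arn, action = create(), "created"
    try:
        attrs = sns.get_endpoint_attributes(EndpointArn=stored_arn)["Attributes"]
    except sns.exceptions.NotFoundException:     # endpoint was deleted
        return create(), "recreated"
    if attrs.get("Token") != token or attrs.get("Enabled", "").lower() != "true":
        sns.set_endpoint_attributes(             # stale token or disabled
            EndpointArn=stored_arn,
            Attributes={"Token": token, "Enabled": "true"})
        return stored_arn, "updated"
    return stored_arn, action
```

With a real client, pass `boto3.client("sns")` as `sns` and persist the returned ARN wherever the app stores it.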

Related

Why unsubscribed Application token can be used to access WSO2 APIM endpoint?

There is an API hosted in WSO2 APIM 4.1.0 and there are two different App subscribed to that API.
Before Unsubscribe:
I just unsubscribed one of the Apps to delete the API subscription by following the WSO2 doc
After Unsubscribe:
After unsubscribing, I am able to invoke the WSO2 API by using the unsubscribed Application token
It should now allow that unsubscribed app to invoke API. OR correct me if my understanding is wrong.
Postman :
Note: In above API Hit, I passed unsubscribed APP token as Authorization
In your case, you should not be able to invoke the API without a proper subscription. Although the token is valid, you should get a 403 HTTP code saying subscription validation has failed.
You can check whether the events are propagated successfully to your gateway node from the control plane node. This is basically when you have a distributed setup. If you have a HA setup, verify both nodes are working properly when it comes to event distribution.
Are you using the GA release of APIM 4.1.0? If so, this could be a bug that was fixed later through U2 updates. When an application subscription is deleted, any API invocations done using the tokens of that application should fail due to subscription validation with an error similar to the one below with a 403 HTTP code.
{"code":"900908","message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}
If you have a paid WSO2 subscription, please try this scenario by taking the latest U2 updated/patched version of APIM 4.1.0 by referring to this.
I tried the GA APIM 4.1.0 and this use case worked as expected. Shall we verify the subscription delete event flow in the API gateway by enabling debug logs for gateway and keymanagement components?
Add the following configurations in the <APIM_HOME>/repository/logs/log4j2.properties
logger.gateway-component.name = org.wso2.carbon.apimgt.gateway
logger.gateway-component.level = DEBUG
logger.keymgt-component.name = org.wso2.carbon.apimgt.keymgt
logger.keymgt-component.level = DEBUG
Make sure to add the newly created loggers as below.
loggers = gateway-component,keymgt-component, AUDIT_LOG, trace-messages, org-apache-coyote, ....
With these, subscribe and unsubscribe events should be displayed in the terminal. You can use them to verify the event flow.

Handling "Missing Authentication Token" after setting up AWS Lambda with API Gateway

Here are the exact steps I just followed to set up a Lambda function behind an API Gateway.
1. Select blueprint
2. Add trigger
3. Configure
4. Create Role
5. Create Function
6. Congrats
7. Deploy API
However, when I visit the endpoint:
https://hq1hf4tmlf.execute-api.us-west-2.amazonaws.com/prod/myLambda
I get the following error:
{
    "message": "Missing Authentication Token"
}
The error you are getting is because the API key isn't included when you invoke the API through the URL alone.
With the way you currently have it set up, you would need to use something like python's requests package to call the API and invoke the lambda:
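import requests

# Placeholders: substitute your own API key and invoke URL.
YOUR_API_KEY = "<your-api-key>"
YOUR_API_URL = "<your-api-url>"
headers = {'x-api-key': YOUR_API_KEY}  # API Gateway reads the key from this header
response = requests.get(YOUR_API_URL, headers=headers)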
Or, you could go back into your API's configuration (under Your API/Resources/API Call/Method Request) and disable use of your API key for that call, but that is a very insecure option.
You may want to check if you have a web security service or web filtering proxy installed on your device that might be stripping off JWT/auth tokens from requests going out of your work/home network. I had the same problem where I was getting the “Missing Authentication token” error while trying to create a lambda function on my work laptop. After struggling for a few hours, I switched to my personal laptop and was able to create the lambda function successfully on the first attempt. I then tried again on my work laptop with Fiddler turned on and noticed that even though the auth credentials were set up properly in my outbound request, I was still getting “x-amzn-ErrorType: MissingAuthenticationTokenException” from AWS in the response. I turned off the web security proxy service on my work laptop and I was able to create Lambda functions successfully. Hope it helps.

GCP - Verify ownership of a cloud function https endpoint for a PubSub push

Pretty sure there's no way to do this but would be great to reach out to see if anyone else has any ideas.
What I'm trying to do is this:
I have 2 microservices hosted on Google Cloud Platform as cloud functions
My first microservice does stuff and fires a PubSub message with topic [x]
I'd like to set my second microservice up as a push subscriber to the topic [x]. I know I can do this by deploying the 2nd cloud function with a subscription trigger but I don't want to do this as there's no decent way to acknowledge/reject the message (see this post: Google Cloud Functions to only Ack Pub/Sub on success).
Therefore I've deployed my 2nd function as having a HTTP trigger. I've then tried to configure the push subscription in the GCP console to this endpoint URL. Of course, this isn't working because the https://[cloud-subdomain].cloudfunctions.net/ isn't a verified domain.
I guess it's just not possible to do what I'm trying to and instead need to create my 2nd microservice in app engine or elsewhere where I can verify a domain.
Thanks in advance!
Site Verification using HTML tag method
Not just domain registrar based verification, you can verify your site using any of the methods listed here. I agree most of these will not work with Cloud Functions, but it is possible to get HTML Tag based verification working in a matter of minutes with Cloud functions.
You will need to add the given meta attribute in the HTML response just before the body attribute.
Example:
<meta name="google-site-verification" content="VERIFICATION_TAG" />
Also, Google verifies the domain periodically (even after initial success) and hence you will have to continue returning this response as long as you want to have the URL verified.
How long does verification last?
Google periodically checks if your verification is valid in a way
appropriate to your verification method (for example, by checking for
the presence of an HTML tag on your site). If verification can no
longer be confirmed, your permissions on that property will expire
after a certain grace period.
Implement retry mechanism within your Cloud function
This is the same as the option explained in the other answer you linked, and IMO simpler. Take currentRetryAttempt as one parameter of the request and increment this value every time you queue up a retry request recursively back to the same function when you're timing out. You will need to check currentRetryAttempt against a maxRetriesAllowed value before queuing up a new retry request.
It does not impose any restrictions on the responses from your Cloud function unlike the previous option.
I published a detailed description of how to send messages from a pubsub topic in project A to a cloud function in project B. Including push endpoint configuration, domain verification and a python code example. This can be found in the following stackoverflow post:
Google pubsub into HTTP triggered cloud function?
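
An added example (not code from either answer or from the linked post) of an HTTP-triggered function that serves the verification tag on GET and accepts Pub/Sub push deliveries on POST, where a 2xx status acknowledges the message and any other status causes redelivery. `pubsub_push` and `process` are hypothetical names, `VERIFICATION_TAG` is the placeholder from the answer above, and `request` is assumed to be the Flask request object that Python Cloud Functions receive.

```python
import base64

VERIFICATION_TAG = "VERIFICATION_TAG"  # placeholder; use the value Google issues

VERIFY_PAGE = (
    "<html><head>"
    f'<meta name="google-site-verification" content="{VERIFICATION_TAG}" />'
    "</head><body></body></html>"
)


def process(payload: bytes, attributes: dict) -> None:
    """Hypothetical business logic; raise to have the message redelivered."""
    if not payload:
        raise ValueError("empty payload")


def pubsub_push(request):
    """Entry point; returns (body, status, headers) as Flask accepts."""
    if request.method == "GET":
        # Keep serving the tag: verification is re-checked periodically.
        return VERIFY_PAGE, 200, {"Content-Type": "text/html"}
    if request.method != "POST":
        return "method not allowed", 405, {}
    envelope = request.get_json(silent=True) or {}
    message = envelope.get("message")
    if not isinstance(message, dict):
        return "malformed push envelope", 400, {}
    try:
        # Push deliveries carry the payload base64-encoded in message.data.
        payload = base64.b64decode(message.get("data", ""), validate=True)
        process(payload, message.get("attributes") or {})
    except Exception:
        return "processing failed", 500, {}   # non-2xx: Pub/Sub redelivers
    return "", 204, {}                        # 2xx: message acknowledged
```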

Amazon SNS: "Platform credentials are invalid" when re-entering a GCM API key that previously worked

We have been using Amazon SNS to send Android push notifications since April this year.
Pushes have sent with no problem, however there has never been any record of calls to the Cloud Messaging API in the Cloud Console (seems odd?).
Today I created a new API key for the Static Map service (unrelated) and renamed our Cloud Messaging API key (only the name, the key is the same). From this point no pushes have been sent, and trying to create a new platform application (or update the existing one) in AWS results in:
Invalid parameter: Attributes Reason: Platform credentials are invalid (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID:)
I have also tried manually making calls to the https://gcm-http.googleapis.com/gcm/send endpoint using the key which results in Unauthorized (401).
Interestingly, I can make calls to the above endpoint using the key I created today, however they fail on MismatchSenderId.
I can't see a lot of the previous options that the Cloud Console had (server / browser keys, etc) within the API Manager?
For those who are facing this in 2017, here goes a tip:
1 - Go to your firebase console (https://console.firebase.google.com/) click on your project (which you want to use for push notifications)
2 - Click on the "three dots" on the right side of your project name and click on "Settings"
3 - Click on "CLOUD MESSAGING" on the header tabs
4 - Copy the "Server Key" (this one is bigger than your API key)
5 - Paste on the "API Key" input of the AWS Form for "Create platform application"
PS: Note that this is valid only for GCM Push Notifications.
API Key management for GCM has been moved to Firebase Console.
You can create a new Firebase Project (or import an existing cloud project) and you should obtain a new Server Key for Cloud Messaging.
See the updated documentation:
https://developers.google.com/cloud-messaging/android/client#create-an-api-project
and the stack overflow question: Where can I find the API KEY for Firebase Cloud Messaging?
If you still have problems please contact:
https://firebase.google.com/support/contact/troubleshooting
I have been getting the same error when creating Amazon SNS platform application:
Invalid parameter: Attributes Reason: Platform credentials are invalid (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID:)
After reaching out to the Firebase support as suggested by Diego, this is the response I got from Google:
Hope you're doing well and thanks for reaching out to us.
I'm not really familiar with Amazon SNS and looks like their integration is still with GCM, not FCM. If your app implementation is still GCM, then you need to migrate with FCM in order to use the server key in the console. See the instructions here.
Also, Firebase has upgraded the server keys to a new version. We'd recommend to use the server key instead of the legacy server key.
I hope this helps. Let me know if you have any other concerns. Thank you.
This indicates that we'll have to change our app code. We were able to make this work for another app in our organization by creating a new firebase project and using the Legacy server key with Amazon SNS.
At some point we'll definitely upgrade to using FCM but at the moment we have a tight deadline.
Update:
So finally what worked for us is using the 'Server Key' under Project Settings --> Cloud Messaging. The app still uses the GCM implementation. Amazon SNS is happy with this key and generated a GCM platform push application. The pushes work!
Still confused about why the 'Legacy Server Key' does not work for one app but is ok for the other. But I am not digging into it any further.
For those starting a new project and wondering why it is still invalid, make sure the application Key restriction is set to Android apps. In my case, it was only set to None and when I switched to Android apps, it worked 5 to 10 minutes after updating it. You'll need to add your package name and SHA-1 certificate fingerprint.

Confusion migrating Parse push to AWS SNS

I am a little confused about this migration path, as described in a recent aws blog post, and its aftermath:
It seems like quite a bit of trouble to have to rely on all my users to update in a timely fashion so that GCMSenderIDs can be attached to my existing parse data along with modified/valid device tokens.
Also, what happens to new installations after the migration is complete? In the guide it says no changes need to be made to client side code, but doesn't this require that the SNS sdk is installed so that new installations can be added to the client list?
Considering all this, wouldn't it make a lot more sense to simply forget about the old parse data and just push a client/app update that works solely with SNS and reregister all the devices that way? Why go through all the trouble to integrate with Parse when we are getting rid of it anyways?
AllTheTime,
Your existing Android user push tokens on Parse.com will no longer be valid after January 28, 2017 as Parse owns the API Server Key associated with the Sender ID that was granted the token. If you wish to reach those existing users via Push Notifications after January, you must update the existing Parse.com client app with your own Sender ID and have the app generate a new registration Id (token) associated with your Sender ID. There is no other way for you to convert the existing tokens over to SNS or any other 3rd party.
The SNS SDK is not required for the migration but it would make sense to integrate the SNS SDK when you update the app to retrieve new tokens using your Sender ID. At the time of token registration, the app can update the Parse.com database with the newly issued token AND also create a new Platform Endpoint with SNS.
As for post Parse Push migration and handling the new app installations, my suggestion is to build an after-save “webhook” on the _Installation class on Parse.com. The “webhook” would trigger any http endpoint when a row is created or updated in the _Installation class. The hook could trigger an API Gateway http endpoint that takes the newly generated or updated token and creates a new SNS platform endpoint. At this point, if you haven’t fully migrated from Parse.com, you can either publish to those tokens via Parse.com or SNS. By the time Jan 28, 2017 rolls around, nearly all your existing users would have launched the updated app and generated a new token or they no longer use your app.
Starting over with just SNS is another option but if you need to reach any of the users who have not updated the app then you would need to continue sending push notifications through Parse.com for those legacy users who have not updated the app AND you would then continue to send push notifications via SNS to those new app installs.
I hope this clarifies the migration for you.
Check out my other SO post regarding the Parse.com GCM Sender ID:
How to migrate off Parse to different SENDER_ID
-Dennis