firebase / firebase-admin-go

Firebase Admin Go SDK
Apache License 2.0

Issues discovered during troubleshooting "http error status: 403; reason: sender id does not match regisration token; code: mismatched-credential; details: The caller does not have permission" with Firebase support #398

Closed chiangGlu closed 4 years ago

chiangGlu commented 4 years ago

[READ] Step 1: Are you in the right place?

[REQUIRED] Step 3: Describe the problem

Problems noticed during ongoing support interactions:

  1. FCM Push Notifications work on one node and not the next (the troubleshooting issue), using the same service and call
  2. Support Tech discovered error messages due to FCM Push Notification started to show up on July 26th, 2020 in another environment, with the "same" configuration, but we have received FCM Push Notification from

Steps to reproduce:

Currently cannot reproduce, but the error causes us to pause before the issue is resolved.

What happened? How can we make the problem occur?

Not sure what is different with the GKE pods, since they should be set up exactly the same. Troubleshooting is a bit hard since it is hard to test all dynamically generated pods and identify which pod the error is from.

This could be a description, log/console output, etc.

Error returned to us, which we display:

http error status: 403; reason: sender id does not match regisration token; code: mismatched-credential; details: The caller does not have permission

Relevant Code:

```go
response, err := svc.firebaseClient.SendAll(ctx, batch)
...
for _, r := range response.Responses {
	if !r.Success {
		svc.logger.Error("error sending push message", zap.Error(r.Error), zap.String("message_id", r.MessageID))
	}
}
```

// TODO(you): code here to reproduce the problem

n/a

hiranya911 commented 4 years ago

This error generally means the target registration token doesn't belong to the same Firebase project as the one the sender (i.e. the Go SDK) is authorized as: https://firebase.google.com/docs/reference/admin/error-handling#firebase-cloud-messaging

In other words, your sender code is authorized for project A, but it's attempting to send notifications to a device token from project B.
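
A startup check that makes the project A / project B mismatch described in this thread visible per pod. This is an added example, not code from the thread or from the SDK. It assumes the sender credential is a service account key file (which carries `project_id` and `client_email`); `checkSenderProject`, `sampleKey` and the project names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// credentialInfo holds the fields of a service account key file that
// identify which Firebase/GCP project the sender is authorized for.
type credentialInfo struct {
	ProjectID   string `json:"project_id"`
	ClientEmail string `json:"client_email"`
}

// checkSenderProject parses service account JSON and returns an error when
// its project_id differs from the project the device tokens were issued for.
func checkSenderProject(keyJSON []byte, wantProject string) (credentialInfo, error) {
	var info credentialInfo
	if err := json.Unmarshal(keyJSON, &info); err != nil {
		return info, fmt.Errorf("parse service account key: %w", err)
	}
	if info.ProjectID == "" {
		return info, fmt.Errorf("service account key has no project_id")
	}
	if info.ProjectID != wantProject {
		return info, fmt.Errorf("sender authorized for project %q, tokens belong to %q",
			info.ProjectID, wantProject)
	}
	return info, nil
}

// Constructed sample key (no private key material), for illustration only.
const sampleKey = `{"type":"service_account","project_id":"example-project-b",
"client_email":"fcm-sender@example-project-b.iam.gserviceaccount.com"}`

func main() {
	host, _ := os.Hostname() // in Kubernetes this is the pod name by default
	info, err := checkSenderProject([]byte(sampleKey), "example-project-a")
	if err != nil {
		// Log the pod and sender identity so the misconfigured pod can be found.
		fmt.Printf("pod=%s sender=%s: %v\n", host, info.ClientEmail, err)
		return
	}
	fmt.Printf("pod=%s sender=%s project=%s OK\n", host, info.ClientEmail, info.ProjectID)
}
```

Logging the result once at startup on every pod gives a record of which pods loaded a credential for the wrong project, without needing to reproduce a failed send.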