Add a SHA1 hash header to the FCM request

Auth/fcm_receiver.py

@@ -29,12 +29,18 @@ def __init__(self):
         api_key = "AIzaSyD_gko3P392v6how2H7UpdeXQ0v2HLettc"
         message_sender_id = "289722593072"
 
+        # APK signing certificate SHA1
+        android_cert_sha1 = "38918a453d07199354f8b19af05ec6562ced5788"
+        bundle_id = "com.google.android.apps.adm"
+
         fcm_config = FcmRegisterConfig(
             project_id=project_id,
             app_id=app_id,
             api_key=api_key,
             messaging_sender_id=message_sender_id,
-            bundle_id="com.google.android.apps.adm",
+            bundle_id=bundle_id,
+            android_package=bundle_id,
+            android_cert_sha1=android_cert_sha1
         )
 
         self.credentials = get_cached_value('fcm_credentials')

Auth/firebase_messaging/fcmregister.py

@@ -79,11 +79,20 @@ class FcmRegisterConfig:
     persistend_ids: list[str] | None = None
     heartbeat_interval_ms: int = 5 * 60 * 1000  # 5 mins
 
+    android_package: str | None = None
+    android_cert_sha1: str | None = None
+
     def __postinit__(self) -> None:
         if self.persistend_ids is None:
             self.persistend_ids = []
 
 
+def _normalize_sha1_fingerprint(v: str) -> str:
+    h = v.replace(":", "").replace(" ", "").strip().lower()
+    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
+        raise ValueError(f"Invalid SHA-1 fingerprint: {v!r}")
+    return h
+
 class FcmRegister:
     CLIENT_TIMEOUT = ClientTimeout(total=100)
 
@@ -285,6 +294,12 @@ async def gcm_register(
             _logger.error(errorstr)
         return None
 
+    def _add_android_restriction_headers(self, headers: dict[str, str]) -> None:
+        if self.config.android_package and self.config.android_cert_sha1:
+            headers["X-Android-Package"] = self.config.android_package
+            headers["X-Android-Cert"] = _normalize_sha1_fingerprint(self.config.android_cert_sha1)
+
+
     async def fcm_install_and_register(
         self, gcm_data: dict[str, Any], keys: dict[str, Any]
     ) -> dict[str, Any] | None:
@@ -309,6 +324,7 @@ async def fcm_install(self) -> dict | None:
             "x-firebase-client": hb_header,
             "x-goog-api-key": self.config.api_key,
         }
+        self._add_android_restriction_headers(headers) 
         payload = {
             "appId": self.config.app_id,
             "authVersion": AUTH_VERSION,
@@ -353,6 +369,7 @@ async def fcm_refresh_install_token(self) -> dict | None:
             "x-firebase-client": hb_header,
             "x-goog-api-key": self.config.api_key,
         }
+        self._add_android_restriction_headers(headers)
         payload = {
             "installation": {
                 "sdkVersion": SDK_VERSION,
@@ -417,6 +434,7 @@ async def fcm_register(
             "x-goog-api-key": self.config.api_key,
             "x-goog-firebase-installations-auth": installation["token"],
         }
+        self._add_android_restriction_headers(headers)
         # If vapid_key is the default do not send it here or it will error
         vapid_key = (
             self.config.vapid_key