How to work with "web-push" and "fcm-push" node packages simultaneously?

Question

I've been trying to set up a web push notification server/client architecture using Firebase Cloud Messaging and some node packages. After going through multiple tutorials, I'm really confused.

I tried the "web-push" node package but it requires gcm-key and as Google announced, GCM is shifting to FCM now. So, I looked upon another package called "fcm-push" but it doesn't support VAPID. I'm not even sure about why is VAPID needed separately. So, I'll just put up some direct questions here-

• Why are there two separate keys, i.e., for GCM/FCM and VAPID?
• Once I get the subscription keys from the client to the server, do I need to store those in a database? Is there any other method that can be used to save them?
• It looks like "fcm-push" package doesn't support VAPID keys and it's documentation only mentions it for iOS and Android.
• On the other hand, "web-push" package doesn't support FCM.

So, should I use both the packages simultaneously? And if yes, then on what package should I rely to do which function?

Answer 1

Why are there two separate keys, i.e., for GCM/FCM and VAPID?

GCM/FCM api keys are a legacy, non-standard method for authentication. For new projects you should use VAPID, which is a standard, automatic way of authenticating your web app with the push service (e.g. FCM, Mozilla autopush).

Basically with VAPID you associate a public key to the endpoint when you subscribe the user to push notifications. Then, when you want to send notifications to that endpoint, you must sign your message with the private key.

I work at Pushpad and we have migrated from GCM/FCM api keys to VAPID some months ago. Now Pushpad supports VAPID out of the box: this means that if you use Pushpad you don't need to configure VAPID manually because all the configuration for VAPID happens automatically. I strongly recommend to check it out.

Once I get the subscription keys from the client to the server, do I need to store those in a database? Is there any other method that can be used to save them?

Probably you are confusing two different kinds of keys:

• VAPID key pair: you generate it once on your server; then you associate the public key to all the endpoints when you subscribe users to web push notifications using Javascript; you keep the private key on your server and you use it to sign the notifications that you send
• keys used to sign the notification payload: these keys are different for each client and you need to store them on your server together with the endpoint; you only need these keys if you send a payload; otherwise you can just send a signal and then the service worker is responsible for downloading the unread notifications from your own application server

It looks like "fcm-push" package doesn't support VAPID keys and it's documentation only mentions it for iOS and Android.

FCM is also used for sending push notifications to native apps, but VAPID is a standard only for web push. Probably that gem is meant to be used with native apps and not with web push.

On the other hand, "web-push" package doesn't support FCM.

Yes, because you need to use VAPID, which is the standard. FCM supports VAPID too.

Note: as mentioned in other answers, the "web-push" package probably supports FCM too - however I wouldn't recommend to use FCM api keys for new projects (use VAPID, which is the IETF standard!)

you said that I need to associate the VAPID public key to all the endpoints when I subscribe users. What do you exactly mean by associating it?

You can read more about VAPID in these articles:

• Sending VAPID identified WebPush Notifications via Mozilla’s Push Service
• Web Push Interoperability Wins

Answer 2

web-push does support VAPID and FCM. It supports GCM too if you provide a GCM API key for older Chrome versions and browsers such as Opera and Samsung Internet Browser, but it isn't required, it is optional.