I'm implementing the approach of registering the device in the Azure Notification Hub via the backend as stated here: https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-registration-management#registration-management-from-a-backend . My application is a non-authenticated app that may subscribe to push notifications to certain events.
I would like to validate whether a registration ID / Instance ID / handle is legit so that I don't keep registering in Azure Notification Hub fake device ids. I was looking at the Firebase Admin SDK: https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-registration-management#registration-management-from-a-backend to see if they offer any kind of option to double-check if a specific token exists / is valid but all I found has to do with JWT / OAuth tokens.
I was thinking of implementing rate limiting, but that does not solve the potential issue. Captcha is simply not a solution for this use case, and the only option I thought of was email validation, so that I would have to "request" the user's email upon app installation for that, or sending a "test push notification" to verify, but that can increase costs in the scenario of a DDoS/flood attack, for instance.
Is there any other way to verify the authenticity of the device Id that I can double check from the backend?
UPDATE
Apparently you can use the Firebase Admin SDK in a way so that you can send "test" messages to a device using the "dry-run" mode of the send message: https://firebase.google.com/docs/reference/fcm/rest/v1/projects.messages/send
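
The dry-run check mentioned in the update, sketched as an added example (not part of the original post, and not code from Firebase or Azure): the backend sends the token to the FCM HTTP v1 `messages:send` endpoint with `validate_only` set, and registers it in the hub only if FCM accepts it. The `send` transport callable, `should_register`, and the sample responses are assumptions constructed for illustration.

```python
import json

FCM_SEND_URL = "https://fcm.googleapis.com/v1/projects/{project_id}/messages:send"

# Error codes that describe the token itself rather than the backend or the service.
TOKEN_ERRORS = {"UNREGISTERED", "NOT_FOUND", "INVALID_ARGUMENT", "SENDER_ID_MISMATCH"}

def build_dry_run_request(project_id, token, access_token):
    """Return (url, headers, body) for a validate_only send; nothing is delivered."""
    body = json.dumps({"validate_only": True, "message": {"token": token}})
    headers = {"Authorization": "Bearer " + access_token,
               "Content-Type": "application/json"}
    return FCM_SEND_URL.format(project_id=project_id), headers, body.encode()

def classify_fcm_response(status, body):
    """Map an FCM v1 response to 'valid', 'invalid' or 'retry'."""
    if status == 200:
        return "valid"
    try:
        error = json.loads(body)["error"]
        codes = {d.get("errorCode") for d in error.get("details", [])}
        codes.add(error.get("status"))
    except (ValueError, KeyError, TypeError, AttributeError):
        return "retry"  # not a JSON error body, e.g. a proxy error page
    # Auth failures, quota (429) and 5xx say nothing about the token,
    # so they must not cause a genuine device to be rejected.
    return "invalid" if codes & TOKEN_ERRORS else "retry"

def should_register(project_id, token, access_token, send):
    """Gate for the registration endpoint.

    `send` is a hypothetical callable(url, headers, body) -> (status, text)
    wrapping whatever HTTP client the backend uses.
    """
    url, headers, body = build_dry_run_request(project_id, token, access_token)
    return classify_fcm_response(*send(url, headers, body)) == "valid"

# Constructed sample responses (not captured from a real project).
SAMPLE_OK = (200, '{"name": "projects/demo/messages/fake_message_id"}')
SAMPLE_UNREGISTERED = (404, json.dumps({"error": {
    "code": 404, "status": "NOT_FOUND", "message": "Requested entity was not found.",
    "details": [{"@type": "type.googleapis.com/google.firebase.fcm.v1.FcmError",
                 "errorCode": "UNREGISTERED"}]}}))
SAMPLE_QUOTA = (429, json.dumps({"error": {
    "code": 429, "status": "RESOURCE_EXHAUSTED",
    "details": [{"errorCode": "QUOTA_EXCEEDED"}]}}))

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_UNREGISTERED, SAMPLE_QUOTA):
        print(sample[0], classify_fcm_response(*sample))
```

A "valid" verdict only means FCM recognises the token for this project, so rate limiting on the registration endpoint still applies.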