feat: reject token if it's not valid

src/controllers/token/index.ts

@@ -1,6 +1,11 @@
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { env } from "hono/adapter";
+import mapKeys from "lodash.mapkeys";
 
+import { Case, changeStringCase } from "~/libs/changeStringCase";
+import type { AdminSdkCredentials } from "~/libs/fcm/getGoogleAuthToken";
+import { verifyFcmToken } from "~/libs/fcm/verifyFcmToken";
+import { readEnvVariable } from "~/libs/readEnvVariable";
 import { saveToken } from "~/models/token";
 import type { Env } from "~/types/env";
 import {
@@ -51,8 +56,20 @@ app.openapi(route, async (c) => {
     await c.req.json<typeof SaveTokenRequest._type>();
 
   try {
+    const isValidToken = await verifyFcmToken(
+      token,
+      mapKeys(
+        readEnvVariable<AdminSdkCredentials>(c.env, "ADMIN_SDK_JSON"),
+        (_, key) => changeStringCase(key, Case.snake_case, Case.camelCase),
+      ) as unknown as AdminSdkCredentials,
+    );
+    if (!isValidToken) {
+      return c.json(ErrorResponse, 401);
+    }
+
     await saveToken(env(c, "workerd"), deviceId, token, username);
   } catch (error) {
+    // when token already exists in the database
     if (
       error.code === "SQLITE_CONSTRAINT" &&
       error.message.includes("device_tokens.token")