Firebase Firestore update time field security issue

I am developing a simple chat website using Firebase Firestore. And it obvious to store the message time .

Now the thing is that document is added from client side. So malcius user can add document with fake time. Is there any way avoid the scenario.

I have tried using cloud functions but it's taking too long lo send message..

edited Dec 2 '18 at 23:26

asked Nov 25 '18 at 23:39

Sankeerth

216

add a comment |

I am developing a simple chat website using Firebase Firestore. And it obvious to store the message time .

Now the thing is that document is added from client side. So malcius user can add document with fake time. Is there any way avoid the scenario.

I have tried using cloud functions but it's taking too long lo send message..

edited Dec 2 '18 at 23:26

asked Nov 25 '18 at 23:39

Sankeerth

216

add a comment |

I am developing a simple chat website using Firebase Firestore. And it obvious to store the message time .

Now the thing is that document is added from client side. So malcius user can add document with fake time. Is there any way avoid the scenario.

I have tried using cloud functions but it's taking too long lo send message..

edited Dec 2 '18 at 23:26

asked Nov 25 '18 at 23:39

Sankeerth

216

I am developing a simple chat website using Firebase Firestore. And it obvious to store the message time .

Now the thing is that document is added from client side. So malcius user can add document with fake time. Is there any way avoid the scenario.

I have tried using cloud functions but it's taking too long lo send message..

firebase web google-cloud-firestore

edited Dec 2 '18 at 23:26

asked Nov 25 '18 at 23:39

Sankeerth

216

edited Dec 2 '18 at 23:26

asked Nov 25 '18 at 23:39

Sankeerth

216

edited Dec 2 '18 at 23:26

asked Nov 25 '18 at 23:39

Sankeerth

216

asked Nov 25 '18 at 23:39

Sankeerth

216

asked Nov 25 '18 at 23:39

Sankeerth

216

add a comment |

1 Answer
1

active

oldest

votes

You want to set the message time property to equal Firebase Server timestamp which on submit will set it on the creation of the message using request.time you can validate it equals now.

Security Rules

allow create: if request.resource.data.messageTime == request.time && 

              // other rules for the message body

Client side JS code

const message = {

    text: 'Hello',

    messageTime: firebase.firestore.FieldValue.serverTimestamp();

}

answered Nov 25 '18 at 23:56

Jack Woodward

62149

add a comment |

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53473108%2ffirebase-firestore-update-time-field-security-issue%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

You want to set the message time property to equal Firebase Server timestamp which on submit will set it on the creation of the message using request.time you can validate it equals now.

Security Rules

allow create: if request.resource.data.messageTime == request.time && 

              // other rules for the message body

Client side JS code

const message = {

    text: 'Hello',

    messageTime: firebase.firestore.FieldValue.serverTimestamp();

}

answered Nov 25 '18 at 23:56

Jack Woodward

62149

add a comment |

You want to set the message time property to equal Firebase Server timestamp which on submit will set it on the creation of the message using request.time you can validate it equals now.

Security Rules

allow create: if request.resource.data.messageTime == request.time && 

              // other rules for the message body

Client side JS code

const message = {

    text: 'Hello',

    messageTime: firebase.firestore.FieldValue.serverTimestamp();

}

answered Nov 25 '18 at 23:56

Jack Woodward

62149

add a comment |

You want to set the message time property to equal Firebase Server timestamp which on submit will set it on the creation of the message using request.time you can validate it equals now.

Security Rules

allow create: if request.resource.data.messageTime == request.time && 

              // other rules for the message body

Client side JS code

const message = {

    text: 'Hello',

    messageTime: firebase.firestore.FieldValue.serverTimestamp();

}

answered Nov 25 '18 at 23:56

Jack Woodward

62149

You want to set the message time property to equal Firebase Server timestamp which on submit will set it on the creation of the message using request.time you can validate it equals now.

Security Rules

allow create: if request.resource.data.messageTime == request.time && 

              // other rules for the message body

Client side JS code

const message = {

    text: 'Hello',

    messageTime: firebase.firestore.FieldValue.serverTimestamp();

}

answered Nov 25 '18 at 23:56

Jack Woodward

62149

answered Nov 25 '18 at 23:56

Jack Woodward

62149

answered Nov 25 '18 at 23:56

Jack Woodward

62149

answered Nov 25 '18 at 23:56

Jack Woodward

62149

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Btukfyl