Firebase Firestore update time field security issue
I am developing a simple chat website using Firebase Firestore. And it is obvious to store the message time.
Now the thing is that the document is added from the client side. So a malicious user can add a document with a fake time. Is there any way to avoid the scenario?
I have tried using Cloud Functions, but it's taking too long to send the message.
firebase web google-cloud-firestore
asked Nov 25 '18 at 23:39 by Sankeerth, edited Dec 2 '18 at 23:26
1 Answer
You want to set the message time property to equal the Firebase server timestamp, which on submit will set it on the creation of the message. Using request.time, you can validate that it equals now.
Security Rules

    // Accept the create only if messageTime is the server's own request time
    allow create: if request.resource.data.messageTime == request.time;
    // append further conditions with && for the message body

Client side JS code

    // serverTimestamp() is a sentinel that the server replaces with its own time on write
    const message = {
      text: 'Hello',
      messageTime: firebase.firestore.FieldValue.serverTimestamp()
    };
answered Nov 25 '18 at 23:56 by Jack Woodward
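An offline model of the check described in the answer above, added here as an example (it is not code from the answer or from Firebase). It shows why a client-chosen time fails the `request.time` comparison while the server-timestamp sentinel passes. The names `SERVER_TIMESTAMP` and `evaluateWrite`, and the extra update rule that keeps `messageTime` unchanged after creation, are assumptions made for illustration.

```javascript
// Constructed model for illustration, NOT the Firebase SDK or the rules engine.
// Rules being modelled:
//   allow create: if request.resource.data.messageTime == request.time;
//   allow update: if request.resource.data.messageTime == resource.data.messageTime; // assumed extra rule

// Hypothetical stand-in for firebase.firestore.FieldValue.serverTimestamp()
const SERVER_TIMESTAMP = Symbol('serverTimestamp');

// The server swaps the sentinel for its own clock before the rules are evaluated.
function resolveSentinels(data, requestTime) {
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    out[key] = value === SERVER_TIMESTAMP ? requestTime : value;
  }
  return out;
}

// existing === null models a create; otherwise an update of the stored document.
function evaluateWrite(existing, incoming, requestTime) {
  // request.resource.data is the document as it would look after the write
  const after = { ...(existing || {}), ...resolveSentinels(incoming, requestTime) };
  const t = after.messageTime;
  // create: must equal the server's request time; update: must equal the stored value
  const expected = existing === null ? requestTime : existing.messageTime;
  const allowed = t instanceof Date && t.getTime() === expected.getTime();
  return { allowed, stored: allowed ? after : existing };
}

// Constructed sample requests
const now = new Date('2018-11-25T23:56:00Z');
const later = new Date(now.getTime() + 60000);
const honest = evaluateWrite(null, { text: 'Hello', messageTime: SERVER_TIMESTAMP }, now);
const forged = evaluateWrite(null, { text: 'Hello', messageTime: new Date('2001-01-01T00:00:00Z') }, now);
const edit = evaluateWrite(honest.stored, { text: 'Hi' }, later);
const restamp = evaluateWrite(honest.stored, { text: 'Hi', messageTime: SERVER_TIMESTAMP }, later);

console.log({
  honest: honest.allowed,   // sentinel resolved to request.time
  forged: forged.allowed,   // client-supplied time differs from request.time
  edit: edit.allowed,       // text changed, stored time untouched
  restamp: restamp.allowed, // attempt to replace the stored time
});
```

With only the create rule in place, a permissive update rule would still let the stored time be overwritten, which is what the assumed update condition in the model guards against.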