如何在Ionic 4应用程序中检查时间同步，以防止用户作弊/伪造时间? [英] How to check for time sync in Ionic 4 app to prevent time cheat/fake by user?

问题描述

我正在使用Angular在Ionic 4中开发一个应用程序，并且正在使用Firebase通过AngularFire来存储和检索数据.

I am developing an App in Ionic 4 using Angular and I am using Firebase to store and retrieve data using AngularFire.

我的应用程序"显示从当前时间开始超过两天的数据库中的事件列表，并具有用于注册事件的选项.过去开始时间和将来开始时间(从现在开始超过3天)的事件不会显示在应用程序中.当前，我正在使用客户端的系统时间，但问题是用户可以将设备时间更改为过去以查看过去的所有事件，而用户可以将时间更改为将来(从现在开始3天以上)以查看所有即将发生的事件.

My App displays list of events from database that span over two days from current time and has an option for registering for events. Events that had start time in past and start time in future(3+ days from now) are not shown in the App. Currently, I am using client's system time but the problem with this is user can change device time to past to see all the events in the past and user can change the time to future(3+ days from now) to see all upcoming events.

我考虑过使用Firebase Server Time

I thought of using Firebase Server Time using

firebase.firestore.FieldValue.serverTimestamp();

如此处所述 Firebase服务器时间. 这很耗时，因为我应该执行两个操作:写入服务器的时间戳，然后读取它，然后将读取的时间戳与用户设备的时间戳进行比较.而且，我无法用这种方法检查将来的时间.

As mentioned on here How can you get the server time from Firebase. This is time consuming since, I should perform two operations : write the timestamp of server and read it then compare the read timestamp with user device timestamp for past time. And also, I cannot check for future time with this approach.

还有其他方法可以防止时间作弊吗?

Any other approaches that can prevent time cheat/fake?

推荐答案

如果您确实想阻止不良客户端访问他们不应该访问的数据，那么您将需要使用

If you really want to prevent bad clients from accessing data they ought not access, then you will need to use security rules to enforce that. This is the only way to make a client play by your rules.

例如，为了防止客户端读取比当前时间更早的任何文档，并且您将时间戳记存储在文档中的"timestamp"字段中，该文档集称为"c":

For example to prevent clients from ever reading any document older than the current time, and you have a timestamp stored as a field called "timestamp" in the document in a collection called "c":

match /c/{id} {
    allow read: if resource.data.timestamp > request.time;
}

为了满足此查询，客户端必须仅查询时间戳大于firebase.firestore.FieldValue.serverTimestamp()的文档.针对集合"c"的所有其他查询将失败，并显示权限错误.

In order to satisfy this query, the client must only query for documents where timestamp is > firebase.firestore.FieldValue.serverTimestamp(). All other queries against the collection "c" will fail with a permission error.

在没有严格的安全规则或某些后端代码强制执行您要施加的约束的情况下，您应该假定客户端可以并且将访问数据，而无论其时钟或您的代码说什么.

Without strict security rules or some backend code enforcing the constraints you want to impose, you should assume that client can and will get access to data, regardless of what their clock or your code says.

这篇关于如何在Ionic 4应用程序中检查时间同步，以防止用户作弊/伪造时间?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！