如何在 Ionic 4 应用程序中检查时间同步以防止用户时间欺骗/伪造? [英] How to check for time sync in Ionic 4 app to prevent time cheat/fake by user?

问题描述

我正在使用 Angular 在 Ionic 4 中开发一个应用程序，我正在使用 Firebase 使用 AngularFire 存储和检索数据.

I am developing an App in Ionic 4 using Angular and I am using Firebase to store and retrieve data using AngularFire.

我的应用程序显示从当前时间跨度超过两天的数据库中的事件列表，并提供注册事件的选项.应用程序中不显示过去开始时间和未来开始时间(从现在起 3 天以上)的事件.目前，我正在使用客户端的系统时间，但问题是用户可以将设备时间更改为过去以查看过去的所有事件，用户可以将时间更改为未来(从现在起 3 天以上)以查看所有即将发生的事件.

My App displays list of events from database that span over two days from current time and has an option for registering for events. Events that had start time in past and start time in future(3+ days from now) are not shown in the App. Currently, I am using client's system time but the problem with this is user can change device time to past to see all the events in the past and user can change the time to future(3+ days from now) to see all upcoming events.

我想到了使用 Firebase Server Time 使用

I thought of using Firebase Server Time using

firebase.firestore.FieldValue.serverTimestamp();

如此处所述 您如何获得来自 Firebase 的服务器时间.这很耗时，因为我应该执行两个操作:写入服务器的时间戳并读取它，然后将读取时间戳与过去时间的用户设备时间戳进行比较.而且，我无法使用这种方法检查未来的时间.

As mentioned on here How can you get the server time from Firebase. This is time consuming since, I should perform two operations : write the timestamp of server and read it then compare the read timestamp with user device timestamp for past time. And also, I cannot check for future time with this approach.

任何其他可以防止时间欺骗/伪造的方法?

Any other approaches that can prevent time cheat/fake?

推荐答案

如果你真的想阻止坏客户端访问他们不应该访问的数据，那么你需要使用 安全规则 来强制执行.这是让客户遵守您的规则的唯一方法.

If you really want to prevent bad clients from accessing data they ought not access, then you will need to use security rules to enforce that. This is the only way to make a client play by your rules.

例如，为了防止客户端读取任何早于当前时间的文档，您将时间戳存储为名为c"的集合中的名为timestamp"的字段:

For example to prevent clients from ever reading any document older than the current time, and you have a timestamp stored as a field called "timestamp" in the document in a collection called "c":

match /c/{id} {
    allow read: if resource.data.timestamp > request.time;
}

为了满足这个查询，客户端必须只查询时间戳 > firebase.firestore.FieldValue.serverTimestamp() 的文档.针对集合c"的所有其他查询都将失败并显示权限错误.

In order to satisfy this query, the client must only query for documents where timestamp is > firebase.firestore.FieldValue.serverTimestamp(). All other queries against the collection "c" will fail with a permission error.

如果没有严格的安全规则或一些后端代码强制执行您想要施加的约束，您应该假设客户端可以并且将会访问数据，而不管他们的时钟或您的代码是什么.

Without strict security rules or some backend code enforcing the constraints you want to impose, you should assume that client can and will get access to data, regardless of what their clock or your code says.

这篇关于如何在 Ionic 4 应用程序中检查时间同步以防止用户时间欺骗/伪造?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！