如何使用安全规则防止用户伪造Firebase.ServerValue.TIMESTAMP？ [英] How do you use security rules to prevent a user from faking Firebase.ServerValue.TIMESTAMP?

问题描述

我的应用程序需要一个可靠的时间戳值来创建新的记录。我正在使用Firebase.ServerValue.TIMESTAMP来确保这一点。这里是我的代码：

  var ref = new Firebase（https://test-firebase-please-ignore.firebaseio.com / foo的）; 
 ref.set（Firebase.ServerValue.TIMESTAMP）; 
  

或在REST中：

  $ curl -X PUT -d'{foo：{。sv：timestamp}}'\ 
 https：// test-firebase-please-ignore。 firebaseio.com/.json 
  

如何防止滥用用户制作看起来合法的请求，但实际上是过去或未来的假时间戳？这里是他们可能使用的代码：

  var ref = new Firebase（https：//test-firebase-please-ignore.firebaseio .com / foo）; 
 ref.set（1408643272324）; //过去的时间戳
  

解决方案

您可以使用 .validate 规则和 now 建立在变量中。

这是一个安全规则这：

  {
rules：{
.read：true，
.write：true，
foo：{
.validate：newData.val（）== now

} 
 } 
  

您可以使用REST API和这些cURL命令来验证它。 / p>

  $ curl -X PUT -d'{foo：140863 8610143}'\ 
 https://test-firebase-please-ignore.firebaseio.com/.json 
 
 {
error：Permission denied
} 
  

然后是正面的情况：

  $ curl -X PUT -d'{foo：{。sv：timestamp}}'\ 
 https：// test- firebase-please-ignore.firebaseio.com/.json 
 
 {foo：1408638609500} 
  

My app requires a reliable timestamp value for the creation of new records. I'm using Firebase.ServerValue.TIMESTAMP to ensure this. Here's my code:

var ref = new Firebase("https://test-firebase-please-ignore.firebaseio.com/foo");
ref.set(Firebase.ServerValue.TIMESTAMP);

or in REST:

$ curl -X PUT -d '{"foo":{".sv":"timestamp"}}' \
  https://test-firebase-please-ignore.firebaseio.com/.json 

How do I prevent an abusive user from crafting a request that looks valid, but is actually a fake timestamp in the past or future? Here's code they might use:

var ref = new Firebase("https://test-firebase-please-ignore.firebaseio.com/foo);
ref.set(1408643272324); //A timestamp in the past

解决方案

You can enforce this using a .validate rule and the now built in variable.

Here's a security rule that does this:

{
    "rules": {
        ".read": true,
        ".write": true,
        "foo" : {
          ".validate": "newData.val() == now"
          }
    }
}

You can verify it using the REST API with these cURL commands. First, a negative case:

$ curl -X PUT -d '{"foo":"1408638610143"}' \
https://test-firebase-please-ignore.firebaseio.com/.json

{
  "error" : "Permission denied"
}

And then a positive case:

$  curl -X PUT -d '{"foo":{".sv":"timestamp"}}' \
https://test-firebase-please-ignore.firebaseio.com/.json

{"foo":1408638609500}

这篇关于如何使用安全规则防止用户伪造Firebase.ServerValue.TIMESTAMP？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！