How do you use security rules to prevent a user from faking Firebase.ServerValue.TIMESTAMP?
Problem description
My app requires a reliable timestamp value for the creation of new records. I'm using Firebase.ServerValue.TIMESTAMP to ensure this. Here's my code:
var ref = new Firebase("https://test-firebase-please-ignore.firebaseio.com/foo");
ref.set(Firebase.ServerValue.TIMESTAMP);
or in REST:
$ curl -X PUT -d '{"foo":{".sv":"timestamp"}}' \
https://test-firebase-please-ignore.firebaseio.com/.json
How do I prevent an abusive user from crafting a request that looks valid, but is actually a fake timestamp in the past or future? Here's code they might use:
var ref = new Firebase("https://test-firebase-please-ignore.firebaseio.com/foo");
ref.set(1408643272324); // A timestamp in the past
You can enforce this using a .validate rule and the now built-in variable.
Here's a security rule that does this:
{
  "rules": {
    ".read": true,
    ".write": true,
    "foo": {
      ".validate": "newData.val() == now"
    }
  }
}
You can verify it using the REST API with these cURL commands. First, a negative case:
$ curl -X PUT -d '{"foo":"1408638610143"}' \
https://test-firebase-please-ignore.firebaseio.com/.json
{
"error" : "Permission denied"
}
And then a positive case:
$ curl -X PUT -d '{"foo":{".sv":"timestamp"}}' \
https://test-firebase-please-ignore.firebaseio.com/.json
{"foo":1408638609500}
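As an added example (not from the answer and not Firebase's own code), the following JavaScript models the two server-side steps that make the rule work: the {".sv":"timestamp"} placeholder is resolved to the server clock first, and only then is "newData.val() == now" evaluated. resolveServerValues, validateFoo and putFoo are hypothetical names; the fixed server clock and the payloads are constructed to mirror the cURL cases above.

```javascript
// Added example, not from the answer and not Firebase's implementation.
// Models how the Realtime Database handles a PUT of {"foo": <payload>}
// under ".validate": "newData.val() == now". Names are hypothetical.

// Step 1: server-side resolution of ServerValue placeholders.
// A client can only send the placeholder; the server picks the number.
function resolveServerValues(value, now) {
  if (value !== null && typeof value === "object") {
    if (value[".sv"] === "timestamp") return now;
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = resolveServerValues(v, now);
    }
    return out;
  }
  return value;
}

// Step 2: the rule from the answer, evaluated on the resolved value.
// Rules compare type-strictly, so a string "1408638610143" fails too,
// and a number that is even one millisecond off fails.
function validateFoo(resolvedFoo, now) {
  return resolvedFoo === now;
}

// Full decision for one write at a given server time; the body follows
// the shape of the REST responses shown in the answer.
function putFoo(payload, now) {
  const resolved = resolveServerValues(payload, now);
  return validateFoo(resolved.foo, now)
    ? { ok: true, body: { foo: resolved.foo } }
    : { ok: false, body: { error: "Permission denied" } };
}

// Constructed sample run with a fixed server clock so results repeat.
const serverNow = 1408638609500;
const forgedLiteral = putFoo({ foo: "1408638610143" }, serverNow);  // rejected
const forgedGuess = putFoo({ foo: serverNow + 1 }, serverNow);      // rejected
const genuine = putFoo({ foo: { ".sv": "timestamp" } }, serverNow); // accepted
```

The rule is an equality check, not a proof of origin: a literal that happened to match the server's exact millisecond would pass, which is why clients should always send the placeholder rather than their own clock.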