Timing and location of ID creation during push()

Question

The documentation for push led me to this little experiment:

var FB = new Firebase(MYURL);
var ref = FB.push({test: 'push'}, function() { console.log('callback completed'); });
console.log(ref.name());

I see that calling ref.name() immediately returns an ID even before the asynchronous callback is invoked. Does this mean that the ID is created on the client without consulting the server? I assume so, which raised a curiosity:

How would the server handle a conflict if two clients sent the same ID? Would the second overwrite the first?

I'm not assuming here that two clients would create clashing IDs, but rather that a malicious client might spoof an ID and overwrite existing records. Is this a valid concern I'll need to watch out for when configuring rules for the upcoming security?

More importantly, I'm very curious to understand how IDs are getting created so I can ensure I use them properly.

Answer 1

The ID's created by push are created at the time push is called. We do this so that you can have a very responsive client that doesn't have to wait for network latency, and also so your client can work in offline mode.

The ID generating algorithm is based on timestamp (so that the ID's remain in order) and a random suffix (there's a bit more to it than that, but that's the basics). The algorithm is designed so that no two non-malicious clients will ever choose the same key in our lifetimes (or even in millions of years).

Malicious clients could overwrite others' ID's if no security is enforced (though they would have a tough time guessing the IDs that were going to be generated by other clients beforehand), and yes you'll need to provide security protection to these locations if you want to prevent that. I don't think "push()" IDs have any unique security needs that the other locations don't though.