Reputation: 3705
Firebase: Protect creation_date property of a document
I'm planning to use firebase, but I have security related question.
My documents have creation_date property and it is filled with ServerValue.TIMESTAMP when document created.
Can I be sure that user will not reverse engineer my webapp to somehow insert fake date? And protect this field from future edits.
Upvotes: 0
Views: 189
Answers (1)
Reputation: 599571
You can use the request.time variable in the security rules for validating the value of the timestamp. From the reference documentation:
The
timevariable contains a timestamp representing the current server time a request is being evaluated at. You can use this to provide time-based access to files, such as: only allowing files to be uploaded until a certain date, or only allowing files to be read up to an hour after they were uploaded.// Allow a read if the file was created less than one hour ago allow read: if request.time < resource.data.timeCreated + duration.value(1, 'h'); Many functions are provided to write rules using timestamps and durations.
Upvotes: 1
Related Questions
- Could I get 'creationTime' when I create a new document in Firestore (instead of using 'documentRef.get()' after creation and thus avoid that reading?
- Managing createdAt timestamp in Firestore
- Using a date as Firestore Document Id?
- Firebase: Store server timestamp when document created
- Timestamp validation Firestore
- Document creation timestamp (server-time) in Firestore
- Securing specific Document fields in Firestore
- Firebase firestore timestamp based security rules
- how to set my field in my document to be timestamp or null in security rules?
- Firestore security rule to prevent writing arbitrary fields in documents