How to secure data using Firestore's rules.duration & rules.timestamp?

Question

JS / Node.js solution:

How to use Firestore's rules.duration and/or rules.timestamp or other Firestore rules to ensure that a document could be created daily?

Put another way, a user would create, for example a comment/remark/tweet, at most once daily? So how to enforce using Firestore security rules?

For instance, Monday (24 Dec 2018) I could write a new comment. Tuesday (25 Dec 2018) I could write another new comment. But if I were to write the 2nd new comments on Tuesday (25 Dec 2018) it would NOT allow.

The solution should be able to work for daily, weekly, monthly, or quarterly.

Answer 1

Security rules don't have a sense of time, other than the current moment in time that some access occurred, and other timestamps in other documents. So you will have to use timestamps in other documents to gate access.

The only way I can think of to achieve this is in conjunction with Cloud Functions. You could have a single document per user that acts as a write location for new post data. Rules on that document would check that the user is doing two things:

1. Writing the current time (servervalue timestamp) into a known field.
2. The current time is also not less than the allowed time since the last write of that field.

When the write is successful, a Cloud Function could trigger on that write, then copy the post data from other fields in that document into the final document where the post must live.

Or you could simplify things a bit, skip the security rules, and just have a Cloud Function that deletes incoming documents that don't satisfy your post frequency rules by querying for the most two recent posts from that user, and checking their timestamps.