Firestore: Query clause where current date is less than due date doesn't work with rule that performs the same check

Question

I have a collection elements with documents that contain start date (timestamp data type) and end date (timestamp data type). If I want to get all elements which end date is greater than today, I do:

firebase.firestore().collection('elements').where('end', '>', new Date()).get();

This works perfectly. Now I want to add a rule with the same check on firestore, to prevent that a malicious user could perform this request with new Date() containing a past date and return expired documents.

I added the following rule to firestore:

match /elements/{document=**} {
  allow read: resource.data.end > request.time
}

Now all the queries return FirebaseError: Missing or insufficient permissions and I can't understand why. The query is requesting for all elements that end date is greater than today's date, and the rule is verifying that document's end date is greater than server time. In my mind this should work.

Answer 1

The problem is almost certainly that the client machine's clock does not match the Google server's clock. If the client clock is running even slightly faster than Google's clock, the rule will deny the query.

You could try adding some padding from the date to add a reasonable offset from the current time:

// add 10 seconds from current time so as not to undershoot the end
.where('end', '>', new Date(Date.now() + 10000))

While this might work OK for clients whose clocks are reasonably in sync with world standards, it could still fail if the client's clock is still way off.