英文:
For queued offline requests, when is request.time populated? At the time it is added to the local queue or at the time it hits the server?
问题
I'm writing validation rules around creating users in the database. The user db document includes a dateCreated field populated with a firestore timestamp which is set on the client.
I want to allow user creation only if this dateCreated field is not some unreasonable value. (It should not be valid to create a user whose dateCreated field is for last year or last month.) I was thinking I'd verify this by comparison with request.time, perhaps as follows:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
// VALIDATE USER
// Allow create if request is authenticated, and the uid and docId of the user being
// created matches the auth uid
allow create: if request.auth != null
&& request.auth.uid == request.resource.data.userId
&& request.auth.uid == request.resource.id
// VALIDATE FIELDS
&& request.resource.data.keys().hasAny(["dateCreated"])
&& resource.data.dateCreated <= request.time
&& resource.data.dateCreated + duration.value(60, 'm') >= request.time;
}
}
But I want to allow offline use of the database.
So. Say someone is in airplane mode and performs an action that creates a user. My understanding is this creation request gets queued on the device automatically and, when they land and exit airplane mode, the queued request is sent to the server.
Will request.time be the time the person created the request on the device? Or will request.time be the time they landed several hours later, in which case the dateCreated will be several hours different from request.time so my security rule will not work?
英文:
I'm writing validation rules around creating users in the database. The user db document includes a dateCreated field populated with a firestore timestamp which is set on the client.
I want to allow user creation only if this dateCreated field is not some unreasonable value. (It should not be valid to create a user whose dateCreated field is for last year or last month.) I was thinking I'd verify this by comparison with request.time, perhaps as follows:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
// VALIDATE USER
// Allow create if request is authenticated, and the uid and docId of the user being
// created matches the auth uid
allow create: if request.auth != null
&& request.auth.uid == request.resource.data.userId
&& request.auth.uid == request.resource.id
// VALIDATE FIELDS
&& request.resource.data.keys().hasAny(["dateCreated"])
&& resource.data.dateCreated <= request.time
&& resource.data.dateCreated + duration.value(60, 'm') >= request.time;
}
}
But I want to allow offline use of the database.
So. Say someone is in airplane mode and performs an action that creates a user. My understanding is this creation request gets queued on the device automatically and, when they land and exit airplane mode, the queued request is sent to the server.
Will request.time be the time the person created the request on the device? Or will request.time be the time they landed several hours later, in which case the dateCreated will be several hours different from request.time so my security rule will not work?
答案1
得分: 1
会是如文档中指定的服务器时间:
当请求被服务端接收时。
对于包括服务器端时间戳的Firestore写入操作,这个时间将等同于服务器时间。
你也可以通过离线发出请求,然后在5分钟后再次在线验证它。
顺便问一下,为什么需要在客户端创建时间戳呢?使用内置的服务器时间戳功能不是更好吗?
英文:
It will be the time it hits the server as specified in the doc:
> When the request was received by the service.
>
> For Firestore write operations that include server-side timestamps,
> this time will be equal to the server timestamp.
You can also just verify it by yourself by making a request offline and getting back online 5mins later.
Why would you need a timestamp created on the client btw? Wouldn't it be better to use the server time with the built-in server timestamp function?
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论