For queued offline requests, when is request.time populated? At the time it is added to the local queue or at the time it hits the server?


Question

I'm writing validation rules around creating users in the database. The user db document includes a dateCreated field populated with a Firestore timestamp which is set on the client.

I want to allow user creation only if this dateCreated field is not some unreasonable value. (It should not be valid to create a user whose dateCreated field is for last year or last month.) I was thinking I'd verify this by comparison with request.time, perhaps as follows:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {

      // VALIDATE USER
      // Allow create if request is authenticated, and the uid and docId of the user being
      // created matches the auth uid
      allow create: if request.auth != null
        && request.auth.uid == request.resource.data.userId
        && request.auth.uid == request.resource.id
        // VALIDATE FIELDS
        // On create the incoming document is request.resource; resource is null
        && request.resource.data.keys().hasAny(["dateCreated"])
        && request.resource.data.dateCreated <= request.time
        && request.resource.data.dateCreated + duration.value(60, 'm') >= request.time;

    }
  }
}

But I want to allow offline use of the database.

So. Say someone is in airplane mode and performs an action that creates a user. My understanding is this creation request gets queued on the device automatically and, when they land and exit airplane mode, the queued request is sent to the server.

Will request.time be the time the person created the request on the device? Or will request.time be the time they landed several hours later, in which case the dateCreated will be several hours different from request.time so my security rule will not work?

Answer 1

Score: 1

It will be the time it hits the server as specified in the doc:

> When the request was received by the service.
>
> For Firestore write operations that include server-side timestamps,
> this time will be equal to the server timestamp.

You can also just verify it by yourself by making a request offline and getting back online 5 minutes later.

Why would you need a timestamp created on the client btw? Wouldn't it be better to use the server time with the built-in server timestamp function?
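
The behaviour described in the answer, as an added example that is not part of the original question or answer. It is a small JavaScript model, not Firestore code; `SERVER_TS`, `evaluate`, `windowRule` and `equalityRule` are hypothetical names, and the timeline is constructed. It evaluates the question's 60-minute window rule and a `dateCreated == request.time` rule with `request.time` taken at server receipt.

```javascript
// Added example: a model of rule evaluation, not Firestore's own code.
// SERVER_TS stands in for the client SDK's serverTimestamp() sentinel (hypothetical name).
const SERVER_TS = Symbol('serverTimestamp');
const MIN = 60 * 1000;

// The question's rule: dateCreated <= request.time <= dateCreated + 60 minutes.
const windowRule = (data, requestTime) =>
  data.dateCreated <= requestTime && data.dateCreated + 60 * MIN >= requestTime;

// Server-timestamp rule: the field must equal request.time exactly.
const equalityRule = (data, requestTime) => data.dateCreated === requestTime;

// request.time is when the service receives the write, not when it was queued.
// A sentinel field is resolved to that same instant before the rule reads it.
function evaluate(rule, queuedData, serverReceiveTime) {
  const data = {};
  for (const [key, value] of Object.entries(queuedData)) {
    data[key] = value === SERVER_TS ? serverReceiveTime : value;
  }
  return rule(data, serverReceiveTime);
}

// Constructed timeline: write queued in airplane mode, flushed five hours later.
const queuedAt = Date.UTC(2023, 2, 3, 12, 0, 0);
const flushedAt = queuedAt + 5 * 60 * MIN;

function runScenarios() {
  const clientStamped = { userId: 'u1', dateCreated: queuedAt };
  const serverStamped = { userId: 'u1', dateCreated: SERVER_TS };
  const backdated = { userId: 'u1', dateCreated: queuedAt - 365 * 24 * 60 * MIN };
  return {
    // Client clock value is five hours stale on arrival: outside the window.
    offlineClientWindow: evaluate(windowRule, clientStamped, flushedAt),
    // Same write sent while online, received two seconds later: inside the window.
    onlineClientWindow: evaluate(windowRule, clientStamped, queuedAt + 2000),
    // Sentinel resolves at receipt, so queue delay is irrelevant to either rule.
    offlineServerWindow: evaluate(windowRule, serverStamped, flushedAt),
    offlineServerEquality: evaluate(equalityRule, serverStamped, flushedAt),
    // Any client-chosen value, stale or backdated, fails the equality rule.
    offlineClientEquality: evaluate(equalityRule, clientStamped, flushedAt),
    backdatedEquality: evaluate(equalityRule, backdated, flushedAt),
  };
}

console.log(runScenarios());
```

In actual security rules the equality check is written `request.resource.data.dateCreated == request.time`, with the client writing the field through the SDK's server timestamp function.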

Posted by huangapple on March 4, 2023, 03:32:40
Link to this article: https://go.coder-hub.com/75631197.html