Question
I am developing an App in Ionic 4 using Angular and I am using Firebase to store and retrieve data using AngularFire.
My App displays a list of events from the database that span the two days following the current time, and it has an option for registering for events. Events whose start time is in the past, or in the future (3+ days from now), are not shown in the App. Currently I am using the client's system time, but the problem with this is that the user can change the device time to the past to see all past events, or change it to the future (3+ days from now) to see all upcoming events.
I thought of using the Firebase server time via

    firebase.firestore.FieldValue.serverTimestamp();

as mentioned here: How can you get the server time from Firebase. This is time consuming, since I would have to perform two operations: write the server timestamp, then read it back and compare it with the user's device timestamp to detect a past time. Also, I cannot check for a future time with this approach.
Are there any other approaches that can prevent time cheating/faking?
Answer 1:
If you really want to prevent bad clients from accessing data they ought not access, then you will need to use security rules to enforce that. This is the only way to make a client play by your rules.
For example, to prevent clients from ever reading any document older than the current time, where each document in a collection called "c" stores a timestamp in a field called "timestamp":

    match /c/{id} {
      allow read: if resource.data.timestamp > request.time;
    }
In order to satisfy this query, the client must only query for documents where timestamp is > firebase.firestore.FieldValue.serverTimestamp(). All other queries against the collection "c" will fail with a permission error.
Without strict security rules or some backend code enforcing the constraints you want to impose, you should assume that clients can and will get access to the data, regardless of what their clock or your code says.
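The same technique extended to the asker's window (start time after now, but no more than three days out) and to the registration write, as an added example that is not part of the answer; the collection name `events`, the field `startTime` and the `registrations` subcollection are assumed names. Because `request.time` is set by the server, the device clock never enters the decision; and because rules are not filters, a list query is denied as a whole unless its `where` bounds on `startTime` are at least as tight as the rule.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed collection: one document per event, with a Timestamp field `startTime`.
    match /events/{eventId} {
      // Readable only while the event lies in the visible window:
      //   server now < startTime < server now + 3 days
      // request.time is the server's evaluation time, so a skewed device clock
      // can neither reveal past events nor events more than 3 days out.
      allow read: if resource.data.startTime > request.time
                  && resource.data.startTime < request.time + duration.value(3, 'd');

      // Event documents are written by trusted backend code only.
      allow write: if false;

      // Assumed subcollection: one registration document per user, keyed by uid.
      match /registrations/{uid} {
        // A signed-in user may register themselves, and only while the parent
        // event is still in the same server-time window; get() reads the parent
        // so the check cannot be satisfied by fields the client supplies.
        allow create: if request.auth != null
                      && request.auth.uid == uid
                      && get(/databases/$(database)/documents/events/$(eventId)).data.startTime > request.time
                      && get(/databases/$(database)/documents/events/$(eventId)).data.startTime
                           < request.time + duration.value(3, 'd');

        // Users may read only their own registration.
        allow read: if request.auth != null && request.auth.uid == uid;
      }
    }
  }
}
```

Any query the client issues against `events` must carry matching `startTime` bounds derived from a trusted time source (for instance a value returned by a Cloud Function), otherwise the rule rejects the whole query rather than silently dropping the out-of-window documents.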
Source: https://stackoverflow.com/questions/60024385/how-to-check-for-time-sync-in-ionic-4-app-to-prevent-time-cheat-fake-by-user