Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Firestore Security Rules: request.time "undefined on object"

I'm trying to create a Security Rule based upon request.time as given in an example on AngularFirebase website.

My function is

function isThrottled() {
    return request.time < resource.data.lastUpdate + duration.value(1, 'm')
}

Where I'm trying to allow update: if isThrottled() == false

However, when I try to update a document with this rule, it fails due to time being not defined on the object.

Error: simulator.rules line [169], column [12]. Property time is undefined on object.

Shouldn't every request have a time or TimeStamp attached to it? Is this something to do with how I'm initializing my Cloud Functions or client app?

Screenshots below:

enter image description here enter image description here

EDIT

A snippet for the rest of the update security rules are:

service cloud.firestore {
  match /databases/{db}/documents {
    match /users/{userId} {
      match /username/{id} {
        allow update: if isSelf(userId)
                      && usernameAvailable(incomingData().username)
                      && incomingData().username is string
                      && incomingData().username.size() <= 25
                      && incomingFields().size() == 1
                      && isThrottled() == false;
      }
    }

    function incomingData() {
      return request.resource.data
    }
    function isThrottled() {
        return request.time < resource.data.lastUpdate + duration.value(1, 'm')
        }
    function incomingFields() {
        return incomingData().keys()
    }
    function isSelf(userId) {
        return userId == currentUser().uid;
    }
    function usernameAvailable(username) {
        return !exists(/databases/$(db)/documents/usernames/$(username));
    }


  }
}

The username collection is a subcollection under each user document (in the users root collection. Each username document only has 1 field called username that users can update).

like image 230
siefix Avatar asked Aug 21 '18 00:08

siefix


1 Answers

This might not be useful for your case in particular, but I had the same error when checking a custom claim on the token object.

Before accessing the field you can use in to check whether the property exists on the object. This code generates the error if agent is not defined:

allow write: if request.auth != null && request.auth.token.agent == true;

This code works fine if agent is not defined:

allow write: if request.auth != null && "agent" in request.auth.token && request.auth.token.agent == true;
like image 60
crysxd Avatar answered Oct 21 '22 13:10

crysxd