How do you use security rules to prevent a user from faking Firebase.ServerValue.TIMESTAMP?

My app requires a reliable timestamp value for the creation of new records. I'm using Firebase.ServerValue.TIMESTAMP to ensure this. Here's my code:

var ref = new Firebase("https://test-firebase-please-ignore.firebaseio.com/foo");
ref.set(Firebase.ServerValue.TIMESTAMP);

or in REST:

$ curl -X PUT -d '{"foo":{".sv":"timestamp"}}' \
  https://test-firebase-please-ignore.firebaseio.com/.json 

How do I prevent an abusive user from crafting a request that looks valid, but is actually a fake timestamp in the past or future? Here's code they might use:

var ref = new Firebase("https://test-firebase-please-ignore.firebaseio.com/foo");
ref.set(1408643272324); // A timestamp in the past
mimming asked Aug 21 '14 18:08


1 Answer

You can enforce this using a .validate rule and the now built in variable.

Here's a security rule that does this:

{
  "rules": {
    ".read": true,
    ".write": true,
    "foo": {
      ".validate": "newData.val() == now"
    }
  }
}

You can verify it using the REST API with these cURL commands. First, a negative case:

$ curl -X PUT -d '{"foo":"1408638610143"}' \
https://test-firebase-please-ignore.firebaseio.com/.json

{
  "error" : "Permission denied"
}

And then a positive case:

$ curl -X PUT -d '{"foo":{".sv":"timestamp"}}' \
https://test-firebase-please-ignore.firebaseio.com/.json

{"foo":1408638609500}
mimming answered Nov 15 '22 07:11
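The reason the rule above works is that the server substitutes its own clock value for every `{".sv":"timestamp"}` placeholder before it evaluates `.validate`, so `newData.val() == now` holds exactly for the placeholder and fails for any number the client picks itself. The following is an added example, not code from the question or answer: a small local model of that two-step process (resolve server values, then validate), plus an assumed extension of the same pattern for a `createdAt` field that must be the server time on creation and may not change afterwards. Nothing in it talks to Firebase; the rule expressions are mirrored as plain JavaScript predicates and the clock values are constructed.

```javascript
// Added example (not from the original post): a local model of how the
// Realtime Database server handles a write against
//   "foo": { ".validate": "newData.val() == now" }
// The server replaces every {".sv":"timestamp"} placeholder with its own
// clock value ("now") and only then evaluates the rule. Nothing here talks
// to Firebase; it shows why a client-chosen number is rejected while the
// placeholder is accepted.

// Rules as they would appear in the project's rules file. The "items"
// branch is an assumed extension of the answer's pattern: createdAt must be
// the server time when the record is created and must stay unchanged later.
const RULES_JSON = {
  rules: {
    foo: { ".validate": "newData.val() == now" },
    items: {
      $id: {
        createdAt: {
          ".validate":
            "(!data.exists() && newData.val() == now) || " +
            "(data.exists() && newData.val() == data.val())"
        }
      }
    }
  }
};

// Step 1: resolve server values, as the server does before rule evaluation.
function resolveServerValues(value, now) {
  if (value !== null && typeof value === 'object') {
    if (value['.sv'] === 'timestamp') return now;
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = resolveServerValues(v, now);
    return out;
  }
  return value;
}

// Step 2: the two .validate expressions from RULES_JSON, written as predicates.
// `data` is the existing value at the path (undefined when absent),
// `newData` is the resolved incoming value.
const validators = {
  foo: (data, newData, now) => newData === now,
  createdAt: (data, newData, now) =>
    (data === undefined && newData === now) ||
    (data !== undefined && newData === data),
};

// Simulate one write against one rule: returns { allowed, value }, where
// value is what the path holds after the write (unchanged when denied).
function simulateWrite(rule, existing, payload, now) {
  const resolved = resolveServerValues(payload, now);
  const allowed = validators[rule](existing, resolved, now);
  return { allowed, value: allowed ? resolved : existing };
}

// Constructed scenarios; NOW stands in for the server clock.
const NOW = 1408638609500;
const scenarios = {
  // client sends a literal timestamp from the past: denied
  fakePast:    simulateWrite('foo', undefined, 1408643272324, NOW),
  // client sends the placeholder: server substitutes NOW, rule holds
  placeholder: simulateWrite('foo', undefined, { '.sv': 'timestamp' }, NOW),
  // creating an item with the placeholder: allowed
  createItem:  simulateWrite('createdAt', undefined, { '.sv': 'timestamp' }, NOW),
  // later attempt to rewrite createdAt to a different value: denied
  rewriteItem: simulateWrite('createdAt', NOW, 1400000000000, NOW + 5000),
  // later write that leaves createdAt unchanged: allowed
  keepItem:    simulateWrite('createdAt', NOW, NOW, NOW + 5000),
};

console.log(JSON.stringify(scenarios, null, 2));
```

Because `now` is the server's clock at evaluation time, a client cannot pass the rule by guessing the timestamp: it would need to match the server's millisecond exactly. Note that the answer's rule still lets anyone with `.write` overwrite `foo` with a fresh server timestamp; if the value is meant to be a creation time that never changes, the `createdAt` form above (only equal to `now` when no data exists yet, otherwise equal to the existing value) is the usual way to express that.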