{
  "padlock": {
    "open": 1432206070000
  },
  "boxes": [
    {"owner": "bob", "amount": 23},
    {"owner": "luca", "amount": 13},
    {"owner": "louise", "amount": 4},
    {"owner": "anna", "amount": 34}
  ]
}

{
  "rules": {
    "boxes": {
      ".read": "auth !== null",
      ".write": "auth !== null && root.child('padlock').child('open').val() > now - 15000"
    }
  }
}
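Reading and writing boxes is only available to authenticated users. Box values can be modified only if the padlock was opened less than 15 seconds ago. To open the padlock for 15 seconds, just update the value with the current time.

How can the padlock be protected with a second, simple authentication layer (like a client password)?

Is using a privileged worker the only way? The web client securely sends the pincode to the privileged worker. The worker checks the code and updates the open timestamp. A security rule is added so that only the worker has exclusive access to 'open'.

Any ideas?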
Answer 0 (score: 0)

I think I found a solution that uses only security rules.
DATA
{
  "boxes" : [
    {"amount" : 23},
    {"amount" : 11},
    {"amount" : 34},
    {"amount" : 3}
  ],
  "key" : {
    "oldPassword" : "xxxxxxx",
    "password" : "xxxxxxx"
  },
  "lock" : {
    "password" : "xxxxxxx",
    "open" : 1432292525055
  }
}
RULES
{
  "rules": {
    "key": {
      // nobody can read the key
      ".read": false,
      // only people who know the key can change it
      // if no key exists you can still create it
      ".write": "data.child('password').val() === newData.child('oldPassword').val() || !data.exists()",
      // password (string) must exist and be different from the old one
      ".validate": "newData.child('password').isString() && newData.child('oldPassword').isString() && newData.child('password').val() !== newData.child('oldPassword').val()"
    },
    "lock": {
      // nobody can read the lock
      ".read": false,
      // only people knowing the key can create the lock
      // to prevent partial write (without the password), only create and delete are authorized (no data update)
      ".write": "(!data.exists() && root.child('key').child('password').val() === newData.child('password').val()) || !newData.exists()",
      // open is the creation time
      ".validate": "newData.child('open').val() === now"
    },
    "boxes": {
      ".read": "true",
      // write only allowed for 15 sec after the lock is open
      ".write": "root.child('lock').child('open').val() > now - 15000"
    }
  }
}
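
The answer's lock and boxes rules, modelled as plain JavaScript functions so the 15-second window can be exercised offline. This is an added example, not code from the question or the answer and not the Firebase rules engine; the function names, the constructed passwords and the assumption that the boxes rule reads its timestamp from lock/open are introduced here.

```javascript
// Model of the answer's /lock and /boxes rules as plain functions.
// Not the Firebase rules engine; `now` is passed in so time can be simulated.
const WINDOW_MS = 15000;

// /lock ".write" + ".validate": create with the key password, or delete.
function canWriteLock(db, newLock, now) {
  if (newLock === null) return true;   // delete is open to anyone, .validate is skipped
  if (db.lock) return false;           // existing lock cannot be updated in place
  if (!db.key || db.key.password !== newLock.password) return false;
  return newLock.open === now;         // timestamp must be the server's `now`
}

// /boxes ".write": the lock must have been created less than 15 s ago.
// Assumption: the rule reads lock/open, the node the answer's DATA defines.
function canWriteBoxes(db, now) {
  return Boolean(db.lock) && db.lock.open > now - WINDOW_MS;
}

// Apply a lock write only if the rules model allows it.
function writeLock(db, newLock, now) {
  if (!canWriteLock(db, newLock, now)) return false;
  if (newLock === null) delete db.lock; else db.lock = newLock;
  return true;
}

// Walk through one open/expire/reopen cycle on constructed data.
function demo() {
  const t0 = 1432292525055;            // constructed clock value
  const pin = 'constructed-pin';       // constructed password
  const db = { key: { oldPassword: 'constructed-old', password: pin } };
  const later = t0 + 20000;
  return {
    beforeOpen: canWriteBoxes(db, t0),
    wrongPin: writeLock(db, { password: 'guess', open: t0 }, t0),
    backdated: writeLock(db, { password: pin, open: t0 - 1 }, t0),
    opened: writeLock(db, { password: pin, open: t0 }, t0),
    insideWindow: canWriteBoxes(db, t0 + 5000),
    atExpiry: canWriteBoxes(db, t0 + WINDOW_MS),
    reopenInPlace: writeLock(db, { password: pin, open: later }, later),
    deleted: writeLock(db, null, later),
    reopened: writeLock(db, { password: pin, open: later }, later),
    afterReopen: canWriteBoxes(db, later + 1000),
  };
}

console.log(demo());
```

Reopening requires deleting the existing lock first, since the rule rejects in-place updates, and that delete is not tied to the password.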