Tom

Reputation: 4033

Correct approach to protect Firestore/Firebase from spam

I'm currently developing a Website using Firestore. The project includes different categories, where each category contains several products as documents.

As for now, I'm planning when and where I want to fetch the products and their details. For me, the best approach seems to be to fetch the respective data as soon as the user selects the category. Let's say I have 10 products inside this category; as a consequence, 10 documents are fetched (as far as I know).

What I'm wondering is, how can I protect my database from spam? Let's say the user stays on the category's page and reloads 100 times; this would mean 100 * 10 documents would be fetched. Since every fetched document costs money in the end, that could lead to a tremendous bill.

How can I prevent this from happening? Is there even a way to do so or do I have to choose a totally different approach (Firebase Realtime Database?)?

Upvotes: 1

Views: 958

Answers (1)

Doug Stevenson

Reputation: 317740

Once you open up your database to direct reads from web and mobile clients, that means the end user essentially has unlimited ability to read data, as long as those reads pass your security rules. Security rules don't have the capability to limit the volume of reads.

If you need to control access to reads of your database, your only option is to cut off direct access from the client app (no longer using the provided Firebase SDK) and require all requests to go through API endpoints that you control on a backend. Your backend can then determine whether the client is allowed to read the data requested through the endpoint.

This is the nature of cloud-hosted services. Any time you open up a service for consumption directly from the internet, there is always the possibility of abuse. Google has some generalized abuse prevention in its cloud services, but if you suspect something specific with Firebase services, you should report your findings to Firebase support directly.

Upvotes: 3
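The backend-gateway approach described in the answer, as an added example that is not code from the question, the answer or Firebase: the client calls an endpoint you control instead of the Firestore SDK; the handler takes the client identity from an already-verified ID token (verification is assumed to happen before this handler and is not shown), serves repeated loads of the same category from a short-lived cache, and caps uncached fetches per client. The Firestore query is a constructed stand-in, and the cache TTL and per-client budget are assumed values.

```javascript
// Constructed stand-in for a Firestore category query (real code would use the Admin SDK).
const FAKE_DB = {
  shoes: Array.from({ length: 10 }, (_, i) => ({ id: `shoe-${i}`, price: 10 + i })),
  hats: Array.from({ length: 3 }, (_, i) => ({ id: `hat-${i}`, price: 5 + i })),
};

function createCategoryGate(fetchCategoryDocs, opts = {}) {
  const cacheTtlMs = opts.cacheTtlMs ?? 60_000;        // assumed: reloads served from cache for 1 min
  const fetchesPerWindow = opts.fetchesPerWindow ?? 5; // assumed: uncached fetches per client per window
  const windowMs = opts.windowMs ?? 60_000;
  const now = opts.now ?? (() => Date.now());
  const cache = new Map();    // categoryId -> { docs, expiresAt }
  const budgets = new Map();  // clientId -> { used, resetAt }
  let billableReads = 0;      // documents actually read from the database

  // Fixed-window budget: each uncached fetch consumes one unit for this client.
  function withinBudget(clientId) {
    const t = now();
    let b = budgets.get(clientId);
    if (!b || t >= b.resetAt) { b = { used: 0, resetAt: t + windowMs }; budgets.set(clientId, b); }
    if (b.used >= fetchesPerWindow) return false;
    b.used += 1;
    return true;
  }

  return {
    // Handler for an endpoint such as GET /categories/:id; clientId comes from the verified token.
    getCategory(clientId, categoryId) {
      if (!clientId) return { status: 401 };                     // unauthenticated: no reads at all
      const hit = cache.get(categoryId);
      if (hit && hit.expiresAt > now()) return { status: 200, docs: hit.docs, cached: true };
      if (!withinBudget(clientId)) return { status: 429 };       // over budget: refuse before reading
      const docs = fetchCategoryDocs(categoryId);
      billableReads += docs.length;                              // only these reads cost money
      cache.set(categoryId, { docs, expiresAt: now() + cacheTtlMs });
      return { status: 200, docs, cached: false };
    },
    billableReads: () => billableReads,
  };
}

// Scenario from the question: one user reloads the same category page 100 times.
function simulateReloads(reloads = 100) {
  const gate = createCategoryGate((id) => FAKE_DB[id] ?? []);
  let served = 0;
  for (let i = 0; i < reloads; i++) {
    if (gate.getCategory('user-1', 'shoes').status === 200) served++;
  }
  return { served, billableReads: gate.billableReads() };
}
```

With the gate in place, 100 reloads of a 10-document category are all answered but only 10 documents are ever read from the database.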
