Reputation: 484
Since Firebase Firestore is priced per operation (read, write, delete), my biggest concern is someone may get their hands on a valid endpoint, to either read, write, or delete a document, and just perform this operation numerous times outside the expected scope of its use.
Are there any measures that prevent malicious requests? Like if an operation occurred 10,000 times per minute, does the user then experience some kind of lock-out or would these requests be considered legal?
I understand there are database security rules, but they seem insufficient. Sure, I can check if a user is authenticated, etc., but what is to stop a malicious user from getting authenticated, figuring out where the valid and permitted endpoints to read, write, or delete documents are, and just creating a script to do that on repeat?
I also understand that I can set daily spending limits. But that would just limit the amount of money I was spending, not a malicious user who could potentially use up those limits and cause the database to stop working.
EDIT: My question is not concerned solely with billing. It is concerned with malicious users who MAY HAVE access to read/write a document AND abuse this right by writing a script that drives up the number of operations with the intent of abuse. Does Firebase have any measures to stop this or not?
And if the response is "There exist security rules" then please tell me how these security rules can be written to not allow more than 100 requests per minute from the same user or something along those lines.
Upvotes: 14
Views: 1398
Reputation: 11691
First, I feel the need to clarify that I love Firebase. But... this is probably one of the most annoying aspects of it. I feel this should come solved out of the box in the form of a configurable threshold per user.
With that said, IMHO you have only 2 viable options:
This is the easy answer and it defeats the main advantages of Firestore. So I won't dig deep here. Just know that it would be a valid option to create a cloud function endpoint and validate or block requests based on your backend logic.
The only way (that I could discover) to solve malicious user behavior is to keep a counter of operations by user.
This will obviously incur extra costs for the cloud function, the extra writes to keep the counters and the extra reads used to get the private document with the counter in the security rules validation.
Upvotes: 4
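The per-user operation counter described in the answer above, sketched as an added example that is not part of the original post or of Firebase's own code. The in-memory `Map` stands in for the private counter document; the `usage/{uid}` path, the field names, the function names and the fixed one-minute window are assumptions, and the limit of 100 is the figure from the question.

```javascript
// Added example. The Map stands in for a private Firestore collection
// (hypothetical path usage/{uid}) that only a Cloud Function may write.
const LIMIT = 100;       // operations per window (figure from the question)
const WINDOW_MS = 60000; // one minute

// Counter update a Cloud Function would apply for each recorded operation.
function nextCounter(doc, nowMs, windowMs = WINDOW_MS) {
  const expired = !doc || nowMs - doc.windowStart >= windowMs;
  return {
    windowStart: expired ? nowMs : doc.windowStart,
    count: (expired ? 0 : doc.count) + 1,
  };
}

// Check a security rule would make after reading that document with get().
// A stale window counts as allowed, otherwise a user who hit the limit and
// then went quiet would stay locked out: the counter only moves on writes.
function isAllowed(doc, nowMs, limit = LIMIT, windowMs = WINDOW_MS) {
  if (!doc || nowMs - doc.windowStart >= windowMs) return true;
  return doc.count < limit;
}

// Replays constructed traffic. Here the counter updates synchronously; a real
// Firestore trigger runs after the write, so a burst can overshoot the limit
// before the counter catches up.
function simulate(events, store = new Map()) {
  return events.map(({ uid, t }) => {
    const doc = store.get(uid);
    const allowed = isAllowed(doc, t);
    if (allowed) store.set(uid, nextCounter(doc, t));
    return { uid, t, allowed };
  });
}

function allowedCount(results, uid) {
  return results.filter((r) => r.uid === uid && r.allowed).length;
}

// Constructed sample: one scripted client sends 150 writes in 15 seconds and
// one more after the window has passed; "alice" sends a single write.
const sample = [];
for (let i = 0; i < 150; i++) sample.push({ uid: "script", t: i * 100 });
sample.push({ uid: "alice", t: 5000 }, { uid: "script", t: 61000 });
sample.sort((a, b) => a.t - b.t);

const results = simulate(sample);
console.log("script allowed:", allowedCount(results, "script"));
console.log("alice allowed:", allowedCount(results, "alice"));
```

Each allowed operation costs one extra counter write and one extra read in the rule check, which is the overhead the answer mentions.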