Reputation: 21
Can firestore reads be implemented in the client side with no worries?
I am developing an app in React Native using Firebase, where every single write to firestore is handled in the backend, but reads are not. I implement the reads in the client side, and I am afraid that a user will modify my code and start reading millions of documents, resulting a big bill.
Should firestore reads be implemented in the backend too?
Pd: Right now, my security rules only allow to read logged users.
I would really appreciate any feedback.
Thank you.
Upvotes: 2
Views: 1443
Answers (1)
Reputation: 1494
It's ok to read or even to write into Firestore on the client side, but your application should be prepared for that.
The best way to secure your Firestore application is by using the Firebase Authentication along with Security Rules.
I recommend you to give a look into this document, although it seems a little bit extensive, it can be resumed in the next paragraph:
Use your security rules to make sure that you're only retrieving the documents that a user should have access to.
It could seem a little bit trivial but it's the foundation of how to avoid unexpected reads from a malicious user. For example you can use security rules to limit reads only to authenticated users where the "author" field matches the authentication id:
service cloud.firestore {
match /databases/{database}/documents {
match /stories/{storyid} {
// Only the authenticated user who authored the document can read or write
allow read: if request.auth != null && request.auth.uid == resource.data.author;
}
}
}
This way the user can't retrieve thousand of documents even if he changes your code on the client side, since he has only access to a limited number of resources.
This article has many other examples that can be useful and will help you to understand how to secure your data.
There's also a limit on document access calls per rule set evaluation as mentioned here:
Exceeding either limit results in a permission denied error.
So you can be sure that even if the malicious user wants to call many times the same document it will be blocked by Firestore after reaching said limit or will end using the cache rather than calling directly your database.
One more thing that I would like to mention is that it's possible get alerts or limit your budget regarding your billing so you don't have to worry about unexpected charges, this answer explains it better:
(On Google Cloud Platform console) you can set up billing alert for your Firebase project, so that you are alerted when the usage reaches a certain level. While you can't configure it to switch off the project at some point, the alert should typically be quite good for alerting you to unusual usage patterns
The GCP documentation now also has a section on capping (disabling) billing to stop usage.
Upvotes: 3
Related Questions
- Can I lock read and write operations from Firestore of client side?
- Can you access firestore client-side without firebase auth?
- Can firestore data be examined at client by app users?
- firebase Firestore document read
- How secure is Firestore if you let anyone read the data, but not write
- Can you send data with a firestore read request?
- Can Firestore experience any sort of hotspotting from reads?
- Can someone access my Firestore database by somehow manipulating client app?
- Reading and writing in firestore only through cloud functions
- What counts as a read operation in Firestore?