8

I am learning Firebase and I might use it in production. I cannot find how to prevent a logged-in user from editing JavaScript code and triggering thousands of reads per day automatically, which I will have to pay for. As far as I know, any user who would like to increase my Firebase bill could set a timer by editing JavaScript code and read and write every 4 seconds wherever he can in the Firestore database. How can you limit a user's read rate per day or hour?

jwtrees
  • Have you ever found a solution for this? Even if it involves cloud functions, better than nothing. – cheesus Aug 21 '20 at 13:48
  • No! But I realised Firebase caches reads if the same user reads the same document, but it does not seem to be well documented. – jwtrees Aug 22 '20 at 18:03
  • Not sure if that protects you from a malicious user, as they could send the requests in a way that does not involve the cache. – cheesus Aug 22 '20 at 20:02
  • That's right! It is not perfect in my opinion. – jwtrees Aug 23 '20 at 23:30

1 Answer

3

There is no way to set a read limit on Cloud Firestore.

You can implement a write limit in security rules as shown in this answer: "How do I implement a write rate limit in Cloud Firestore security rules?" Alternatively you can pass all writes through Cloud Functions, where you can control the rate through your own code.

If you've set your security rules to limit users to the minimum data they need to be able to access, and think you're being abused, reach out to Firebase support for personalized help in troubleshooting.

Frank van Puffelen
  • Thank you for your rapid answer. The only way I see I could set a read limit is by using Cloud Functions only to read the Firestore database and log the reads per user somewhere. Firestore would then lose realtime functionality. Please tell me if there is any way to trigger a Cloud Function when a document is read by a user! That would let us log users' reads without losing realtime functionality. Or is that a functionality that is on the way to being developed? – jwtrees Nov 20 '19 at 11:01
  • "Please tell me if there any way to trigger a cloud function when a document is read by a user" Nope, that doesn't exist. See https://stackoverflow.com/questions/46617690/how-to-trigger-firebase-cloud-function-on-read-event – Frank van Puffelen Nov 20 '19 at 15:58
  • Thank you for your answer. Do you know if Firebase will detect uncommon repetitive reads on the same unchanged Firestore document by a malicious user editing JavaScript and trying to increase my Firebase bill, and stop him? Because it seems I cannot find out this user activity by myself in any way. – jwtrees Nov 20 '19 at 16:39
  • If you're suspecting active abuse, [reach out to Firebase support](https://firebase.google.com/support/contact/troubleshooting/) for personalized help in troubleshooting. – Frank van Puffelen Nov 20 '19 at 18:08
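
The answer's suggestion of routing operations through Cloud Functions and controlling the rate in your own code can be sketched as a per-user fixed-window quota. This is an added example, not code from the answer or from Firebase; `UserQuota` and `simulatePolling` are hypothetical names, and the in-memory `Map` is an assumed stand-in for counter storage shared between function instances.

```javascript
// Added example: fixed-window per-user quota, as a Cloud Function could apply
// before performing a Firestore read or write on the caller's behalf.
// The Map stands in for per-user counter storage (assumption); in a deployed
// function this state would need to live in shared storage, not instance memory.

class UserQuota {
  constructor({ limit, windowMs, store = new Map() }) {
    this.limit = limit;       // max operations per user per window
    this.windowMs = windowMs; // window length in milliseconds
    this.store = store;       // uid -> { windowStart, count }
  }

  // Returns { allowed, remaining, retryAfterMs }; counts the operation if allowed.
  check(uid, now = Date.now()) {
    if (typeof uid !== 'string' || uid === '') {
      // Unauthenticated callers get no quota at all.
      return { allowed: false, remaining: 0, retryAfterMs: null };
    }
    const windowStart = now - (now % this.windowMs);
    let entry = this.store.get(uid);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 }; // first call in a new window
    }
    if (entry.count >= this.limit) {
      this.store.set(uid, entry);
      return { allowed: false, remaining: 0, retryAfterMs: windowStart + this.windowMs - now };
    }
    entry.count += 1;
    this.store.set(uid, entry);
    return { allowed: true, remaining: this.limit - entry.count, retryAfterMs: 0 };
  }
}

// Constructed scenario: a client polling every 4 seconds against a 5/hour quota.
function simulatePolling(uid, polls, intervalMs, quota, startMs = 0) {
  let allowed = 0, denied = 0;
  for (let i = 0; i < polls; i++) {
    if (quota.check(uid, startMs + i * intervalMs).allowed) allowed++; else denied++;
  }
  return { allowed, denied };
}

const HOUR = 60 * 60 * 1000;
const demo = simulatePolling('uid-constructed', 900, 4000, new UserQuota({ limit: 5, windowMs: HOUR }));
console.log(demo); // 900 polls spread over one hour
```

As the comments above note, this only covers operations that actually pass through the function; clients reading Firestore directly are not counted by it.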