Problem Context

I'm building a Firebase iOS application where authenticated users can access their own documents. Each user has a dedicated document in Firestore with security rules like:

match /users/{userId} {
  allow read: if request.auth != null && request.auth.uid == userId;
}

The issue: Users can potentially spam .get() calls on their own documents, leading to excessive read operations and unexpected billing costs.

Current Security Setup

✅ Firestore security rules restricting access via request.auth.uid

✅ Firebase App Check enabled for client verification

✅ Authentication required for all operations

Attempted Solution

I tried implementing rate limiting by storing a lastAccessed timestamp in each user document:

match /users/{userId} {
  allow read: if request.auth != null 
    && request.auth.uid == userId 
    && request.time > resource.data.lastAccessed + duration.value(10, 's');
  
  allow update: if request.auth != null 
    && request.auth.uid == userId
    && request.resource.data.keys().hasOnly(['lastAccessed'])
    && request.resource.data.lastAccessed == request.time;
}

Problems with this approach:

  1. I still require a cloud function to update the lastAccessed field. Malicious clients can skip the timestamp update.
  2. Architecture seems inefficient: using a cloud function to do a simple read.

How to implement secure rate limiting for authenticated users in Firebase Firestore?

  • I am just banking on the cache to protect me at this point
  • See stackoverflow.com/questions/56487578/…. I'm pretty sure that one is purely client-side and secure. Commented Jul 30 at 20:28
  • Hey, my security rule is about read and not write. The link you shared shows a write rule. Commented Jul 31 at 5:10
  • There is no way to rate limit reading through security rules. See stackoverflow.com/questions/58895225/… Commented Jul 31 at 14:38
  • @FrankvanPuffelen are we just sitting ducks to get spam requests from users then? There has to be something wrong in my understanding? I saw your comment about reaching out to Firebase for support, but is there no other way to protect my application? Commented Aug 1 at 17:24
  • If you've properly secured access to your data, ensuring that only the data that your app actually shows is readable for the user, then you overestimate the interest that folks have in spamming your database. If that happens (which is quite uncommon), Google will often catch it before you do - and if it gets through, just message Firebase/GCP support to let them know what's up. Commented Aug 1 at 21:33
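
The lastAccessed gate from the question, modelled in plain JavaScript to show why it only holds when the check and the stamp happen together in trusted code. This is an added example, not code from the question or from Firebase: it uses an in-memory Map instead of Firestore, and every function name, the `alice` document and the read timings are constructed assumptions.

```javascript
// Added example: plain in-memory model, not Firebase SDK code; all names are hypothetical.
const WINDOW_MS = 10000; // the 10 s window from the rule in the question

// Rules-only design: the read rule checks lastAccessed, but stamping it is a
// separate update that the client decides whether to send.
function clientSideGate(doc, readTimes, clientSendsUpdate) {
  let served = 0;
  for (const now of readTimes) {
    if (now > doc.lastAccessed + WINDOW_MS) {         // read rule passes
      served++;
      if (clientSendsUpdate) doc.lastAccessed = now;  // update with lastAccessed == request.time
    }
  }
  return served;
}

// Server-mediated design: trusted code checks and stamps in one step, so the
// caller cannot skip the stamp. A real backend would do this in a transaction.
function serverMediatedRead(store, uid, docId, now) {
  if (uid === null || uid !== docId) return { ok: false, reason: 'permission-denied' };
  const doc = store.get(docId);
  if (!doc) return { ok: false, reason: 'not-found' };
  const nextAllowed = doc.lastAccessed + WINDOW_MS;
  if (now <= nextAllowed) return { ok: false, reason: 'rate-limited', retryAfterMs: nextAllowed - now };
  doc.lastAccessed = now;
  return { ok: true, data: doc.data };
}

// Counts how many of the attempted reads the server-mediated path serves.
function serverGate(store, uid, docId, readTimes) {
  return readTimes.filter((now) => serverMediatedRead(store, uid, docId, now).ok).length;
}

// Constructed sample: one read attempt per second for 30 s.
const sampleReads = Array.from({ length: 30 }, (_, i) => 100000 + i * 1000);
const newStore = () => new Map([['alice', { lastAccessed: 0, data: { plan: 'free' } }]]);

console.log('cooperative client:', clientSideGate({ lastAccessed: 0 }, sampleReads, true));
console.log('client omits update:', clientSideGate({ lastAccessed: 0 }, sampleReads, false));
console.log('server-mediated:', serverGate(newStore(), 'alice', 'alice', sampleReads));
```

In this model the server-side path still has to load the document to see lastAccessed, so it limits what the client receives rather than removing the lookup.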
