
I have authenticated users and would like to be able to protect myself from users spamming reads on a particular ref (thus driving up costs). How do you do this? I see the question here:

Firebase rate limiting in security rules?

That involves rate limiting writes by:

"The trick is to keep an audit of the last time a user posted a message" - Kato

Is there a way to determine the last time a user read, and then limit their next read to some time interval from their last read? Probably better is limiting the amount of reads in a certain timeframe (say n reads per hour)?

Thanks

shell
  • I cannot see how this could be made possible via the security rules, as there is no last-read time in the security rules' [predefined variables](https://firebase.google.com/docs/database/security/securing-data#predefined_variables). – cartant Jan 29 '17 at 06:55
  • Does firebase have some inherent rate limiting for this? – shell Jan 29 '17 at 06:58
  • Not that I'm aware of, but that doesn't count for much. It will be interesting to see if there is some way of limiting it. – cartant Jan 29 '17 at 07:01
  • Yes, if not then anyone can simply spam reads in a loop forever. – shell Jan 29 '17 at 07:01
  • There is no built-in way to specify a rate limit for your users' posting. That's why Kato showed a way to implement such functionality on top of security rules. If you'd like to request that this functionality be added to Firebase, I suggest you [file a feature request](https://firebase.google.com/support/contact/bugs-features/). But until a feature is added, Kato's approach is the best known way to go. – Frank van Puffelen Jan 29 '17 at 07:50
  • Yes, but my question involves read operations, whereas Kato's question was about write operations. I am not sure you can apply his answer to read operations. – shell Jan 29 '17 at 07:58

2 Answers

I just read that Firebase uses a burstable billing plan, as seen here:

https://en.wikipedia.org/wiki/Burstable_billing

This means you are not charged for spikes from a malicious user doing what I describe here, or from a DDoS.

abagshaw
shell

How about this:

A structure:

posts
  post_id_0
    msg: "a post about posting"
  post_id_1
    msg: "a post about pizza"

and a users node

users
   uid_0
     name: "biff"
     post_activity
       post_id_0
          last_activity: "20170128100200"

Pseudo-code, since we don't know the platform:

display a list of posts in a table

   a post about posting
   a post about pizza

The user taps or clicks 'a post about posting'. In code, get the last activity, which was today at 10:02 am:

lastActivity = uid_0/post_activity/post_id_0/last_activity

Then compare the last activity to the current time, and if the post was accessed less than a minute ago, don't allow them to read it again:

let currentTimestamp = current time (say it's 10:04 am)
if currentTimestamp - lastActivity > 1 minute then
   show post details
   update the lastActivity node to current timestamp
else
   print("Posts can only be reviewed every minute")

In this case the post was last read 2 minutes ago, so allow it to be read again. If it was less than a minute ago it would be denied.

Also, if the user would tap/click post_id_1 the post activity would not be found which means the user has never viewed it before; in that case add it to the uid_0/post_activity node.

The same technique could be used with a counter instead of a time to limit the number of times the user reads a post.

Jay
  • 34,438
  • 18
  • 52
  • 81
  • Hi Jay, thanks for the help. My issue with this is that there is nothing stopping a malicious user from updating the timestamp once, and then never updating it again, which leaves the user free to spam reads once 2 minutes elapse since the first update. Maybe I am wrong about this (I hope so)? – shell Jan 29 '17 at 19:59
  • @shell a malicious user would not have write access to the node with proper rules set up. Also, you could tie a rule in as well that compares the last activity to the current time. If just anyone could write to a node whenever they want then Firebase would have no security at all, right? This is a start, which will need refinement but it does work. – Jay Jan 30 '17 at 01:08
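A concrete form of the approach in this answer and the "tie a rule in" suggestion in the comment above, as an added example that is not Jay's code or anything from the Firebase docs: Realtime Database rules in which reading a post requires a `last_activity` stamp written within the previous 10 seconds, and that stamp can only be written by its owner, only with the server clock (the client sends `ServerValue.TIMESTAMP`, which rules see as `now`), and only once per minute. The 10-second window, storing `last_activity` as milliseconds since the epoch rather than the string shown in the answer, and the `users/$uid/post_activity/$post_id` layout are assumptions of this example.

```json
{
  "rules": {
    "posts": {
      "$post_id": {
        // Read only with a fresh stamp: the caller's own last_activity for this
        // post must exist and be younger than 10 s. Rules are not filters, so a
        // client must read one post at a time and cannot list this node.
        ".read": "auth != null && root.child('users/' + auth.uid + '/post_activity/' + $post_id + '/last_activity').exists() && now - root.child('users/' + auth.uid + '/post_activity/' + $post_id + '/last_activity').val() < 10000",
        ".write": false
      }
    },
    "users": {
      "$uid": {
        // A user may read their own node (to show the cooldown in the UI).
        ".read": "auth != null && auth.uid == $uid",
        "post_activity": {
          "$post_id": {
            "last_activity": {
              // Owner only; the value must equal the server clock (write
              // ServerValue.TIMESTAMP from the client, anything else is
              // rejected); and a stamp younger than 60 s cannot be replaced.
              ".write": "auth != null && auth.uid == $uid && newData.isNumber() && newData.val() == now && (!data.exists() || now - data.val() > 60000)",
              ".validate": "newData.isNumber()"
            }
          }
        }
      }
    }
  }
}
```

Because the read rule insists on a fresh stamp, a client that never writes (or stops writing) the stamp is denied rather than allowed, which addresses the concern raised in the comments: the only path to a read is a stamp write that the server itself limits to one per minute per post. Listing post titles for the table would need a separate node that is readable without a stamp, since the `.read` above applies per post.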