How to limit documents in a collection in Firebase Firestore

Question

My users can create documents (let's say tasks) in a subcollection with a bunch of security rules checking for authentication, permissions and data validity. They can even select multiple tasks and copy them in the same collection. Now, a regular user will likely create at most a hundred tasks at once, but what if someone with bad intentions manage to obtain my database credentials, authenticate and try to create a huge number of valid documents programmatically? This will result in Firestore scaling without problems and an unexpected surprise in my Firebase billing. This is my first concern, but I'm also thinking about the possibility to limit a collection size for other reasons, and it would be at the same time a solution for the problem described.

I read about techniques to count documents in a collection described in the Firestore documentation, but I did not found a solution. Keeping a counter on a doc field updated with a transaction in a cloud function would be inefficient in my case. Distributed counters increase the complexity of my data model a bit, and also I would not know how to properly read those counters in security rules for every task creation, and even if that would be an efficient solution.

Does anyone has suggestions?

Also posted on https://groups.google.com/forum/#!topic/firebase-talk/51RynWGjcB8 — Frank van Puffelen, Jan 21 '19 at 16:42
Hi I was created an issue in firebase https://github.com/firebase/firebase-js-sdk/issues/1932 — Nexeuz, Jun 30 '19 at 22:56
Frank posted a Q&A on this at https://stackoverflow.com/a/56487579/4043295. You will probably find the answer helping your usecase here. — Bastian Stein, Dec 16 '20 at 22:57

MehranB · Answer 1 · 2020-12-10T22:41:34.203

I believe the way for a person to gain read/write access to your database would be to either to hack Google servers, in which case no one is safe and it doesn't really matter what you do, or to guess the exact name of your collections and documents.

As for the latter case, what I have done in my project is that for each collection and document I have used the name I wanted plus random 10-char Strings (including all kinds of chars and numbers. For example Users-x5NfaS1jCb) which kind of serve as independent, separate passwords every step of the way. This, at least, makes it difficult to guess the name of the collections and documents.
(Just like mentioned in the question) If using authentication does not cause any complications for you project, you can use it to further raise the security of your database by limiting access to users authenticating through your app only.
I guess (have never tried it) you can make use of Firebase Functions to limit the number of documents available in any given collection based on the criteria you want. This function will be invoked every time an event in created in the database.

If by "obtain my database credentials", you mean finding the username and password to your Firebase account, well it doesn't really matter what you do again. If they know what they are doing, they can take so many advantages that this particular issue will be the least of your problems.

All in all, if you ask me, your database is safe unless either someone guesses your collection and document names, or gains access to your Firebase account.

These are the only things I can think of for now. I'll try to update my answer later.

How to limit documents in a collection in Firebase Firestore

1 Answers1