We are actually setting up a new Firebase project for a small web project for max. 1.000 users; these users will be able to download some documents based on their roles and rights. No problems so far.
According to the Firebase Storage documentation we plan to create the download links via getDownloadUrl(). We have investigated that only the creation of the link is affected by the storage rules and the download link stays valid until revoked. This could give a potential attacker the possibility to run massive downloads against a system which scales almost infinitely, which might result in terribly high cost. In theory the same could happen with time-restricted signed URLs (which we would have to create server side via Cloud Functions using getSignedUrl); a couple of hours are more than enough to download tons of gigabytes.
Does anyone know if there are measures in place to avoid this scenario?
Best regards, Dietmar
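An added example, not from the original post, of one way to limit the exposure described above: the server side (the Cloud Function the question mentions) only mints a short-lived read-only signed URL after a role check and after reserving the file's size against a per-user daily byte budget, so a leaked or replayed link is bounded both in time and in volume. The in-memory `quota` Map, the role budgets and `issueDownloadUrl` are assumptions standing in for a Firestore/Redis counter and the project's own code; `bucket` is injected so it can be `admin.storage().bucket()` in production.

```javascript
// Added example: quota-gated issuance of short-lived signed URLs.
// The quota store is an in-memory Map (assumption; use Firestore/Redis in
// a real Cloud Function so the budget survives across instances).
const DAY_MS = 24 * 60 * 60 * 1000;
const URL_TTL_MS = 5 * 60 * 1000;          // short expiry bounds replay of a leaked link
const ROLE_BUDGET_BYTES = {                 // hypothetical daily download budgets per role
  viewer: 200 * 1024 * 1024,
  editor: 1024 * 1024 * 1024,
};
const quota = new Map();                    // uid -> { windowStart, bytesUsed }

// Reserves `size` bytes of the user's daily budget; returns false when the
// role is unknown or the reservation would exceed the budget.
function reserveBytes(uid, role, size, now = Date.now()) {
  const budget = ROLE_BUDGET_BYTES[role];
  if (budget === undefined) return false;   // unknown role: deny by default
  let entry = quota.get(uid);
  if (!entry || now - entry.windowStart >= DAY_MS) {
    entry = { windowStart: now, bytesUsed: 0 }; // new 24h window
  }
  if (entry.bytesUsed + size > budget) {
    quota.set(uid, entry);
    return false;
  }
  entry.bytesUsed += size;
  quota.set(uid, entry);
  return true;
}

// Mints a read-only signed URL only after the quota reservation succeeds.
// `bucket` is a @google-cloud/storage Bucket (Firebase Admin) or a fake.
async function issueDownloadUrl(bucket, { uid, role }, path, now = Date.now()) {
  const file = bucket.file(path);
  const [meta] = await file.getMetadata();  // object size is known before minting
  const size = Number(meta.size);
  if (!reserveBytes(uid, role, size, now)) {
    return { ok: false, reason: 'quota_exceeded' };
  }
  const expires = now + URL_TTL_MS;
  const [url] = await file.getSignedUrl({ action: 'read', expires });
  return { ok: true, url, expires };
}
```

Per-user budgets cap the cost a single compromised account can generate; a bucket-level Cloud Billing budget alert remains the backstop for traffic that bypasses the function entirely.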