1

I am building a firebase app that uses the realtime database. Using developer tools users can read that when they press a button their input is written in the "post" child of the database:

document.getElementById("sub").addEventListener("click", function() {
    var postText = document.getElementById("postbox").value;
    var firebaseRef = firebase.database().ref();
    firebaseRef.child("post").set(postText);
});

Suppose the user modifies the javascript file with a loop and writes authomatically lots of time whatever they want once they press the submit button:

document.getElementById("sub").addEventListener("click", function() {
     for (let i = 0; i < 100000000000000000000000; i++) {
     var firebaseRef = firebase.database().ref();
     firebaseRef.child("post").set("I have hacked u");
     }
});

If this happens I wuold end up with a huge bill if I am not careful + other issues with the website not properly working.
How do I prevent symilar uncontrolable writing events from occouring? Also authenticated users can do this trick if they know some coding...are cloud functions the only option to secure my database?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
blu potatos
  • 175
  • 9
  • You would need to add some rate limiting (which I believe is enabled by Firebase by default). Additionally, you may want to limit what unauthenticated users can do. Allowing blind POST requests is dangerous. At least with an email association you can blacklist them. – Obsidian Age Nov 14 '21 at 23:00
  • If you are deeply concerned about this, you should force all database access through a backend you control. The backend can decide if the write should happen. You will also then need to implement rate limiting on the backend API endpoint itself somehow. It is not simple. Public endpoints are, well, public and there is always going to be the potential for abuse. – Doug Stevenson Nov 14 '21 at 23:17

0 Answers0