
I am developing a Chrome Extension which uses Firestore and I want to prevent malicious people from exceeding my Firestore quota. I already use Firebase Authentication and have my Firestore security rules like this:

  1. An authentication is needed to access Firestore
  2. Users can only access the collection with their UID.

This way non-users are prevented from doing that. However, this is not enough because we can't prevent already registered users from exceeding the quota. Since the source code of Chrome extensions is always exposed through CRX viewers, some registered users can alter it and send thousands of read/write requests.

I can obfuscate the code, but this does not completely solve the problem. Also, obfuscated code is not allowed in Chrome Web Store.

I found Firebase Cloud Functions and Firebase App Check while searching the Firebase documents. Can either of these two be used in a Chrome Extension, and do they solve this problem? Also, since I am new to Firebase and developing Chrome Extensions, is there an example extension that uses these?

bhdrozgn
  • There's nothing obfuscated code can do. Anyone can directly use Firestore's REST API to make requests to your database. You can try implementing [rate limiting using security rules](https://stackoverflow.com/q/56487578/13130697). – Dharmaraj Apr 15 '22 at 13:44
  • In addition, there seem to be some good tutorials on [using Firebase in a Chrome extension](https://www.google.com/search?q=use+firebase+in+chrome+extension). – Frank van Puffelen Apr 15 '22 at 14:24
  • @FrankvanPuffelen Yes, I couldn't find one for Cloud Functions – bhdrozgn Apr 15 '22 at 14:27
  • As suggested by Dharmaraj, try implementing rate limiting using security rules; also check this: [protect firebase cloud functions being called from intruders](https://stackoverflow.com/questions/61070121/is-there-a-way-to-protect-firebase-cloud-functions-being-called-from-intruders-w) – Sathi Aiswarya Apr 18 '22 at 08:17
  • Note that the link Frank suggested uses manifest version 2, which will no longer work in 2023. – FractalBob Jul 28 '22 at 15:06
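The comments above point at server-side rate limiting as the answer to a client that can be modified at will. The following is an added example, not code from the question or from Firebase, of the per-user check a callable Cloud Function could run before writing to Firestore on a user's behalf: the client only sends its payload, the function identifies the caller by the UID that Firebase Authentication already verified, and a fixed-window counter decides whether the request fits the quota. The `Map` is a constructed stand-in for a Firestore "usage" collection (in a real function this would be a transaction on a document keyed by the UID), and the limits, UIDs and `handleWriteRequest` name are assumptions for the illustration.

```javascript
'use strict';

// Constructed stand-in for a Firestore collection: uid -> { windowStart, count }.
// In a deployed Cloud Function this would be an Admin SDK transaction so that
// concurrent calls from the same user cannot both pass the check.
function createUsageStore() {
  return new Map();
}

// Fixed-window check. `now` (ms) is injected so the logic is testable; a Cloud
// Function would use server time (Date.now()), never a client-supplied value.
// Returns { allowed, remaining } and records the consumed request when allowed.
function checkAndConsume(store, uid, now, limits) {
  const { limit, windowMs } = limits;
  if (typeof uid !== 'string' || uid.length === 0) {
    // A callable function reads the UID from the verified auth context;
    // an unauthenticated call has no budget at all.
    return { allowed: false, remaining: 0, reason: 'unauthenticated' };
  }
  const current = store.get(uid);
  // Start a fresh window if none exists or the previous one has elapsed.
  if (current === undefined || now - current.windowStart >= windowMs) {
    store.set(uid, { windowStart: now, count: 1 });
    return { allowed: true, remaining: limit - 1 };
  }
  if (current.count >= limit) {
    return { allowed: false, remaining: 0, reason: 'rate-limited' };
  }
  current.count += 1;
  return { allowed: true, remaining: limit - current.count };
}

// Simulated callable endpoint (hypothetical name): the client controls only the
// payload; whether the write happens is decided here, on the server.
function handleWriteRequest(store, authUid, payload, now, limits) {
  const verdict = checkAndConsume(store, authUid, now, limits);
  if (!verdict.allowed) {
    return { status: 'denied', reason: verdict.reason };
  }
  // At this point the function would perform the Firestore write with the
  // Admin SDK, which is not subject to the client-side security rules.
  return { status: 'ok', remaining: verdict.remaining, stored: payload };
}

// Constructed demo: 5 writes per minute for one user, 7 rapid calls, then one
// more after the window has passed.
function demo() {
  const store = createUsageStore();
  const limits = { limit: 5, windowMs: 60000 };
  const results = [];
  for (let i = 0; i < 7; i++) {
    results.push(handleWriteRequest(store, 'user-A', { n: i }, 1000 + i, limits).status);
  }
  results.push(handleWriteRequest(store, 'user-A', { n: 7 }, 1000 + 60000, limits).status);
  return results; // ['ok','ok','ok','ok','ok','denied','denied','ok']
}

console.log(demo().join(' '));
```

The property that matters here is that nothing in the extension's bundle influences the verdict: a tampered client can still send thousands of calls, but each one is either counted against the UID's budget or rejected before any Firestore read or write is billed. The same idea can be expressed directly in security rules by storing a last-write timestamp per user and comparing it against `request.time`, which is what the linked answer describes.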

0 Answers