I cannot find a way to rate limit reads in a way that users couldn't bypass. This concerns me because a malicious user could go into my app, and spam a zillion read requests and drive up my bill. It's weird that firebase doesn't seem to address this issue anywhere on their website so maybe this isn't a cause for concern? I'm not a cybersecurity expert so an explaination why this isn't a problem would be great. Or if this truly is a problem that could happen, what's the solution?
The only potential solutions I have found are:
Reach out to firebase support in the event that this type of spamming attack occurs. What could firebase support do?
Have a cloud function to handle read requests as opposed to letting the client make them, this seems to defeat the purpose of firestore if cloud functions need to handle all reads. If this really is the solution, this seems to be a massive flaw in firestore.
I haven't tried anything yet since I don't know how to solve this problem.
