
How can I implement device level rate limits for Firebase Phone Auth? (something like no more than 5 SMS requests per hour for a mobile device)

Firebase Phone Auth mobile docs say:

To use phone number authentication, Firebase must be able to verify that phone number sign-in requests are coming from your app.

I have implemented this via Play Integrity API attestation, which should ensure that requests are coming from authorized apps. However, I would like to implement an additional mechanism to limit the number of phone auth SMS requests that can be generated from the same device running the app.

How can I implement device level rate limits for phone auth on mobile?

  • The question is a bit vague which may be why it's not getting any answers. It sounds like you're asking us for code to limit the number of attempts to read data. We are not a code-writing service and can only help with existing code; that's because without understanding the full use case, anything presented would just be a guess. There are a wide number of solutions from incrementing a counter from the device, to a cloud function. Do you have existing code you've attempted we can see? Please review [How to create a Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve) – Jay Aug 27 '23 at 14:14
  • @Jay I hear you. At the same time, I see questions like [this](https://stackoverflow.com/questions/76992683/location-based-geofire-queries-how-to-load-the-documents-in-batches) on this forum that are very similar in nature without the negative reaction this question has drawn from the moderators. I actually have been wondering if it has more to do with the changes that Firebase is implementing as described in one of their answers [here](https://stackoverflow.com/questions/76819331/unknown-otp-requests-from-lebanon-in-firebase-auth/76832523#76832523) – Pier1 Sys Aug 28 '23 at 16:38
  • For clarity, downvotes (negative reaction) are not from moderators; those are from other users like you and me. They generally happen when a question is unclear (which leads to guessing at answers - see below answer) or there's no attempted code included (a MCV example). I am not sure the question linked in your comment is related to what's being asked here. That question references loading 'chunks' of data using a technique called 'Paginating'. I think you're wanting to count the number of requests and limit it via some mechanic. If that's the case, my suggestions above would be valid options. – Jay Aug 28 '23 at 18:55

1 Answer


Supposing you're using react-native:

I would store a unique ID on the user's device on first app launch. Using expo-secure-store and react-native-uuid you can achieve this easily.

Now, when your app requests an SMS code you can also create a function that will use the Firestore database to store how many requests have been made, keyed by this unique device ID you've created and by the current request timestamp.

When requesting a new code your function will first receive how many requests have already been made and, if it's above your defined limit, it will block requests for a limited time or in any other blocking way you like.

I also would do these validations in a cloud function because it's not a good practice (and also a very big security breach) to handle these validations on the client side.

You can also use TTL to handle auto-deletion of this stored request data after a determined time so the user can request SMS codes starting from 0 again:

- devices
  - device_unique_id
    - request = 1
    - ttl = Timestamp.fromMillis(
      // this will be auto deleted in 30 minutes
      now + 1000 * 60 * 30
    )
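The following is an added example that puts the answer's procedure into working code; it is not code from the original answer, from Firebase, or from the asker. The function names (`checkAndRecordSmsRequest`, `MemoryDeviceStore`) are hypothetical, a plain `Map` stands in for the Firestore `devices` collection so the example runs offline, and the `expiresAt` field is the one a Firestore TTL policy would be configured to delete on. In a real Cloud Function the read-modify-write below should run inside a Firestore transaction so two concurrent requests from the same device cannot both pass the check. One caveat worth keeping in mind: the device ID is generated and stored by the client, so a user who clears the app's data gets a fresh identifier. This limit therefore throttles well-behaved installations and complements, rather than replaces, the Play Integrity attestation the question already uses.

```javascript
// Added example (not from the original answer): per-device SMS request rate
// limiter, 5 requests per rolling-fixed window of one hour per device ID.
// Hypothetical names; an in-memory Map stands in for Firestore.

const MAX_REQUESTS = 5;               // no more than 5 SMS requests ...
const WINDOW_MS = 60 * 60 * 1000;     // ... per hour per device
// The app is assumed to persist an RFC 4122 UUID on first launch (react-native-uuid).
const DEVICE_ID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Stand-in for the `devices/{deviceId}` collection:
// deviceId -> { count, windowStart, expiresAt }.
class MemoryDeviceStore {
  constructor() { this.docs = new Map(); }
  get(deviceId) { return this.docs.get(deviceId) || null; }
  set(deviceId, doc) { this.docs.set(deviceId, doc); }
}

// Decide whether this device may trigger another SMS and, if so, record it.
// Returns { allowed: true, remaining } or { allowed: false, reason, retryAfterMs? }.
function checkAndRecordSmsRequest(store, deviceId, nowMs,
                                  limit = MAX_REQUESTS, windowMs = WINDOW_MS) {
  // Do not trust the client-supplied identifier blindly: reject anything that
  // is not in the expected UUID shape before using it as a document key.
  if (typeof deviceId !== "string" || !DEVICE_ID_RE.test(deviceId)) {
    return { allowed: false, reason: "invalid-device-id" };
  }

  const existing = store.get(deviceId);
  // Firestore TTL deletion is not instantaneous, so treat an expired document
  // exactly like a missing one instead of relying on it having been deleted.
  const live = existing && existing.expiresAt > nowMs ? existing : null;
  const count = live ? live.count : 0;
  const windowStart = live ? live.windowStart : nowMs;
  const expiresAt = windowStart + windowMs;   // field the TTL policy keys on

  if (count >= limit) {
    return { allowed: false, reason: "rate-limited", retryAfterMs: expiresAt - nowMs };
  }

  store.set(deviceId, { count: count + 1, windowStart, expiresAt });
  return { allowed: true, remaining: limit - (count + 1) };
}

// Constructed walk-through: six requests within one hour, then one request
// just after the window has expired. Expected: five allowed, sixth blocked,
// seventh allowed again.
function demo() {
  const store = new MemoryDeviceStore();
  const device = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"; // constructed sample ID
  const t0 = Date.UTC(2023, 7, 27, 14, 0, 0);
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(checkAndRecordSmsRequest(store, device, t0 + i * 60 * 1000).allowed);
  }
  results.push(checkAndRecordSmsRequest(store, device, t0 + WINDOW_MS + 1).allowed);
  return results;
}

console.log(demo());
```

To wire this into the answer's design, the Cloud Function would validate the Play Integrity token first, then run `checkAndRecordSmsRequest` against the real collection inside `db.runTransaction`, and only on `allowed: true` proceed to trigger the SMS; the `retryAfterMs` value can be returned to the app so it can show a sensible wait message instead of retrying blindly.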