I am creating a website where a user can order a taxi. Now to order one there needs to be an active driver. I am taking measures on the front end to hide the actual order form but if someone passes that and is able to use the form regardless to send a write request to the "orders" document, this will then read the firestore database for an "active driver". So while the writing to the database can be easily restricted with the rules, this still runs a read from the database to get any active drivers. So my question is what kind of measures can/should I implement so that the user can't just keep reading for active drivers by sending the write request to the "order" document? Can I "lock" the user if they do x amount of requests in a certain time frame for example? I am still fairly new firebase user and I am somewhat worried about the security and quota limits of the project.
Asked
Active
Viewed 105 times
0
-
Can you clarify how the read for "active driver" is connected to the write to "orders"? Even if the write is denied... – l1b3rty Jul 14 '20 at 21:01
-
The write will be denied if there are no active drivers, so the read for active driver needs to happen. – Tuomas Jul 15 '20 at 07:08
3 Answers
0
What you can do is do navigation guards for the particular order form. You need to make sure that once the user tries to send a request to the server you have a variable that checks the number of times somebody has requested for the operation. Then deny accordingly.
David Innocent
- 606
- 5
- 16
0
I've looked into this a bit, and I don't think it is possible with Firestore right now. A potential attacker can run a form of DoS attack resulting in a lot of reads. Since you're charged per DB read this would probably result in a large bill from Google (but I'm not 100% sure on the ToS, it might be not so bad).
I suppose you could add some sort of circuit breaker that disables Firestore based on request rates or billing amount.
Tommos
- 820
- 5
- 14
