Protect Firebase database listeners from web DoS attacks and abuse of plain credentials

Firebase makes so much sense on the phone, but not for the web; everyone knows that:

  1. I use Firebase.
  2. They know the database URL.
  3. They can see how the database is structured for the parts I allow them to read.
  4. A DoS attack can happen by opening many listeners to the database.

I want to implement listeners on the news feed, bookmarked posts and post drafts so that a user can continue editing from the phone, for example. Yes, I know that security rules protect the database so no one can read other users' data. But it doesn't protect me from abuse.

Is there another way to make use of real-time sync without sacrificing security, besides using cloud functions to check the link every minute or on click?

Hady Rashwan asked Aug 05 '17 18:08


1 Answer

I came across the same issues and figured out a solution to at least effectively restrict the length of publicly writable data in Firebase.

Say you have a chatbox database that serves to save the name and message of users.

service cloud.firestore {
  match /databases/{database}/documents {
    match /chatroom/{document=**} {
      allow read: if true;
      // Validate the incoming document (request.resource), not the stored one
      // (resource): on a create there is no existing document yet, so the
      // original check would deny every create. Strings are measured with size().
      allow write: if request.resource.data.message.size() <= 260
                   && request.resource.data.name.size() <= 20;
    }
  }
}

Using these restrictions I can at least effectively drop requests that attempt to flood the database with requests. (Note this does not restrict the length of what is written but drops the attempts.) See: How to limit string length in firebase

For DoS by only data-reading over many listeners, I think this does not pose a big vector, as attacking will be about equally expensive in terms of network traffic and computation as being the victim.

Basically most of the resiliency of Firebase comes from setting up good access rules. Nowadays every bigger app requires you to authenticate in some form, so if you simply require some auth, let's say Google auth, to read/write into your database, you probably never have to worry about DoS.

Gewure answered Nov 06 '22 20:11
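A fuller rule set in the direction the answer describes (require authentication, bound field sizes on the incoming document, and keep per-user data such as the drafts and bookmarks from the question under the owner's path), added here as an example; it is not from the original post, and the collection and field names are assumptions:

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Caller is signed in with Firebase Auth (any provider).
    function signedIn() {
      return request.auth != null;
    }

    // Caller owns the user sub-tree being accessed.
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Incoming chat message has only the expected fields, with bounded
    // string sizes. Checked on request.resource (the document being
    // written), so the check also applies to creates. createdAt must be
    // a server timestamp (client sends serverTimestamp()).
    function validMessage() {
      let d = request.resource.data;
      return d.keys().hasOnly(['name', 'message', 'createdAt'])
        && d.name is string && d.name.size() <= 20
        && d.message is string && d.message.size() <= 260
        && d.createdAt == request.time;
    }

    // Public chat room (assumed collection name): signed-in users may
    // listen; oversized or malformed writes are rejected, never stored.
    match /chatroom/{messageId} {
      allow read: if signedIn();
      allow create: if signedIn() && validMessage();
    }

    // Drafts and bookmarks (assumed paths) live under the owning user,
    // so a listener opened on another user's path is denied outright.
    match /users/{uid}/drafts/{draftId} {
      allow read, delete: if isOwner(uid);
      allow create, update: if isOwner(uid)
        && request.resource.data.body is string
        && request.resource.data.body.size() <= 20000;
    }
    match /users/{uid}/bookmarks/{postId} {
      allow read, write: if isOwner(uid);
    }
  }
}
```

Rules that are not matched by any `allow` deny by default, so the chat room permits no update or delete at all, and unauthenticated listeners on any of these paths are refused before data flows.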