mmcknett
commented
1 year ago Quotas have been updated, and I added a write-up to docs explaining what was done.
Closed mmcknett closed 1 year ago
mmcknett
commented
1 year ago Quotas have been updated, and I added a write-up to docs explaining what was done.
Although it's not necessary to protect the firebase API key (unlike most API keys), Google recommends adding quotas to limit the rate at which the key can be used. For this project, that means following the advice of this document: Tighten quota if you use password-based Authentication. Eureka Surveys produced a writeup explaining how too-permissive an API quota can invite a brute force attack on user credentials.
The defaults currently allow significant volume. E.g. queries per minute on the Identity API of 180k. That's 30k queries per second. There's also a query per minute per user quota limit of 30k, which seems overly high.