I have some concerns about auth/too-many-requests error/prevention


Vincent Bergeron

Jun 3, 2017, 11:33:09 AM6/3/17
to Firebase Google Group
Hi!

A little background here...

My customer has two different web apps that connect to the same Firebase DB. One app is for in-house use (using e-mail/password authentication) and the other is for their customers. Let's call this last app the end-user app.

The end-user app uses Anonymous Authentication. As soon as the user goes to the page, I do an anonymous auth.

Today, my customer had a big sale. He wanted to know if his products were appearing correctly on the end-user side. So he clicked on each product and opened it in another browser tab...

Detail here: Each tab creates a distinct Firebase anonymous auth connection... I did it this way.

So, after a little time, he got this error:
"auth/too-many-requests"
message: "We have blocked all requests from this device due to unusual activity. Try again later."

At first, I thought that it was a good thing to prevent a whiz kid from flooding the website or something like this...

But after some thought... What if some students in a college or university, or some colleagues in a medium-to-big organisation, want to buy from my customer? They will likely have the same IP address, and within 60 minutes there can only be 15 new sign-ups... Whoa! That's a big concern...

I saw the "Manage sign-ups" option in the Authentication part of Firebase that allows me to change the quota for a certain period of time. That's OK, but I'm not always aware of my customer's sales activity, big sale dates or whatever. So if he has a big sale and this error occurs, it will be too late to change the quota, as the end-user might already be gone elsewhere.

So... I think it's a problem. Deactivating this option is, in my opinion, not a good idea... But having to manually change the quota after I get informed by my customer is also not the way to go.

Any thoughts? Suggestions? Let's debate a little! ;-)

Thanks

VB

Michael Bleigh

Jun 3, 2017, 3:36:29 PM6/3/17
to Firebase Google Group

Why are you creating a *new* anonymous session for each tab? Doesn't that defeat the purpose? I would think the solution here is to reuse the existing anonymous session.



Bassam

Jun 3, 2017, 7:38:08 PM6/3/17
to Firebase Google Group
Hey Vincent, for the majority of situations, the current setup works quite well between sign-up throttling and the self-managed quota for exceptions. Your example is a very rare edge case that we have not seen yet, where there is a sudden unexpected spike in sign-ups from the same IP address at the same time.
That said, we are looking into other signals for handling abuse for password sign-up.

Best regards,
Bassam

Vincent Bergeron

Jun 4, 2017, 1:49:47 PM6/4/17
to Firebase Google Group
@Michael I was just explaining how I discovered the issue. It would be a little bit complicated to explain why I need separate sessions, but I need it this way.

Vincent Bergeron

Jun 4, 2017, 2:00:43 PM6/4/17
to Firebase Google Group
@Bassam What do you consider a sudden spike of sign-ups? Is 15 within an hour a spike?

Can you be more precise about under what conditions the error will occur?

Maybe my example is a very rare edge case, but my customer had this error; he will surely get it again. And the fictitious scenario I described in my previous post is not a crazy one. In my business case, it's very plausible.

Kato Richardson

Jun 5, 2017, 8:04:09 PM6/5/17
to Firebase Google Group
Hi Vincent,

The limits are based on IP address, so several dozen signups from the same IP/device in an hour might be throttled (15 sounds a bit low based on what I've heard in the past).

If you need to support an edge case where dozens of requests are sent from the same source, then you might need to sign your own auth tokens to make this work. 

☼, Kato

