Protection from repeated cloud function endpoint call abuse on the web (App Check?)


nw...@cornell.edu

Jul 27, 2021, 1:05:20 PM
to Firebase Google Group
Hi,

I'm trying to protect against users repeatedly calling certain endpoints on the web and am wondering if App Check (for the web in this case) is the right solution.

From my understanding, App Check only guarantees that requests are made "from my app". So in this case, it would stop someone abusing the endpoint via curl, for example, but it wouldn't stop someone from writing some JavaScript and running it "as the app". Is this understanding correct?

An easier question to digest would be to say that if my system could be used by pressing a button rapidly -- then does App Check protect against this? This being someone who wrote a script to press the button rapidly.

Or even someone more advanced could grab the reCAPTCHA site key, grab my public Firebase config, and simply make calls via a crafted JavaScript script.

I partially bring this up since I know that App Check on the web uses reCAPTCHA v3. So I'm wondering if it's perhaps advanced enough to detect bot users sending these types of requests, or is the only advantage of App Check on the web today to see that the requests are "coming from the app"?