Firestore update rate limit

Published: November 18, 2019

This is how to prevent frequent updates to a Firestore document.

match /users/{document=**} {
  allow create: if hasTimestamp();
  allow update: if hasTimestamp() && isCalm();
  // The written timestamp must equal the server's request time.
  function hasTimestamp() {
    return request.resource.data.timestamp == request.time;
  }
  // The stored timestamp must be more than 5 seconds older than this request.
  function isCalm() {
    return request.time > resource.data.timestamp + duration.value(5, 's');
  }
}

Remember that request.resource is the future state of the document (incoming), while resource is the requested document (existing).

This works when using FieldValue.serverTimestamp() as the timestamp. That is now the only valid timestamp, because hasTimestamp() checks it against request.time.

isCalm() then checks that the existing timestamp is more than 5 seconds old.
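To see which writes these two checks let through, here is an added example (not code from the original post) that models the rule predicates in plain JavaScript over constructed requests. It is not Firestore's rules engine: times are plain milliseconds, and SERVER_TS, futureState and allowWrite are hypothetical names standing in for FieldValue.serverTimestamp(), request.resource.data and the allow statements.

```javascript
// Added example: a plain-JavaScript model of the two rule predicates.
// It is not Firestore's rules engine; times are milliseconds since epoch.
const WINDOW_MS = 5 * 1000; // duration.value(5, 's')
const SERVER_TS = Symbol('serverTimestamp'); // stands in for FieldValue.serverTimestamp()

// Models request.resource.data: for an update, the existing fields merged
// with the write; the server-timestamp sentinel resolves to request.time.
function futureState(existing, write, requestTime) {
  const merged = { ...(existing || {}), ...write };
  for (const key of Object.keys(merged)) {
    if (merged[key] === SERVER_TS) merged[key] = requestTime;
  }
  return merged;
}

function hasTimestamp(future, requestTime) {
  return future.timestamp === requestTime;
}

function isCalm(existing, requestTime) {
  return requestTime > existing.timestamp + WINDOW_MS; // strict, as in the rule
}

// Returns true if the write is allowed; existing === null means a create.
function allowWrite(existing, write, requestTime) {
  const future = futureState(existing, write, requestTime);
  if (existing === null) return hasTimestamp(future, requestTime);
  return hasTimestamp(future, requestTime) && isCalm(existing, requestTime);
}

// Constructed sample: a document created at t0, then several update attempts.
const t0 = 1574035200000;
const doc = { name: 'a', timestamp: t0 };
const results = {
  create: allowWrite(null, { name: 'a', timestamp: SERVER_TS }, t0),
  tooSoon: allowWrite(doc, { name: 'b', timestamp: SERVER_TS }, t0 + 2000),
  exactly5s: allowWrite(doc, { name: 'b', timestamp: SERVER_TS }, t0 + 5000),
  after5s: allowWrite(doc, { name: 'b', timestamp: SERVER_TS }, t0 + 5001),
  clientClock: allowWrite(doc, { name: 'b', timestamp: t0 - 60000 }, t0 + 2000),
  noTimestamp: allowWrite(doc, { name: 'b' }, t0 + 6000),
};
console.log(results);
```

Only create and after5s are allowed. A backdated client-supplied timestamp fails hasTimestamp(), and an update that leaves the timestamp out is denied because the future state still carries the old value.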

Thanks puf