Api Rate Abuse in Axum with Firestore
Api Rate Abuse in Axum with Firestore — how this specific combination creates or exposes the vulnerability
Rate abuse in an Axum service backed by Firestore occurs when an attacker sends many requests that each perform repeated reads or writes, exhausting backend capacity or triggering Firestore request-rate limits. Because Firestore has per-document and per-collection throughput limits, unbounded request bursts from a single IP or API key can degrade performance and increase costs. In Axum, without explicit per-route or per-identity rate limiting, each request is processed independently, and Firestore client instances may open many concurrent sessions, amplifying the impact.
The risk is compounded when endpoints perform operations such as collection("items").where(...).get() without constraints or pagination, because each query consumes read capacity. An authenticated or unauthenticated attacker can target high-frequency endpoints (e.g., leaderboard fetches or analytics) to induce latency, trigger quota errors, or cause spike-related throttling that affects legitimate users. Unlike stateless in-memory counters, Firestore does not provide built-in request throttling at the API layer; developers must enforce limits in application logic or through infrastructure controls.
Because middleBrick scans endpoints without authentication, it can detect missing rate-limiting controls on Axum routes that interact with Firestore. Findings include missing rate-limit headers, lack of token-bucket or sliding-window enforcement, and absence of per-identifier constraints that would mitigate burst traffic. Prioritized remediation guidance typically centers on introducing middleware that caps requests per time window and adds concurrency limits around Firestore calls, reducing the chance of hitting Firestore quotas and preventing denial-of-service conditions.
Firestore-Specific Remediation in Axum — concrete code fixes
To protect Axum routes that use Firestore, apply rate limiting at the framework level and add operational safeguards around Firestore usage. Below are concrete, idiomatic examples that demonstrate how to implement these protections.
1. Rate limiting with tower::limit
Use tower::limit to enforce request counts per time window. This sits between the HTTP layer and your Axum handlers, rejecting excess requests before they reach Firestore.
use axum::Router;
use tower_http::limit::RateLimitLayer;
use std::time::Duration;
let app = Router::new()
.route("/api/readings", axum::routing::get(get_readings))
.layer(
RateLimitLayer::new(100, Duration::from_secs(1)) // 100 requests per second
);
2. Token-bucket with per-identifier keys
For endpoints where abuse is more likely from specific users or API keys, use a per-identifier token bucket. Store state in a fast, external store (e.g., Redis) and evaluate before issuing Firestore calls.
use std::collections::HashMap;
use std::sync::{Arc, Mutex};
use axum::{extract::State, Json};
struct RateState {
tokens: f64,
last: std::time::Instant,
}
struct AppState {
buckets: Mutex>,
rate: f64,
capacity: f64,
interval: Duration,
}
async fn check_rate_limit(state: Arc<AppState>, key: String) -> bool {
let mut buckets = state.buckets.lock().unwrap();
let entry = buckets.entry(key).or_insert(RateState {
tokens: state.capacity,
last: std::time::Instant::now(),
});
let elapsed = entry.last.elapsed();
entry.tokens = (entry.tokens + state.rate * elapsed.as_secs_f64()).min(state.capacity);
entry.last = std::time::Instant::now();
if entry.tokens >= 1.0 {
entry.tokens -= 1.0;
true
} else {
false
}
}
async fn get_readings(
State(state): State<Arc<AppState>>,
axum::extract::Request(req): axum::extract::Request,
) -> Result<Json<serde_json::Value>, (StatusCode, String)> {
let ident = req.headers().get("X-User-Id")
.and_then(|v| v.to_str().ok())
.unwrap_or("anonymous");
if check_rate_limit(state, ident.to_string()).await {
let docs = get_firestore_data().await?;
Ok(Json(docs))
} else {
Err((StatusCode::TOO_MANY_REQUESTS, "Rate limit exceeded".into()))
}
}
3. Bounded concurrency with Firestore batch reads
Control parallelism by limiting concurrent Firestore operations. This avoids spikes in request units and helps stay within quotas.
use futures::stream::{self, StreamExt};
use firestore::FirestoreDb;
async fn get_firestore_data() -> Result<Vec<serde_json::Value>, (StatusCode, String)> {
let db = FirestoreDb::new("my-project").map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
let semaphore = Arc::new(tokio::sync::Semaphore::new(20)); // max 20 concurrent calls
let ids = vec!["a", "b", "c"];
let streams = ids.into_iter().map(|id| {
let permit = semaphore.clone().acquire_owned().await.unwrap();
async move {
let doc: serde_json::Value = db.get("items", id).await.map_err(|e| e.to_string())?;
drop(permit);
Ok(doc)
}
});
let results = stream::iter(streams).buffer_unzip(10).collect::>().await;
let mut data = Vec::new();
for r in results {
data.push(r?);
}
Ok(data)
}
4. Query constraints and pagination
Reduce Firestore load by using query limits and cursors. This lowers read consumption per request and prevents runaway result sets that amplify rate pressure.
use firestore::FirestoreDb;
async fn get_limited() -> Result<Vec<serde_json::Value>, (StatusCode, String)> {
let db = FirestoreDb::new("my-project").map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
let docs = db
.col("events")
.limit(10)
.order_by_desc("timestamp")
.get()
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
Ok(docs)
}
5. Middleware observability and rejection logging
Log rejected requests to understand patterns of abuse. Combine with response headers so clients can adapt (e.g., Retry-After).
use axum::response::IntoResponse;
async fn rate_rejection_handler() -> impl IntoResponse {
(StatusCode::TOO_MANY_REQUESTS, [("Retry-After", "1")], "Too many requests. Please retry later.")
}