This is one of a series of articles about Going serverless with Firebase. You many want to read about Firebase cloud functions and Custom domains and ssl with Firebase hosting before this article.

Rate limiting

So you’ve created your cloud function and have a firestore backend. There are abuse limits built into the Firebase platform, but you’ll probably want to limit usage to ensure you keep your hosting costs under control too. In this example, there are a number of rate limits and quotas to enforce, based on the level of subscription of an account.
Here’s an extract from an example configuration, with 2 plans and 4 limits per plan
Each limiter consists of properties like this – this means that in a window of 120 seconds a maximum of 60 operations are allowed – in other words 1 every 2 seconds, or 30 a minute on average

Firestore slotlimit document

Each account is associated with a particular plan, and has a firestore document like this, with a property corresponding to each of the limits that are being imposed. It also has an expiry date to clean up unused documents when no longer active.

Getting a slot

A slot is a window over which a rate is being measured. Calculating the current slot is simply a matter of dividing the current time by the size of the window, then each of the rates for the current slot can be checked to see if there is enough quota left to complete the proposed operation. Every operation starts with a fetch of the slot information for the current account
next we get the current time
look through each rate being checked
figure out the  slot based on the current time and the measurement window
update the slot if we’ve moved on to a new measurement window from the last operation
increment the slot with the volume (if it’s a quota type – for example no. of bytes written per day) or by one if it’s a rate limited operation, and report and error if the limit is exceeded
finish off the loop
If we get here without recording an error – we can go ahead and write the updated rate to firestore

otherwise report a quota violation

And that’s all there is to it.
The complete code for the cloud function available on github
For other articles on this topic see Going serverless with Firebase.  For more snippets, see Google Apps Scripts snippets