Hey, hopefully, I can shed a little light on this.
If you are using anonymous authentication then you are correct that it would enable anyone to use your app-id to send requests to Realm, but that is kind of the point. If you want your application to allow users to make requests and navigate around on your page without setting up an account then by definition you are saying that any client should be able to send requests to Realm. This is also the reason that enabling anonymous authentication will give you a warning in the UI and think we document this.
If you want more stringent limitations on who can access your service, then you should be using more strict authentication providers such as:
- API Key Authentication: the client needs to know a specific API key in order to connect
- User-Password: user authenticates with a username and password
- Custom JWT
- Lots of others that you can find in the documentation
As for your examples above, hopefully, the description here explains that there are reasons to avoid anonymous auth when you want to guard against attacks like the above, but we also have app-level limits in place to prevent too many requests from saturating an application in any given hour. These are internal and we get alerts when applications get close to the limit and we can raise them (and we do that for many production applications).
We have discussed the idea of adding user-specific limits to realm requests, so I would be curious to hear if that is something you would be interested in and why? Additionally, what specific things would you want to be able to toggle? IE, would total requests per user be enough, or would you want to distinguish by service (graphql, sync, functions, etc)? Would you want to have specific limits for specific users and allow some users to eclipse those limits?
The other security measure is that we have permissions to prevent users’ from performing actions that they should not be able to do, but I don’t think that fully solves your problem which is mostly about preventing request spamming.