yes
like some extension?
Nope
All browsers have it
Could you please explain further what limits on executions you're trying to achieve client sided?
So I can guide you to achieve the same server side securely
Sure the only 2 limits I have are to check if the user plan has expired, if it is expired you cannot execute that function.
If it is not expired, then it checks if plan.userGeneratedCount >= plan.planGenerateLimit and if it is correct then it gives it a toast that says it has exceeded its limit
I think there are 2 things that could easily be put inside the function code
I think he definitely modified the code in the browser, I'm checking one of the 4000 executions of the function and it has things that only a plan.planType == "admin" could see and put in the payload of the function
It's crazy that someone can modify the client side code, even if I add those validations inside the function code, how can I prevent it from modifying the code in the browser for now?
How do you get or generate plan.status?
The "plan" is a document that each user has that is created at the time of registration and has an attribute called status and that attribute by default is active, however when a user purchases a plan and 30 days pass and does not renew, the status is now changed to expired
So there's no hard limit on the amount of executions in such period?
I think you should have a function that gets triggered by cron and changes status
I have not yet set a limit on the number of executions, it's bad for me not to have planned it that way, but right now I will do it
Yes, I think in your case you should do it to prevent abuse, and as said, changing status with a function instead of client sided
Continuing this case, I am creating functions for each operation that has to do with a post or patch request in my application to put validations within that function, to prevent a user from modifying the payload again so it has to go through extra server side validations
However, while testing, I noticed that if I modify the POST payload when creating an account and change the ID of unique() to a "1", for example, it is possible to register a user with the ID of 1. Shouldn't the ID be assigned automatically on the server side?
how can I prevent someone from creating an account with the ID they want? or do I also need to create a function that anyone can run that creates the user and assigns the ID on the server side?
Passing unique() is what causes appwrite to autogenerate the id. How does a custom id affect your functions/business logic?
You can perform the assign server sided with a function
As I said, to prevent it from being modified
I'm still genuinely curious about how custom ids are a security risk. The id of a user or document is pretty much public so whether it was custom or autogenerated an attacker can still find out the id.
It is public and I think it is not a security risk, even so, for my webapp I don't want anyone to be able to modify the payload of creating an account and give themselves IDs of "1" or "69" or whatever
I was thinking of also making a function for that, but within the appwrite docs, I can't find where accounts can be created. If I change to "Platform: NodeJS" the "create account" disappears, but if I put something like "Platform: Web" it appears again
Is it possible to create accounts using node-appwrite?
Ok, got it. Then all you need to do is have a function override the id field and set it to "unique()"
Accounts docs are for the client SDKs; for servers, check out the Users docs: https://appwrite.io/docs/references/cloud/server-nodejs/users
thanks Ernest I'll take a look
With a server SDK, you would use the user API