My app supports only login via Email/Password, Google, and Facebook using Firebase Authentication.
Inside the Authentication -> Settings tab, Firebase said to me "Upgrade to Firebase Auth with Identity platform to access this feature."
I upgraded successfully because I want to disable creating a new account on the client side and disable deleting an account. These features are all I want.
If you are interested to know why I want to disable creating a new account on the client side, please check my question here.
Today I opened Firebase Pricing and found that there are changes in Firebase Authentication: Firebase added 2 new rows at the end, as you can see.
I was not charged for Phone verifications because I don't use this provider. I was only charged for Firebase Realtime Database and Firebase Storage.
Here are my questions:
Identity Platform Pricing Monthly active users (excluding SAML/OIDC) => If there were 83,000 daily active users (83,000 * 30 = 2,490,000), approximately how much will I be charged at the end of the month?
Monthly active users - SAML/OIDC => As I said above, my app supports only login via Email/Password, Google, and Facebook. Does that mean I'll not be charged for SAML and OIDC?
I hope everything is clear. Thank you.
If you have 83K monthly active users then you won't be charged for 50K users as it falls in the free tier. But you'll be charged for the next 33K users as per the pricing mentioned in Google Cloud Documentation:
From the documentation,
Any account that has signed in within a given month is considered an active user. Inactive users are stored at no cost.
For the given example, your bill would be:
0.0055*33000 = $181.5 / month
my app supports only login via Email/Password, Google, and Facebook. Does that mean I'll not be charged for SAML and OIDC?
Yes, if you are not using SAML/OIDC (Tier 2 providers) then you'll be charged based on Tier 1 pricing mentioned above only.
If you use any Tier 2 provider then you only have up to 50 free MAU and $0.015 / MAU / month thereafter.
Related
Firebase Auth provides a REST API to create/delete/edit auth users. As API Keys are not private, anybody can use the API.
The endpoint, e.g. to create new users, is publicly available and can't, AFAIK, be disabled.
This is in my opinion a bad situation, as e.g. an attacker could create via this endpoint lots of users which are not valid users for our system. An attacker could block valid email addresses of customers, who are then not able to create their valid accounts.
If an attacker knows a userID he could even delete auth users.
We added user claims (which can only be set via the Admin API and not via the public API) to ensure only users created by us are allowed to access our systems, but it would mean a lot of effort on our side to regularly delete users not created via our system.
Is it planned to protect FirebaseAuth also via AppCheck to allow only verified apps to access the auth api?
At this point, I would say it's unlikely as this type of abuse is considered a low risk in comparison to the APIs that app check is protecting.
The public-facing Firebase Auth APIs are rate-limited and the web APIs in particular must come from your permitted auth domains. However, one of the platform's key selling points is the ability to handle many concurrent users.
100 accounts/IP address/hour can be created
10 accounts/second can be deleted
Can handle 1000 requests/second, 10 million requests/day for public APIs across a project
The per-IP address limits are bypassed by using the Admin SDKs (subject to a 500 requests/second limit). You can also boost these limits temporarily from the Firebase Console if you are expecting a spike in demand (e.g. you offer a Black Friday sale).
Only the Firebase Auth API for creating users is "exposed", but limited as detailed above.
Editing, deleting, updating a user's details, both metadata and the account itself, are privileged actions - you must be appropriately authenticated to make changes. In the case of a user account connecting from a client device, you must have signed in within about 5 minutes to be able to update/delete your own account. When using an Admin SDK, the requests are authenticated with a service account's credentials which authorizes it to make changes on behalf of users or the system.
If your system were to be abused in such a fashion, reaching out to Firebase Support would be your point of call.
I'm building a Flutter app that will allow users to subscribe. I'm using this plugin: in_app_purchase 0.5.2
So, my question is: I have to log my users in, and I do this using Firebase Auth. But how can I check which user is logged in to deliver them the right purchase? I mean, using Firebase Auth, where must I check if the current user has purchased something?
You can use a database like Firestore to store all the purchase information.
Ex:
Users/Auth-id
Then retrieve it whenever needed. You can also get the previous purchases with the API.
Ex:
final QueryPurchaseDetailsResponse response = await InAppPurchaseConnection.instance.queryPastPurchases(); //returns previous purchases
Note that the App Store does not have any APIs for querying consumable products, and Google Play considers consumable products to no longer be owned once they're marked as consumed and fails to return them here. For restoring these across devices you'll need to persist them on your own server and query that as well.
Does updating user details such as name, password or adding/deleting Custom Claims in Firebase Authentication also incur a charge?
Suppose I have 1 million users in my app using Firebase Authentication, and I update the password of all the users or add custom claims to all the users using the Firebase Admin SDK. Does this process incur any charge?
Does updating user details such as name, password or adding/deleting Custom Claims in Firebase Authentication also incur a charge?
No.
Suppose I have 1 million users in my app using Firebase Authentication, and I update the password of all the users or add custom claims to all the users using the Firebase Admin SDK. Does this process incur any charge?
No.
I suggest reviewing the pricing information in the documentation. Firebase Auth has no charges except for phone auth. What you are describing is covered by "Other Authentication services" which are not billed.
There are limits to the rate at which you may make API calls, which you should also review.
If you have further questions about billing that are not covered in the documentation, you should send those directly to Firebase support.
I'm currently using Firebase for an online Android game in Kotlin (school project) to authenticate/register users. We're going to release our first version for testing, and I would like to set a limit of people that are able to sign up with Firebase (20 to be specific). Is this possible? Thank you in advance.
There is no way to limit the number of people that can sign in to Firebase Authentication. All authentication does is allow you to say (and prove) that "I am Max", and there is no way to restrict in Firebase Authentication who can do that (beyond creating your own custom identity provider).
But you can limit what these users can do in the rest of your app. If you're for example using the Firebase Realtime Database or Cloud Firestore, you'd restrict the users who can access the database with their respective server-side security rules (Realtime Database, Cloud Firestore).
If you have your own backend servers, you'll want to pass the ID token from the user to that server, and verify the token there to allow who can access what resources.
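The backend check described in this answer, combined with the Admin-only custom claim mentioned in the App Check question above, as an added example that is not part of any of the original posts. The claim name `provisioned`, the tester UIDs and the function names are hypothetical; `verify_id_token` and `set_custom_user_claims` are the Firebase Admin SDK for Python calls, imported lazily so the decision logic runs without the SDK installed.

```python
# Added example: server-side gate on a verified Firebase ID token.
# The claim name "provisioned" and the tester UIDs are hypothetical.
MAX_TESTERS = 20
PROVISIONED_CLAIM = "provisioned"  # assumed name; set only via the Admin SDK


def authorize(decoded, tester_uids):
    """Decide access from the claims of an already verified ID token.

    Returns (allowed, reason). Signing up only proves identity, so an
    account made through the public endpoint carries no custom claim
    and is rejected here even though its token is valid.
    """
    if len(tester_uids) > MAX_TESTERS:
        raise ValueError("tester allowlist exceeds the agreed cap")
    uid = decoded.get("uid") or decoded.get("sub")
    if not uid:
        return False, "no-uid"
    # Custom claims appear at the top level of the decoded token.
    if decoded.get(PROVISIONED_CLAIM) is not True:
        return False, "not-provisioned"
    if uid not in tester_uids:
        return False, "not-a-tester"
    return True, "ok"


def verify_and_authorize(id_token, tester_uids):
    """Verify signature, expiry and revocation, then apply authorize()."""
    from firebase_admin import auth  # needs firebase_admin.initialize_app()
    decoded = auth.verify_id_token(id_token, check_revoked=True)
    return authorize(decoded, tester_uids)


def provision(uid):
    """Mark an account as operator-created (replaces existing claims)."""
    from firebase_admin import auth
    auth.set_custom_user_claims(uid, {PROVISIONED_CLAIM: True})


# Constructed sample claims, shaped like verify_id_token() output.
TESTERS = {"uid-alice", "uid-bob"}
SAMPLES = {
    "provisioned tester": {"uid": "uid-alice", "provisioned": True},
    "self-registered": {"uid": "uid-mallory"},
    "provisioned, not a tester": {"uid": "uid-carol", "provisioned": True},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(label, authorize(claims, TESTERS))
```
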
I love Firebase.
I'm building an Android app where customers have to log in with a unique account credential (email/password) provided by an admin.
Is there any limit for multiple connections by the same account at the same time?
Thanks for loving Firebase.
There are no inherent restrictions on how many connections a user may have with any of the Firebase products.