Firebase Ecosystem - Security and Cost - firebase

In the Firebase ecosystem, for example in Cloud-Firestore, financial cost is highly dependent on factors such as document reads.
Is there anything protecting us from hostiles sending large numbers of read requests directly to our Firestore (circumventing our app) in order to drive our cost up?
Does the Firebase platform somehow recognise this and filter it out, or would we simply have to pay if this happened to us?
Clarification: Let's assume our Firestore security rules are such, that there are certain read requests which can be performed by anyone (allow read;). Consider for example a HackerNews type application, where anyone can list posts (no authentication required).

Cloud Firestore is designed to enable you to scale without experiencing an outage due to overload. We do enable you to set daily spending caps using the App Engine daily spending limit which can help prevent unexpected runaway costs.
There are a few other strategies to help control for this as well, such as using Firebase Auth and requiring users to sign-in, or doing server-side rendering of read-only results.

Related

Monitoring reads (per user) in Firebase

I have thought about monitoring reads for users in Firebase.
Let's say that a user makes a lot of "reads", then I will monitor these "reads" by writing to a counter in a separate document. Once the user has reached 104 reads I will tell the user that they have reached their daily quota. In such a case I also want to disable them from making any further reads (for a day), is this possible in Firebase?
No, that's not currently possible. At least not in any secure way that would prevent the user from manipulating the value.
Your best solution at present would be to use Firestore or RTDB as a non-public database and then create an API behind the API Gateway to handle your rate limiting. Then reads go through your API giving you much more control but of course involves losing realtime updates.

Does Firestore have an api that allows me to check daily reads/writes so I know when I'm over a certain amount?

I know that I could implement a counter in my application but using an api would still be a cleaner solution - if one exists?
Basically, Firestore has Spark free tier limits (think 50,000 reads/day) that I don't want to exceed. So whenever my app was going to do firestore reads, I would like a way to simply ask firestore whether I'm over a certain number.
I'm also reading that Google intentionally got rid of Firebase spending limits.. which seems really sketchy... Impossible to set the Cloud Firebase daily spending limit
There is no such API as part of Firebase. The ways to monitor usage are documented here, but none of them is an API.
You might be able to get some data through the Cloud Monitoring API. But this API isn't made for client-side access though, so you'll have to wrap it yourself.
A final alternative would be to look at a service like https://firerun.io/ who automate a lot of this.

Is there a Google API answering about Firestore database either Metrics or Health Checks or Current Active Connectios or Exceptions or Performance

Context: I am total Google Cloud begginer and I have just convinced my company headers to use Firestore Realtime Database for pushing transaction status to our mobile application. We have around 4 millions users that will use significantly our application for small money transfers. Now-a-days we use the concept of polling from Android/IOS to our Microservice endpoints and it will replaced by Firebase SDK imported to our Mobile app which will listen/observe to our Firestore Collection following few Firestore Rules. Since all money transfer will be confirmed/denied in short time (from few seconds to 1 or 2 minutes) the idea of replacing polling by a real reactive approach straigh from Firestore sounded and is already ongoing coding.
The issue: Firstly I don't what to compare solutions. It is just my reality: the prodution support operators must look after our internal Dashboard. Isn't allowed to them look at Google Dashboard Console (please accept this for this question). I need get on demand metrics of our FIrestore. It is nothing to do with Google pricing. It is just our demand: they want to see metrics like:
how many users listening at the same time now
how many users took some exception during connection
is there any user holding connection for more than X minute
when was the connection pick this morning
any exception of any type surrounding our Firestore database
I read Code Samples carefully follow the sample step-by-step trying to figure out some idea if there is some API providing the answers I am looking for.
So, my straight question is: is there such type of Google API providing metrics about my Firestore Database? Maybe following the same idea we found in Performance Monitor which works on Mobile side also some similar aproach on Firestore side.
*** Edited
Future readers may find worth read also about a way to get Firestore metrics info striagh from curl/postman
A couple of things: You mentioned both Firestore and Realtime Database; just wanted to make sure that you are aware that those are two different databases offered under the Firebase umbrella.
how many users listening at the same time now
is there any user holding connection for more than X minute
Yes, there's a dashboard: https://support.google.com/firebase/answer/6317517?hl=en. Including lots of options, like users active in the last 30 mins.
how many users took some exception during connection
any exception of any type surrounding our Firestore database
Yes, you can track errors and other logging via Stack Driver logging. These can give you reports on your cloud functions.
https://cloud.google.com/functions/docs/monitoring
Where can I find Stackdriver in Firebase console?
when was the connection pick this morning
For this one, I'm not sure if you mean A. when did somebody log on in the morning, or B. what was the time that there was the peak \ most usage. If B see 1. If A,
Real-time database has the concept of presence, which lets you know if a user is currently logged in or not. See examples here from the official documentation:
https://firebase.google.com/docs/firestore/solutions/presence
and this post
How to make user presence mechanism using Firebase?
Also applies to your
is there any user holding connection for more than X minute
..............
Edit in response to comments: I believe you are experiencing the XY problem https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem where you are focused on a particular solution, even though your problem has other solutions. User metrics, database events, and errors are all accessible through both dashboards and cloud functions. You can cURL cloud functions if you wish, or set up cron functions to auto report, or set up database trigger functions to log errors. So, while the exact way you want this to work may not exist, you just need to connect existing tools to get the result you want.

SaaS application using firestore's offline cache

I have created an ionic4 firestore mobile app. It's a SaaS application it has monthly subscription payments. My problem is how could I sell the app using firestore's offline capabilities? I mean making the app work offline adds value to my product but the users can use it for ever, with just offline caching. How can I stop users from using it after a month? Thank you.
If you wanted the opposite (allowing the user to continue using the app offline, but not online, after their subscription expires), you could do so by modeling this in the server-side security rules of your database.
But security rules are not applied while the client is offline. So there's no way to use security rules to reject users without a subscription.
This means you'll have to find a way to lock them out of your app itself, typically by storing (in the offline cache) until when their subscription is valid, and then refusing to start the app if that date is in the past.
A malicious user might be able to work around this, and access the data without your app. Since you're not paying for any database services at this point, that seems a decent trade-off. But if you don't think so, you can start looking at encrypting the data, which makes it harder for users to access the cache without your app. At this point you're pretty much in an arms race with malicious users though, so I'd seriously consider if the loss in potential revenue is worth the effort.

Firebase debugging tools

Is there any way to debug firebase instance like number of reads / writes / live connections etc.
We have hit the firebase outage many times and it is only firebase support tell us about these metrics.
Are there tools available which if I run on instance let me know all above information ?
Thanks
You can use the Firebase Profiler tool to get an idea of your bandwidth consumption but as stated by the doc, it's not a tool to estimate your billing. Many other factors affect your billing, such as protocol overhead, ssh overhead etc. You can read more on the Understand Realtime Database Billing here.
The Firebase profiler can however helps you to see potential issues with your database, and potential heavy listeners that sync too many data. Keep in mind that every time you write a on listener, firebase will download all the initial data at this node, each time, thus increasing bandwidth usage.

Resources