google-cloud-firestorefirebase-security

Firestore Rules Metrics


i have a smaller web-app build with firebase and I'm using firestore as my database. I secured different aspects of the app using rules.

Now when I view the firestore usage I'm confused by the metrics. I can see that I have 0 reads, 0 writes and 0 deletes in the viewed time frame. But at the same time I can see that rules get evaluate consistently.

Now how can it be, that I have no usage (reads, writes, deletes) on the firestore but rules get evaluated consistently? From my understanding, a rule would only be evaluated if an action on the firestore was triggered. Although there is to note, that i have some snapshot listeners and active connections, could they automatically cause some evaluated rules without read/write/delete?


Solution

  • to understand this , it is important to note that firestore rules evaluation is separate from these usage metrics. of course it will we more if read/write increases .

    Firestore rules are evaluated whenever a read, write, or delete operation is performed to determine if the operation is allowed or denied based on the defined rules. However, there are scenarios where rules can be evaluated even if there are no explicit read, write, or delete operations.

    One such case is when you have active snapshot listeners or connections to your Firestore database. snapshot listeners are real-time listeners that listen for changes in your data and automatically update whenever there is a change. These listeners can trigger rule evaluations even if there are no explicit read, write, or delete operations. Additionally, active connections to your Firestore database, such as client applications or backend services, can also trigger rule evaluations. These connections may perform internal operations or maintain a persistent connection to the database, which can result in rule evaluations even without explicit read, write, or delete operations.

    other aspect:

    also should consider that the reason for this behavior can be to prevent unauthorized access to your data. Even if a user does not explicitly attempt a read or write operation, Firebase still evaluates the security rules to determine if the user has the necessary permissions to access the data. This ensures that your data remains secure and protected at all times.

    For example, let's say you have a rule that allows only authenticated users to read a certain collection in Firestore. Even if a user does not explicitly attempt to read from that collection, Firebase will still evaluate the security rule to check if the user is authenticated. If the user is not authenticated, the read operation will be denied.

    This behavior is important because it prevents potential security vulnerabilities. By evaluating the security rules even without explicit read or write operations, Firebase ensures that unauthorized users cannot bypass the rules and gain access to your data.

    In conclusion, Firebase security rules are evaluated even without read or write operations to maintain the integrity and security of your data. It is a crucial aspect of Firebase's security mechanism to prevent unauthorized access and protect your data from potential threats.