r/Firebase

Hey r/Firebase — solo dev. Shipped a real-time multiplayer party word game in late February, been running on Firebase for ~3 months. ~34 DAU right now, which is small but real: real spend, real player money flowing through Cloud Functions, real rules to get wrong. Wanted to write up what I learned because most multiplayer-on-Firestore content is either toy-scale tutorials or "we hit 10k DAU, here's how we sharded everything." This is the middle.

The stack

• Expo (React Native) clients
• Firestore for room + game state
• RTDB for presence (onDisconnect is the killer feature)
• Cloud Functions for ALL state mutations (joinRoom, submitVote, submitAnswer, advancePhase via Cloud Tasks)
• A separate humanbot Node.js service that spawns AI players to fill empty seats (the long tail of "real-time multiplayer" at 34 DAU is that most lobbies need bot fill)
• Anthropic + OpenAI for content generation

Decisions that aged well

• One room doc, denormalized. Each rooms/{roomCode} doc holds the entire room state — players, current round, current acronym, submissions, vote tallies. Clients listen to one doc. Simple, fast, no fan-out fanfare.
• Cloud Tasks for phase transitions. When the submit phase ends, a Cloud Task fires advancePhase exactly once. Killed every "who advances the phase first?" race condition you get with client-driven transitions.
• Server-only writes for currency. No client writes to gems. All charges go through Cloud Functions.

Things that broke

• Listener fan-out cost. Even at small scale, 8 players × 1 room listener × N reads per round adds up faster than you'd think. Cut by being aggressive about what triggers re-renders and which fields actually need to be in the room doc.
• Bot orchestration as a long-running service. Works fine until you need to restart it during active games — drops every bot mid-round. Now I poll for empty rooms before any restart.
• No rate-limits collection on day one. Players could spam reactions. Added a rate_limits collection with TTL to track per-uid action counts. Should have been there from the start.

Four security patterns I now apply to every new feature

Working through a security pass on this project — sharing because most multiplayer-on-Firestore tutorials skip these and they're the ones that bite:

1. Field-allowlist any user-owned doc. If users/{uid} has any field that touches money (gems, isSubscriber, anything purchasable) or stats that drive matchmaking, block client writes to those fields with a rule allowlist. The Cloud Function is the intended path; without the rule, it's not the only one.
2. Rate-limit every callable that mutates state. Even harmless-looking ones. I keep a tiny rate_limits collection with per-uid + per-key counters and a TTL. Helper at the top of every callable that costs anything (DB write, paid API call, currency change).
3. Cloud-Tasks-only callables need OIDC verification. If a function is supposed to be invoked only by Cloud Tasks (like a phase advancer), verify the Bearer token against Google's JWKS and check email matches the service account + the aud claim matches the function URL. onCall alone isn't enough — any signed-in user can hit it.
4. Server-side receipt validation for IAPs. RevenueCat's webhook + their REST API can verify on your backend. Don't trust the client SDK's "purchase successful" callback as the source of truth for entitlements.

The rule pattern for #1, since it's the most overlooked:

match /users/{uid} {
  allow read: if request.auth.uid == uid;
  // Block client writes to monetization/stats fields.
  // Those move server-side via Cloud Functions only.
  allow write: if request.auth.uid == uid
    && !request.resource.data.diff(resource.data).affectedKeys()
      .hasAny([
        'gems', 'isSubscriber', 'manualAdFree',
        'monthlyAiCalls', 'unlockedReactions', 'stats'
      ]);
}

The actual numbers

• ~34 DAU
• Firebase costs: under $10/mo (still mostly free tier)
• Expensive parts: AI API calls (~$126/mo recurring), not Firebase
• For solo-dev-scale games, Firebase is the cheapest infra you can buy. The "Firestore is too expensive" complaints usually come from apps that 100x'd overnight without re-architecting.

What I'd redesign

• Move chat history out of the room doc. The doc gets fat when chat is active and every player re-fetches it on every listener tick. Separate subcollection, paginate.
• Bot orchestration as Cloud Run jobs triggered by room creation, not a long-running VPS that hates restarts.
• Consider RTDB for the volatile per-round state (timer, current acronym, submissions-in-progress). Cheaper per write at small payloads, faster for ephemeral data. - Although I've found out that for realtime performance a VPS performs better in some cases.

Happy to answer questions about any of this — the room state model, the Cloud Tasks pattern for advancePhase, the rate-limit helper, the humanbot orchestration, whatever. The app's at acrophobia.app if you want to poke around, but that's not the point of the post.

I am NOT asking for partners or consults or referrals directly here.

I have created a project using React Native, multiple Firebase products including authentication and Firestore, Resend, Stripe, and a few other products/APIs. I have a solid product but the concepts of the release process for App and Play Stores basically terrify me. It feels like the initial deployment is the most critical part of the entire process and I can't afford to screw it up with a ton of one star reviews, right?

I'm hoping someone can help me nail down a description of exactly what I AM looking for. If I were to make a job posting for this role, what would it look like? What's the name of the role? Release Manager is one I've seen that might fit.

Unless someone recommends otherwise I'm thinking of hiring via something like Upwork, Toptal, Freelancer, or similar.

Thanks!

Hi everyone,

Since this morning, my testers and I have been hitting a dead end with Firebase App Distribution. Whenever we click the download link for the latest Android release, the server returns a 403 error page.

https://preview.redd.it/1cv3seaos72h1.png?width=1428&format=png&auto=webp&s=58a4fa98914e0d1ec63a5464eb2ecf367cedef33

Thanks in advance!

Hey everyone,

I wanted to check in to see if anyone has got single-field array index's working in Firestore Enterprise edition. Whatever I do I can't seem to run a query without doing a full table scan.

I created the index like this in Terraform:

resource "google_firestore_index" "organization_user_ids" {
  collection = "organization"
  density = "SPARSE_ANY"


  fields {
    field_path = "userIds"
    array_config = "CONTAINS"
  }


  fields {
    field_path = "__name__"
    order = "ASCENDING"
  }
}

Then executed the following query which seems to always do a table scan (the index is green/ready):

db.pipeline().collection('organization').where(field('userIds').arrayContains('test'))

Execution:
 results returned: 0
 query id: xxxxxxx
 data bytes read: 60 MiB
 entity row scanned: 120,000

Billing:
 read units: 30,000

Tree:
• Compute
|  $out_1: map_set($record_1, "__name__", $__name___1, "__key__", unset)
|  is query result: true
|
|  Execution:
|   records returned: 0
|   latency: 336.47 ms (local <1 ms)
|
└── • Compute
    |  $__name___1: $__key___2
    |
    |  Execution:
    |   records returned: 0
    |   latency: 336.44 ms (local <1 ms)
    |
    └── • TableScan
           source: /organization
           order: UNDEFINED
           output record: $record_1
           filter: array_contains($userIds_1, "test")
           output bindings: {$__key___2=__key__, $userIds_1=userIds}
           output: [$record_1, $__key___2]

           Execution:
            records returned: 0
            latency: 336.43 ms
            post-filtered rows: 120,000
            records scanned: 120,000
            data bytes read: 60 MiB

Thanks!

Is Firestore Enterprise now what new (startup) projects should be building in?

Assuming documents are small and expensive queries have indexes, is there any reason NOT to choose Firestore Enterprise now when starting a new project?

This morning I received an email from Google cloud stating my project was immediately suspended. I can’t see anything other than the appeal page (which I submitted).

Firebase console seems normal but actual push notifications have been suspended as they just don’t work. I did some shell commands and basically states disabled=true billing reasons are the reason it gives.

I’ve read some other posts I get it, it will eventually be restored. But I have active users to answer to and push notifications are one of the bigger features we have.

Has anyone went through this? How long did it take? Will deleting unused and making the few keys I have left restricted verses being left in restrictive work for them to unsuspended? Does service just start working again?

https://preview.redd.it/enq3uzckct1h1.png?width=2504&format=png&auto=webp&s=cc16c2eaa94c4afa894a4e3a38fb7e154812c22a

It shows that whenever I try to input. I'm on Windows, though. How to fix that?

Seen a few reports of this here.

I've had the same issue due to creating a Gemini key in the same account as a firebase service account key. Neither exposed publicly as far as I can find, the firebase key was in a private repo.

No more Google services for me. I'm off 👋

Hello!

I have suspended the project because of "hijacking". The most sad part is that this key is most likely generated by Firebase itself and used in some AI features inside it. And hijacking happened because this key for some reason was equal to the app public key.

I appealed more than a 20 days ago, but still no luck. Just no answer (although I deleted this key and rotated the Firebase key).

So the question is, has anyone migrated from GC in their Android apps while their GC project is suspended? Or, maybe, I need to wait while they answer the appeal?

I'm mostly scared because of possible consequences for the app, as the algorithm may think I'm trying to bypass the suspension. Although I want to migrate to my own, self-hosted auth/db mechanism.

I’m using the Gemini api on my app to create an sms chatbot . I use the firebase emulator with data from my live app, when using it there the model behaves properly with basically 0 hallucinations. The moment I deployed the app the model started to hallucinate from the examples it had in the prompts.
I’m using the Gemini 2.5 flash lite model.
Anyone have any idea why it happens and suggestions to fix it?

My project has been suspended because it was allegedly engaged in abusive activity consistent with hijacked resources.

When I log in to the Google Cloud Console for the project it redirects me to a Request An Appeal page. It says I should use GCP console to review my activity and use that information to appeal the suspension. However I can't do that because all I am apparently permitted to see is the Request an appeal page.

In Firebase I can basically only view the Auth section and the Usage and Billing Page but not much else. There is a sharp spike in usage of the Gemini Developer API yesterday which caused my bill to be about $60 (normally monthly cost is around $10). There is a possibility that the issue wasn't caused by a malicious actor but of course I can't be sure until I can investigate my logs.

The project was in daily active use by my business for ~ 6 years, and prior to this we've never had any issues.

Does anyone have any advice on how I can resolve this? There is a good chance that if the suspension persists we may lose a lot of clients.

https://preview.redd.it/67faxddr3x0h1.png?width=936&format=png&auto=webp&s=aeb1de4dbfd5d4d407155b7af29cf6478b7d4064

been stuck here
I'm using Gemini API(free tier) for now

• Followed everything on firebase docs
• App Check: Registered(Enforced)
• updated SPM version to 12.13.0
• Added com.apple.developer.devicecheck.appattest-environment
• <Debug> [AppCheckCore][I-GAC004004] Failed to exchange debug token to app check token: Error Domain=com.google.app_check_core Code=0 "The server responded with an error:

https://preview.redd.it/o1d5s27btp0h1.png?width=738&format=png&auto=webp&s=e0074de78358c5e45a63a06eee05f09a86017f12

I get that they would want to limit free tier users; that's great.

But what if I want to have 30/40/50 projects? It makes no sense to me that I have to manually request to be allowed to have more firebase projects? Technically, I could just run into the limit again and again.

I'd even pay for them for more projects. But they don't even allow that? I don't understand.

What am I missing here?

I just deployed my first firebase app hosting / backend. I had been using firestore and database a bit, so i thought i would try it. I usually use vercel or google cloud run, but wanted to try it out. I am using the firebase CLI.

I deployed the app, but then needed to setup a cron job. I can't find anything in firebase for scheduling. am i lost? i ended up using cloud scheduler in gcloud to do it.

And......I might be way late on this, but is firebase just a management layer on top of gcloud services?

One of the newer features seems to be preferCache and the documentation (Swift) says this:

/// default policy tries to fetch from cache if fetch is within the revalidationInterval.
/// If fetch is outside revalidationInterval it revalidates / refreshes from the server.
/// Throws if server revalidation fails   
/// Callers may call with `cacheOnly` policy to fetch data (if present) outside   
/// revalidationInterval from cache.   
/// revalidationInterval is specified as part of the query YAML config using   
/// `client-cache.revalidateAfter` key

I've searched the entire SQLConnect documentation and don't see extra details about where this query YAML goes exactly. If anyone can shed any light on this I'd be grateful.

"Building a global community platform expecting hundreds of thousands of users. Chat rooms, marketplace, user profiles, medical library. What would Firebase realistically cost at 5,000, 50,000, and 500,000 monthly active users? Looking for real numbers from people who have built at scale."

**TL;DR:** I picked 77 random Firebase project IDs from public GitHub repos this morning and probed each anonymously for publicly readable Firestore collections. **17 of them — 22.1% — returned data with zero auth.** Built a free open-source auditor so you can check your own project.The repo: github.com/Perufitlife/firebase-security-skill---## What the leak distribution looks like23 collections leaked across the 17 projects:- `users` — 11 projects- `posts` — 4- `products` — 3- `messages` — 1- `profiles` — 1- `orders` — 1- + 2 moreThese are not theoretical "your rules might leak." These are HTTPS GETs against `firestore.googleapis.com` returning real document data with no auth header.## Why this happens (the boring honest answer)Firebase config is **never secret**. `projectId` is in your JS bundle. Every public app's project ID is one View Source away. The actual security boundary is your `firestore.rules` file.Three patterns I saw repeated across the 17 projects:**1. Test-mode never replaced**```match /{document=**} { allow read, write: if request.time < timestamp.date(2099, 1, 1);```Someone changed the date from 30-day default to "way in the future." Years later, still wide open.**2. Auth-only without ownership check**```match /users/{uid} { allow read: if request.auth != null;```Anyone signed in (even from a different app on the same Firebase project) reads every user record.**3. Public-read storage buckets**```match /b/{bucket}/o { allow read: if true;```Profile pics + receipts + uploaded docs, all anonymously enumerable.## The auditor`npx u/perufitlife5 minutes, no subscription, MIT licensed.If you want a cross-BaaS take I shipped equivalents for Supabase, PocketBase, Appwrite, Hasura/Nhost — every one of those ecosystems has the same "default rules ship open + nobody replaces them" pattern.Happy to take feedback, especially on the rule fixtures (`test-fixtures/` in the repo) — if there's a leak pattern I'm missing, I want to add it./firebase-security@latest` against your project ID + a service account read-only key. Probes the same patterns above, plus 8 more. Generates an HTML report with the exact rule snippets to copy-paste into `firestore.rules` to fix each finding.TL;DR: I picked 77 random Firebase project IDs from public GitHub repos this morning and probed each anonymously for publicly readable Firestore collections. 17 of them - 22.1% - returned data with zero auth. Built a free open-source auditor so you can check your own project.

Repo: github.com/Perufitlife/firebase-security-skill

What the leak distribution looks like:

23 collections leaked across the 17 projects.

• users: 11 projects
• posts: 4
• products: 3
• messages: 1
• profiles: 1
• orders: 1
• 2 more

These are not theoretical warnings. These are HTTPS GETs against firestore.googleapis.com returning real document data with no auth header.

Three patterns I saw repeated across the 17 projects:

1. Test-mode never replaced. Someone changed the default 30-day date to "way in the future" (timestamp.date(2099, 1, 1)). Years later, still wide open.

2. Auth-only without ownership check. allow read: if request.auth != null. Anyone signed in (even from a different app on the same Firebase project) reads every user record.

3. Public-read storage buckets. allow read: if true. Profile pics, receipts, uploaded docs all anonymously enumerable.

The auditor: npx firebase-security@latest against your project ID + a service account read-only key. Probes the same patterns above, plus 8 more. Generates an HTML report with the exact rule snippets to copy-paste into firestore.rules to fix each finding. 5 minutes, no subscription, MIT licensed.

I shipped equivalents for Supabase, PocketBase, Appwrite, Hasura/Nhost too. Every one of those ecosystems has the same "default rules ship open + nobody replaces them" pattern.

Happy to take feedback - especially on the rule fixtures (test-fixtures/ in the repo). If there is a leak pattern I am missing, I want to add it.

I'm working on a Firebase project that has a Flutter mobile app and static website (that uses Firebase Hosting), and it uses services such as Cloud Functions, Firebase Auth, and Cloud Firestore. Currently, I have two separate GitHub repos for this, one for the app, and one for the website. But now, as I'm starting to write my Cloud Firestore rules, I'm realizing that this may not be the best idea, as updating the rules on both the app and website is annoying - and while I could create a third repo that only contains the Firestore rules or a GitHub action, this feels wrong for some reason. Alternatively, I could create a monorepo that contained the app and the website together with all of the backend and Firestore logic as well. What is the best way to do this to ensure I don't get into any messy situations?

Update: I migrated everything to one repo, and it definitely makes things feel less messy and my git history look nicer -- however, the Flutter app is complaining a little bit, because firebase.json is in my root directory...and the Flutter app is in ./apps/mobile...is there any way to configure it so that I can use the firebase.json from my root directory (it has both the web and the flutter config in it)?