r/Firebase

Would you pay for a hands-on Firebase workshop? (Seeking feedback)

Hi everyone,

I've been building web applications using Firebase for some time and I'm considering running a live, hands-on Firebase workshop for beginners and intermediate developers.

The idea is to teach Firebase by building a real project instead of just explaining the documentation.

Potential topics include:

\- Firebase Authentication

\- Firestore & Realtime Database

\- Firebase Storage

\- Security Rules

\- Hosting & Deployment

\- Building a complete CRUD application

\- Common mistakes and best practices

The workshop would be live, interactive, and paid, with plenty of time for Q&A and practical exercises.

Before I finalize everything, I'd love to get your feedback:

\- Is this something you'd be interested in?

\- What Firebase topics do you struggle with the most?

\- What duration would you prefer (2–3 hours, half-day, or full-day)?

\- What price would you consider reasonable?

I'm not promoting registrations yet- I just want to understand whether there's genuine interest and design a workshop that provides real value.

Thanks in advance for your feedback!

reddit.com
u/Infamous-Smile2604 — 1 day ago

The login page was easy. Roles and permissions are what I'm stuck on.

Built the frontend of my client portal in Cursor + Claude. Login screen, dashboard, file upload, all the screens look right. The problem is I have three roles: admin, client user, regular user, and I have no clue how to actually wire that up. What I want:

  • admin can see everything, edit users, change settings - client user only sees their own projects + invoices - regular user gets a stripped down view i keep starting and getting stuck on the same questions:
  • is the role check something I do in routing, in middleware, or in the database itself with row level security? - if a regular user types the admin url do I just redirect, or hide the routes entirely? - do you store role as a column on the user, split it into a separate table, or let the auth provider handle it? i'm checking a few builders, including Enter, mostly because the docs talk about auth/database/backend pieces in the same product world. but the pattern is what I am trying to learn first. if you've done this with an ai-built app, what did you pick and why.
reddit.com
u/InfluenceConfident42 — 2 days ago

~$55k Gemini API bill from Firebase iOS key abuse. What can I do now?

I’m in a pretty bad Google Cloud situation and looking for advice from people who have dealt with billing or API key abuse cases.

My normal Google Cloud bill is usually around $200/month. This month my project got hit with an unexpected Gemini / Generative Language API bill of around $55k USD. The billing report shows the spike was almost entirely Gemini API usage, not normal Firebase or app traffic.

I pulled Cloud Monitoring data and it shows about 2.2 million Gemini API requests during the incident window. The traffic was tied to one API key UID. That key maps back to a Firebase generated public iOS client key used in my mobile app config, not a Gemini key that I intentionally created or used.

I found out from a Google billing anomaly email. At the time I received the alert, the visible bill was around $2k. Within about 2 hours, I disabled the Generative Language API, restricted the key, deleted it, and later verified that Gemini usage stopped.

The problem is that the bill kept ramping up after that because of billing/reporting delays, and eventually landed around $55k.

Google declined the request to adjust the charges, saying the usage was considered valid because it came through my project/API key.

Original Post

reddit.com
u/No-Setting8925 — 6 days ago

Claude Code skips Firebase token verification in middleware every time

I've been scanning projects built with Claude Code and found a pattern that keeps showing up:

export function middleware(request) {
  const token = request.cookies.get('session')
  if (!token) return NextResponse.redirect('/login')
  // proceeds — token presence checked, but never verified
}

The token is never passed to admin.auth().verifySessionCookie(). So any value in that cookie including a forged or expired one gets through. Works perfectly in dev. No errors.

The correct version calls verifySessionCookie(token, true) and handles the rejection. Claude never adds this step unless you explicitly ask, and sometimes not even then.

becareful in prompting out there devs

reddit.com
u/reubenzz_dev — 6 days ago
▲ 1 r/Firebase+3 crossposts

If you built your app with a no-code or AI tool, it might be leaking your database. Free check.

No-code and AI builders are great for shipping fast, but they make it really easy to accidentally leave your database open or put a secret key where anyone can grab it. Most people never find out until something goes wrong.

I made a free tool that checks for you. You paste your app link and it shows, in plain English, what your live app is exposing to any visitor. No login, it just looks at what your app already shows the world.

task-bounty.com/scan if you want to try it on your own app. Glad to explain anything it flags.

u/elidanipipe — 5 days ago

Force users to update their version of my app using Firebase Remote Config

Hi Firebase users! I wanted to force my users to update their version of the app using Firebase Remote Config that every version would fetch and decides if it should update itself. But I don't know what strategy to use: according to this article there are 3 strategies available to me:

  • The first strategy is excluded because showing a blocking screen after the user has already start using the app is a big UI/UX impact
  • The second strategy consists of basically waiting to show the app UI and hiding the loading behind a loading screen, which might be the best strategy if the user has a good internet
  • The third strategy consists of downloading the data for the next startup and ignoring them for the current session, this strategy is also excluded because if the user didn't open the app for a big time like a month, it would not show the blocking screen if needed.

I then thought of a hybrid strategy between 2 and 3:

  • I first check the cache, if that says that I have an obsolete version I immediately block the user,
  • If the cache let me pass, I fetch and I block the user if needed in a 5 seconds window after the internet request.
  • After that 5 seconds window I let the user pass, but I continue to fetch in background for the next startup.

What do you think of my hybrid strategy? Should I use it or do you suggest me another approach? How did you do in your app? Let me know down the comments!

EDIT: I'm asking about loading strategies to use in an android app

Note: if you want to give code samples I would like them in Kotlin, using compose for the UI. Thanks!

reddit.com
u/Western_Office3092 — 7 days ago

Need help in my project with an alternative could storage platform, or using firebase storage itself

So i was following a project on Google drive clone using react and firebase, but its using firestore for database, which i am all ok using, but the real problem is using firebase storage for storing the actual files, i cant use firebase storage, as it requires blaze plan, which is not free, what to do??

reddit.com
u/trashplanetearth — 7 days ago

SMS pumping issue

Welp I got hit on a completely sidelined project with SMS pumping this week. Over 1k in charges. The crazy thing is that the app has been off the app store since february, and the fraud just now took place this month. The firebase was still active because there was a solid userbase who enjoyed the app and the cost was about $0.40 a month so I just left is up as a courtesy and now this. I cant even understand how this would be possible. Its been escalated and the charges have already been disputed on my CC as fraud so the money is less of an issue, but I use google ads for other business ventures and I would like to amicably resolve this without telling Google to pound sand and risk compromising those ad accounts. My question is, has anyone gotten this resolved?

As a side note, the firebase was under a fake alias and burner email account. The billing account was different and on a different email than the one that I use for google ads, but they had the same CC hooked up. Wondering if anybody knows if my dispute on this billing account will leak over to the other. Any insight is very much appreciated.

reddit.com
u/Ok-Active4887 — 6 days ago

Firebase CLI Login not working

Hello fellow Firebase users,
I am trying to login using the "firebase login" command but it keeps failing. I also tried logging out and logging in, using "firebase login --reauth", using "firebase login --no-localhost" but nothing is working. I have included a screenshot of the error page below.

I was originally trying to run "firebase deploy --only hosting: [target]" when I encountered this error.

https://preview.redd.it/gxo1g6txj6ah1.png?width=1920&format=png&auto=webp&s=a3b42b1332284ba0497cce94596f973564b9dee6

reddit.com
u/South-Assistance-739 — 7 days ago

.NET FirebaseAdmin v3.5.0 403 forbidden when try to verify id token on server

Hi guys! Maybe someone has a similar issue with OAuth token verification? Please let me know how you fix that issue.
Error message: Your client does not have permission to get URL /robot/v1/metadata/x509/securetoken@system.gserviceaccount.com from this server. That’s all we know.

reddit.com
u/Whole_Cardiologist52 — 11 days ago

firebase deploy failed, cant not deploy now

I use firebase deploy for many years, 

I only use 1 times today, not many times, the first times today, but this happend

I dont know what happen

Please help, because my website cant not update now

Seems like, maybe it is not my problem.

u/Melodic_Big2581 — 12 days ago

Setting up new account problem

I set up a new Firebase account with email and went to initialize the project but when I run the command Firebase login and try to authenticate it always fails. I have tried the localhost flag and it still doesn’t work. Anyone know of a workaround? Thanks

reddit.com
u/CriticalCommand6115 — 12 days ago

getting this error 429 quota / resource exhausted

using Firebase Blaze plan with Gemini 2.5 Flash and Vertex AI though firebase. I’m the only one testing the app and it’s not even released publicly yet.

I already added billing in Google Cloud, but I still get this error:

ServerException: Resource exhausted. Please try again later

https://cloud.google.com/vertex-ai/generative-ai/docs/error-code-429

So basically it’s a 429 quota / resource exhausted issue. How can I solve this?

u/Fimaljo — 10 days ago