Mayur Rathi
@mayurrathi
⭐ 5 GitHub stars

Firebase Baas

Firebase ecosystem patterns including Auth, Firestore data modeling, Cloud Functions, FCM, Hosting, Security Rules, Firebase Studio workspaces, and cost optimization for indie projects.

mkdir -p ./skills/firebase-baas && curl -sfL https://raw.githubusercontent.com/mayurrathi/awesome-agent-skills/main/skills/firebase-baas/SKILL.md -o ./skills/firebase-baas/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# 2.3.1 Firebase Baas


This skill defines the architectural patterns for leveraging Firebase as a complete Backend-as-a-Service across all projects, with emphasis on cost efficiency for indie/bootstrapped applications.


1. Firebase Authentication

**Goal:** Frictionless, secure user identity management.

* **Anonymous Auth:** Always implement `signInAnonymously()` as the default on first launch. This enables immediate usage without barriers while creating a persistent UID for data association. The anonymous session lives only in the app's local storage, so clearing app data or reinstalling loses that UID and everything keyed to it; prompt for linking before the account holds anything the user would miss.

* **Account Linking:** When the user is ready to commit (after value delivery), use `linkWithCredential()` to upgrade their anonymous account to Google OAuth, Apple Sign-In, or Email/Password. All their existing data travels with them, with zero data loss, because the UID does not change. If linking fails with `auth/credential-already-in-use` (or `auth/email-already-in-use`), the provider identity already has a Firebase account: sign in to that account with the same credential and migrate the anonymous user's data yourself, since Firebase never merges two UIDs.

* **Provider Priority:** Google OAuth first (highest conversion on Android), Apple Sign-In (required by Apple for apps with third-party login), Email/Password as fallback.

* **Security:** Enable Email Enumeration Protection in the Firebase Console so sign-in and password-reset responses do not reveal whether an address is registered. Firebase ID tokens expire after one hour and are refreshed silently; refresh tokens live until revoked, so revoke them from the Admin SDK (`revokeRefreshTokens(uid)`) on password reset or suspected compromise, and keep web session cookies, if you use them, to the shortest lifetime the product tolerates. Implement multi-factor authentication (MFA) for admin and other sensitive flows; SMS and TOTP second factors require upgrading the project to Identity Platform.
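The upgrade path described above, as an added example in the Firebase JS SDK's modular style (not code from the skill or its author). The SDK calls are passed in as `sdk` so the flow can be exercised offline with fakes; in production `sdk` is `{ linkWithCredential, signInWithCredential }` from `firebase/auth`, and `mergeUserData` is a hypothetical app routine that copies documents from the old UID to the new one.

```javascript
// Added example, not from the page: upgrade an anonymous Firebase user to a
// permanent account. `sdk` supplies linkWithCredential and signInWithCredential
// (from 'firebase/auth' in production, fakes in tests); `mergeUserData` is a
// hypothetical app routine that copies documents from oldUid to newUid.

// Linking fails with these codes when the provider identity already belongs
// to another Firebase user; any other error is a real failure and propagates.
const ALREADY_IN_USE = new Set([
  'auth/credential-already-in-use',
  'auth/email-already-in-use',
]);

async function upgradeAnonymousUser(auth, credential, sdk, mergeUserData) {
  const anon = auth.currentUser;
  if (!anon || !anon.isAnonymous) {
    throw new Error('upgradeAnonymousUser: no anonymous session to upgrade');
  }
  try {
    // Happy path: the credential is unused, so the anonymous UID becomes
    // permanent and every document keyed by it needs no change.
    const linked = await sdk.linkWithCredential(anon, credential);
    return { outcome: 'linked', uid: linked.user.uid };
  } catch (err) {
    if (!err || !ALREADY_IN_USE.has(err.code)) throw err;
    // The Google/Apple/email identity already has an account. Sign in to it
    // with the same credential (for email/password this proves the password),
    // move the anonymous data across, and report the orphaned anonymous UID.
    const existing = await sdk.signInWithCredential(auth, credential);
    await mergeUserData(anon.uid, existing.user.uid);
    return { outcome: 'merged', uid: existing.user.uid, orphanUid: anon.uid };
  }
}
```

Do the merge server-side rather than from the client: fetch the anonymous user's ID token (`anon.getIdToken()`) before calling `signInWithCredential`, then pass it to a callable function that verifies it with the Admin SDK and copies the data, so the rules never have to let one user read another UID's documents. Orphaned anonymous accounts can be deleted with the Admin SDK or, if enabled in the console, by Firebase's automatic clean-up of anonymous accounts.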


2. Firestore Data Modeling

**Goal:** Schema design optimized for read performance, cost, and real-time sync.

* **Denormalization:** Firestore is not a relational database. Duplicate data across documents to avoid joins. A user's display name should exist in every document that renders it — not fetched via a reference.

* **Collection Structure:** Use top-level collections for primary entities (`users`, `games`, `sessions`). Use subcollections for owned data (`users/{uid}/tickets`, `games/{gameId}/players`).

* **Document Size:** Keep documents under 20KB for fast reads and real-time sync efficiency; the hard limit is 1 MiB, but every read returns the whole document, so size drives both latency and bandwidth. Move large blobs (images, audio) to Cloud Storage and store only the storage path or download URL.

* **Indexes:** Create composite indexes proactively for any query that combines `where()` clauses on different fields, or a `where()` with an `orderBy()` on another field. A query that lacks its index fails with an error whose message links to the index-creation page; record each index in `firestore.indexes.json` and deploy it with the CLI so the index set is version-controlled rather than clicked together in the console.

* **Reads Optimization:** Use `getDoc()` for one-time reads, `onSnapshot()` only when real-time updates are needed. Implement pagination with `startAfter()` and `limit()` to cap reads; since the client chooses the limit, back it with a `request.query.limit` bound in Security Rules.


3. Firestore Security Rules

**Goal:** Zero-trust security enforced at the database level.

* **Default Deny:** Start every ruleset with `allow read, write: if false;` and open access incrementally. Rules are allow-only: a request succeeds if any matching `allow` grants it and is denied otherwise, so the catch-all documents intent while the real protection is the absence of a broader allow.

* **Authentication Check:** Every rule must verify `request.auth != null` before granting any access. Anonymous users satisfy that check too; where anonymous access is not wanted, also require `request.auth.token.firebase.sign_in_provider != 'anonymous'`.

* **Ownership Enforcement:** Users can only read/write their own documents, e.g. `allow read, update, delete: if request.auth.uid == resource.data.userId;`. On `create` there is no stored document and `resource` is null, so the owner check must use the incoming payload: `allow create: if request.auth.uid == request.resource.data.userId;`. Where possible put the owner in the path (`users/{uid}/...`): comparing `request.auth.uid` to a path variable needs no document data at all.

* **Data Validation:** Use `request.resource.data` to validate incoming writes: required fields, field types, string lengths, value ranges, and, via `keys().hasOnly()`, that no unexpected fields are present. On updates, also pin fields that must not change (`request.resource.data.userId == resource.data.userId`).

* **Rate Limiting:** Rules can enforce at most a crude per-document write interval (compare `request.time` with a stored timestamp); they cannot count requests. For write-heavy or abuse-prone operations, route writes through a Cloud Function that enforces the quota, enable App Check so that only your app's clients reach Firestore and Functions, and let rules reject obviously invalid payloads before they are written.
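A ruleset that applies all five points, written here as an added Security Rules fragment rather than taken from the skill. The `users` and `tickets` collections, their fields and the limit of 50 are this example's assumptions.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Default deny. Rules are allow-only, so this line documents intent; the
    // real protection is that nothing below allows more than it must.
    match /{document=**} {
      allow read, write: if false;
    }

    // Anonymous users pass this check too (they have a UID); add
    // request.auth.token.firebase.sign_in_provider != 'anonymous' where
    // a permanent identity is required.
    function signedIn() {
      return request.auth != null;
    }

    function ownedBy(data) {
      return signedIn() && data.userId == request.auth.uid;
    }

    // Payload validation: required fields, no extra fields, types and bounds.
    function validTicket(data) {
      return data.keys().hasAll(['userId', 'title', 'status'])
          && data.keys().hasOnly(['userId', 'title', 'status', 'createdAt'])
          && data.title is string
          && data.title.size() > 0 && data.title.size() <= 200
          && data.status in ['open', 'closed'];
    }

    match /users/{uid} {
      // Owner taken from the path: no document read, no extra billing.
      allow read: if signedIn() && request.auth.uid == uid;
      allow create, update: if signedIn() && request.auth.uid == uid
          && request.resource.data.displayName is string
          && request.resource.data.displayName.size() <= 40;
      allow delete: if false;
    }

    match /tickets/{ticketId} {
      // create: no stored document yet, so `resource` is null and the owner
      // must be read from the incoming payload.
      allow create: if ownedBy(request.resource.data)
          && validTicket(request.resource.data);
      // update: the caller must own the stored document AND the result, so a
      // ticket cannot be handed to another user by rewriting userId.
      allow update: if ownedBy(resource.data)
          && ownedBy(request.resource.data)
          && validTicket(request.resource.data);
      allow get, delete: if ownedBy(resource.data);
      // list: rules are not filters. A query that could return someone else's
      // ticket is rejected as a whole, and so is a missing or oversized limit.
      allow list: if ownedBy(resource.data) && request.query.limit <= 50;
    }
  }
}
```

The `list` rule is the one most often misread: Firestore does not trim results down to the allowed documents. The client has to send `where('userId', '==', currentUid)` together with `limit(n)` for some `n <= 50`, or the whole query fails. A query with no `limit()` fails as well, because `request.query.limit` is then null and the comparison errors out.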


4. Cloud Functions

**Goal:** Server-side logic without managing infrastructure.

* **Triggers:** Use Firestore triggers (`onDocumentCreated`, `onDocumentUpdated`, `onDocumentDeleted` in Functions v2; `onCreate`/`onUpdate`/`onDelete` in v1) for reactive backend logic (e.g., recalculating leaderboards on score write). Use HTTPS callable functions for client-initiated server actions; inside them, treat `request.auth` as the only trustworthy identity and never a UID passed in the payload.

* **Cold Start Mitigation:** Set `minInstances: 1` for latency-critical functions; it is billed continuously, so reserve it for the few functions that matter. Keep function packages lean: import `firebase-admin/firestore` rather than the whole Admin SDK when you only need Firestore, and initialize clients outside the handler so they are reused across invocations.

* **Idempotency:** All functions must be idempotent. Firestore triggers are delivered at least once, so the same event can arrive twice. Record the event ID in the same transaction as the mutation and skip events already recorded, and check existing state before mutating.

* **Environment Config:** Store secrets in Secret Manager, not in environment variables or source. Declare them with `defineSecret()` from `firebase-functions/params`, bind each one to the functions that need it through the `secrets` option, and read `.value()` only at runtime inside the handler.
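The idempotency pattern as an added example, not the skill's own code: a handler for a `games/{gameId}/scores/{scoreId}` create event that folds the new score into a top-10 leaderboard exactly once per event ID. The Firestore client is injected so the logic runs offline against a fake; in production `db` is `getFirestore()` from `firebase-admin/firestore` and the handler is called from an `onDocumentCreated` trigger. The collection layout and the `processedEvents` ledger are assumptions of this example.

```javascript
// Added example, not from the page: an idempotent Firestore-trigger handler.
// `db` is injected (firebase-admin's getFirestore() in production, a fake in
// tests). Collection names and the processedEvents ledger are assumptions.

const TOP_N = 10;

// Pure merge step: keep one row per player (their best score), sorted highest
// first, at most TOP_N rows. Deterministic, so it is safe to recompute.
function mergeTop(top, entry) {
  const prev = top.find((e) => e.uid === entry.uid);
  const merged = top.filter((e) => e.uid !== entry.uid);
  merged.push(prev && prev.score > entry.score ? prev : entry);
  merged.sort((a, b) => b.score - a.score || a.uid.localeCompare(b.uid));
  return merged.slice(0, TOP_N);
}

// event: { id, params: { gameId }, data: { uid, score } }, the shape a v2
// trigger hands over once event.data.data() has been unwrapped.
async function handleScoreCreated(db, event) {
  const { uid, score } = event.data;
  if (typeof uid !== 'string' || !Number.isFinite(score)) {
    return { status: 'rejected' };          // malformed payload, nothing to do
  }
  const gameId = event.params.gameId;
  const ledgerRef = db.doc(`games/${gameId}/processedEvents/${event.id}`);
  const boardRef = db.doc(`games/${gameId}/meta/leaderboard`);

  // Ledger check and leaderboard write land in ONE transaction, so a retried
  // delivery either sees the ledger entry and stops, or conflicts and retries.
  return db.runTransaction(async (tx) => {
    const ledger = await tx.get(ledgerRef);
    if (ledger.exists) return { status: 'duplicate' };
    const board = await tx.get(boardRef);
    const top = board.exists ? board.data().top || [] : [];
    tx.set(boardRef, { top: mergeTop(top, { uid, score }) });
    // In production store FieldValue.serverTimestamp() here and put a TTL
    // policy on the field so the ledger does not grow forever.
    tx.set(ledgerRef, { at: Date.now() });
    return { status: 'applied' };
  });
}
```

Note that the handler does not trust the event to arrive once and does not trust the payload either; the type check mirrors what the Security Rules should already enforce on `scores`, because a trigger runs with Admin privileges and rules are not consulted for its own writes.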


5. Firebase Cloud Messaging (FCM)

**Goal:** Contextual, behavior-driven push notifications.

* **Token Management:** Request notification permission after user demonstrates engagement (never on first load). Store the FCM t

📖 How to Use This Skill

  1. Install the Skill

     Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. Load into Your AI Assistant

     Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. Apply Firebase Baas to Your Work

     Provide context for your task: paste source material, describe your audience, or share existing work to guide the AI.

  4. Review and Refine

     Edit the AI output for accuracy, tone, and completeness. Add human insight where the AI lacks context.

❓ Frequently Asked Questions

How do I install Firebase Baas?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/firebase-baas/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.
