# Firebase Best Practices
"Serverless" does not mean "limitless". It means "manage your quotas".
## 🎯 Selective Reading Rule
Read ONLY files relevant to the request!
| File | Description | When to Read |
|---|---|---|
| `firestore-patterns.md` | Data modeling, querying, optimization | Database design/queries |
| `auth-patterns.md` | Custom claims, roles, Security Rules | Authentication/authorization tasks |
| `functions-patterns.md` | Triggers, regions, VPC, cold starts | Cloud Functions development |
## 🧠 Core Philosophy for This Project
- **Region Consistency:** ALWAYS use `southamerica-east1` (Sao Paulo) for latency.
- **Scalability First:**
  - ❌ NEVER fetch pure collections without `limit()` or `where()`.
  - ❌ NEVER fetch ALL users to find ONE.
  - ✅ Use direct lookups (IDs) whenever possible.
- **Security:**
  - ✅ Validate `context.auth` in every Callable Function.
  - ✅ Validate `request.auth` in every Security Rule.
  - ❌ NEVER trust client input.
- **Cost Awareness:**
  - Firestore reads cost money. Optimize for "Read Once, Render Many".
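The Security and Scalability rules above combined in one Callable Function body, as an added example that is not part of this skill file or of the Firebase SDKs: the caller's identity comes from `context.auth` (never from the request body), a custom claim is checked, the client-supplied `projectId` is validated before use, and the project is read by id in a single document read. `HttpsError`, the `db` handle and the in-memory Firestore stand-in are constructed here so the code runs offline; in a deployed function you would use `functions.https.HttpsError`, `admin.firestore()`, and `functions.region('southamerica-east1')`. The `archiveProject` handler and the `admin` claim name are assumptions for the example.

```javascript
// Added example, not code from the skill file or the Firebase SDKs.
// Stand-in for functions.https.HttpsError (same code/message shape).
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Reject unauthenticated calls and, optionally, callers lacking a custom claim.
// The uid is taken from the verified token, never from the request data.
function requireAuth(context, requiredClaim) {
  if (!context || !context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign in required');
  }
  if (requiredClaim && context.auth.token?.[requiredClaim] !== true) {
    throw new HttpsError('permission-denied', `Missing claim: ${requiredClaim}`);
  }
  return context.auth.uid;
}

// Do not trust client input: a project id must be a short Firestore-safe id,
// so path separators or dots cannot reach the document path.
function parseProjectId(data) {
  const id = data && data.projectId;
  if (typeof id !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(id)) {
    throw new HttpsError('invalid-argument', 'projectId must be a short id');
  }
  return id;
}

// Handler body for a hypothetical callable `archiveProject`. One direct
// document read by id; no collection scan to find the caller's project.
async function archiveProject(data, context, db) {
  const uid = requireAuth(context, 'admin');
  const projectId = parseProjectId(data);
  const ref = db.collection('projects').doc(projectId);
  const snap = await ref.get();
  if (!snap.exists) throw new HttpsError('not-found', 'No such project');
  if (snap.data().ownerUid !== uid) {
    throw new HttpsError('permission-denied', 'Not the owner');
  }
  await ref.update({ archived: true, archivedBy: uid });
  return { projectId, archived: true };
}

// Constructed in-memory stand-in for the Admin SDK: only the surface used
// above (collection().doc().get()/update()), keyed by "collection/id".
function makeFakeDb(docs) {
  return {
    collection: (name) => ({
      doc: (id) => {
        const key = `${name}/${id}`;
        return {
          get: async () => ({ exists: key in docs, data: () => docs[key] }),
          update: async (patch) => { Object.assign(docs[key], patch); },
        };
      },
    }),
  };
}
```

Wiring it up in a real deployment is one line around the handler: `functions.region('southamerica-east1').https.onCall((data, context) => archiveProject(data, context, admin.firestore()))`, which keeps the function in the project's region and leaves the auth and input checks in a unit-testable helper.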
## 🛑 Common Anti-Patterns (Avoid These)
- **Looping Reads:** `users.forEach(async u => await db.doc(u).get())` → 💣 Use `getAll` or `in` queries.
- **Client-Side Admin:** using generic `listUsers` in client code without strict RLS.
- **Region Mismatch:** Calling a `us-central1` function from a `southamerica-east1` app key.
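The "Looping Reads" anti-pattern next to the two batched replacements it points at (`getAll` and chunked `in` queries), as an added example rather than code from this skill file. `db` is injected, and the in-memory Firestore stand-in below is constructed for the example so it runs offline and counts round trips; with the real Admin SDK you would pass `admin.firestore()` and use `admin.firestore.FieldPath.documentId()` where the `'__name__'` string appears. The `in`-filter limit of 30 and the `users` collection layout are assumptions.

```javascript
// Added example, not code from the skill file or the Firebase SDKs.
const IN_FILTER_LIMIT = 30;     // assumed cap on values in one `in` filter
const DOCUMENT_ID = '__name__'; // stand-in for FieldPath.documentId()

// Split an array into chunks of at most `size` elements.
function chunk(items, size) {
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// 💣 Anti-pattern: one sequential round trip per id.
async function getUsersLooping(db, ids) {
  const users = [];
  for (const id of ids) {
    const snap = await db.collection('users').doc(id).get();
    if (snap.exists) users.push(snap.data());
  }
  return users;
}

// ✅ getAll(): all refs in one request; missing docs come back with exists=false.
async function getUsersGetAll(db, ids) {
  const refs = ids.map((id) => db.collection('users').doc(id));
  const snaps = await db.getAll(...refs);
  return snaps.filter((s) => s.exists).map((s) => s.data());
}

// ✅ `in` query on the document id, chunked to the filter limit; missing ids
// are simply absent from the result, so both batched variants agree.
async function getUsersInQuery(db, ids) {
  const users = [];
  for (const part of chunk(ids, IN_FILTER_LIMIT)) {
    const qs = await db.collection('users').where(DOCUMENT_ID, 'in', part).get();
    qs.docs.forEach((s) => users.push(s.data()));
  }
  return users;
}

// Constructed in-memory Firestore stand-in: just enough surface for the
// calls above, plus a round-trip counter. Document reads billed by Firestore
// are the same in all three strategies; what changes is the number of
// sequential network round trips, which is what dominates latency here.
function makeFakeDb(docsByPath) {
  const db = { roundTrips: 0 };
  const snapshotFor = (path) => ({ exists: path in docsByPath, data: () => docsByPath[path] });
  db.collection = (name) => ({
    doc: (id) => ({
      path: `${name}/${id}`,
      get: async () => { db.roundTrips += 1; return snapshotFor(`${name}/${id}`); },
    }),
    where: (field, op, values) => ({
      get: async () => {
        if (field !== DOCUMENT_ID || op !== 'in') throw new Error('unsupported query in stand-in');
        if (values.length > IN_FILTER_LIMIT) throw new Error('too many `in` values');
        db.roundTrips += 1;
        const docs = values.map((id) => snapshotFor(`${name}/${id}`)).filter((s) => s.exists);
        return { docs };
      },
    }),
  });
  db.getAll = async (...refs) => { db.roundTrips += 1; return refs.map((r) => snapshotFor(r.path)); };
  return db;
}

// Constructed sample data: n users named u0..u(n-1).
function sampleDocs(n) {
  const docs = {};
  for (let i = 0; i < n; i++) docs[`users/u${i}`] = { uid: `u${i}`, name: `User ${i}` };
  return docs;
}

// Run all three strategies over the same ids (plus one id that does not
// exist) and report users found and round trips per strategy.
async function compareStrategies(n) {
  const ids = [...Array(n).keys()].map((i) => `u${i}`).concat(['missing']);
  const results = {};
  const strategies = [['looping', getUsersLooping], ['getAll', getUsersGetAll], ['inQuery', getUsersInQuery]];
  for (const [label, fn] of strategies) {
    const db = makeFakeDb(sampleDocs(n));
    const users = await fn(db, ids);
    results[label] = { users: users.length, roundTrips: db.roundTrips };
  }
  return results;
}
```

`compareStrategies(45)` reports 46 round trips for the loop, 1 for `getAll`, and 2 for the chunked `in` query, all returning the same 45 users. Prefer `getAll` when you already hold document references and need to know which ids were missing; prefer the `in` query when you want to combine the id filter with other `where` clauses.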