I’ve recently considering various security issues of my Firebase services and faced an interesting issue related to the Firebase pricing. The question is simple as below:

1. If a set of security rules of realtime database read some data inside itself(rtdb) within the security rules’ validation process, are such server-reading for validating purpose subject to any part of rtdb billing? For example, if a line of rule needs a "role" data in the matching rtdb’s json tree, is such validation free from rtdb pricing of download fee($1/GB) or connection quota(Simultaneous connections of 200,000)? It might be true because the validation must read the data anyway to find out if the request is compliant with the rules.

2. If a set of security rules of cloud firestore read some data inside itself(firestore) within the security rules’ validations, are such data-reading for validation subject to read operation fee of firestore($0.036 per 100,000 documents in LA location)? For example, to validate a line allow read if resource.data.visibility == 'public', the rule have to retrieve data just like a mobile client read such data without any security rule.

Hope this question reach gurus in the community! Thank you in advance [:

>Solution :

firebaser here

1. There is no charge for reads done inside Realtime Database security rules. They are also not counted as persistent connections.

2. Accessing the current resource or the future request.resource data in your Firestore security rules are not charged. Additional document reads (with get(), getAfter(), exists() and existsAfter()) that you perform are charged.

For more on the latter, see the Firebase documentation on access calls and pricing in Firestore security rules.