I’ve recently considering various security issues of my Firebase services and faced an interesting issue related to the Firebase pricing. The question is simple as below:
If a set of security rules of realtime database read some data inside itself(rtdb) within the security rules’ validation process, are such server-reading for validating purpose subject to any part of rtdb billing? For example, if a line of rule needs a "role" data in the matching rtdb’s json tree, is such validation free from rtdb pricing of download fee($1/GB) or connection quota(Simultaneous connections of 200,000)? It might be true because the validation must read the data anyway to find out if the request is compliant with the rules.
If a set of security rules of cloud firestore read some data inside itself(firestore) within the security rules’ validations, are such data-reading for validation subject to read operation fee of firestore($0.036 per 100,000 documents in LA location)? For example, to validate a line
allow read if resource.data.visibility == 'public', the rule have to retrieve data just like a mobile client read such data without any security rule.
Hope this question reach gurus in the community! Thank you in advance [:
There is no charge for reads done inside Realtime Database security rules. They are also not counted as persistent connections.
Accessing the current
resourceor the future
request.resourcedata in your Firestore security rules are not charged. Additional document reads (with
existsAfter()) that you perform are charged.
For more on the latter, see the Firebase documentation on access calls and pricing in Firestore security rules.