by Anduia 455 days ago
Firestore's quick setup uses "test mode", which is free and unrestricted. The "locked mode" recommended for production blocks all reads and writes until you set up the rules.

So I don't know if they had the site in test mode, or they simply set a rule to allow everything (I've seen that happen) instead of handling access based on user permissions.


In this case they had permissions set up - but your application status was stored in the same object as the rest of the info you could modify, and you were allowed to read and write to it.
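The three situations discussed above (quick-setup "test mode", "locked mode", and a rule set that ties access to the signed-in user but still lets the applicant overwrite their own status) side by side, as an added Firestore security rules example. This is not code from the thread or from Firebase; the `applications` collection, its field names, and the `admin` custom claim are assumptions made for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // "Test mode" as created by the quick setup: any client that can reach
    // the project can read and write every document. (The console adds a
    // date-based cutoff, which changes nothing until it expires.)
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // "Locked mode": deny everything until real rules are written.
    // match /{document=**} {
    //   allow read, write: if false;
    // }

    // Assumed layout: one application document per applicant, keyed by the
    // applicant's Firebase Auth uid. The `status` field is decided on the
    // admin side, so the applicant may read it but must never change it,
    // even though it lives in the same document as the editable fields.
    match /applications/{uid} {
      function isOwner() {
        return request.auth != null && request.auth.uid == uid;
      }
      // Assumption: reviewers carry an `admin` custom claim set server-side.
      function isAdmin() {
        return request.auth != null && request.auth.token.admin == true;
      }
      // True only if the keys that differ between the stored document and
      // the incoming one are all applicant-owned fields. `status` is not in
      // the list, so any write that touches it is rejected.
      function onlyApplicantFields() {
        return request.resource.data.diff(resource.data).affectedKeys()
               .hasOnly(['name', 'email', 'resumeUrl']);
      }

      allow read: if isOwner() || isAdmin();

      // On create the applicant chooses their own fields; status must start
      // as 'pending' and no extra keys may be smuggled in.
      allow create: if isOwner()
                    && request.resource.data.status == 'pending'
                    && request.resource.data.keys()
                         .hasOnly(['name', 'email', 'resumeUrl', 'status']);

      // On update the applicant may only change their own fields; admins
      // may change anything, including status.
      allow update: if (isOwner() && onlyApplicantFields()) || isAdmin();

      allow delete: if isAdmin();
    }
  }
}
```

The vulnerable variant described in the thread is the same `match` block with `allow read, write: if isOwner();`, which authenticates the user correctly but never looks at which fields the write changes. Field-level checks like `affectedKeys().hasOnly(...)` are the cheapest fix; the more robust one is to keep admin-controlled state in a document the client cannot write at all and update it from a Cloud Function.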
Wait, firebase allows full access to http connections accessible from a browser? Wtf? Why would you want to give the user direct access to a database to begin with? Is firebase built around the idea of not running your own servers or something?
Firebase is not a db, it's an entire platform as a service. So you don't really create much of a backend, it handles it all for you.
Pretty much. Google manages everything. It handles Auth, which ties into the rules for accessing Firestore (the db), and you've got Functions for any code that needs to run server-side.

All with libraries in a lot of languages to make it easy. Pretty solid product with a cohesive experience and a generous free tier.

Naturally, you'll pay an exorbitant amount once you start to scale and realize you've been locked in.

Huh! I just spent an hour diving in and I see now.

Crazy giving up that much control of your product to a third party. I can definitely see the appeal to spike realtime/chat projects, though—they really leaned into that api design well. Selling out to google was a mistake.

Aren't firebase apps notorious for having really stupid vulnerabilities?
Wouldn't surprise me, but this isn't really google's fault.

As a product with a ton of appeal to the least experienced developers, lots of mistakes happen.

My understanding is that (assuming you trust google) there's no reason you can't build a secure application on firebase.

Yeah you can't really run it on-site so you just debug in the open.