Firebase

1---2name: firebase3description: Firebase gives you a complete backend in minutes - auth, database,4  storage, functions, hosting. But the ease of setup hides real complexity.5  Security rules are your last line of defense, and they're often wrong.6risk: unknown7source: vibeship-spawner-skills (Apache 2.0)8date_added: 2026-02-279---10 11# Firebase12 13Firebase gives you a complete backend in minutes - auth, database, storage,14functions, hosting. But the ease of setup hides real complexity. Security rules15are your last line of defense, and they're often wrong. Firestore queries are16limited, and you learn this after you've designed your data model.17 18This skill covers Firebase Authentication, Firestore, Realtime Database, Cloud19Functions, Cloud Storage, and Firebase Hosting. Key insight: Firebase is20optimized for read-heavy, denormalized data. If you're thinking relationally,21you're thinking wrong.22 232025 lesson: Firestore pricing can surprise you. Reads are cheap until they're24not. A poorly designed listener can cost more than a dedicated database. Plan25your data model for your query patterns, not your data relationships.26 27## Principles28 29- Design data for queries, not relationships30- Security rules are mandatory, not optional31- Denormalize aggressively - duplication is cheap, joins are expensive32- Batch writes and transactions for consistency33- Use offline persistence wisely - it's not free34- Cloud Functions for what clients shouldn't do35- Environment-based config, never hardcode keys in client36 37## Capabilities38 39- firebase-auth40- firestore41- firebase-realtime-database42- firebase-cloud-functions43- firebase-storage44- firebase-hosting45- firebase-security-rules46- firebase-admin-sdk47- firebase-emulators48 49## Scope50 51- general-backend-architecture -> backend52- payment-processing -> stripe53- email-sending -> email54- advanced-auth-flows -> authentication-oauth55- kubernetes-deployment -> devops56 57## Tooling58 59### Core60 61- firebase - When: Client-side SDK Note: Modular SDK - tree-shakeable62- firebase-admin - When: Server-side / Cloud Functions Note: Full access, bypasses security rules63- firebase-functions - When: Cloud Functions v2 Note: v2 functions are recommended64 65### Testing66 67- @firebase/rules-unit-testing - When: Testing security rules Note: Essential - rules bugs are security bugs68- firebase-tools - When: Emulator suite Note: Local development without hitting production69 70### Frameworks71 72- reactfire - When: React + Firebase Note: Hooks-based, handles subscriptions73- vuefire - When: Vue + Firebase Note: Vue-specific bindings74- angularfire - When: Angular + Firebase Note: Official Angular bindings75 76## Patterns77 78### Modular SDK Import79 80Import only what you need for smaller bundles81 82**When to use**: Client-side Firebase usage83 84# MODULAR IMPORTS:85 86"""87Firebase v9+ uses modular SDK. Import only what you need.88This enables tree-shaking and smaller bundles.89"""90 91// WRONG: v8-compat style (larger bundle)92import firebase from 'firebase/compat/app';93import 'firebase/compat/firestore';94const db = firebase.firestore();95 96// RIGHT: v9+ modular (tree-shakeable)97import { initializeApp } from 'firebase/app';98import { getFirestore, collection, doc, getDoc } from 'firebase/firestore';99 100const app = initializeApp(firebaseConfig);101const db = getFirestore(app);102 103// Get a document104const docRef = doc(db, 'users', 'userId');105const docSnap = await getDoc(docRef);106 107if (docSnap.exists()) {108  console.log(docSnap.data());109}110 111// Query with constraints112import { query, where, orderBy, limit } from 'firebase/firestore';113 114const q = query(115  collection(db, 'posts'),116  where('published', '==', true),117  orderBy('createdAt', 'desc'),118  limit(10)119);120 121### Security Rules Design122 123Secure your data with proper rules from day one124 125**When to use**: Any Firestore database126 127# FIRESTORE SECURITY RULES:128 129"""130Rules are your last line of defense. Every read and write131goes through them. Get them wrong, and your data is exposed.132"""133 134rules_version = '2';135service cloud.firestore {136  match /databases/{database}/documents {137 138    // Helper functions139    function isSignedIn() {140      return request.auth != null;141    }142 143    function isOwner(userId) {144      return request.auth.uid == userId;145    }146 147    function isAdmin() {148      return request.auth.token.admin == true;149    }150 151    // Users collection152    match /users/{userId} {153      // Anyone can read public profile154      allow read: if true;155 156      // Only owner can write their own data157      allow write: if isOwner(userId);158 159      // Private subcollection160      match /private/{document=**} {161        allow read, write: if isOwner(userId);162      }163    }164 165    // Posts collection166    match /posts/{postId} {167      // Anyone can read published posts168      allow read: if resource.data.published == true169                  || isOwner(resource.data.authorId);170 171      // Only authenticated users can create172      allow create: if isSignedIn()173                    && request.resource.data.authorId == request.auth.uid;174 175      // Only author can update/delete176      allow update, delete: if isOwner(resource.data.authorId);177    }178 179    // Admin-only collection180    match /admin/{document=**} {181      allow read, write: if isAdmin();182    }183  }184}185 186### Data Modeling for Queries187 188Design Firestore data structure around query patterns189 190**When to use**: Designing Firestore schema191 192# FIRESTORE DATA MODELING:193 194"""195Firestore is NOT relational. You can't JOIN.196Design your data for how you'll QUERY it, not how it relates.197"""198 199// WRONG: Normalized (SQL thinking)200// users/{userId}201// posts/{postId} with authorId field202// To get "posts by user" - need to query posts collection203 204// RIGHT: Denormalized for queries205// users/{userId}/posts/{postId} - subcollection206// OR207// posts/{postId} with embedded author data208 209// Document structure for a post210const post = {211  id: 'post123',212  title: 'My Post',213  content: '...',214 215  // Embed frequently-needed author data216  author: {217    id: 'user456',218    name: 'Jane Doe',219    avatarUrl: '...'220  },221 222  // Arrays for IN queries (max 30 items for 'in')223  tags: ['javascript', 'firebase'],224 225  // Maps for compound queries226  stats: {227    likes: 42,228    comments: 7,229    views: 1000230  },231 232  // Timestamps233  createdAt: serverTimestamp(),234  updatedAt: serverTimestamp(),235 236  // Booleans for filtering237  published: true,238  featured: false239};240 241// Query patterns this enables:242// - Get post with author info: 1 read (no join needed)243// - Posts by tag: where('tags', 'array-contains', 'javascript')244// - Featured posts: where('featured', '==', true)245// - Recent posts: orderBy('createdAt', 'desc')246 247// When author updates their name, update all their posts248// This is the tradeoff: writes are more complex, reads are fast249 250### Real-time Listeners251 252Subscribe to data changes with proper cleanup253 254**When to use**: Real-time features255 256# REAL-TIME LISTENERS:257 258"""259onSnapshot creates a persistent connection. Always unsubscribe260when component unmounts to prevent memory leaks and extra reads.261"""262 263// React hook for real-time document264function useDocument(path) {265  const [data, setData] = useState(null);266  const [loading, setLoading] = useState(true);267  const [error, setError] = useState(null);268 269  useEffect(() => {270    const docRef = doc(db, path);271 272    // Subscribe to document273    const unsubscribe = onSnapshot(274      docRef,275      (snapshot) => {276        if (snapshot.exists()) {277          setData({ id: snapshot.id, ...snapshot.data() });278        } else {279          setData(null);280        }281        setLoading(false);282      },283      (err) => {284        setError(err);285        setLoading(false);286      }287    );288 289    // Cleanup on unmount290    return () => unsubscribe();291  }, [path]);292 293  return { data, loading, error };294}295 296// Usage297function UserProfile({ userId }) {298  const { data: user, loading } = useDocument(`users/${userId}`);299 300  if (loading) return <Spinner />;301  return <div>{user?.name}</div>;302}303 304// Collection with query305function usePosts(limit = 10) {306  const [posts, setPosts] = useState([]);307 308  useEffect(() => {309    const q = query(310      collection(db, 'posts'),311      where('published', '==', true),312      orderBy('createdAt', 'desc'),313      limit(limit)314    );315 316    const unsubscribe = onSnapshot(q, (snapshot) => {317      const results = snapshot.docs.map(doc => ({318        id: doc.id,319        ...doc.data()320      }));321      setPosts(results);322    });323 324    return () => unsubscribe();325  }, [limit]);326 327  return posts;328}329 330### Cloud Functions Patterns331 332Server-side logic with Cloud Functions v2333 334**When to use**: Backend logic, triggers, scheduled tasks335 336# CLOUD FUNCTIONS V2:337 338"""339Cloud Functions run server-side code triggered by events.340V2 uses more standard Node.js patterns and better scaling.341"""342 343import { onRequest } from 'firebase-functions/v2/https';344import { onDocumentCreated } from 'firebase-functions/v2/firestore';345import { onSchedule } from 'firebase-functions/v2/scheduler';346import { getFirestore } from 'firebase-admin/firestore';347import { initializeApp } from 'firebase-admin/app';348 349initializeApp();350const db = getFirestore();351 352// HTTP function353export const api = onRequest(354  { cors: true, region: 'us-central1' },355  async (req, res) => {356    // Verify auth token357    const token = req.headers.authorization?.split('Bearer ')[1];358    if (!token) {359      res.status(401).json({ error: 'Unauthorized' });360      return;361    }362 363    try {364      const decoded = await getAuth().verifyIdToken(token);365      // Process request with decoded.uid366      res.json({ userId: decoded.uid });367    } catch (error) {368      res.status(401).json({ error: 'Invalid token' });369    }370  }371);372 373// Firestore trigger - on document create374export const onUserCreated = onDocumentCreated(375  'users/{userId}',376  async (event) => {377    const snapshot = event.data;378    const userId = event.params.userId;379 380    if (!snapshot) return;381 382    const userData = snapshot.data();383 384    // Send welcome email, create related documents, etc.385    await db.collection('notifications').add({386      userId,387      type: 'welcome',388      message: `Welcome, ${userData.name}!`,389      createdAt: FieldValue.serverTimestamp()390    });391  }392);393 394// Scheduled function (every day at midnight)395export const dailyCleanup = onSchedule(396  { schedule: '0 0 * * *', timeZone: 'UTC' },397  async (event) => {398    const cutoff = new Date();399    cutoff.setDate(cutoff.getDate() - 30);400 401    // Delete old documents402    const oldDocs = await db.collection('logs')403      .where('createdAt', '<', cutoff)404      .limit(500)405      .get();406 407    const batch = db.batch();408    oldDocs.docs.forEach(doc => batch.delete(doc.ref));409    await batch.commit();410 411    console.log(`Deleted ${oldDocs.size} old logs`);412  }413);414 415### Batch Operations416 417Atomic writes and transactions for consistency418 419**When to use**: Multiple document updates that must succeed together420 421# BATCH WRITES AND TRANSACTIONS:422 423"""424Batches: Multiple writes that all succeed or all fail.425Transactions: Read-then-write operations with consistency.426Max 500 operations per batch/transaction.427"""428 429import {430  writeBatch, runTransaction, doc, getDoc,431  increment, serverTimestamp432} from 'firebase/firestore';433 434// Batch write - no reads, just writes435async function createPostWithTags(post, tags) {436  const batch = writeBatch(db);437 438  // Create post439  const postRef = doc(collection(db, 'posts'));440  batch.set(postRef, {441    ...post,442    createdAt: serverTimestamp()443  });444 445  // Update tag counts446  for (const tag of tags) {447    const tagRef = doc(db, 'tags', tag);448    batch.set(tagRef, {449      count: increment(1),450      lastUsed: serverTimestamp()451    }, { merge: true });452  }453 454  await batch.commit();455  return postRef.id;456}457 458// Transaction - read and write atomically459async function likePost(postId, userId) {460  return runTransaction(db, async (transaction) => {461    const postRef = doc(db, 'posts', postId);462    const likeRef = doc(db, 'posts', postId, 'likes', userId);463 464    const postSnap = await transaction.get(postRef);465    if (!postSnap.exists()) {466      throw new Error('Post not found');467    }468 469    const likeSnap = await transaction.get(likeRef);470    if (likeSnap.exists()) {471      throw new Error('Already liked');472    }473 474    // Increment like count and add like document475    transaction.update(postRef, {476      likeCount: increment(1)477    });478 479    transaction.set(likeRef, {480      userId,481      createdAt: serverTimestamp()482    });483 484    return postSnap.data().likeCount + 1;485  });486}487 488### Social Login (Google, GitHub, etc.)489 490OAuth provider setup and authentication flows491 492**When to use**: Social login implementation493 494# SOCIAL LOGIN WITH FIREBASE AUTH495 496import {497  getAuth, signInWithPopup, signInWithRedirect,498  GoogleAuthProvider, GithubAuthProvider, OAuthProvider499} from "firebase/auth";500 501const auth = getAuth();502 503// GOOGLE504const googleProvider = new GoogleAuthProvider();505googleProvider.addScope("email");506googleProvider.setCustomParameters({ prompt: "select_account" });507 508async function signInWithGoogle() {509  try {510    const result = await signInWithPopup(auth, googleProvider);511    return result.user;512  } catch (error) {513    if (error.code === "auth/account-exists-with-different-credential") {514      return handleAccountConflict(error);515    }516    throw error;517  }518}519 520// GITHUB521const githubProvider = new GithubAuthProvider();522githubProvider.addScope("read:user");523 524// APPLE (Required for iOS apps!)525const appleProvider = new OAuthProvider("apple.com");526appleProvider.addScope("email");527appleProvider.addScope("name");528 529### Popup vs Redirect Auth530 531When to use popup vs redirect for OAuth532 533**When to use**: Choosing authentication flow534 535# Popup: Desktop, SPA (simpler, can be blocked)536# Redirect: Mobile, iOS Safari (always works)537 538async function signIn(provider) {539  if (/iPhone|iPad|Android/i.test(navigator.userAgent)) {540    return signInWithRedirect(auth, provider);541  }542  try {543    return await signInWithPopup(auth, provider);544  } catch (e) {545    if (e.code === "auth/popup-blocked") {546      return signInWithRedirect(auth, provider);547    }548    throw e;549  }550}551 552// Check redirect result on page load553useEffect(() => {554  getRedirectResult(auth).then(r => r && setUser(r.user));555}, []);556 557### Account Linking558 559Link multiple providers to one account560 561**When to use**: User has accounts with different providers562 563import { fetchSignInMethodsForEmail, linkWithCredential } from "firebase/auth";564 565async function handleAccountConflict(error) {566  const email = error.customData?.email;567  const pendingCred = OAuthProvider.credentialFromError(error);568  const methods = await fetchSignInMethodsForEmail(auth, email);569 570  if (methods.includes("google.com")) {571    alert("Sign in with Google to link accounts");572    const result = await signInWithPopup(auth, new GoogleAuthProvider());573    await linkWithCredential(result.user, pendingCred);574    return result.user;575  }576}577 578// Link new provider579await linkWithPopup(auth.currentUser, new GithubAuthProvider());580 581// Unlink provider (keep at least one!)582await unlink(auth.currentUser, "github.com");583 584### Auth State Persistence585 586Control session lifetime587 588**When to use**: Managing user sessions589 590import { setPersistence, browserLocalPersistence, browserSessionPersistence } from "firebase/auth";591 592// LOCAL: survives browser close (default)593// SESSION: cleared on tab close594 595async function signInWithRememberMe(email, pass, remember) {596  await setPersistence(auth, remember ? browserLocalPersistence : browserSessionPersistence);597  return signInWithEmailAndPassword(auth, email, pass);598}599 600// React auth hook601function useAuth() {602  const [user, setUser] = useState(null);603  const [loading, setLoading] = useState(true);604  useEffect(() => onAuthStateChanged(auth, u => { setUser(u); setLoading(false); }), []);605  return { user, loading };606}607 608### Email Verification and Password Reset609 610Complete email auth flow611 612**When to use**: Email/password authentication613 614import { sendEmailVerification, sendPasswordResetEmail, reauthenticateWithCredential } from "firebase/auth";615 616// Sign up with verification617async function signUp(email, password) {618  const result = await createUserWithEmailAndPassword(auth, email, password);619  await sendEmailVerification(result.user);620  return result.user;621}622 623// Password reset624await sendPasswordResetEmail(auth, email);625 626// Change password (requires recent auth)627const cred = EmailAuthProvider.credential(user.email, currentPass);628await reauthenticateWithCredential(user, cred);629await updatePassword(user, newPass);630 631### Token Management for APIs632 633Handle ID tokens for backend calls634 635**When to use**: Authenticating with backend APIs636 637import { getIdToken, onIdTokenChanged } from "firebase/auth";638 639// Get token (auto-refreshes if expired)640const token = await getIdToken(auth.currentUser);641 642// API helper with auto-retry643async function apiCall(url, opts = {}) {644  const token = await getIdToken(auth.currentUser);645  const res = await fetch(url, {646    ...opts,647    headers: { ...opts.headers, Authorization: "Bearer " + token }648  });649  if (res.status === 401) {650    const newToken = await getIdToken(auth.currentUser, true);651    return fetch(url, { ...opts, headers: { ...opts.headers, Authorization: "Bearer " + newToken }});652  }653  return res;654}655 656// Sync to cookie for SSR657onIdTokenChanged(auth, async u => {658  document.cookie = u ? "__session=" + await u.getIdToken() : "__session=; max-age=0";659});660 661// Check admin claim662const { claims } = await auth.currentUser.getIdTokenResult();663const isAdmin = claims.admin === true;664 665## Collaboration666 667### Delegation Triggers668 669- user needs complex OAuth flow -> authentication-oauth (Firebase Auth handles basics, complex flows need OAuth skill)670- user needs payment integration -> stripe (Firebase + Stripe common pattern)671- user needs email functionality -> email (Firebase doesn't include email - use SendGrid, Resend, etc.)672- user needs container deployment -> devops (Beyond Firebase Hosting - Kubernetes, Docker)673- user needs relational data model -> postgres-wizard (Firestore is wrong choice for highly relational data)674- user needs full-text search -> elasticsearch-search (Firestore doesn't support full-text search - use Algolia/Elastic)675 676## Related Skills677 678Works well with: `nextjs-app-router`, `react-patterns`, `authentication-oauth`, `stripe`679 680## When to Use681- User mentions or implies: firebase682- User mentions or implies: firestore683- User mentions or implies: firebase auth684- User mentions or implies: cloud functions685- User mentions or implies: firebase storage686- User mentions or implies: realtime database687- User mentions or implies: firebase hosting688- User mentions or implies: firebase emulator689- User mentions or implies: security rules690- User mentions or implies: firebase admin691 692## Limitations693- Use this skill only when the task clearly matches the scope described above.694- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.695- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.