2

In my job, we needed to implement authentication because of security and we wanted the DB not to be completely open. We have implemented anonymous authentication because the app is not based on a user profile. It works well, but it is creating too many users (every time the app is uninstalled or the cache is cleared a new user is created). Although there isn't any limit for anonymous users, it is not good to have so many UIDs in the project.

Now I was thinking of creating one user in the console (email/password authentication), and all devices authenticate using such email and password.

Would there be a problem with that? Would Firebase limit the number of sessions with the same user?

My app has about 20 000 active users. Is it a problem with 20 000 sessions at the same time and also with so many requests to Firebase products with the same user? It's important to be completely sure that a limit problem will not occur before I make that migration from anonymous to email/password (unique user).

Alex Mamo
  • 130,605
  • 17
  • 163
  • 193
Luis
  • 59
  • 5

3 Answers3

2

Now I was thinking of creating one user in the console (email/password authentication), and all devices authenticate using such email and password.

While this approach might work, this is not how you should handle authentication. Why? Simply because when you're using a single account, a single UID will be generated. That means that 20k users will share the same UID, which is bad because you cannot write proper security rules. You might think, that you can find another way to differentiate one user from another, like an IP, a device ID, and so on, but unfortunately all these IDs might change. So you'll end up having trouble.

My app has about 20 000 active users. Is it a problem with 20 000 sessions at the same time and also with so many requests to Firebase products with the same user?

It's not about a limitation as it's about managing users and security. Besides that, in terms of app design, each user should have their own account. As also @Tim mentioned in his comment, the best option that you have is use continue using Firebase Anonymous Authentication and enable automatic clean-up. In this way, you'll have a database containing only active users, since unused accounts will be deleted after 30 days. That being said, since each user has their own account, you can link that anonymous account with email and password, and you'll have distinct accounts for your users, and the most important part is that you'll be able to secure your app properly.

Edit:

Given that my app and DB are not based on a user profile, such rules like auth.uid==$user.uid or $user.role=='admin' are useless.

Understanding that security isn't a concern, then you can ignore that and use a single account.

I just want to know and be sure that the approach of using a single user for all my devices will work and won't occur limit problems.

In most cases, folks are trying to limit access to the app on multiple devices, but if your application requires a single account, then you can go ahead with that. Regarding limitations, there are no limitations when it comes to how many users can access a single account, as there are no limitations when it comes to how many users can authenticate into your app.

Edit2:

Yes, the following limitation:

Operations per service account: 500 requests/second

Refers to the maximum number of operations that can be performed in a single second. But, that's a large number in my opinion, given the fact that a single user needs to authenticate only once since the auth state persists across application restarts. So the need for a user to sign in or out it's not so often. Besides that, I don't see any reason why a user should sign out.

So even if you have 20k users, it's hard to believe that more than 500 will try to perform an operation in exact same second. Even if that happens, you can catch the error and display a message to the user in which you can ask to try again in 5 seconds, for example.

Once all those 20k users are authenticated, I cannot see how you can reach that limit. I think that even Facebook doesn't have more than 500 new users that sign in to the application in a single second. Because if so, in a single minute they would have 30k new visitors, and in an hour would have 1.8 million new users. I let you do the math for a day. So it's quite impossible.

Alex Mamo
  • 130,605
  • 17
  • 163
  • 193
  • as i said my app is not based on a user profile there is no login ,there is no users etc , we implemented authentication just to improve the security rule which used to be read and write : true now it is auth!=null ,yes I know it is still insecure but it is better than it used to be – Luis Nov 14 '22 at 13:10
  • If you're only using `auth!=null` anybody in the world who is authenticated will be able to read and write in your database. So it's not very secure. Maybe this [resource](https://medium.com/firebase-tips-tricks/how-to-fix-firestore-error-permission-denied-missing-or-insufficient-permissions-777d591f404) will help you understand the concept better. See the last rules. – Alex Mamo Nov 14 '22 at 13:26
  • Hey Luis. Did my answer help you? Can I help you with other information? – Alex Mamo Nov 15 '22 at 07:25
  • I'm afraid no ,given that my app and db content are not based on a user profile , such rules like auth.uid==$user.uid or $user.role=='admin' are useless for me that's why i don't consider them .I just want to know and be sure that the approach of using a single user for all my devices will work and won't occur limit problems ,despite the fact that it is still insecure, what was reported was that it was possible to see the complete . json with the db url in a browser, in other words to stop using read,write :true – Luis Nov 15 '22 at 12:17
  • 1
    I understand. So please check my updated answer. Is it clear now? Can I help you with other information? – Alex Mamo Nov 15 '22 at 12:41
  • I really appreciate your help :) ,you say " there are no limitations when it comes to how many users can access a single account" ,which is fantastic , the other question would be request limits from the same user as all devices would be using the same user credential , i read https://firebase.google.com/docs/auth/limits#api_limits it says Operations per service account = 500 requests/second, my doubt is service account = user ? in that case it might be a problem given the 20K active users, I dont know exactly how likely that more than 500 devices will make a request at the same second is – Luis Nov 15 '22 at 13:35
  • "Once all those 20k users are authenticated, ... application in a single second. " my concern is about requests to firebase products( real time db , storage,etc) once all users are logged with the same credential they make requests to connect to firebase constantly during the day , there it is my concern , if there is a limit to access to firebase features from a single user ,I sent an email to firebase support , they replied they have some other limits that cannot be shared due to security,my concern is not about login requests whose limit seems to be the 500 per second – Luis Nov 15 '22 at 18:48
  • There are no specific limitations related to accessing firebase features from a single user other than the ones that are present in [Firestore](https://firebase.google.com/docs/firestore/quotas) or in the [Realtime Database](https://firebase.google.com/docs/database/usage/limits). As long as stay below those limits there is nothing you should worry about. – Alex Mamo Nov 15 '22 at 19:27
  • Many many thanks dear friend !! now i know that I can develop and take this approach without worrying that much,and sorry for the long time I took from you it is just this app is internal and used by the companny employees to perform the bussiness itself and an error would cost a lot of money and also my head – Luis Nov 15 '22 at 20:15
  • You're very welcome. Can I help you with other information? – Alex Mamo Nov 16 '22 at 06:55
0

Authentication is not attestation.

If you are using Anonymous Authentication and still serving data and only restricting the access of that data to whether a UID is present in the request, then anyone can still generate an anonymous user and access your database through a series of rest calls since generating an anonymous user has no barrier to it.

It sounds like what you really want to do is implement AppCheck. AppCheck will ensure that your users are only accessing your application and database through approved applications and not accessing it through REST calls or other service calls. What you could do is enable AppCheck on your project and then enable enforcement when all your users have migrated to the latest edition of your app. Your DB is still able to be accessed, but only if it has a valid AppCheck token which can only be provided through an attestation provider like SafetyNet or reCaptcha.

Alexander N.
  • 1,458
  • 14
  • 25
  • not responding my question about limits using a single user for all devices, by the way i tried appcheck but play integrity didnt work , I got invalid token , as for safety net , it works really well but it will stop working soon so there is no use implementing it – Luis Nov 11 '22 at 22:54
  • Is this just a straight java/kotlin app or flutter/react native? Play integrity worked really well for me, so maybe it's a configuration issue? – Alexander N. Nov 12 '22 at 02:18
  • Java native app , this app is internal so it is not published in Playstore, i posted another question about such problem with play integrity - > https://stackoverflow.com/questions/74214454/app-check-playintegrity-not-working-firebase-android – Luis Nov 12 '22 at 02:27
  • 1
    My concern with using a single account with every single user session is that it may look suspicious to the authentication servers. That's why I think having an attestation providers is important. Here are the docs if your are exclusively listed outside of Play : https://developer.android.com/google/play/integrity/setup#apps-exclusively-distributed-outside-google-play – Alexander N. Nov 12 '22 at 02:33
0

Firebase allows 50k monthly active users at the free tier but gets expensive very quickly after that. If you have Firebase Authentication with Identity Platform setup, you can enable automatic clean-up so stale accounts are removed if not used.

You could deploy a blocking function with Cloud Functions that triggers a beforeCreate event. First, you could log IP addresses when a new user is created, then could run a check to see if that IP is already in use with beforeCreate. Obviously, there are many reasons why that could fail but it would at least reduce the number of duplicates.

The best thing would be to force a real sign-in method after a user is anonymous for some period of time. You can easily link an existing anonymous account to a social provider or other method to reduce friction for the UX.

Tim
  • 385
  • 6
  • not responding my question Would there be a problem with that? Would Firebase limit the amount of sessions with a same user? Is it a problem with 20 000 sessions at the same time and also with so many requests to Firebase products with the same user? – Luis Nov 11 '22 at 22:54