Firebase Realtime database structure best practice question









up vote
1
down vote

favorite












I am trying to figure out best practices for a Firebase Realtime database structure when securing data. I have read about how to secure the database using Firebase Realtime Database Rules.



For example:
A user adds "notes" and shares those "notes" with other users (members) who can then edit and comment those "notes".
Lets consider a storage structure like the one below:



-categories
 -uuid-cat1
 -data
 title: "my category 1"
 -members
 author: "uuid-user1"
-notes
 -uuid-note1
 -data
 title: "Hello World!"
 categoryId: "uuid-cat1"
 -comments
 -uuid-comment1
 title: "Can you explain?"
 author: "uuid-user2"
 -uuid-comment2
 title: "Certainly!"
 author: "uuid-user1"
 -members
 author: "uuid-user1"
 uuid-user2: "uuid-user2" //UPDATE 2 - This is another user with access to the note
 -uuid-note2
 -data
 title: "Hello Universe!"
 -categoryIds
 uuid-2: "uuid-cat2"
 -members
 author: "uuid-user2"
-users
 -uuid-user1
 name: "Jane"
 -uuid-user2
 name: "Jane"


Users only have access to notes or categories if they are listed as "members/author" or "members/user-id". This is enforced by Firebase Realtime database Rules.



Would this work in on a larger scale?
Let's say we store 200 000 notes.



When requesting to read all "notes" from the database, would this structure cause a performance issue in Firebase - since Firebase will have to loop thru all "notes" to determine access before returning the list?



Is there a better way (best practice) to structure the data?



UPDATE



My rules would look something along the lines of: 




 "rules": 
 "notes" : 
 //indexes
 ".indexOn": ["data/title", "members/author"],
 //access
 ".read": "
 auth.uid != null &&
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 ".write": "
 auth.uid != null && 
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 "$noteid": 
 "data": 
 "title": 
 ".validate": "newData.isString() && newData.val().length > 0"
 
 , 
 "members" : 
 ".read" : true, 
 ".write": true, 
 //validation
 ".validate": "newData.hasChildren([
 'author'
 ])",
 "author" :
 ".validate": "newData.isString()"
 
 
 
 ,
 "categories": 
 //The same type of rules as for "notes"
 ,
 "users": 
 "$userid": 
 ".read": "$userid === auth.uid",
 ".write": "$userid === auth.uid"



My code would look somethin along the lines of: 



const myUid = firebase.auth().currentUser.uid;
const ref = firebase.database().ref('notes');
ref.orderByChild('members/author').equalTo(myUid).on('value', (snapshot) => 
 console.log(snapshot.key)
 const notesArray = 

 snapshot.forEach( (childSnapshot) => 
 notesArray.push(
 id: childSnapshot.key,
 data: childSnapshot.val()
 );
 );

 console.log(notesArray);






firebase firebase-realtime-database firebase-security-rules







share|improve this question



















  • 1




    Please show the actual code and security rules that you're asking about. Without that, it is hard to answer any questions about their performance.
    – Frank van Puffelen
    Nov 10 at 15:26










  • Hello Frank, thank you for the reply! I have updated the post to show some conceptual example code. Not sure if the access rules are 100% correct though.
    – Kermit
    Nov 11 at 9:40






  • 1




    That query should work fine on a few hundred thousand child nodes. See stackoverflow.com/questions/28857905/…. But since you can only have one author per node, I'd recommend storing it in a /AuthorNodes/$uid: note1id: true, node2id: true format too.
    – Frank van Puffelen
    Nov 11 at 15:08










  • Hi Frank - Thank you for the prompt reply! I am actually planning on adding more editors alongside author, hence the structure. :) Glad to hear the query should work fine, even with large amounts of data! I have made an update to show editors alongside authors.
    – Kermit
    Nov 11 at 17:40















up vote
1
down vote

favorite












I am trying to figure out best practices for a Firebase Realtime database structure when securing data. I have read about how to secure the database using Firebase Realtime Database Rules.



For example:
A user adds "notes" and shares those "notes" with other users (members) who can then edit and comment those "notes".
Lets consider a storage structure like the one below:



-categories
 -uuid-cat1
 -data
 title: "my category 1"
 -members
 author: "uuid-user1"
-notes
 -uuid-note1
 -data
 title: "Hello World!"
 categoryId: "uuid-cat1"
 -comments
 -uuid-comment1
 title: "Can you explain?"
 author: "uuid-user2"
 -uuid-comment2
 title: "Certainly!"
 author: "uuid-user1"
 -members
 author: "uuid-user1"
 uuid-user2: "uuid-user2" //UPDATE 2 - This is another user with access to the note
 -uuid-note2
 -data
 title: "Hello Universe!"
 -categoryIds
 uuid-2: "uuid-cat2"
 -members
 author: "uuid-user2"
-users
 -uuid-user1
 name: "Jane"
 -uuid-user2
 name: "Jane"


Users only have access to notes or categories if they are listed as "members/author" or "members/user-id". This is enforced by Firebase Realtime database Rules.



Would this work in on a larger scale?
Let's say we store 200 000 notes.



When requesting to read all "notes" from the database, would this structure cause a performance issue in Firebase - since Firebase will have to loop thru all "notes" to determine access before returning the list?



Is there a better way (best practice) to structure the data?



UPDATE



My rules would look something along the lines of: 




 "rules": 
 "notes" : 
 //indexes
 ".indexOn": ["data/title", "members/author"],
 //access
 ".read": "
 auth.uid != null &&
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 ".write": "
 auth.uid != null && 
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 "$noteid": 
 "data": 
 "title": 
 ".validate": "newData.isString() && newData.val().length > 0"
 
 , 
 "members" : 
 ".read" : true, 
 ".write": true, 
 //validation
 ".validate": "newData.hasChildren([
 'author'
 ])",
 "author" :
 ".validate": "newData.isString()"
 
 
 
 ,
 "categories": 
 //The same type of rules as for "notes"
 ,
 "users": 
 "$userid": 
 ".read": "$userid === auth.uid",
 ".write": "$userid === auth.uid"



My code would look somethin along the lines of: 



const myUid = firebase.auth().currentUser.uid;
const ref = firebase.database().ref('notes');
ref.orderByChild('members/author').equalTo(myUid).on('value', (snapshot) => 
 console.log(snapshot.key)
 const notesArray = 

 snapshot.forEach( (childSnapshot) => 
 notesArray.push(
 id: childSnapshot.key,
 data: childSnapshot.val()
 );
 );

 console.log(notesArray);






firebase firebase-realtime-database firebase-security-rules







share|improve this question



















  • 1




    Please show the actual code and security rules that you're asking about. Without that, it is hard to answer any questions about their performance.
    – Frank van Puffelen
    Nov 10 at 15:26










  • Hello Frank, thank you for the reply! I have updated the post to show some conceptual example code. Not sure if the access rules are 100% correct though.
    – Kermit
    Nov 11 at 9:40






  • 1




    That query should work fine on a few hundred thousand child nodes. See stackoverflow.com/questions/28857905/…. But since you can only have one author per node, I'd recommend storing it in a /AuthorNodes/$uid: note1id: true, node2id: true format too.
    – Frank van Puffelen
    Nov 11 at 15:08










  • Hi Frank - Thank you for the prompt reply! I am actually planning on adding more editors alongside author, hence the structure. :) Glad to hear the query should work fine, even with large amounts of data! I have made an update to show editors alongside authors.
    – Kermit
    Nov 11 at 17:40













up vote
1
down vote

favorite









up vote
1
down vote

favorite











I am trying to figure out best practices for a Firebase Realtime database structure when securing data. I have read about how to secure the database using Firebase Realtime Database Rules.



For example:
A user adds "notes" and shares those "notes" with other users (members) who can then edit and comment those "notes".
Lets consider a storage structure like the one below:



-categories
 -uuid-cat1
 -data
 title: "my category 1"
 -members
 author: "uuid-user1"
-notes
 -uuid-note1
 -data
 title: "Hello World!"
 categoryId: "uuid-cat1"
 -comments
 -uuid-comment1
 title: "Can you explain?"
 author: "uuid-user2"
 -uuid-comment2
 title: "Certainly!"
 author: "uuid-user1"
 -members
 author: "uuid-user1"
 uuid-user2: "uuid-user2" //UPDATE 2 - This is another user with access to the note
 -uuid-note2
 -data
 title: "Hello Universe!"
 -categoryIds
 uuid-2: "uuid-cat2"
 -members
 author: "uuid-user2"
-users
 -uuid-user1
 name: "Jane"
 -uuid-user2
 name: "Jane"


Users only have access to notes or categories if they are listed as "members/author" or "members/user-id". This is enforced by Firebase Realtime database Rules.



Would this work in on a larger scale?
Let's say we store 200 000 notes.



When requesting to read all "notes" from the database, would this structure cause a performance issue in Firebase - since Firebase will have to loop thru all "notes" to determine access before returning the list?



Is there a better way (best practice) to structure the data?



UPDATE



My rules would look something along the lines of: 




 "rules": 
 "notes" : 
 //indexes
 ".indexOn": ["data/title", "members/author"],
 //access
 ".read": "
 auth.uid != null &&
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 ".write": "
 auth.uid != null && 
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 "$noteid": 
 "data": 
 "title": 
 ".validate": "newData.isString() && newData.val().length > 0"
 
 , 
 "members" : 
 ".read" : true, 
 ".write": true, 
 //validation
 ".validate": "newData.hasChildren([
 'author'
 ])",
 "author" :
 ".validate": "newData.isString()"
 
 
 
 ,
 "categories": 
 //The same type of rules as for "notes"
 ,
 "users": 
 "$userid": 
 ".read": "$userid === auth.uid",
 ".write": "$userid === auth.uid"



My code would look somethin along the lines of: 



const myUid = firebase.auth().currentUser.uid;
const ref = firebase.database().ref('notes');
ref.orderByChild('members/author').equalTo(myUid).on('value', (snapshot) => 
 console.log(snapshot.key)
 const notesArray = 

 snapshot.forEach( (childSnapshot) => 
 notesArray.push(
 id: childSnapshot.key,
 data: childSnapshot.val()
 );
 );

 console.log(notesArray);






firebase firebase-realtime-database firebase-security-rules







share|improve this question















I am trying to figure out best practices for a Firebase Realtime database structure when securing data. I have read about how to secure the database using Firebase Realtime Database Rules.



For example:
A user adds "notes" and shares those "notes" with other users (members) who can then edit and comment those "notes".
Lets consider a storage structure like the one below:



-categories
 -uuid-cat1
 -data
 title: "my category 1"
 -members
 author: "uuid-user1"
-notes
 -uuid-note1
 -data
 title: "Hello World!"
 categoryId: "uuid-cat1"
 -comments
 -uuid-comment1
 title: "Can you explain?"
 author: "uuid-user2"
 -uuid-comment2
 title: "Certainly!"
 author: "uuid-user1"
 -members
 author: "uuid-user1"
 uuid-user2: "uuid-user2" //UPDATE 2 - This is another user with access to the note
 -uuid-note2
 -data
 title: "Hello Universe!"
 -categoryIds
 uuid-2: "uuid-cat2"
 -members
 author: "uuid-user2"
-users
 -uuid-user1
 name: "Jane"
 -uuid-user2
 name: "Jane"


Users only have access to notes or categories if they are listed as "members/author" or "members/user-id". This is enforced by Firebase Realtime database Rules.



Would this work in on a larger scale?
Let's say we store 200 000 notes.



When requesting to read all "notes" from the database, would this structure cause a performance issue in Firebase - since Firebase will have to loop thru all "notes" to determine access before returning the list?



Is there a better way (best practice) to structure the data?



UPDATE



My rules would look something along the lines of: 




 "rules": 
 "notes" : 
 //indexes
 ".indexOn": ["data/title", "members/author"],
 //access
 ".read": "
 auth.uid != null &&
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 ".write": "
 auth.uid != null && 
 query.orderByChild == 'members/author' && query.equalTo == auth.uid
 ",
 "$noteid": 
 "data": 
 "title": 
 ".validate": "newData.isString() && newData.val().length > 0"
 
 , 
 "members" : 
 ".read" : true, 
 ".write": true, 
 //validation
 ".validate": "newData.hasChildren([
 'author'
 ])",
 "author" :
 ".validate": "newData.isString()"
 
 
 
 ,
 "categories": 
 //The same type of rules as for "notes"
 ,
 "users": 
 "$userid": 
 ".read": "$userid === auth.uid",
 ".write": "$userid === auth.uid"



My code would look somethin along the lines of: 



const myUid = firebase.auth().currentUser.uid;
const ref = firebase.database().ref('notes');
ref.orderByChild('members/author').equalTo(myUid).on('value', (snapshot) => 
 console.log(snapshot.key)
 const notesArray = 

 snapshot.forEach( (childSnapshot) => 
 notesArray.push(
 id: childSnapshot.key,
 data: childSnapshot.val()
 );
 );

 console.log(notesArray);






firebase firebase-realtime-database firebase-security-rules




firebase firebase-realtime-database firebase-security-rules






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 11 at 17:43

























asked Nov 10 at 12:36









Kermit

85114




85114







  • 1




    Please show the actual code and security rules that you're asking about. Without that, it is hard to answer any questions about their performance.
    – Frank van Puffelen
    Nov 10 at 15:26










  • Hello Frank, thank you for the reply! I have updated the post to show some conceptual example code. Not sure if the access rules are 100% correct though.
    – Kermit
    Nov 11 at 9:40






  • 1




    That query should work fine on a few hundred thousand child nodes. See stackoverflow.com/questions/28857905/…. But since you can only have one author per node, I'd recommend storing it in a /AuthorNodes/$uid: note1id: true, node2id: true format too.
    – Frank van Puffelen
    Nov 11 at 15:08










  • Hi Frank - Thank you for the prompt reply! I am actually planning on adding more editors alongside author, hence the structure. :) Glad to hear the query should work fine, even with large amounts of data! I have made an update to show editors alongside authors.
    – Kermit
    Nov 11 at 17:40













  • 1




    Please show the actual code and security rules that you're asking about. Without that, it is hard to answer any questions about their performance.
    – Frank van Puffelen
    Nov 10 at 15:26










  • Hello Frank, thank you for the reply! I have updated the post to show some conceptual example code. Not sure if the access rules are 100% correct though.
    – Kermit
    Nov 11 at 9:40






  • 1




    That query should work fine on a few hundred thousand child nodes. See stackoverflow.com/questions/28857905/…. But since you can only have one author per node, I'd recommend storing it in a /AuthorNodes/$uid: note1id: true, node2id: true format too.
    – Frank van Puffelen
    Nov 11 at 15:08










  • Hi Frank - Thank you for the prompt reply! I am actually planning on adding more editors alongside author, hence the structure. :) Glad to hear the query should work fine, even with large amounts of data! I have made an update to show editors alongside authors.
    – Kermit
    Nov 11 at 17:40








1




1




Please show the actual code and security rules that you're asking about. Without that, it is hard to answer any questions about their performance.
– Frank van Puffelen
Nov 10 at 15:26




Please show the actual code and security rules that you're asking about. Without that, it is hard to answer any questions about their performance.
– Frank van Puffelen
Nov 10 at 15:26












Hello Frank, thank you for the reply! I have updated the post to show some conceptual example code. Not sure if the access rules are 100% correct though.
– Kermit
Nov 11 at 9:40




Hello Frank, thank you for the reply! I have updated the post to show some conceptual example code. Not sure if the access rules are 100% correct though.
– Kermit
Nov 11 at 9:40




1




1




That query should work fine on a few hundred thousand child nodes. See stackoverflow.com/questions/28857905/…. But since you can only have one author per node, I'd recommend storing it in a /AuthorNodes/$uid: note1id: true, node2id: true format too.
– Frank van Puffelen
Nov 11 at 15:08




That query should work fine on a few hundred thousand child nodes. See stackoverflow.com/questions/28857905/…. But since you can only have one author per node, I'd recommend storing it in a /AuthorNodes/$uid: note1id: true, node2id: true format too.
– Frank van Puffelen
Nov 11 at 15:08












Hi Frank - Thank you for the prompt reply! I am actually planning on adding more editors alongside author, hence the structure. :) Glad to hear the query should work fine, even with large amounts of data! I have made an update to show editors alongside authors.
– Kermit
Nov 11 at 17:40





Hi Frank - Thank you for the prompt reply! I am actually planning on adding more editors alongside author, hence the structure. :) Glad to hear the query should work fine, even with large amounts of data! I have made an update to show editors alongside authors.
– Kermit
Nov 11 at 17:40


















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53239019%2ffirebase-realtime-database-structure-best-practice-question%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53239019%2ffirebase-realtime-database-structure-best-practice-question%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Top Tejano songwriter Luis Silva dead of heart attack at 64

Image
Ramiro Burr's New Blog - to go back: www.ramiroburr.com From Latin rock to reggaeton, boleros to blues,Tex-Mex to Tejano, conjunto to corridos and beyond, Ramiro Burr has it covered. If you have a new CD release, a trivia question or are looking for tour info, post a message here or e-mail Ramiro directly at: musicreporter@gmail.com Top Tejano songwriter Luis Silva dead of heart attack at 64 By Ramiro Burr on October 23, 2008 8:40 AM | Permalink | Comments (12) | TrackBacks (0) UPDATE: Luis Silva Funeral Service details released Visitation 4-9 p.m. Saturday, Rosary service 6 p.m. Saturday at Porter Loring, 1101 McCullough Ave Funeral Service 10:30 a.m. Monday St. Anthony De Padua Catholic Church, Burial Service at Chapel Hills, 7735 Gibbs Sprawl Road. Porter Loring (210) 227-8221 Related New Flash: Irma Laura Lopez: long time record promoter killed in accident NewsFlash: 9:02 a.m. (New comments below) Luis Silva , one of the most well-known and prolif
Read more

ReactJS Fetched API data displays live - need Data displayed static

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box; 0 I'm fetching data from API with axios which is live (counters, date and time etc.). When I display it, browser gets not responding because it gets a lot of requests. What I need just get a first snapshot of live data. Same goes for: var date = new Date; return (<p>date.toLacaleString()</p>) It gets live time (ticking every second) :D I just need date and time at that moment when it gets requested (snapshot). reactjs date time static axios share | improve this question edited Nov 16 '18 at 16:18 Sung M. Kim 17.9k 33 112 165 asked Nov 16 '18 at 13:39 Laurynas Žilinskas Laurynas Žilinskas 8 4 add a comment  |  0 I'm fetching data from API with axios which is live (counters, date and time etc.). When I display it, brow
Read more

Evgeni Malkin

Image
Evgeni Malkin From Wikipedia, the free encyclopedia Jump to navigation Jump to search This name uses Eastern Slavic naming customs; the patronymic is Vladimirovich and the family name is Malkin . Evgeni Malkin Malkin during the 2017 Stanley Cup Finals Born ( 1986-07-31 ) 31 July 1986 (age 32) Magnitogorsk, Russian SFSR, Soviet Union Height 6 ft 3 in (191 cm) Weight 195 [1]  lb (88 kg; 13 st 13 lb) Position Centre Shoots Left NHL team Former teams Pittsburgh Penguins Metallurg Magnitogorsk National team   Russia NHL Draft 2nd overall, 2004 Pittsburgh Penguins Playing career 2003–present Website http://malkin71.com Yevgeni Vladimirovich "Geno" Malkin (Russian: Евге́ний Влади́мирович Ма́лкин , IPA:  [jɪvˈɡʲenʲɪj ˈmaɫkʲɪn] ; [2] [3] born 31 July 1986) is a Russian professional ice hockey centre and alternate captain for the Pittsburgh Penguins of the National Hockey League (NHL). Malkin began his career with his hometown club Me
Read more