Asked 1 month ago by CosmicRanger213
How can I track Firestore user data access solely from the backend?
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
Want to use over 200+ MCP servers inside your coding tools like Cursor?
I am using Firebase Auth, and my users must be authenticated to access the app.
I need an overview of my (web) app usage that doesn’t rely on client-side tracking, since clients can be hacked or have HTTP calls blocked. Specifically, if a user accesses data from Firestore secured by rules (bypassing any callable functions), is there a backend method to see which users have read or written specific data?
I currently log user activity via callable functions, but this does not capture all direct Firestore accesses. For example:
JAVASCRIPTexports.addmessage = onCall((request) => { const uid = request.auth.uid; // store this });
What options are available for tracking user activity purely on the backend without relying on client-side implementations?
0
Comments 0
•Answers 2
•Views 30
2 Answers
Answer by 
TychoAI Agent • 1 month ago
0
Firebase currently does not provide a built‐in way to audit user reads (or even writes) to Firestore at the database rules level. While you can trigger Cloud Functions for writes and then capture information via functions (or even use Firestore triggers), this does not cover direct client reads from Firestore.
What’s Logged
-
Callable Functions & Write Operations:
When a write comes through a Cloud Function (for example, via an HTTPS callable), you can log the user’s identity because you control that request. Similarly, Firestore triggers (onWrite, onCreate, onDelete) provide snapshots of the changed data, and you can capture some details about the user if you include that in your data.JAVASCRIPTexports.addmessage = functions.https.onCall((data, context) => { const uid = context.auth.uid; // log or process uid here // logging usage or saving audit data }); -
Direct Firestore Access:
When the client reads data directly from Firestore using the client SDK, the request goes directly from the client to Firestore. Authentication is enforced by security rules, but these operations are not routed through your Cloud Functions and therefore they are not available for you to log.
Audit Logs and Cloud Audit Logging
Cloud Audit Logs can record some administrative operations on Firestore, but they do not capture every data read or secure rule evaluation triggered by client operations. In short, audit logs do not provide per-user access logs for reads or even for security rule evaluations.
Options for Tracking Usage
-
Client-side Logging (with Caveats):
Although you prefer not to rely on the client, adding analytics or tracking calls from the client may be the only way to capture read events reliably. Tools like Google Analytics or even custom logging through Cloud Functions (if you wrap your Firestore SDK calls) can help here, but they run client-side. -
Proxies or API Gateways:
Instead of allowing direct Firestore access from the client, you could create a tier in your backend to proxy all read (and write) operations through Cloud Functions or an API layer. This lets you log the activity, but it introduces an extra layer of complexity and potential performance issues. -
Usage of Firestore Security Rules & Data Modeling:
You might consider embedding audit trails in your data model (for example, recording a last-read timestamp or storing a log entry when sensitive data is modified), but this does not cover reads and adds complexity to your data.
Conclusion
There is currently no Firebase-native way to capture user data access (especially reads) entirely on the backend if clients access Firestore directly. To achieve a comprehensive audit of user activity, you would need to route all interactions through a backend service or augment your solution with client-based analytics. Each approach has trade-offs between security, complexity, and user experience.
For more details on Cloud Functions triggers and security context handling, consider the documentation on functions triggers and authentication contexts in Firebase.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by NovaDiscoverer810 • 1 month ago
0
If you want to know what data is accessed in your Firestore database, you can enable its data access audit logging. From the documentation:
Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources.
Administrative access is always logged, while you can enable data access logging yourself on a project. When enabled, Firestore creates extensive logging information for each data access event in Cloud Logging.
You can then either export the data, or (what I typically do) query it through BigQuery.
I wrote up one example of this in my article Counting document reads per user in Firestore. From that article:
-
An example of the JSON data from the audit log from that article:
JSON{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "status": {}, "authenticationInfo": { "principalEmail": "service-942941060459@firebase-rules.iam.gserviceaccount.com", "thirdPartyPrincipal": { "@type": "type.googleapis.com/google.cloud.audit.ThirdPartyJwt", "payload": { "payload": { "sign_in_provider": "anonymous", "identities": {} }, "iss": "https://securetoken.google.com/nanochat-20241022-mw8qu9", "iat": 1731091820, "aud": "nanochat-20241022-mw8qu9", "provider_id": "anonymous", "sub": "mzi2JtP9p1fxavXdVvuk2qMyIWB3", "auth_time": 1731007799, "user_id": "mzi2JtP9p1fxavXdVvuk2qMyIWB3", "exp": 1731095420 }, "header": { "typ": "JWT", "alg": "RS256", "kid": "b8cac95b4a5acde0b96572dee8c8c95eee48cccd" } } }, "requestMetadata": { "callerIp": "157.131.245.100", "callerSuppliedUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)\", "requestAttributes": { "time": "2024-11-08T19:14:57.226501Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "firestore.googleapis.com", "methodName": "google.firestore.v1.Firestore.Listen", "authorizationInfo": [ { "resource": "projects/nanochat-20241022-mw8qu9/databases/(default)", "permission": "datastore.entities.get", "granted": true, "resourceAttributes": { "service": "firestore.googleapis.com", "name": "projects/nanochat-20241022-mw8qu9/databases/(default)", "type": "firestore.googleapis.com/Database" }, "permissionType": "DATA_READ" }, { "resource": "projects/nanochat-20241022-mw8qu9/databases/(default)", "permission": "datastore.entities.list", "granted": true, "resourceAttributes": { "service": "firestore.googleapis.com", "name": "projects/nanochat-20241022-mw8qu9/databases/(default)", "type": "firestore.googleapis.com/Database" }, "permissionType": "DATA_READ" } ], "resourceName": "projects/nanochat-20241022-mw8qu9/databases/(default)", "numResponseItems": "10", "request": { "@type": "type.googleapis.com/google.firestore.v1.ListenRequest", "addTarget": { "targetId": 102, "query": { "parent": "projects/nanochat-20241022-mw8qu9/databases/(default)/documents", "structuredQuery": { "limit": 10, "from": [ { "collectionId": "chat" } ], "orderBy": [ { "direction": "DESCENDING", "field": { "fieldPath": "timestamp" } }, { "direction": "DESCENDING", "field": { "fieldPath": "__name__" } } ] } } } }, "metadata": { "@type": "type.googleapis.com/google.cloud.audit.DatastoreServiceData" } }, "insertId": "-itd58hf2gzijg", "resource": { "type": "audited_resource", "labels": { "project_id": "nanochat-20241022-mw8qu9", "service": "firestore.googleapis.com", "method": "google.firestore.v1.Firestore.Listen" } }, "timestamp": "2024-11-08T19:14:57.217715Z", "severity": "INFO", "logName": "projects/nanochat-20241022-mw8qu9/logs/cloudaudit.googleapis.com%2Fdata_access", "operation": { "id": "3c9374e7-6d46-4619-ad12-a0bfbfac16b1", "producer": "firestore.googleapis.com", "last": true }, "receiveTimestamp": "2024-11-08T19:14:57.639965123Z" } -
The chart I generate there of reads-per-user-per-day:
-
And the BigQuery SQL I used to generate this:
SQLSELECT JSON_VALUE(proto_payload.audit_log.authentication_info.third_party_principal.payload.user_id) as uid, TIMESTAMP_TRUNC(timestamp, DAY) as day, SUM(proto_payload.audit_log.num_response_items) as read_count FROM `nanochat-20241022.mw8qu9.global._Default._AllLogs` WHERE proto_payload.audit_log.authorization_info[0].permission_type IN ('DATA_READ', 'DATA_WRITE') AND proto_payload.audit_log.method_name LIKE 'google.firestore.v1.Firestore%' GROUP BY JSON_VALUE(proto_payload.audit_log.authentication_info.third_party_principal.payload.user_id), TIMESTAMP_TRUNC(timestamp, DAY)
No comments yet.
Discussion
No comments yet.