Cloud Firestore rules on subcollection

Honestly, I think you're okay with your structure and get call as-is. Here's why:

  1. If you're fetching a bunch of documents in a subcollection, Cloud Firestore is usually smart enough to cache values as needed. For example, if you were to ask to fetch all 200 items in "conversions/chat_abc/messages", Cloud Firestore would only perform that get operation once and re-use it for the entire batch operation. So you'll end up with 201 reads, and not 400.

  2. As a general philosophy, I'm not a fan of optimizing for pricing in your security rules. Yes, you can end up with one or two extra reads per operation, but it's probably not going to cause you trouble the same way, say, a poorly written Cloud Function might. Those are the areas where you're better off optimizing.


If you want to save those extra reads, you can actually implement a "cache" based on custom claims.

You can, for example, save the chats the user has access to in the custom claims under the object "conversations". Keep in mind custom claims has a limit of 1000 bytes as mentioned in their documentation.

One workaround to the limit is to just save the most recent conversations in the custom claims, like the top 50. Then in the security rules you can do this:

allow read, write: if request.auth.token.conversations[conversationId] || get(/databases/$(database)/documents/conversations/$(conversationId)).data.members[(request.auth.uid)] == true;

This is especially great if you're already using cloud functions to moderate messages after they were posted, all you need is to update the custom claims