Is using Firebase without using Firebase rules a bad approach?


I'm working on a project made with NextJS and I'm using Firebase services. When I started working on the authentication and security of the project, I began using Firebase security rules and I found out that they are really limited for the things I want to do. Also, the testing interface Firebase provides is really poor, which leads to wasting a lot of time testing each rule.

That's why I thought of not using Firebase security rules. Instead, I'd send every request from the client to the NextJS server, and the server then sends the request using the Firebase Admin SDK. The security rules operations are set to false so that the only way to make a request is through the server, and the server is the one that validates every request.

This approach works, but I'm wondering if it's the best one, given that Firebase was designed to be used with its security rules. I want to know if Firebase security rules are in fact limited or if I'm just not using them correctly. And, in case they are limited, I want to know if I'm taking a good path or if maybe it's just better to not use Firebase at all.

Frank van Puffelen (best answer)

> The security rules operations are set to false

So you actually are using security rules, but not allowing any direct access from the client-side SDKs. That is a completely valid approach.
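
The server-side validation this setup depends on, as an added example (not code from the original post or from Firebase). It assumes Cloud Firestore, a hypothetical `profiles` collection with a `displayName` field, and a hypothetical `makeUpdateProfileHandler` factory; because the Admin SDK bypasses security rules, the checks in the handler are the only access control left.

```javascript
// Assumed setup (not from the original post): Cloud Firestore, with rules that
// deny every client SDK request:
//   match /{document=**} { allow read, write: if false; }
// The Admin SDK bypasses rules, so the checks below are the only access control.

// Factory so the handler can run with the real Admin SDK or with stubs.
// In a Next.js API route, pass:
//   verifyIdToken: (t) => getAuth().verifyIdToken(t)   // firebase-admin/auth
//   db: getFirestore()                                  // firebase-admin/firestore
function makeUpdateProfileHandler({ verifyIdToken, db }) {
  return async function handler(req, res) {
    if (req.method !== 'POST') return res.status(405).json({ error: 'method' });

    // 1. Authenticate: the client sends its Firebase ID token as a bearer token.
    const match = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    if (!match) return res.status(401).json({ error: 'missing token' });
    let uid;
    try {
      ({ uid } = await verifyIdToken(match[1]));
    } catch {
      return res.status(401).json({ error: 'invalid token' });
    }

    // 2. Validate input: accept only the field this endpoint owns.
    const { displayName } = req.body || {};
    if (typeof displayName !== 'string' || displayName.length < 1 || displayName.length > 50) {
      return res.status(400).json({ error: 'displayName' });
    }

    // 3. Authorize by construction: the document path comes from the verified
    //    uid, never from a client-supplied id.
    await db.collection('profiles').doc(uid).set({ displayName }, { merge: true });
    return res.status(200).json({ ok: true });
  };
}
```

Every other endpoint needs the same three steps, since a route that skips one of them exposes data with full admin privileges.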