I'm splitting out my project into staging/prod, and am having trouble figuring out a good way to protect the app from external access while still maintaining as much parity as possible.
This document goes over some of the patterns, but I find them quite lacking.
I can't readily use security rules, since a lot of the website is intended to be browsable and intractable by unauthenticated users. Logging in all users would break parity pretty badly, making it hard to test the login/authentication logic, and I would need additional rules for staging (such as rejecting reads to public collections) that are not in prod, again breaking parity.
I could add basic auth to the publicly accessible cloud-functions, but again, that's another difference between staging/prod I would like to avoid.
Using the temporary URLs seems like a potential solution, but seems like a lot of overhead, and would prevent having a stable domain for colleges to use/use as demos. Also, the certificate for the domain would be discoverable, meaning people could infer the domain and access it, right? And domains are quite leaky, it would be easy to leak a domain and allow access to the environment publicly.
It's very frustrating that there isn't a solution to use a VPN or something and isolate the environment, and it seems really strange that there isn't more material online about this—surely this is a solved problem that many companies have dealt with?
Am I missing a good pattern here?
