Vibe Coding Starter

Gelo 0

Vibe Coding Starter (Zero-Knowledge)

One default path • deploy fallback • security rules • privacy tests • key safety
Vibe Coding tutorial
Start Glossary Lesson 1 Lesson 2 Lesson 3 Lesson 4 Lesson 5 Appendix Checklist

Start here: Vibe coding that doesn’t break

This is a true beginner tutorial. You will copy prompts, click buttons, and ship a tiny app without needing to “know programming” first.

The rule: Small change → run → verify → checkpoint → deploy.

The one default path (no choosing)

  • Build: Next.js app inside Firebase Studio
  • Publish (default): Firebase Studio → Publish → App Hosting
  • Publish (Plan B fallback): Firebase CLI → App Hosting (see Appendix)
  • Data: Firebase Auth + Firestore
  • AI: Gemini API via a backend endpoint
Cost/billing reality: Publishing a full-stack app (with backend endpoints like /api/summarize) usually requires the Blaze plan (pay-as-you-go). You can keep costs tiny by setting budget alerts and limiting usage.

What you’ll have at the end

  • A working public URL you can open on your phone
  • Login + saved items + AI summarizer
  • Secure Firestore rules (users can’t see each other’s data)
  • A reusable 2-account privacy test for every app you build

Quick orientation (10 minutes)

  1. Open studio.firebase.google.com in your browser.
  2. Sign in with your Google account.
  3. Create a workspace (choose a web template if offered).
  4. Find a Preview panel and start it.
Non-negotiable: Don’t skip Lesson 5. That’s where you prevent data leaks.

How to use this page

  • Each lesson has step checkboxes. They save locally in your browser (so you can return later).
  • Prompts are copy-ready. Paste them into your vibe coding AI chat inside Firebase Studio.
  • If a button name differs, use Ctrl/Cmd+F and search for words like Publish, Deploy, or Hosting.
1) Glossary (terms explained once) 2) Lesson 1 — Create & publish (plus Deploy Plan B) 3) Lesson 2 — Add login 4) Lesson 3 — Save data 5) Lesson 4 — Add AI summarization (Key Safety) 6) Lesson 5 — Secure rules + 2-account privacy test + ship safely 7) Appendix — Deploy Plan B + rules + privacy tests 8) Printable checklist

Glossary (read once)

Every important term is defined once here. In lessons, terms link back to this section.

Tip: Don’t memorize. Scroll back here when you forget a term.
Term Meaning
App A program people use. Here it runs in a web browser.
Micro-SaaS A small paid software product that solves one specific problem.
Feature One capability you add, like “login” or “save notes”.
Stack The set of tools used to build and run the app.
Next.js A web framework that lets you build pages (frontend) and server endpoints (backend) in one project.
Firebase Studio A browser-based coding workspace from Firebase with AI help. You can run and publish apps from it.
Firebase Console The control panel where you enable Auth/Firestore and edit security rules.
Frontend The screens/buttons the user sees.
Backend Server code that handles logic and talks to the database and external APIs.
API endpoint A URL your app calls to do backend work. Example: /api/summarize.
Database A place where your app saves data so it’s still there after refresh.
Firestore Firebase’s database for storing documents (items, usage counters, etc.).
Authentication (Auth) The part that creates accounts and checks who is logged in.
Deploy / Publish Put your app online so other people can open it.
URL A web address like https://example.com.
Diff The changes made to code (what was added/removed). Smaller diffs are safer.
JSON A simple text format for data. Example: { "text": "hello" }.
Terminal A text box where you type commands. Think “typing instructions”.
CLI A command-line tool you run in Terminal. Firebase CLI can deploy your app from your computer.
Environment variables Hidden settings used for secret keys. They must not be placed directly in frontend code.
API key A password-like secret that lets your app call a paid service. Must be kept secret.
Rate limiting Limits how often a user can do an expensive action (like AI calls) to prevent abuse and surprise costs.
Security rules Rules that decide who can read/write data in Firestore.
2-account privacy test Create two accounts and confirm they cannot see each other’s data.
Blaze plan Firebase pay-as-you-go billing. Usually needed for publishing server code.
App Hosting Firebase product for hosting full-stack Next.js apps. It builds and runs your app for you.

What you will build

A tiny micro-SaaS called SummaryBox:

  • Users create an account and log in.
  • They paste text and click “Summarize”.
  • The app calls the Gemini API and returns a short summary.
  • The app saves the original text + summary to Firestore.

Lesson 1 — Create & publish your first app

Goal: create a basic web app in Firebase Studio and publish it online (get a public URL).

Progress: 0/0 completed Deploy Plan B: Appendix section
Step 0 — Billing awareness (1 minute)

Publishing backend code (later for AI) usually requires Blaze plan. This doesn’t mean “expensive”—it means “pay only for what you use.” Set a budget alert.

Step 1 — Create a Firebase project

Open Firebase Console → Create project → finish setup.

If you can’t find the button: search the page for “Create project”.

Step 2 — Create a Firebase Studio workspace

In Firebase Studio, create a web app workspace (choose Next.js if offered).

If you see multiple templates, choose the simplest “web app” option.

Vibe prompt (paste into Studio AI chat): 
I am a complete beginner. Create a minimal Next.js web app with:
- Home page that shows the title “SummaryBox”
- A link button that goes to /login (even if it’s empty for now)
Keep it simple.
Before coding: list the files you will change.
After coding: tell me exactly which button to click to run the app in Preview.
Keep diffs small (diff)
Step 3 — Run in Preview

Start Preview and confirm you can see “SummaryBox”.

If Preview is missing: ask Studio AI “Where is the Preview panel?”

Step 4 — Publish (default path)

In Firebase Studio, click Publish (or Deploy), choose App Hosting, connect your Firebase project, and finish.

If you don’t see “Publish”: search the UI for “Deploy”, “Hosting”, or open the Firebase panel inside Studio.

If Studio publish fails: Use Deploy Plan B in the Appendix: Firebase CLI → App Hosting.
Step 5 — Checkpoint (your undo button)

Create a checkpoint:

  • If Git is available: commit (“Lesson 1: published skeleton”).
  • If not: export/download the project as a ZIP.
Stop here if you don’t have a working public URL. Lesson 2 assumes your app is online.

Lesson 2 — Add login (Firebase Authentication)

Goal: users can create an account and log in. The app shows the main screen only after login.

Progress: 0/0 completed Key term: Auth
Step 1 — Enable Email/Password sign-in

Firebase Console → Build → Authentication → Sign-in method → enable Email/Password.

If you can’t find it: search the page for “Sign-in method”.

Vibe prompt (paste into Studio AI chat): 
Add Firebase Authentication (Email/Password) to this Next.js app.

Requirements (beginner-friendly):
- Create /login page with email + password inputs.
- Add two buttons: “Sign up” and “Sign in”.
- Create /app page that is protected:
  - If NOT logged in: redirect to /login.
  - If logged in: show “Welcome” and the user’s email.
- Add a “Sign out” button on /app.
- Keep changes small. Before coding, list exactly which files you will change. Try to keep it under 6 files.
Step 3 — Test login in Preview
  1. Open /login
  2. Create an account (Sign up)
  3. Log in (Sign in)
  4. Confirm /app shows your email
  5. Sign out, confirm you return to /login
Step 4 — Publish again

Publish so login works on your public URL.

Checkpoint

Commit/export ZIP (“Login version”).

Lesson 3 — Save data (Firestore database)

Goal: logged-in users can save items and see their past items.

Progress: 0/0 completed Key term: Firestore
Step 1 — Create Firestore database

Firebase Console → Build → Firestore Database → Create database.

Temporary setting: If it offers “test mode”, you may start with it for development. We will lock it down in Lesson 5. Do not share your app widely before Lesson 5.
Vibe prompt: 
Add Firestore storage for this app.

Requirements:
- In /app, add a textarea called “Original text” and a button “Save”.
- When user clicks Save, store a document in Firestore collection “items” with fields:
  userId, userEmail, originalText, createdAt
- Below the form, show the user's last 10 saved items (most recent first).
- Make sure the code includes the userId on every saved item.
- Keep the change small (under 8 files). List the files first.
Step 3 — Test it

Log in, save two items, refresh the page.

You should see: saved items still appear after refresh.

Step 4 — Publish again

Publish so saved items work on the public link.

Checkpoint

Commit/export ZIP (“Database version”).

Lesson 4 — Add AI summarization (Gemini API)

Goal: user pastes text → clicks Summarize → gets a short summary → app saves it.

Progress: 0/0 completed Key term: API key Key term: Env vars
KEY SAFETY BOX (read carefully)
  • Your Gemini API key is like a password. If it leaks, someone can spend your money.
  • Never paste the key into frontend code.
  • Never name it with NEXT_PUBLIC_ (that exposes it to the browser).
  • Store it as an environment variable and use it only inside backend code (API endpoints).
Step 1 — Create a Gemini API key

Open Google AI Studio → create an API key → copy it.

Store it privately. Treat it like a password.

Step 2 — Add the key as an environment variable

Add an env var named GEMINI_API_KEY in your deployment settings.

If you’re using App Hosting, set secrets/env vars there. If Studio UI is unclear, use the Appendix notes.

Vibe prompt: 
Add an AI summarizer using the Gemini API.

Requirements:
- Create a backend endpoint /api/summarize.
- It accepts JSON: { text: string }.
- It uses GEMINI_API_KEY from environment variables (NOT from frontend).
- It returns JSON: { summary: string }.
- In /app, add a button “Summarize” that calls /api/summarize using the text in the textarea.
- After summarizing, save the summary into the existing Firestore document (add field: summaryText).
- Add friendly errors: if AI fails, show “Could not summarize. Try again.”
- Keep it small: list files first, aim under 10 files.
More: Key safety
Step 4 — Test it

Paste a paragraph, click Summarize.

You should see: a short summary. Refresh and confirm it remains saved.

Step 5 — Publish again

Publish so summarization works on the public link.

Checkpoint

Commit/export ZIP (“AI version”).

Lesson 5 — Secure rules + 2-account privacy test + ship safely

Goal: lock down Firestore so users cannot see each other’s data, then verify it.

Progress: 0/0 completed Key term: Security rules Key term: 2-account test

Part A — Replace “test mode” with real Firestore rules

Step A1 — Open the Rules editor

Firebase Console → Firestore Database → Rules.

Step A2 — Paste the template and Publish

Replace your current rules with the template below, then click Publish.

If you can’t find Publish: look for “Save” or “Publish” at the top-right of the rules editor.

Firestore Rules Template (copy/paste): 
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    function isOwner(data) {
      return signedIn() && data.userId == request.auth.uid;
    }

    // Private user items (the main data)
    match /items/{itemId} {

      // Create: must be signed in and must write their own userId
      allow create: if signedIn()
        && request.resource.data.userId == request.auth.uid;

      // Read/update/delete: only if the stored item belongs to you
      allow read, update, delete: if isOwner(resource.data);
    }

    // Rate limit / usage counters (optional)
    match /usage/{usageId} {
      allow create: if signedIn()
        && request.resource.data.userId == request.auth.uid;
      allow read, update, delete: if isOwner(resource.data);
    }

    // Error logs: block all client access (server code can still write using admin credentials)
    match /errors/{errorId} {
      allow read, write: if false;
    }
  }
}
Explained in Appendix
Important: Publishing rules is not enough. You must test them with real accounts, or you can ship insecure access by mistake.

Part B — The 2-account privacy test (this catches hidden insecurity)

Step B1 — Create Account A
  1. Sign up with Email A
  2. Save 1 item
  3. Summarize it
  4. Sign out
Step B2 — Create Account B
  1. Sign up with Email B
  2. Confirm B cannot see A’s items

Expected result: B’s list should be empty (or only B’s items).

If Account B can see Account A’s data (fix now)
  1. Open Firestore and check if every item document contains a userId field.
  2. Confirm rules include resource.data.userId == request.auth.uid for reads.
  3. Ask your AI in Studio: “Here are my Firestore rules and item documents. Why can B see A?”
Do not publish until this test passes.

Part C — Release gates (non-negotiable)

Before every publish, all gates must be “Yes”.

Gate 1: App runs (no blank screens).
Gate 2: Login works (sign up / sign in / sign out).
Gate 3: Smoke test: log in → paste → summarize → refresh → still saved.
Gate 4: Bad inputs do not crash the app (empty, very long text).
Gate 5: Errors are friendly (“Try again”) and retry works.
Gate 6: 2-account privacy test passes.
Part D — Publish your secure version

After all gates pass, publish again.

You now have a safe micro-SaaS skeleton. Reuse it for office tools: meeting minutes, SOP summarizer, inbox triage helper, task tracker, policy Q&A.

Appendix — Deploy Plan B + Rules + Privacy tests + Key safety

Deploy Plan B: Firebase CLI → App Hosting

Use this if you cannot publish from Studio. It is longer, but reliable. Key terms: Terminal, CLI, App Hosting.

Requirements:
  • Firebase project with Blaze billing enabled
  • Node.js (LTS) installed on your computer
  • Firebase CLI installed
  1. Export/download your Firebase Studio project to your computer.
  2. Open a Terminal in the folder that contains package.json.
  3. Install Firebase CLI:
npm install -g firebase-tools
  1. Log in:
firebase login
  1. Initialize App Hosting in your project folder:
firebase init apphosting

When prompted: select your Firebase project, confirm the app root directory (the folder with package.json), and create/select an App Hosting backend.

  1. Deploy:
firebase deploy
You should get: a public URL. Open it in a browser to confirm it works.

Firestore rules explained (simple)

The rules you used do two core things:

  • Create: you can only create items where userId equals your logged-in id.
  • Read/Update/Delete: you can only access items where the stored userId matches you.

Privacy tests to reuse forever

1) 2-account test (human test)

  1. Create Account A → save 1 item.
  2. Log out.
  3. Create Account B → confirm B cannot see A’s item.

2) Optional “link guessing” test

If your UI ever exposes item IDs, try to access an item as Account B. It should fail. This catches “IDOR” style bugs (insecure direct object reference).

Key safety (expanded)

  • Never commit keys into your repo (don’t paste into code files).
  • Never put keys in frontend code.
  • Never prefix secret keys with NEXT_PUBLIC_.
  • Use GEMINI_API_KEY as a server-only environment variable.
Beginner mindset: “Where should secrets live?”

A secret (API key) should be stored where the browser cannot read it. That means: deployment settings (env vars / secrets), and used only in backend endpoints.

If you ever see your key inside the browser (DevTools, page source, or network calls), it is exposed and must be rotated (replaced).

Printable checklist (use every time)

One feature loop

  1. Write a 10-line spec (what the user does + what they get).
  2. Ask AI to change as few files as possible (small diff).
  3. Run in Preview and click through the feature.
  4. Try bad inputs (empty, long, wrong type).
  5. Run the 2-account privacy test if any data is saved.
  6. Publish only after release gates pass.
  7. Checkpoint (commit or export ZIP).

Release gate (must be all “Yes”)

Gate Yes/No
App runs (no blank screens)
Login works (signup/signin/signout)
Smoke test passes end-to-end
Bad inputs don’t crash it
Errors are friendly + retry works
Privacy test passes (2-account)

Production minimums

  • Firestore rules locked down (no test mode)
  • Secrets stored as env vars / secrets (never in code)
  • Rate limiting on expensive actions (AI calls)
  • Error logging so you can see failures
Next step: Replace “SummaryBox” with your real micro-SaaS idea, but keep this structure: login → core action → save → security rules → privacy test.
Tags

Post a Comment

Post a Comment
Previous Post Next Post