Can debug logging be added to firestore rules functions?

Question

Given that the firestore rules structure allows for functions, is there some way to add debug logs to those rule-functions ? .. in order to verify that the function you expect, is in fact being called.

I see that with the simulator it shows a red X at the line in the rules sturcture, where access is denied for a given simulation-request. However, am curious for verification in production mode so it can be communicated to parties concerned about the rules integrity.

In the example below, I was thinking it might be implemented with that commented-out line:

console.log('ENTER: isAccessOn()');

However this does not work. Asking here in case there's any option for something like this in the platform.. or if not, if there's a suggestion for how to make such verifications with a production deployment. Thanks

service cloud.firestore {
  match /databases/{database}/documents {

    // block client access
    function isAccessOn() {
      // console.log('ENTER: isAccessOn()');
      return false;
    }

    match /{document=**} {
      allow read, write: if isAccessOn();
    }

  }
}

Answer 1

Firestore rules now have a debug() function

It's still not brilliant but better than before.

Answer 2

You may want to look into local rules emulation using the Firebase CLI, which is a brand new feature of the CLI. You can do simple logging with the emulator with the debug() function.

However, there is no way to log anything in security rules in production. If you want to verify that your rules work as expected, you should write some integration tests for those and run your tests to make sure access is rejected or allowed according to your specifications.