Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do you debug Firestore security rules?

I'm crying myself to sleep on this one.

My getAfter is returning an object that only has 1 field, as every other field type is incorrect. Which I have no idea how to check without any debugging tools (I can't see the data, so its all guess and check).

Here is a watered down version of my rules for users.

match /users/{userId} {
  function isValidUser(user) {
    return user.id is string &&
       (user.address is string || user.address == null) &&
       (user.dateOfBirth is number || user.dateOfBirth == null) &&
       user.email is string &&
       user.name is string &&
       (user.phoneNumber is string || user.phoneNumber == null);
  }

  function isValidWrite(userId, user) {
    return signedIn() && 
        writeHasMatchingId(userId, user) &&
        isValidUser(user);
  }

  allow read: if signedIn();
  allow create: if signedInAndWriteHasMatchingId(userId) &&
    userHasId(userId) &&
    isValidUser(request.resource.data); // Tested
  allow update: if isValidWrite(
    userId,
    getAfter(/databases/$(database)/documents/users/$(userId))
  );
}

and this is the transaction I am trying to run.

const user1Ref = this.userCollection.doc(user1Id);
const user2Ref = this.userCollection.doc(user2Id);
const batchWrite = this.store.batch();

batchWrite.update(user1Ref, {
     "details.friend": user2Id,
});
batchWrite.update(user2Ref, {
     "details.wishlist": true,
});

batchWrite.commit();

If I comment out the isValidUser(user) line, the operation succeeds. If I leave any line uncommented out inside the function isValidUser(user) except user.id is string, it fails.

Why would the getAfter document only have the id field and no others when they are listed in the Firebase console? Is there a way to output or debug the value of getAfter so I can see what it even is?

like image 457
ColdLogic Avatar asked Oct 17 '18 08:10

ColdLogic


People also ask

How do you update firestore security rules?

Edit and update your rulesOpen the Firebase console and select your project. Then, select Realtime Database, Cloud Firestore or Storage from the product navigation, then click Rules to navigate to the Rules editor.

Where is the Firebase debug log?

Report on event data Once you enable debug mode on your development devices, navigate to DebugView by selecting the arrow next to StreamView on the top nav of Google Analytics and selecting DebugView. Then, just start using your app to see your app's events being logged in the DebugView report.

What are security rules in Firebase?

Firebase Security Rules work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths. All Rules across Firebase products have a path-matching component and a conditional statement allowing read or write access.


1 Answers

Another approach, not mentioned here yet and likely not available at the time the question was raised, is wrapping your rules with debug().

Why this is cool?

  • Allows to see the values suspected of not being right; I still use the same comment-out-narrow-down method that @ColdLogic nicely described in one of their comments

Why this is not enough?

  • There is no tagging about which value was output; just eg. int_value: 0. Debug would benefit from eg. printing the first 10 letters of the equation it's evaluating, in the output.

  • Security Rules rejection reasons are still awfully short, as false for 'update' @ L44.

    • the line number always points to the main expression being evaluated. Never to a function called, or a subexpression with && that really causes the fail.

    Firebase could fix this (not change the output syntax; just give a more detailed line number). That would eliminate the need to comment-out-and-narrow-down.

  • The output goes to firestore-debug.log (fairly hidden), so one needs to open yet another terminal and keep an eye on it.

Debugging Security Rules is unnecessarily difficult - and I'm afraid it means people don't use their full potential. We should change this.

like image 56
akauppi Avatar answered Oct 18 '22 13:10

akauppi