Firebase Rules and How to Test Them

I work a lot on creating a Firebase backend. At the beginning this is very straightforward, but as the rules grow it becomes more difficult to spot a lack of security. What are the options for actually testing the rules? I looked at Targaryen, which is a third-party library, but I cannot get it to launch and run on OS X. Is there a more general approach to testing rules? What is the most common approach to conducting Firebase security tests?

+5

3 answers

If you have not already seen this, there are several options on the left side of the Firebase control panel for your application: Data, Security and Rules, Simulator. The Simulator is the one you need.

There you can authenticate as a user and then test read and write access on different child nodes.

We created our own small application for reading / writing to different nodes: as our application grew, so did the complexity of the rules, and it was simply easier to test 20 nodes through the application than one at a time in the simulator. Our test application contains about 100 lines of code.

+6

I just installed Bolt and it looks much better than using standard rules and a simulator through the Firebase interface.

You do need to use the Bolt syntax, but in any case I find it much easier than the standard rules, especially once they become large and complex, since Bolt lets you create functions to reuse common read / write / validation logic. Testing was just a bonus for me.

A few notes:

  • The instructions say to install firebase-bolt globally, but node cannot find it unless it is installed locally or you are linking to the global installation.
  • See this answer for getting started with mocha. If you add --ui tdd to "test": "mocha --ui tdd" in the scripts section of your package.json file and you save your tests in test/test.js, you just need to run npm test to run all your tests.
+3

  • To develop your own rules, you can use Targaryen.
  • To test your rules on a live db, you can use the REST API with a token whose debug flag is set to true (the database secret used to create this token is deprecated, and I don't think you can create such a token using the new Firebase Admin SDK); the response header will include debug information about the evaluation of the rules.
  • To debug your rules against production data, use the simulator in the Firebase console (note that AFAIK it does not allow simulating the update operation).
+2
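Neither Targaryen nor Bolt can be run offline here, so the following is an added example (not code from any of the answers, and not the Firebase rules engine, Targaryen or Bolt themselves): a small self-contained JavaScript model of the one piece of rule semantics that most often produces the "lack of security" the question mentions and that the second and third answers propose to test for. A `.read` or `.write` that is true at a parent cascades down to every child, while `.validate` only ever restricts. The rule sets (`leakyRules`, `fixedRules`), the identities `alice` and `mallory` and the paths are constructed sample data, and plain predicate functions stand in for rules-language expressions. `checkProfileIsolation` returns the results object that a mocha test run via `npm test`, as in the Bolt answer, would assert on.

```javascript
// Added example: a toy model of Firebase Realtime Database rule cascading.
// This is NOT Firebase's engine, Targaryen or Bolt; it only reproduces two
// rules of thumb that real rule tests should pin down:
//   1. A `.read`/`.write` that is true at an ancestor grants access to the
//      whole subtree below it (permissions cascade downward, never upward).
//   2. `.validate` never grants anything; every `.validate` from the root to
//      the written node must hold, or the write is rejected.
// Rule nodes hold predicate functions instead of rules-language strings, and
// `$name` keys are wildcards bound to the matching path segment.
// (Child `.validate` rules inside a nested multi-location write are not modelled.)

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Find the rule node for one path segment: exact key first, then a wildcard.
// hasOwn keeps prototype names such as "constructor" from matching a node.
function matchChild(node, segment) {
  if (hasOwn(node, segment) && !segment.startsWith('.')) {
    return { child: node[segment], binding: null };
  }
  const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
  return wildcard ? { child: node[wildcard], binding: [wildcard, segment] } : null;
}

// Walk from the root to the deepest rule node matching `path`, returning
// every node on the way together with the wildcard bindings collected so far.
function walk(rules, path) {
  const chain = [{ node: rules, vars: {} }];
  let node = rules;
  let vars = {};
  for (const seg of path.split('/').filter(Boolean)) {
    const m = matchChild(node, seg);
    if (!m) break; // no deeper rules: the ancestors' rules still apply
    vars = m.binding ? { ...vars, [m.binding[0]]: m.binding[1] } : vars;
    node = m.child;
    chain.push({ node, vars });
  }
  return chain;
}

const holds = (node, key, ctx) => typeof node[key] === 'function' && node[key](ctx) === true;

function canRead(rules, auth, path) {
  // Any ancestor-or-self `.read` evaluating to true is enough.
  return walk(rules, path).some(({ node, vars }) => holds(node, '.read', { auth, vars }));
}

function canWrite(rules, auth, path, newData) {
  const chain = walk(rules, path);
  const granted = chain.some(({ node, vars }) => holds(node, '.write', { auth, vars, newData }));
  if (!granted) return false;
  // Every `.validate` on the path must pass; a node without one is fine.
  return chain.every(({ node, vars }) =>
    typeof node['.validate'] !== 'function' || holds(node, '.validate', { auth, vars, newData }));
}

// Constructed sample rule sets. `leakyRules` is the classic mistake: the
// `.read` sits on /users, so every signed-in user can read every profile.
const isEmail = ({ newData }) => typeof newData === 'string' && newData.includes('@');
const isOwner = ({ auth, vars }) => auth !== null && auth.uid === vars.$uid;

const leakyRules = {
  users: {
    '.read': ({ auth }) => auth !== null,
    $uid: { '.write': isOwner, email: { '.validate': isEmail } },
  },
};

const fixedRules = {
  users: {
    $uid: { '.read': isOwner, '.write': isOwner, email: { '.validate': isEmail } },
  },
};

// Constructed sample identities; the returned object is what a mocha test
// would assert on, one property per expectation.
const alice = { uid: 'alice' };
const mallory = { uid: 'mallory' };

function checkProfileIsolation(rules) {
  const p = '/users/alice/email';
  return {
    ownerReads: canRead(rules, alice, p),
    strangerReads: canRead(rules, mallory, p),
    anonReads: canRead(rules, null, p),
    ownerWritesValid: canWrite(rules, alice, p, 'alice@example.com'),
    ownerWritesInvalid: canWrite(rules, alice, p, 'not-an-email'),
    strangerWrites: canWrite(rules, mallory, p, 'mallory@example.com'),
  };
}

console.log('leaky:', checkProfileIsolation(leakyRules));
console.log('fixed:', checkProfileIsolation(fixedRules));
```

The useful habit this encodes is the negative case: a rules test suite that only checks that the owner can read and write will pass against `leakyRules` too. It is the `strangerReads` check, written against every path that holds per-user data, that catches a `.read` placed one level too high, whichever tool (Targaryen, a Bolt test file, or the console simulator) is used to run it.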

Source: https://habr.com/ru/post/1233692/

