I'm working hard on putting up a Firebase backend. In the beginning it is very straightforward, but as the rules grow it is harder to spot a security flaw. What are the options to actually test the rules? I've looked into Targaryen, which is a 3rd-party library, but can't get it up and running on OSX. Is there a more common approach to testing the rules? What is the most common approach to Firebase security tests?
- Did you check out [Bolt](https://github.com/firebase/bolt)? It has built-in validation and testing. – Kato Oct 14 '15 at 22:38
- No, I haven't. But I will check it out. But what is the most common way to test the rules? Or is everyone just depending on "hopefully I wrote this correctly"? – musse1 Oct 15 '15 at 06:55
- The rules simulator and Bolt would be the common methods for testing. – Kato Oct 15 '15 at 20:00
3 Answers
If you haven't seen it yet, in the Firebase control panel for your app there are a number of options down the left side: Data, Security and Rules, Simulator. Simulator is the one you want.
Once there, you can authenticate as a user and then test read and write ability on different child nodes.
We crafted our own small app to read/write to different nodes: as our app grew, so did the complexity of the rules, and it just made it easier to bang through testing 20 nodes via the app than one at a time in the simulator. Our testing app is all of about 100 lines of code.
- Ah, cool. Totally missed that one. What about automated tests? Do I have to look into a 3rd-party library like Targaryen to create automated tests, or is there a common way to do them as well? – musse1 Oct 16 '15 at 07:06
- Depends on your definition of 'automated tests'. The tiny app we wrote is pretty well automated. One click and it tells us if all of the rules are working and, if not, which node needs to be addressed. – Jay Oct 16 '15 at 13:25
- Can you test writes with your custom app? Maybe you have a development copy of your Firebase for testing so you don't corrupt production? – 19Craig Feb 17 '16 at 18:24
- I am experimenting with Targaryen. It looks very good, especially using mocha + chai. But it has two drawbacks. 1) It is not really active (https://github.com/goldibex/targaryen/graphs/contributors). 2) It is not officially supported by Firebase, which could mean that it is not doing exactly the same checks that Firebase does (?????) – Seb Jul 05 '16 at 14:05
- The old Firebase docs had Targaryen on the 3rd-party list, and Targaryen@3 is closer to the specs; it includes e2e tests against a live db. – Dinoboff Feb 12 '17 at 23:22
I've just set up Bolt and it looks like a much better option than using the standard rules and simulator through the Firebase UI.
You do need to actually use the Bolt syntax, but I find it's much easier than the standard rules anyway, especially if they are getting large and complex, since Bolt allows you to create functions to re-use common code for read/write/validate logic. The testing was just a bonus for me.
- Introduction to Bolt: https://www.firebase.com/blog/2015-11-12-security-rules-bolt-user-data.html
- Testing instructions: https://github.com/firebase/bolt/issues/80
A few things to note:
- The instructions say to install `firebase-bolt` globally, but node can't find it unless it's installed locally or you link to the global install.
- See this answer to get mocha running. If you add `--ui tdd` to `"test": "mocha --ui tdd"` in the `scripts` section of your `package.json` file and you keep your tests in `test/test.js`, then you just need to run `npm test` to run all your tests.
- I've just started to play with Bolt, but it has not been very active since Feb 2016: https://github.com/firebase/bolt/graphs/contributors. The tests don't work on Firebase 3.0 – Seb Jul 05 '16 at 14:07
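As an added illustration of the re-use the Bolt answer above describes (this is not code from the question, the answers or the Bolt project; the paths, field names and length limits are made up), here is a Bolt file in which the ownership check lives in one function and the value constraints live in types, so a change to either is made in one place rather than in every node's rule:

```bolt
// Added example rules for a per-user profile tree. Path names, field
// names and limits are invented for illustration.

// Shared predicates, reused by every path below instead of repeating
// the same auth expression in each rule.
isSignedIn() { auth != null }
isCurrentUser(uid) { isSignedIn() && auth.uid == uid }

// Constrained primitive types keep validation logic in one place.
type ShortString extends String {
  validate() { this.length > 0 && this.length <= 64 }
}

type PastTimestamp extends Number {
  validate() { this <= now }
}

// A closed record: writes that add fields not listed here, or values
// that fail the type checks above, are rejected.
type Profile {
  displayName: ShortString,
  email: ShortString,
  createdAt: PastTimestamp
}

// Only the owner may read or write their own profile.
path /users/{uid} is Profile {
  read() { isCurrentUser(uid) }
  write() { isCurrentUser(uid) }
}

// A directory any signed-in user may read, but only the owner may
// create, update or delete their own entry.
path /directory/{uid} {
  read() { isSignedIn() }
  write() { isCurrentUser(uid) }
}
```

Compile it with `firebase-bolt` to produce the JSON rules file you deploy and feed to the simulator or to Targaryen.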
- To develop your rules you can use Targaryen.
- To test your rules against a live db, you can use the REST API with a token that has the debug flag set to true (the database secrets used to create those tokens are deprecated, but I don't think you can create such tokens with the new Firebase Admin SDK); the response header will include debug info about rule evaluation.
- To debug your rules against production data, use the simulator in the Firebase console (note that it doesn't allow you to simulate update operations, AFAIK).