18

Given that the Firestore rules structure allows for functions, is there some way to add debug logs to those rule functions, in order to verify that the function you expect is in fact being called?

I see that the simulator shows a red X at the line in the rules structure where access is denied for a given simulation request. However, I am curious about verification in production mode, so it can be communicated to parties concerned about the rules' integrity.

In the example below, I was thinking it might be implemented with that commented-out line:

console.log('ENTER: isAccessOn()');

However, this does not work. Asking here in case there's any option for something like this in the platform, or if not, if there's a suggestion for how to make such verifications with a production deployment. Thanks

service cloud.firestore {
  match /databases/{database}/documents {

    // block client access
    function isAccessOn() {
      // console.log('ENTER: isAccessOn()');
      return false;
    }

    match /{document=**} {
      allow read, write: if isAccessOn();
    }

  }
}
Gene Bo

3 Answers

13

You may want to look into local rules emulation using the Firebase CLI, which is a brand new feature of the CLI. You can do simple logging with the emulator with the debug() function.

However, there is no way to log anything in security rules in production. If you want to verify that your rules work as expected, you should write some integration tests for those and run your tests to make sure access is rejected or allowed according to your specifications.

Doug Stevenson
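One way to write the integration test suggested in the answer above, as an added example that is not part of the original answer: it loads the question's deny-all rules into the Firestore emulator and checks that every client request is rejected. It assumes the `@firebase/rules-unit-testing` package, a run under `firebase emulators:exec` (which sets `FIRESTORE_EMULATOR_HOST`), and a constructed project id and document path; `debug(false)` is added so the emulator also logs each call of `isAccessOn()`.

```javascript
// Added example (not from the original post). Run, for instance, with:
//   firebase emulators:exec --only firestore "node rules.test.js"
// Rules under test: the question's rules, with debug() added so the emulator
// writes every evaluation of isAccessOn() to firestore-debug.log.
const RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isAccessOn() {
      return debug(false);
    }
    match /{document=**} {
      allow read, write: if isAccessOn();
    }
  }
}`;

// Every client request must be rejected, signed in or not (constructed cases).
const CASES = [
  { name: 'anonymous read', uid: null, op: (db) => db.doc('users/alice').get() },
  { name: 'anonymous write', uid: null, op: (db) => db.doc('users/alice').set({ a: 1 }) },
  { name: 'signed-in read', uid: 'alice', op: (db) => db.doc('users/alice').get() },
  { name: 'signed-in write', uid: 'alice', op: (db) => db.doc('users/alice').set({ a: 1 }) },
];

async function runRulesTests() {
  // Loaded lazily so the file can be inspected without the package installed.
  const { initializeTestEnvironment, assertFails } = await import('@firebase/rules-unit-testing');
  const env = await initializeTestEnvironment({
    projectId: 'demo-rules-test', // constructed; "demo-" ids never touch a real project
    firestore: { rules: RULES },
  });
  const failures = [];
  try {
    for (const c of CASES) {
      const ctx = c.uid ? env.authenticatedContext(c.uid) : env.unauthenticatedContext();
      // assertFails resolves only when the rules reject the request.
      await assertFails(c.op(ctx.firestore())).catch(() => failures.push(c.name));
    }
  } finally {
    await env.cleanup();
  }
  return failures; // an empty array means every request was denied
}

// Only talk to the emulator when one is actually running.
if (process.env.FIRESTORE_EMULATOR_HOST) {
  runRulesTests().then((failed) => {
    console.log(failed.length ? `NOT denied: ${failed.join(', ')}` : 'all requests denied');
    process.exitCode = failed.length ? 1 : 0;
  });
}
```

The non-zero exit code on any allowed request lets the same script gate a CI pipeline before `firebase deploy`.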
9

Firestore rules now have a debug() function

It's still not brilliant but better than before.

Stefan
  • 2
    This does not work in production, only on the Firebase emulator. According to the linked docs: "debug function blocks are only executed by the Security Rules engine in the Firestore emulator, part of the Firebase Emulator Suite. The debug function has no effect in production." – Doug Stevenson Oct 28 '20 at 19:33
  • @DougStevenson, ouch & interesting. In OP, the title is general but in OP body I do mention *"production"* for getting the debug output. So now, not sure which answer to accept, because this is in fact useful to provide logging we can get back from the runtime execution even if just at the emulator level. – Gene Bo Oct 29 '20 at 18:00
  • Well, you would typically accept the one that is *most* useful, but upvote all of them that are at least somewhat helpful. – Doug Stevenson Oct 29 '20 at 18:07
  • This is definitely something more available to us than we had before for this kind of debug work/verification, so I will leave the Accept on this one. Standing by for the next iteration :). Thanks Doug – Gene Bo Oct 29 '20 at 19:30
  • 1
    I'd argue that you shouldn't use your production app for debugging ;-) Whatever next, a way to console.log? We'd be so spoiled. – Stefan Oct 29 '20 at 20:52
  • Is there a similar tool for Firebase Realtime Database? – Simon Tran Sep 16 '21 at 17:20
0

You can use the debug function in rules like this:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      // show paths being requested (debug() only logs in the emulator)
      allow create, read, update, delete: if debug(request.path);
    }
  }
}

Then watch the log file:

tail -f firestore-debug.log
uɥƃnɐʌuop