Prevent deployment of insecure rules on Firebase or Firestore

Time:03-19

@askfirebase Is there any solution to prevent deployment of insecure rules ?

Getting notified after 24 hours might be a little too late!

CodePudding user response:

There is nothing built into Firebase to detect/prevent deploying rules that would be marked as insecure. It's an interesting idea though, so I recommend you file a feature request for it.

If you'd like this feature to catch mistakes by yourself or collaborators on your project, the easiest way to implement this yourself would probably be to check the size of the rules file. The default rules are quite small compared to most actual rules, so setting a minimum threshold before you call firebase deploy might be a good quick check.
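A sketch of the pre-deploy check this answer suggests, extended beyond the size threshold with a scan for unconditional `allow` statements; it is an added example, not code from either poster or from Firebase. The script name `check-rules.js`, the 300-byte threshold and the regex heuristics are assumptions.

```javascript
// Added example: pre-deploy gate for firestore.rules (a text heuristic, not a rules parser).
// MIN_BYTES is an assumed threshold; tune it to the size of your project's real rules file.
const MIN_BYTES = 300;

// Remove /* */ and // comments so commented-out rules are not counted.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');
}

// Returns a list of findings; an empty list means the file passed.
function checkRules(src, minBytes = MIN_BYTES) {
  const findings = [];
  const size = Buffer.byteLength(src, 'utf8');
  if (size < minBytes) {
    findings.push(`file is ${size} bytes, below the ${minBytes}-byte minimum`);
  }
  // Matches: allow <methods>[: if <condition>];
  const allowRe = /\ballow\s+([^:;]+?)\s*(?::\s*if\b([^;]*))?;/g;
  for (const m of stripComments(src).matchAll(allowRe)) {
    const methods = m[1].replace(/\s+/g, ' ');
    const cond = m[2] === undefined ? undefined : m[2].trim();
    if (cond === undefined) {
      findings.push(`"allow ${methods}" has no condition`);
    } else if (cond === 'true') {
      findings.push(`"allow ${methods}" is granted with "if true"`);
    } else if (/^request\.time\s*<\s*timestamp\.date\(/.test(cond)) {
      findings.push(`"allow ${methods}" is only time-limited (test-mode rule)`);
    }
  }
  return findings;
}

// CLI: node check-rules.js firestore.rules  (exits 1 on any finding)
if (process.argv[2]) {
  import('node:fs').then((fs) => {
    const findings = checkRules(fs.readFileSync(process.argv[2], 'utf8'));
    findings.forEach((f) => console.error(`insecure rules: ${f}`));
    process.exit(findings.length ? 1 : 0);
  });
}
```

Run it as `node check-rules.js firestore.rules && firebase deploy --only firestore:rules`; a non-zero exit stops the deploy. An `if true` on a deliberately public collection will also be reported, so review findings rather than treating each one as a defect.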

CodePudding user response:

My proposed solution is to use unit testing for the rules and an npm script pre hook in the firebase.json file:

"firestore": {
    "predeploy": "mocha spec --exclude spec/_tools.mjs",
    "rules": "firestore.rules"
},

However ... the hook works but mocha is not available in that context:

$ firebase deploy --only firestore:rules

=== Deploying to 'project-v2'...

i  deploying firestore
Running command: echo $(pwd) && mocha spec --exclude spec/_tools.mjs
/home/user/project
/bin/sh: 1: mocha: not found

It is strange because echo $(pwd) prints the same result when used in package.json and in firebase.json.

PS: Could someone explain why mocha is not available in this context?
