Firestore rules simulator with custom claims


Malte Redschlag

May 4, 2019, 10:28:42 AM5/4/19
to Firebase Google Group
Hi,

When testing/evaluating rules in the "firestore simulator" with custom claims on the auth object and a login with email and password (I guess it won't work for other logins either?), the custom claims connected to the uid are not added to the auth token/object and the rules (actually the read/write operations) fail. When reading data logged into the real application, the rules work fine. For testing this feels like a nightmare.

What do I mean?

I have the following rule defined:

match /users/{userId} {
    allow read: if isSignedIn() && (request.auth.uid == userId || (isManager() && resource.data.ns == getNamespace()));
    allow write: if isSignedIn() && (request.auth.uid == userId || (isManager() && request.resource.data.ns == getNamespace()));
}

and the following helper functions:

//Functions
function isSignedIn() {
    return request.auth != null;
}
function isManager() {
    return request.auth.token.pm == true;
}
function getNamespace() {
    return request.auth.token.ns;
}

In the simulator area I chose "authenticated" and my provider is "password". I then use the uid of a user who has the claims used (request.auth.token.pm == true and request.auth.token.ns corresponds to the "ns" field in the data of the user I try to read) and a valid password.

I try to read a user with matching "ns/namespace" but the evaluation of the rule already fails on "isManager()" even though my user does have the right claim.

The Authentication-Payload:
{
  "uid": "9mcyD3RodwMpJ89Sasomemoreboring",
  "token": {
    "sub": "9mcyD3RodwMpJ89Sasomemoreboring",
    "aud": "some-project-id-123",
    "email": "some-...@gmail.com",
    "email_verified": true,
    "firebase": {
      "sign_in_provider": "password"
    }
  }
}

Here it becomes clear that the authentication payload used by the simulator does not contain the custom claims set on the Firebase account for that uid. For better testability of Firestore rules with the in-browser simulator, it would be great if the auth payload contained the custom claims.

Thank you very much and kind regards
Malte Redschlag

Kato Richardson

May 6, 2019, 5:30:52 PM5/6/19
to Firebase Google Group
Hi Malte,

Great to hear from you! I think you can just add the custom claims into the mock user object when you run firebase.initializeTestApp(...). There's a sample doing so here.

Note that there's a Stack Overflow post here that suggests both passing them on the top level of the auth object or under the `token` field. I'm not sure which actually works : )

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/60c6bfd1-4f0a-410c-810e-9b76520f537c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Malte Redschlag

May 7, 2019, 10:23:07 AM5/7/19
to Firebase Google Group
Hi Kato,
Thanks for the reply, but I am talking about the simulator in the webconsole, not running tests from code.

Kato Richardson

May 8, 2019, 4:47:26 PM5/8/19
to Firebase Google Group
Sorry I missed that detail. Doesn't look like it's supported in the console simulator right now. Running locally with the emulator would probably be a better option.

☼, Kato

From: Malte Redschlag <malte.r...@bmtg.ch>
Date: Tue, May 7, 2019 at 7:23 AM
To: Firebase Google Group


Alan Escobar Martinez

May 8, 2019, 10:56:33 PM5/8/19
to Firebase Google Group
Hello Malte,

I think this is a misunderstanding, because the main objective of using that web tool is to "emulate" requests made from users without using any real information, including the custom claims.

In that sense, you need to provide all the information to be used by the rules in the comparison. To do so, you can mark the "authenticated" checkbox and select "custom" as the provider, in that way, you will be able to modify the token and add the information needed by your rules (custom claims), emulating the request from a real user.

I hope this information helps you :)
Alan
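To make the two answers concrete, here is an added example (not code from the thread, and not the Firestore rules engine) that models the /users/{userId} rules Malte posted in plain JavaScript and evaluates them against two constructed auth payloads: one shaped like the simulator's "password" payload from the thread, which carries no custom claims, and one shaped like what Alan describes entering by hand with the "custom" provider, where pm and ns are supplied under token. The uids, namespace values and e-mail address are made up for the example; the rule logic is transcribed from the thread.

```javascript
// Added example: plain-JavaScript model of the rules from the thread.
// It mirrors the boolean logic only; it does not talk to Firestore.

// Helper functions, transcribed from the rules posted above.
function isSignedIn(request) {
  return request.auth != null;
}
function isManager(request) {
  // In real rules, reading a field that is absent from the token (pm on a
  // token without custom claims) is an error and the request is denied;
  // in this model the comparison is simply false, with the same outcome.
  return request.auth.token.pm === true;
}
function getNamespace(request) {
  return request.auth.token.ns;
}

// allow read / allow write for match /users/{userId}
function allowRead(request, userId, resource) {
  return isSignedIn(request) &&
    (request.auth.uid === userId ||
      (isManager(request) && resource.data.ns === getNamespace(request)));
}
function allowWrite(request, userId) {
  return isSignedIn(request) &&
    (request.auth.uid === userId ||
      (isManager(request) && request.resource.data.ns === getNamespace(request)));
}

// Constructed identifiers (hypothetical values, not from the thread).
const MANAGER_UID = 'manager-uid-example';
const TARGET_UID = 'other-user-uid-example';

// Payload shaped like the simulator's "password" provider output in the
// thread: identity fields only, no custom claims.
const passwordProviderAuth = {
  uid: MANAGER_UID,
  token: {
    sub: MANAGER_UID,
    aud: 'some-project-id-123',
    email: 'manager@example.com',
    email_verified: true,
    firebase: { sign_in_provider: 'password' },
  },
};

// Payload as it has to be written by hand with the "custom" provider:
// same identity, plus the claims the rules read, nested under token.
const customProviderAuth = {
  uid: MANAGER_UID,
  token: {
    sub: MANAGER_UID,
    aud: 'some-project-id-123',
    pm: true,
    ns: 'team-a',
    firebase: { sign_in_provider: 'custom' },
  },
};

// Constructed stored documents being read.
const userDocSameNs = { data: { ns: 'team-a' } };
const userDocOtherNs = { data: { ns: 'team-b' } };

// Run the scenarios from the thread and return every decision.
function evaluateScenarios() {
  return {
    // Manager reads another user's doc in their namespace, claims missing.
    passwordRead: allowRead({ auth: passwordProviderAuth }, TARGET_UID, userDocSameNs),
    // Same request once the claims are present under token.
    customRead: allowRead({ auth: customProviderAuth }, TARGET_UID, userDocSameNs),
    // Claims present, but the document belongs to a different namespace.
    customReadOtherNs: allowRead({ auth: customProviderAuth }, TARGET_UID, userDocOtherNs),
    // Claims present, write keeps the doc inside the manager's namespace.
    customWrite: allowWrite(
      { auth: customProviderAuth, resource: { data: { ns: 'team-a' } } }, TARGET_UID),
    // Claims present, write would move the doc into another namespace.
    customWriteOtherNs: allowWrite(
      { auth: customProviderAuth, resource: { data: { ns: 'team-b' } } }, TARGET_UID),
    // A user's own document is readable without any claims.
    ownRead: allowRead({ auth: passwordProviderAuth }, MANAGER_UID, userDocOtherNs),
    // Unauthenticated request.
    anonRead: allowRead({ auth: null }, TARGET_UID, userDocSameNs),
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(evaluateScenarios());
}
```

Running it shows passwordRead false and customRead true, which is exactly the difference between the simulator's generated password payload and a hand-written custom-provider token. The namespace checks also show why the ns claim has to be present on the token and not only pm: a manager token with the wrong ns is still denied for both reads and writes.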

Guanaco Devs

May 9, 2019, 10:46:26 AM5/9/19
to Firebase Google Group
Wow, where were you a month ago???
That's great!! Thank you for sharing