Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Rules Unit Testing Pipeline Integration for Firestore

Firebase Thailand
April 01, 2023
Technology
0
100

Security Rules Unit Testing Pipeline Integration for Firestore

Making sure the quality of our apps and web to be stable all the time would be challenging especially for critical issue such as security rules, here we will talk about how developers can integrate their security rules for cloud firestore within a pipeline integration for continuous deployment for a modern web application. We will get to know about Firebase Security Rules, Firebase Rules Testing Library. Firebase Emulator Suite, Cloud Firestore and Github Pipeline Integration.

Firebase Thailand

April 01, 2023
Tweet

More Decks by Firebase Thailand

See All by Firebase Thailand
Say Hello to Cloud Functions for Firebase 2nd Gen
firebasethailand
1
230
What's New in Firebase 2023
firebasethailand
3
520
Building a more Efficient Firestore Web App
firebasethailand
1
150
Developing with Firebase - Best Practices
firebasethailand
0
150
Analyze your production issue on Firebase Crashlytics more efficient with BigQuery
firebasethailand
0
250
What I learn from Firebase when build Saifah
firebasethailand
0
120
Building Simple Collaborative Online IDE with AngularFire and Firepad
firebasethailand
0
96
Full-Stack Development with FlutterFire
firebasethailand
0
130
From Feature Flags to Personalisation with Firebase Remote Config
firebasethailand
0
380

Other Decks in Technology

See All in Technology
One engineer company with Ruby on Rails
rstankov
2
180
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
5
390
Azureの基本的な権限管理の勉強会
yhana
0
770
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.3k
競技としてのKaggle、役に立つKaggle
yu4u
5
2k
アクセス制御にまつわる改善 / Improving access control
itkq
0
560
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
3
540
Building Dashboards as a Hobby
egmc
0
280
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
150
JAWS-UG Bedrock Claude Night
yamahiro
3
620
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
2
200

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
The Cult of Friendly URLs
andyhume
74
5.7k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
4 Signs Your Business is Dying
shpigford
175
21k
How to train your dragon (web standard)
notwaldorf
73
5.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Making Projects Easy
brettharned
108
5.5k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
322
20k

Transcript

  1. Security Rules Unit Testing Pipeline Integration for Firestore Google Developer

    Expert in Firebase Surahutomo Aziz Pradana Firebase Dev Day 2023 GDG Bangkok Firebase Thailand Organized by

  2. Let’s get to know each other! Now Web Mentor Lead

    Co-Lead 2015 2022 2019 2017

  3. Sensitive resources Realtime Database Firestore Storage

  4. Security Rules Realtime Database Firestore Storage Sensitive resources

  5. Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous

  6. Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous

    Admin

  7. Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous

    Admin Developer

  8. What kind of protection that security rules can protect ?

  9. ? Anonymous Security Rules Realtime Database Firestore Storage Google Server

    - Prebuilt public and private key to prevent anomaly access X

  10. ? Anonymous Security Rules Realtime Database Firestore Storage Google Server

    - Prebuilt public and private key to prevent anomaly access - Prebuilt protect from any malicious attack X

  11. Admin Security Rules Realtime Database Firestore Storage Google Server -

    Updating the wrong record accidentally X

  12. Admin Security Rules Realtime Database Firestore Storage Google Server -

    Updating the wrong record accidentally - Manipulating the data or fraud X

  13. Admin Security Rules Realtime Database Firestore Storage Google Server -

    Updating the wrong record accidentally - Manipulating the data or fraud - Hacked admin account for suspicious action X

  14. Developer Security Rules Realtime Database Firestore Storage Google Server -

    Prevent bugs by protecting code payload consistency X

  15. rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { match

    /members/{memberId} { allow write: if hasKey(["uid"]) } } } firestore.rules

  16. Developer Security Rules Realtime Database Firestore Storage Google Server -

    Prevent bugs by protecting code payload consistency - Prevent bugs when dev forget the specific rule in user flow journey X

  17. rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { function

    withSpecialCondition(role) { // return some special condition } match /members/{memberId} { allow write: if withSpecialCondition("special_role") } } } firestore.rules

  18. Developer Security Rules Realtime Database Firestore Storage Google Server -

    Prevent bugs by protecting code payload consistency - Prevent bugs when dev forget the specific rule in user flow journey - Increase code quality by using strong and centralized data flow and its operation X

  19. rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { function

    someFunction(role) { // return some function logic } match // collection name 1 { allow write: if // some condition 1 } match // collection name 2 { allow read: if // some condition 2 } } } firestore.rules

  20. Now, question is Is that protection enough ?

  21. Technically … YES

  22. But actually operationally … Nope

  23. There is a story, lemme introduce you to them !

  24. His name is Pyro-chan~ He is new fresh graduate engineer

  25. His name is Mr.Dart He is Senior Software Engineer

  26. They are childhood friends that has the same interest into

    tech!

  27. So, “Operationally … Nope” What might be missing i wonder

    ?

  28. Well, the factor is actually “Human Error”

  29. Oh yeahh, i remember! I think i had those mistakes

    ehehe

  30. Oh nooo! I have a product demo in a minute,

    I need to rush and finish this code ! Long time ago …

  31. Oh my, it breaks my old code :( I didn’t

    realize it! Then …

  32. Alright easy tasks, done! Let’s go home! Long time ago

  33. Oh my, it breaks my old code :( I didn’t

    realize it! Then …

  34. OKAY! This time i concentrated and not underestimate the code

    changes, looks fine! Long time ago …

  35. Oh my, it breaks my code, the library has changed

    its implementation and i didn’t realize it :( Then …

  36. See, because of those ..

  37. It might causing us : - Money Loss - Data

    breached - Anomaly data

  38. Sorry

  39. It’s okay, learning is what’s really important!

  40. Let me tell you something

  41. At least there are 3 levels Tech Testing Auto Building

    the security Testing the security level Automate the testing process Minimize human error by building this! So ..

  42. In that case what we can do is

  43. Steps : • Build our testing for security rules •

    Automate running the security rules testing • Protect the branch with the automation !

  44. Ahh.. Interesting ? ?

  45. So, Dana can you show us how ?

  46. in/retzd @retzd_ medium.com/@retzd g.dev/retzd devpost.com/retzd Thank you! Don’t forget to

    contact Dana, he is super helpful about Firebase!