Slide 1

Slide 1 text

Security Rules Unit Testing: Pipeline Integration for Firestore
Surahutomo Aziz Pradana, Google Developer Expert in Firebase
Firebase Dev Day 2023, organized by GDG Bangkok and Firebase Thailand

Slide 2

Slide 2 text

Let’s get to know each other! (Timeline: Web Mentor, Lead, Co-Lead; years 2015, 2017, 2019, 2022)

Slide 3

Slide 3 text

Sensitive resources Realtime Database Firestore Storage

Slide 4

Slide 4 text

Security Rules Realtime Database Firestore Storage Sensitive resources

Slide 5

Slide 5 text

Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous

Slide 6

Slide 6 text

Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous Admin

Slide 7

Slide 7 text

Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous Admin Developer

Slide 8

Slide 8 text

What kinds of protection can security rules provide?

Slide 9

Slide 9 text

Anonymous → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Prebuilt public and private keys to prevent anomalous access

Slide 10

Slide 10 text

Anonymous → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Prebuilt public and private keys to prevent anomalous access
- Prebuilt protection from malicious attacks

Slide 11

Slide 11 text

Admin → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Updating the wrong record accidentally

Slide 12

Slide 12 text

Admin → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Updating the wrong record accidentally
- Manipulating the data, or fraud

Slide 13

Slide 13 text

Admin → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Updating the wrong record accidentally
- Manipulating the data, or fraud
- A hacked admin account used for suspicious actions

Slide 14

Slide 14 text

Developer → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Prevent bugs by enforcing payload consistency in code

Slide 15

Slide 15 text

firestore.rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /members/{memberId} {
      // Accept only payloads that carry a "uid" key. The slide wrote
      // hasKey(["uid"]), which is not a rules function; keys().hasAll() is.
      allow write: if request.resource.data.keys().hasAll(["uid"]);
    }
  }
}

Slide 16

Slide 16 text

Developer → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Prevent bugs by enforcing payload consistency in code
- Prevent bugs when a developer forgets a specific rule in the user flow

Slide 17

Slide 17 text

firestore.rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Centralized condition reused by the matches below. The body is an
    // assumed example; the slide only shows "// return some special condition".
    function withSpecialCondition(role) {
      return request.auth != null && request.auth.token.role == role;
    }
    match /members/{memberId} {
      allow write: if withSpecialCondition("special_role");
    }
  }
}

Slide 18

Slide 18 text

Developer → Security Rules → Realtime Database / Firestore / Storage (Google Server)
- Prevent bugs by enforcing payload consistency in code
- Prevent bugs when a developer forgets a specific rule in the user flow
- Increase code quality with a strong, centralized data flow and its operations

Slide 19

Slide 19 text

firestore.rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Shared function logic; the body is an assumed example, the slide leaves
    // it as the placeholder "// return some function logic".
    function someFunction(role) {
      return request.auth != null && request.auth.token.role == role;
    }
    // collection name 1 and condition 1 are placeholders from the slide
    match /collectionOne/{docId} {
      allow write: if someFunction("role_one");
    }
    // collection name 2 and condition 2 are placeholders from the slide
    match /collectionTwo/{docId} {
      allow read: if someFunction("role_two");
    }
  }
}

Slide 20

Slide 20 text

Now, the question is: is that protection enough?

Slide 21

Slide 21 text

Technically … YES

Slide 22

Slide 22 text

But operationally … nope

Slide 23

Slide 23 text

There is a story; let me introduce you to them!

Slide 24

Slide 24 text

His name is Pyro-chan. He is a fresh-graduate engineer.

Slide 25

Slide 25 text

His name is Mr. Dart. He is a senior software engineer.

Slide 26

Slide 26 text

They are childhood friends who share the same interest in tech!

Slide 27

Slide 27 text

So, “Operationally … nope”. What might be missing, I wonder?

Slide 28

Slide 28 text

Well, the factor is actually “human error”

Slide 29

Slide 29 text

Oh yeah, I remember! I think I made those mistakes, ehehe

Slide 30

Slide 30 text

Long time ago … “Oh no! I have a product demo in a minute, I need to rush and finish this code!”

Slide 31

Slide 31 text

Then … “Oh my, it broke my old code :( I didn’t realize it!”

Slide 32

Slide 32 text

Long time ago … “Alright, easy tasks done! Let’s go home!”

Slide 33

Slide 33 text

Then … “Oh my, it broke my old code :( I didn’t realize it!”

Slide 34

Slide 34 text

Long time ago … “OKAY! This time I concentrated and did not underestimate the code changes. Looks fine!”

Slide 35

Slide 35 text

Then … “Oh my, it broke my code: the library changed its implementation and I didn’t realize it :(”

Slide 36

Slide 36 text

See, because of those …

Slide 37

Slide 37 text

It might cause us:
- Money loss
- Data breaches
- Anomalous data

Slide 38

Slide 38 text

Sorry

Slide 39

Slide 39 text

It’s okay, learning is what’s really important!

Slide 40

Slide 40 text

Let me tell you something

Slide 41

Slide 41 text

There are at least 3 levels:
- Tech: building the security
- Testing: testing the security level
- Auto: automating the testing process
Minimize human error by building this! So …

Slide 42

Slide 42 text

In that case, what we can do is

Slide 43

Slide 43 text

Steps:
● Build our tests for the security rules
● Automate running the security rules tests
● Protect the branch with the automation!

Slide 44

Slide 44 text

Ahh … interesting?

Slide 45

Slide 45 text

So, Dana, can you show us how?

Slide 46

Slide 46 text

Thank you!
- in/retzd
- @retzd_
- medium.com/@retzd
- g.dev/retzd
- devpost.com/retzd
Don’t forget to contact Dana; he is super helpful about Firebase!