Description
Operating System
Any
Browser Version
Any
Firebase SDK Version
9.14.0
Firebase SDK Product:
Firestore, Functions
Describe your project's tooling
VS Code set up as a generic project
Describe the problem
firebase/rules-unit-testing is a great way to test security rules, it allows easy switching between simulated users to check security from various users perspectives.
However, when your test involves calling a cloud function as such a simulated user, there is no way to do this. An example workflow:
- Use authenticatedContext to switch to "Alice"
- Call secured cloud function, which Alice is allowed to call
- Unit test can expect "success"
- Use authenticatedContext to switch to "Bob"
- Call same secured cloud function, but Bob isn't on the list of allowed callees
- Unit test can expect "failure"
I have searched around looking for a way to do this, but there is no mention out there on the internet.
So if it is possible, I would suggest that the documentation is updated.
If it is not possible, I would suggest adding this to firebase/rules-unit-testing which has a nice environment in place already.
I am not sure how major deployments of firebase are out there without automated testing for their security, and I feel that this is something that should not be overlooked.
Steps and code to reproduce issue
Make a new project with a cloud function that returns the authentication data.
Make a unit test that creates a simulated user with rules-unit-testing.
Hack the rules-unit-testing library to return a function object, and injected the authentication parameters into it.
Call the cloud function.
Expect to see authentication in the returned data.
It wasn't there.