added storage security rules with tests

VGVentures · May 10, 2024 · 56f3d6d · 56f3d6d
1 parent 40dc5ef
commit 56f3d6d
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 3 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/firebase.json b/firebase.json
@@ -38,5 +38,8 @@
       "**/.*",
       "**/node_modules/**"
     ]
+  },
+  "storage": {
+    "rules": "storage.rules"
   }
 }
diff --git a/functions/package.json b/functions/package.json
@@ -11,9 +11,9 @@
     "shell": "npm run build && firebase functions:shell",
     "deploy": "firebase deploy --only functions",
     "logs": "firebase functions:log",
-    "test": "npm run test-rules && npm run test-cloud-functions",
-    "test-firestore": "mocha -r ts-node/register --reporter spec test/rules.ts",
-    "test-rules": "firebase emulators:exec --only firestore 'npm run test-firestore --exit'",
+    "test": "npm run test-rules-emulators && npm run test-cloud-functions",
+    "test-rules": "mocha -r ts-node/register --reporter spec test/rules.ts",
+    "test-rules-emulators": "firebase emulators:exec --only firestore,storage 'npm run test-rules --exit'",
     "test-cloud-functions": "mocha -r ts-node/register --reporter spec test/**/*.ts --exclude test/rules.ts --exit"
   },
   "name": "functions",

diff --git a/functions/test/rules.ts b/functions/test/rules.ts
@@ -6,6 +6,7 @@ import {
   RulesTestEnvironment,
 } from "@firebase/rules-unit-testing";
 import {doc, setDoc, getDoc} from "firebase/firestore";
+import {ref, deleteObject, uploadBytes, getDownloadURL} from "firebase/storage";
 import "mocha";
 
 let testEnv: RulesTestEnvironment;
@@ -17,6 +18,11 @@ before(async () => {
       port: 8080,
       rules: readFileSync("../firestore.rules", "utf8"),
     },
+    storage: {
+      host: "localhost",
+      port: 9199,
+      rules: readFileSync("../storage.rules", "utf8"),
+    },
   });
 });
 
@@ -127,3 +133,25 @@ describe("answers", () => {
     );
   });
 });
+
+describe("storage", () => {
+  it("should only allow read, not write, if path is 'share'", async () => {
+    const noAuthStorage = testEnv.unauthenticatedContext().storage();
+    const blob = new Blob(["Hello, world!"], {type: "text/plain"});
+    const path = "share/example.txt";
+
+    const shareRef = ref(noAuthStorage, path);
+
+    await testEnv.withSecurityRulesDisabled(async (context) => {
+      const storage = context.storage();
+      await uploadBytes(ref(storage, path), blob);
+    });
+
+    //can read object if path is 'share'
+    await assertSucceeds(getDownloadURL(shareRef));
+
+    //cannot write objects
+    await assertFails(uploadBytes(shareRef, blob));
+    await assertFails(deleteObject(shareRef));
+  });
+});
diff --git a/storage.rules b/storage.rules
@@ -0,0 +1,13 @@
+rules_version = '2';
+
+service firebase.storage {
+  match /b/{bucket}/o {
+    match /{allPaths=**} {
+      allow read, write: if false;
+    }
+
+    match /share/{allPaths=**} {
+      allow read: if true;
+    }
+  }
+}