A month of Flutter: Firestore create user rules and tests


Originally published on bendyworks.com.

When a user signs in with Google I'm going to create a user document in Firestore. Each authenticated user should only be able to create one user document. These documents will eventually be readable by other users so Firestore needs to have server(less)-side validation to keep the data as correct as possible.
Right now I'm working on registering users, so I'm only going to implement create rules, not read, update, etc.
match /users/{userId} {
  allow create: if isOwner(userId) &&
                  // TODO: enable after bug fix https://github.com/firebase/firebase-tools/issues/1073
                  //  validCreateTimestamps() &&
                  validCreateUser();
}
This will allow a user document to be created only if the authenticated user's ID matches the document ID and the document being created passes validation.
Validation of timestamps is being skipped because of a bug in the emulator that causes tests to hang. I've also been considering moving createdAt and updatedAt timestamps into Cloud Functions but I'm not ready to make that commitment yet.
User document creation is primarily validated with two tests. One to make sure an authenticated user can create their own document and one to make sure a user can't create a document for someone else.
@test
async 'can create self'() {
  const uid = this.user().uid;
  const user = this.db({ uid }).collection('users').doc(uid);
  await firebase.assertSucceeds(user.set(this.validUser));
}

@test
async 'can not create someone else'() {
  const user = this.db(this.user()).collection('users').doc(uuid.v4());
  await firebase.assertFails(user.set(this.validUser));
}
Additionally, there are several tests that iterate over a number of invalid values and assert they fail.
There are a number of helper methods I've defined in firestore.rules:
function isOwner(userId) {
  return request.auth != null &&
          request.auth.uid == userId;
}
The isOwner helper checks to see if the user document ID matches that of the current authenticated user.
function validString(key) {
  return data()[key].trim() == data()[key] &&
          data()[key].size() > 0;
}
The validString helper checks that a required string is non-empty and has no leading or trailing whitespace (trimming it must leave it unchanged).
function validUrl(url) {
  return url.matches('https://[a-zA-Z].+');
}
The validUrl helper checks that a string starts with https://. I'm pretty sure this will not correctly validate some URLs but this value should generally be set to a Google CDN so I don't think invalid hosts will come up.
function validCreateTimestamps() {
  return data().updatedAt == request.time &&
          data().createdAt == request.time;
}
validCreateTimestamps checks that the updatedAt and createdAt values match the time on the request. This works because the client sets those fields to a server-timestamp sentinel that Firestore replaces with the current time.
function validUser() {
  // TODO: prevent extra fields
  return validString('nickname') &&
          validString('fullName') &&
          validString('photoUrl') &&
          validUrl(data().photoUrl);
}

function validCreateUser() {
  return validUser() &&
          data().agreedToTermsAt == request.time;
}
The final two helpers are to validate a user document leveraging all the other helpers. One TODO I've left for the future is to make sure all fields on the document are on an allowed list.
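As an added example (not the post's own code), here is a plain JavaScript model of the helpers above, so the create-time checks can be exercised without the emulator. It assumes the post's data() helper returns request.resource.data, and it adds the field allowlist from the extra-fields TODO.

```javascript
// Added example: a JavaScript model of the firestore.rules helpers in the post,
// so the create-time checks can be exercised without the Firestore emulator.
// Assumption: the post's data() helper returns request.resource.data.

// Stand-in for the sentinel that the server replaces with request.time.
const SERVER_TIMESTAMP = Symbol('serverTimestamp');

// Fields a user document may carry (addresses the "prevent extra fields" TODO).
const ALLOWED_FIELDS = ['nickname', 'fullName', 'photoUrl', 'agreedToTermsAt', 'createdAt', 'updatedAt'];

// In the rules language a missing key raises an error, which denies the write;
// here a non-string simply evaluates to false, which has the same effect.
function validString(data, key) {
  const v = data[key];
  return typeof v === 'string' && v.trim() === v && v.length > 0;
}

// Same pattern as the rules' matches(); matches() requires a full-string match,
// hence the ^ and $ anchors here.
function validUrl(url) {
  return typeof url === 'string' && /^https:\/\/[a-zA-Z].+$/.test(url);
}

function isOwner(auth, userId) {
  return auth != null && auth.uid === userId;
}

function validUser(data) {
  return validString(data, 'nickname') &&
    validString(data, 'fullName') &&
    validString(data, 'photoUrl') &&
    validUrl(data.photoUrl) &&
    Object.keys(data).every((k) => ALLOWED_FIELDS.includes(k));
}

function validCreateUser(data) {
  return validUser(data) && data.agreedToTermsAt === SERVER_TIMESTAMP;
}

// Mirrors "allow create" on /users/{userId}, minus the timestamp check the post disables.
function allowCreate(auth, userId, data) {
  return isOwner(auth, userId) && validCreateUser(data);
}

// Constructed sample request: the signed-in user writing their own document.
const sampleAuth = { uid: 'user-123' };
const sampleDoc = { nickname: 'abraham', fullName: 'Abraham Williams',
  photoUrl: 'https://example.com/photo.jpg', agreedToTermsAt: SERVER_TIMESTAMP };
```

Run allowCreate(sampleAuth, 'user-123', sampleDoc) for the happy path; swapping the userId, stripping the sentinel, or adding a leading space to nickname should each produce a denial.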
I'm not completely happy with how the server tests are currently organized. I will probably do some cleanup in the future to try and make everything more elegant. I plan on adding faker.js for fun too.

Code changes
