Blaze Security Compiler for Firebase
The blaze compiler simplifies building security rules for Firebase. It drastically reduces the amount of copy and pasting involved. Blaze compiler security rules are shorter, and the syntax is less fussy.
Getting started
npm install -g blaze_compiler
create a rules.yaml containing the following code
functions:
- isLoggedIn(): auth.id !== null
schema: {}
access:
- location: /
read: true
write: true && isLoggedIn()
now compile it from the commandline with
blaze rules.yaml
A rules.json will be generated which you can upload to Firebase!
find more about the functions, simpler rule expressions, the schema definitions, access control or inline tests.
Functions
Common expressions for reuse are defined in the functions list. A function can take arguments (they are functions).
functions:
- isLoggedIn(): auth.username !== null
- isUser(username): auth.username === username
You can then use them anywhere a security expression would be expected, for example, in the access control section:-
access:
location: /users/$userid/
write: isUser($userid)
Simple Security Expressions
Security expressions are the strings that used to go in write/read/validate portions of the old security rules. Blaze expressions have similar semantics but shorter syntax.
Variables renamed
data and newData have been renamed prev and next. root has the same meaning.
Child selection
The expression for selecting a child is now an array-like syntax. What was:
root.child('users')
is now
root['users']
In the common case that you are selecting a child using a single literal, you can select the child as if it were a property. So you can also write the above as:
root.users
Coercion of .val()
In the new syntax, .val() is inserted if the expression is next to an operator or in an array like child selector. You only need to use .val() if you are using a method of a value type like .length, .beginsWith() .contains(...). So
newData.child('counter').val() == data.child('counter').val() + 1
is simplified to just
next.counter == prev.counter + 1
Schema
The schema section describes the layout of the data tree.
Types
A Firebase schema node is either a leaf type (string, number, boolean) or an object which contains more child schema nodes. The type is specified with "type". Children of objects are specified as a map under "properties"
schema:
type: object
properties:
string_child: {type: string}
boolean_child: {type: boolean}
number_child: {type: number}
anything_child: {}
In the above example you could set {string_child: "blah"}
at the root of the Firebase but not {string_child: true}
You can leave a schema unspecified with {} or with type: "any".
required
The required keyword states which children must be present. The required keyword is only valid for schema nodes with object types.
schema:
type: object
required: [child1, child2]
additionalProperties
By default, objects can have additional children not mentioned. If additionalProperties is set to false, however, only children explicitly mentioned in the properties are allowed. The additionalProperties keyword is only valid for object and non-typed schemas.
schema:
type: object
additionalProperties: false
properties:
string_child: {type: string}
would not accept {number_child: 5}
in the root, but without additionalProperties it would.
enum
The enum keyword constrains the value of a string types to be one of the predefined array elements.
schema:
type: string
enum: [yes, no, maybe]
$wildchild
An object can have many children bound to a path variable denoted with a keyword starting with $. Note that wildchilds are not put in the properties definition. The following shows how to accept many objects as children of "/users/"
schema:
type: object
properties:
users:
type: object
$userid: {}
Constraints
The semantics of enforcing data integrity is different from the original rules. There is no overriding of constraints, nor separate read/write/validate expressions. There is just one field for expressing data integrity named constraint. All ancestors and descendant constraints must evaluate to true for a write to be allowed.
The following example, fixes the id of a user to equal the key, and makes the account writable only at creation time.
schema:
type: object
properties:
users:
type: object
$userid:
properties:
id:
type: string
constraint: next == $userid
constraint: (!prev.exists())
You can be sure all constraints above and below evaluate to true for a write to be allowed. The only quirk is related to wildchilds. You can't write anything above a wildchild that includes the wildchild as a descendant. They do inherit their parents constraints though, as do their siblings, so the use of wildchilds never makes the Firebase less constrained accidentally.
Model reuse
Denormalization of data requires replicating a model in multiple places in a schema. JSON Schema allows importing of models across the Internet or within a document through URLs. Currently, blaze only supports in-document reuse.
Model definitions are declared in the keyword definitions object, and references are made using the $ref keyword as follows:
schema:
definitions:
stamped_value:
type: object
properties:
modified: {type: number}
required: [value, modified]
constraint: next.value == prev.value || next.modified == now
type: object
$data: {$ref: "#/definitions/stamped_value"}
In JSON Schema you are able to extend model objects using the allOf modeling construct (example). However, blaze does not currently support this. Let us know if you need it!
Inline testing
Writing a complex schema can be difficult. For example, a typo in a required field could enforce the existence of
a child other than the one intended. For that reason blaze provides keywords for inline testing
of nested schema at compile time.
examples is a list of JSONs that you expect to be accepted by the JSON schema node.
nonexamples is a list of JSONs that you expect to be rejected by the JSON schema node.
These inline tests are good for documenting intent and providing fast feedback when authoring a new schema.
schema:
type: object
properties:
object: {type: object}
string: {type: string }
boolean: {type: boolean}
number: {type: number }
additionalProperties: false
examples:
- {object: {name: "hello"}}
- {string: string}
- {boolean: true}
- {number: 4.6}
nonexamples:
- {object: true}
- {string: {grandchild: true}}
- {boolean: "true"}
- {number: "4.6"}
- {extra: "4.6"}
Access Control
The schema portion of the rules YAML file is for specifying the data layout and constraints. Read/write access is described in a separate access control list under "access". For each entry, the scope of the rule is a subtree at, or below, the path indicated in the location field. Read access is granted to that subtree if the read expression evaluates to true, and write access is granted if the write expression evaluates to true.
functions:
- isLoggedIn(): auth !== null
...
access:
- location: "/"
read: isLoggedIn()
- location: "/users/$userid/"
write: auth.username === $userid
Only one access control entry needs to evaluate to true for an operation to be permitted.
Example
This is an example that exploits most of the new features. It is a messaging system where users can send messages to each other, by posting to other user's inboxes
functions:
- isLoggedIn(): auth.username !== null
- createOnly(): next.exists() && !prev.exists()
- deleteOnly(): prev.exists() && !next.exists()
- createOrDelete(): createOnly() || deleteOnly()
schema:
definitions:
message:
type: object
properties:
from:
type: string
constraint: (auth.username == next && createOnly()) ||
($userid === auth.username && deleteOnly())
to: {type: string, constraint: createOrDelete()}
message: {type: string, constraint: createOrDelete()}
required: [from, to, message]
additionalProperties: false
examples:
- {from: "bill", to: "tom", message: "hey Tom!"}
nonexamples:
- {to: "tom", message: "hey Tom!"}
type: object
properties:
users:
type: object
$userid:
type: object
properties:
inbox:
type: object
$message: {$ref: "#/definitions/message"}
outbox:
type: object
$message: {$ref: "#/definitions/message"}
additionalProperties: false
access:
- location: users/$userid/inbox/
write: createOnly() && isLoggedIn()
- location: users/$userid/inbox/
write: deleteOnly() && $userid === auth.username
- location: users/$userid/outbox/
write: true
- location: users/$userid/
read: $userid === auth.username
Changelog
-
18th August 2014:
- predicates renamed to functions
-
14th July 2014:
- improved error reporting
- updated installation
-
9th July 2014:
- support for rules in JSON
-
30th June 2014:
- removed trailing /* from access location syntax
- allowed untyped schema if type is not specified