Test and deploy storage rules

.github/workflows/deploy-on-merge.yml

@@ -7,10 +7,10 @@ on:
     branches:
       - master
 jobs:
-  firestore_deploy:
+  rules_deploy:
     runs-on: ubuntu-latest
     env: 
-      working-directory: ./firestore
+      working-directory: ./firebase
       GOOGLE_APPLICATION_CREDENTIALS: /opt/gcp_key.json
     steps:
       - uses: actions/checkout@v3
@@ -20,7 +20,7 @@ jobs:
         working-directory: ${{ env.working-directory }}
 
   functions_deploy:
-    needs: firestore_deploy
+    needs: rules_deploy
     runs-on: ubuntu-latest
     env: 
       working-directory: ./functions
@@ -35,7 +35,7 @@ jobs:
         working-directory: ${{ env.working-directory }}
 
   client_deploy:
-    needs: [firestore_deploy, functions_deploy]
+    needs: [rules_deploy, functions_deploy]
     runs-on: ubuntu-latest
     env: 
       working-directory: ./client

client/src/components/ImageUpload.tsx

@@ -103,7 +103,8 @@ function ImageUpload({ label, value, onUpload: onChange }: InputBaseComponentPro
   };
 
   const onSave = () => {
-    // TODO: scale to minSizeLength
+    // TODO: scale to same size
+    // should do via 
     onChange(image);
     setSaved(true);
   };

firebase/package.json

@@ -6,10 +6,10 @@
   "author": "",
   "license": "ISC",
   "scripts": {
-    "deploy": "npx firebase-tools deploy --only firestore:rules",
-    "test": "npx firebase-tools emulators:exec --only firestore 'jest -i'",
+    "deploy": "npx firebase-tools deploy --only 'firestore:rules,storage:rules",
+    "test": "npx firebase-tools emulators:exec --only 'firestore,storage' 'jest -i'",
     "export": "npx firebase-tools emulators:export ./emulator_data",
-    "lint": "eslint test/"
+    "lint": "eslint src"
   },
   "devDependencies": {
     "@firebase/rules-unit-testing": "^2.0.7",

firebase/src/firestore/default_deny.test.ts

@@ -18,6 +18,10 @@ beforeAll(async () => {
   });
 });
 
+afterEach(async () => {
+  await testEnv.clearFirestore();
+});
+
 afterAll(async () => {
   await testEnv.cleanup();
 });

firebase/src/storage/default_deny.test.ts

@@ -0,0 +1,36 @@
+import { readFileSync } from 'fs';
+import { assertFails, initializeTestEnvironment, RulesTestEnvironment } from '@firebase/rules-unit-testing';
+import { uploadString, getBytes } from 'firebase/storage';
+
+let testEnv: RulesTestEnvironment;
+const clubId = 'bc73';
+const fileName = 'foo.txt';
+
+beforeAll(async () => {
+  testEnv = await initializeTestEnvironment({
+    storage: {
+      rules: readFileSync('storage.rules', 'utf8'),
+    },
+  });
+});
+
+afterEach(async () => {
+  await testEnv.clearStorage();
+});
+
+afterAll(async () => {
+  await testEnv.cleanup();
+});
+
+it('should forbid abitrary read/write access', async () => {
+  const unauthenticatedContext = testEnv.unauthenticatedContext();
+  await assertFails(uploadString(unauthenticatedContext.storage().ref(fileName), '123'));
+
+  const authenticatedContext = testEnv.authenticatedContext('alice', { clubId, admin: true });
+  await assertFails(uploadString(authenticatedContext.storage().ref(fileName), '123'));
+
+  await testEnv.withSecurityRulesDisabled(async (context) => {
+    await uploadString(context.storage().ref(fileName), '123');
+  });
+  await assertFails(getBytes(authenticatedContext.storage().ref(fileName)));
+});

firebase/storage.rules

@@ -1,9 +1,5 @@
 rules_version = '2';
 
-// TODO: create folder per club
-//        - logo_512x512.png
-// TODO: club delete -> delete folder
-// TODO: write tests for storage rules
 service firebase.storage {
   match /b/{bucket}/o {
      function isAuthenticated() {