pheekus / svarog Goto Github PK

Generate Cloud Firestore helper functions for schema validation using JSON Schema.

License: MIT License

JavaScript 0.86% Batchfile 0.09% TypeScript 99.05%

svarog's Introduction

Svarog for Firestore

🚨 This project is no longer maintained. With Svarog, I was trying to see if it was possible to create a DB-first service where Firestore would handle the CRUD and the rest of the operations would be carried out in background via Triggers. The conclusion is that a) it's definitely possible and b) you're going to wish you went with the traditional RESTful monolith architecture very soon. It's way too complex for a simple project and way too limited for anything larger than a TODO app. It was fun to build though :) Thanks to everyone who gave it a try!

Svarog is a CLI that helps you protect your Firestore schema from unwanted mutations. It generates a set of of helper functions based on JSON Schema files that you can use in your Security Rules to validate user input.

Note: if you are an npm user, please avoid installing versions 0.5.0 to 1.2.5 - there was an issue (#11) with the project config that resulted in empty packages being published to npm.

Getting started

Step 1: describe your schema

Svarog was designed to be compatible with JSON Schema 7 - the latest draft of the JSON Schema standard. To get started, create a folder in your project directory, place your schema in a *.json file and give it an $id:

{
  "$schema": "http://json-schema.org/draft-07/schema",
  "$id": "Apple",
  "type": "object",
  "properties": {
    "color": {
      "type": "string",
      "enum": ["green", "red"]
    }
  },
  "required": ["color"]
}

You can use any built-in type to describe your database schema. However, you should also keep in mind that not all of the JSON Schema features are supported at the moment.

Using Firestore data types

Svarog includes basic support for Timestamp, Bytes, LatLng and Path Firestore field types. To enable type checking on such fields, register the appropriate schemas in definitions section and then reference them in your main schema with $ref like this:

{
  "$schema": "http://json-schema.org/draft-07/schema",
  "$id": "FirestoreExample",
  "type": "object",
  "definitions": {
    "Timestamp": {},
  },
  "properties": {
    "date": { "$ref": "#/definitions/Timestamp" },
  }
}

Step 2: run Svarog

Once you have your schema ready, install and run Svarog:

$ npm i -g svarog
$ svarog "schema/*.json" "firestore.rules" --verbose

The last command will pull every schema in schema folder, run the compiler and append a minified code snippet to the firestore.rules file. You can run this command every time you update your schema, and it will replace the generated snippet for you automatically if both old and new helpers were created with the compatible versions of CLI.

Step 3: call `isValid()` in Security Rules

The code we generated in the previous step exposes isValid($id: string): boolean function that you can use in your Security Rules together with other assertions:

match /apples/{appleId} {
  allow write: if isValid("Apple");
}

Svarog will apply a strict schema check when a document is created (assuring that all required properties are present and nothing out of the schema is added), and a loose one on each update (when some properties defined in schema may be missing from the patch object).

CLI reference

USAGE
  $ svarog INPUT [OUTPUT]

ARGUMENTS
  INPUT   input file containing JSON Schema or a glob pattern
  OUTPUT  target file where Svarog will output security rule helpers

OPTIONS
  -f, --force    overwrites existing Svarog code unconditionally
  -h, --help     displays this message
  -v, --verbose  enables progress logs during compilation

svarog's People

Contributors

Stargazers

Watchers

Forkers

samtstern ronzyfonzy

svarog's Issues

"required" over an array of objects is ignored

Hi 👋🏻

First, I want to say thank you for putting this library together, it's already proved super useful to me, and makes me sleep better at night 🙏🏻

I've recently been running into what I think might be a limitation of svarog though, and wanted to check if it was one indeed, or if there simply was an issue between the chair and the keyboard.

It seems that array of objects definitions ignore the required properties. I've looked into the currently described limitations, but couldn't figure out if it was the expected behavior in the current state of the tool.

For instance, validating:

{
  "stuffed": [
    {
      "foo": "hello, I'm Pierrot le foo"
    }
  ]
}

with the following schema

{
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "Stuff",
    "type": "object",
    "properties": {
        "stuffed": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "id": {
                        "type": "string"
                    },
                    "foo": {
                        "type": "string"
                    },
                    "bar": {
                        "type": "string"
                    }
                },
                "required": [
                    "foo",
                    "bar"
                ]
            }
        }
    },

In the context of this security rules

match /stuff/{stuffID} {
  allow create: if isValid("Stuff");

I would expect the isValid("Stuff") call to fail, and the security rules making the document creation also fail as a result, because bar was not present. It is the behavior shown by external JSON Schema validators. Is it Svarog's expected behavior? Is it a known limitation? How can I contribute to make this behavior supported if that's the case?

Cheers!

Won't compile on CircleCI - empty build on NPM

As it turns out, simply running tsc -b is not enough in the CircleCI environment to build the project, and I can't figure out why. To make things worse, everything works fine locally.

Here's what happening: running npm run build on CircleCI, which executes tsc -p tsconfig.json, outputs a single package.json file in the /lib folder. No errors or warnings, just the empty output. tsc -b gives the same result. Searching for similar issues didn't help much.

Until this is resolved, the workaround is to clone the repo and npm link it for global usage.

Add support for Firestore-specific data types

Support for Timestamp, Bytes, LatLng and Path is currently missing. v1 must have at least basic support for these types using the following syntax:

{
  "$schema": "http://json-schema.org/draft-07/schema",
  "$id": "FirestoreTypes",
  "type": "object",
  "definitions": {
    "Timestamp": {},
    "Bytes": {},
    "LatLng": {},
    "Path": {}
  },
  "properties": {
    "date": { "$ref": "#/definitions/Timestamp" },
    "bytes": { "$ref": "#/definitions/Bytes" },
    "location": { "$ref": "#/definitions/LatLng" },
    "document": { "$ref": "#/definitions/Path" }
  }
}

Compiler could look for $ref in property declaration and add basic type checking based on the provided value. This way only refs defined as shown above would work, but that'd be enough until a better approach is found.

Docs would need to be updated for this as well.

Bug: loose schema checks fail

Accessing unexistent object.key throws Property key is undefined on object. in Firestore. Such assertions are a part of loose checks that Svarog applies on update operation.

The automated release is failing 🚨

🚨 The automated release from the `master` branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here is some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two-Factor Authentication, make configure the auth-only level is supported. semantic-release cannot publish with the default auth-and-writes level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.

Good luck with your project ✨

Your semantic-release bot 📦🚀

Use a single Svarog interface in Security Rules instead of multiple functions

This proposal introduces a new Svarog API for Security Rules. At the moment, when we want to validate the resource, we use the following function call format:

match /posts/{postId} {
  allow create: if isPostValid(request.resource.data, true);
  allow update: if isPostValid(request.resource.data, false);
}

This is fine as long as we don't need to perform additional assertions, where condition expression quickly becomes cluttered:

match /posts/{postId} {
  allow create: if
    isPostValid(request.resource.data, true) && 
    isSomeOtherConditionMet() &&
    isEveryoneOkayWithThis() &&
    isItEvenAppropriateToProposeThatKindOfChange();
}

Since request.resource.data as well as request.method are both available globally, we can create a wrapper function that would pass them internally for us:

function isValid(schema) {
  return
    (schema == "Post" && isPostValid(request.resource.data, request.method == 'create')) ||
    (schema == "Task" && isTaskValid(request.resource.data, request.method == 'create'));
}

Also, to make the output code a bit less verbose, there could be a proxy function that would shorten the parameters:

function isValid(schema) {
  return _isValid(schema, request.resource.data, request.method == 'create');
}
function _isValid(n, d, s) {
  return (n == "Post" && isPostValid(d, s)) || (n == "Task" && isTaskValid(d, s));
}

Finally, to make using arbitrary $id possible, we could replace meaningful function names with minified identifiers like s1, s2 etc. since they are supposed to be internal anyway:

function isValid(n){return svv(n,request.resource.data,(request.method=="create"))}
function sv(n,d,s){return ((n=="Post")&&s0(d, s))||((n=="Task")&&s1(d,s))}

New syntax after this issue is closed:

match /posts/{postId} {
  allow write: if isValid("Post");
}

Drop support for strict/loose modes

Looks like request.resource.data now includes all document fields on update, even if only a subset of them was passed to the update function (see the screenshot below: the request doesn't include visibility field, but it's there anyway). So it's kind of like getAfter() now, but right in the request.

No need to check if the field is present in the resource anymore => smaller svarog snippet => more space for custom rules.