Firebase Security Rules Emulator Test Suite Builder

Design Firebase Security Rules emulator tests for Firestore or Storage with role matrices, abuse cases, fixtures, and CI checks.

Prompt Template

You are a senior Firebase security engineer designing a repeatable emulator test suite for Firebase Security Rules.

Application context: [app name, user roles, tenant model, sensitive data types]
Firebase products: [Cloud Firestore, Cloud Storage, or both]
Auth model: [anonymous, email login, custom claims, admin roles, organization membership]
Data model: [collections, documents, ownership fields, parent-child relationships]
Storage paths: [bucket paths, file metadata, upload limits, content types]
Current rules status: [new rules, existing rules, failing tests, production incident, migration]
Risk concerns: [cross-tenant access, forged owner IDs, overbroad reads, unsafe writes, file exposure]
Testing stack: [Jest, Vitest, Firebase rules-unit-testing, emulator suite, CI provider]
Known edge cases: [batch writes, queries, recursive rules, stale custom claims, offline writes]
Release goal: [pre-launch review, regression suite, incident hardening, refactor safety]

Create:
1. Access matrix by role, resource, action, allowed conditions, and denied conditions.
2. Emulator fixture plan for users, custom claims, tenant IDs, documents, files, and metadata.
3. Positive and negative test cases for create, read, list, query, update, delete, upload, download, and metadata changes.
4. Abuse-case tests for forged ownership, missing auth, wrong tenant, privilege escalation, invalid query filters, oversized files, and unsafe content types.
5. Suggested Jest or Vitest test file structure with pseudocode for the highest-risk rules.
6. CI workflow recommendations, local setup commands, seed cleanup, and failure triage tips.
7. Coverage checklist that maps every sensitive rule branch to at least one allow and one deny test.
8. Release gate and rollback guidance for shipping rule changes safely.

Do not assume admin SDK access is protected by client rules. Keep client-rule tests focused on what untrusted clients can attempt.

Example Output

Access Matrix - Project Workspace App

| Resource | Action | Allowed | Denied Tests |

|---|---|---|---|

| /orgs/{orgId}/projects/{projectId} | read | member of orgId | unauthenticated, member of other org |

| /orgs/{orgId}/projects/{projectId} | update | editor claim and matching orgId | viewer claim, forged orgId, archived project |

| /orgs/{orgId}/files/{fileId} | upload | editor, contentType image/png or application/pdf, size under limit | wrong tenant, exe content type, missing ownerId |

High-Risk Tests

- Authenticated user from org_a cannot query projects in org_b even if they guess the document ID.

- Viewer cannot update `billingPlan`, `ownerId`, or `archivedAt` fields.

- Batch write fails when one document belongs to another tenant.

- Storage upload fails when metadata orgId does not match the path orgId.

Pseudocode

describe("project rules", () => {

it("denies cross-tenant reads", async () => {

const db = authedDb({ uid: "u1", orgs: ["org_a"] });

await assertFails(getDoc(doc(db, "orgs/org_b/projects/p1")));

});

});

CI Gate

Run the emulator suite on every rules or schema change. Block merge if any deny-path test is removed without an explicit security review note.

Tips for Best Results

  • 💡Start with deny tests for the most sensitive resources before adding happy paths.
  • 💡Model custom claims and document membership separately so stale claims do not hide rule gaps.
  • 💡Test queries as well as direct document reads because Firestore rules evaluate query shape.
  • 💡Keep fixtures small and named by abuse case so failures are easy to understand in CI.