Deploying Firebase Security Rules

IMPORTANT: Security rules must be deployed to both DEV and PRODUCTION Firebase projects.


Prerequisites

  1. Install Firebase CLI:

     ```bash
     npm install -g firebase-tools
     ```

  2. Login to Firebase:

     ```bash
     firebase login
     ```

Deploy to DEV Environment

```bash
# Select DEV project
firebase use lantern-app-dev

# Deploy Firestore rules only
firebase deploy --only firestore:rules

# Deploy Storage rules only
firebase deploy --only storage:rules

# Deploy both at once
firebase deploy --only firestore:rules,storage:rules
```

Verify in Firebase Console:

  1. Go to https://console.firebase.google.com
  2. Select lantern-app-dev project
  3. Click "Firestore Database" → "Rules"
  4. Verify rules are active
  5. Click "Storage" → "Rules"
  6. Verify storage rules are active

Deploy to PRODUCTION Environment

⚠️ WARNING: Production deployment affects live users!

```bash
# Select PRODUCTION project
firebase use lantern-app-prod

# Deploy rules to production
firebase deploy --only firestore:rules,storage:rules
```

Verify in Firebase Console (same steps as DEV, but for lantern-app-prod).


Test Security Rules

Test Firestore Rules

  1. Go to Firebase Console → Firestore Database → Rules
  2. Click "Rules Playground"
  3. Test scenarios:

     ```text
     # Test: User can read their own profile
     Type: get
     Location: /users/{your-user-id}
     Auth: Authenticated as {your-user-id}
     Expected: ALLOW

     # Test: User can read another user's document, but the encrypted fields stay gibberish
     Type: get
     Location: /users/{other-user-id}
     Auth: Authenticated as {your-user-id}
     Expected: ALLOW (but encrypted fields are gibberish)

     # Test: Unauthenticated users cannot read anything
     Type: get
     Location: /users/{any-user-id}
     Auth: Unauthenticated
     Expected: DENY

     # Test: User can only update their own profile
     Type: update
     Location: /users/{your-user-id}
     Auth: Authenticated as {your-user-id}
     Expected: ALLOW

     # Test: User cannot update another user's profile
     Type: update
     Location: /users/{other-user-id}
     Auth: Authenticated as {your-user-id}
     Expected: DENY
     ```

Test Storage Rules

  1. Go to Firebase Console → Storage → Rules
  2. Test upload scenarios:

     ```text
     # Test: Venue owner can upload venue photo
     Operation: create
     Path: /venues/venue-123/photo.jpg
     Auth: Authenticated
     Expected: ALLOW

     # Test: Cannot upload user profile photo
     Operation: create
     Path: /users/user-123/profile.jpg
     Auth: Authenticated
     Expected: DENY (privacy policy)

     # Test: File size limits enforced
     Operation: create
     Path: /venues/venue-123/big-photo.jpg
     File size: 10MB
     Expected: DENY (exceeds 5MB limit)
     ```

Firestore Rules Summary

| Collection | Read | Create | Update | Delete |
|---|---|---|---|---|
| users | ✅ Authenticated (own + public fields) | ✅ Owner only | ✅ Owner only | ✅ Owner only |
| checkins | ✅ Authenticated | ✅ Owner only | ✅ Owner only | ✅ Owner only |
| waves | ✅ Sender or recipient | ✅ Authenticated | ✅ Sender/recipient (status only) | ✅ Sender or recipient |
| chats | ✅ Participants only | ✅ Participants only | ✅ Participants (metadata only) | ❌ Never |
| offers | ✅ Authenticated | ✅ Merchant only | ✅ Merchant only | ✅ Merchant only |
| venues | ✅ Authenticated | ✅ Verified owners only | ✅ Owner only | ❌ Never |
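The following `firestore.rules` is an added example that encodes the table above and the `/users` Playground scenarios from the Test Firestore Rules section; it is not the project's own rules file. It assumes ownership fields that the page does not name (`userId` on checkins, `senderId`/`recipientId` on waves, a `participants` list of uids on chats, `merchantId` on offers, `ownerId` on venues), assumes "verified owner" is a custom auth claim `verifiedOwner`, and assumes "metadata only" on chats means the three keys listed in the comment.

```rules
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // ---- helpers ----
    function signedIn() {
      return request.auth != null;
    }
    function isUser(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // True when an update touches no keys outside `keys`.
    function onlyChanges(keys) {
      return request.resource.data.diff(resource.data).affectedKeys().hasOnly(keys);
    }

    // users: any signed-in user may read; only the owner writes.
    // Read rules cannot hide individual fields, so the "public fields"
    // boundary rests on the client-side encryption the page describes.
    match /users/{userId} {
      allow read: if signedIn();
      allow create, update, delete: if isUser(userId);
    }

    // checkins: owner is the assumed `userId` field (a missing field
    // makes the comparison error out, which is a deny).
    match /checkins/{checkinId} {
      allow read: if signedIn();
      allow create: if isUser(request.resource.data.userId);
      allow update, delete: if isUser(resource.data.userId);
    }

    // waves: assumed `senderId` / `recipientId` fields.
    match /waves/{waveId} {
      function party(data) {
        return isUser(data.senderId) || isUser(data.recipientId);
      }
      allow read, delete: if party(resource.data);
      allow create: if signedIn();
      // Only `status` may change; ids and everything else stay fixed.
      allow update: if party(resource.data) && onlyChanges(['status']);
    }

    // chats: assumed `participants` list of uids; "metadata only" is
    // assumed to mean the keys below.
    match /chats/{chatId} {
      allow read: if signedIn() && request.auth.uid in resource.data.participants;
      allow create: if signedIn() && request.auth.uid in request.resource.data.participants;
      allow update: if signedIn()
                    && request.auth.uid in resource.data.participants
                    && onlyChanges(['lastMessage', 'lastMessageAt', 'updatedAt']);
      allow delete: if false;
    }

    // offers: assumed `merchantId` field.
    match /offers/{offerId} {
      allow read: if signedIn();
      allow create: if isUser(request.resource.data.merchantId);
      allow update, delete: if isUser(resource.data.merchantId);
    }

    // venues: creation needs the assumed `verifiedOwner` custom claim and
    // the creator must record themselves as `ownerId`; no deletes.
    match /venues/{venueId} {
      allow read: if signedIn();
      allow create: if signedIn()
                    && request.auth.token.verifiedOwner == true
                    && request.resource.data.ownerId == request.auth.uid;
      allow update: if isUser(resource.data.ownerId);
      allow delete: if false;
    }
  }
}
```

Run the five `/users` scenarios from the Test Firestore Rules section against this file in the Rules Playground: the two reads by an authenticated user and the owner's update should report ALLOW, the unauthenticated read and the cross-user update DENY.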

Storage Rules Summary

| Path | Read | Write | Notes |
|---|---|---|---|
| /venues/{venueId}/{fileName} | ✅ Anyone | ✅ Venue owner | Max 5MB, images only |
| /offers/{offerId}/{fileName} | ✅ Anyone | ✅ Merchant | Max 2MB, images only |
| /users/{userId}/{fileName} | ❌ NEVER | ❌ NEVER | No user photos allowed |

CI/CD Integration

To automatically deploy rules on merge to main:

  1. Create GitHub Actions workflow:

     ```yaml
     # .github/workflows/deploy-firebase-rules.yml
     name: Deploy Firebase Rules

     on:
       push:
         branches:
           - main
         paths:
           - 'firestore.rules'
           - 'storage.rules'

     jobs:
       deploy:
         runs-on: ubuntu-latest
         steps:
           - uses: actions/checkout@v3
           - uses: actions/setup-node@v3
           - run: npm install -g firebase-tools
           # Deploys to the default project alias in .firebaserc; add
           # --project <project-id> to pin DEV or PRODUCTION explicitly.
           - run: firebase deploy --only firestore:rules,storage:rules --token ${{ secrets.FIREBASE_TOKEN }}
     ```
  2. Generate Firebase CI token:

     ```bash
     firebase login:ci
     ```
  3. Add token to GitHub Secrets:

    • Go to repo Settings → Secrets
    • Add FIREBASE_TOKEN

Troubleshooting

Error: "Permission denied"

  • Check that user is authenticated
  • Verify user is accessing their own data
  • Check Firestore Rules Playground for specific error

Error: "Missing required fields"

  • Ensure all required fields are included in write operations
  • Check field types match schema (e.g., timestamp vs string)

Error: "Resource already exists"

  • The user is trying to create a profile that already exists
  • Use set() with merge: true instead of create()

Next Steps

After deploying rules:

  1. ✅ Test auth flows (signup, login)
  2. ✅ Test profile creation and updates
  3. ✅ Verify encrypted data is stored correctly
  4. ✅ Test cross-device sync
  5. ✅ Security audit with Rules Playground
