firebase / firebase-js-sdk

Firebase Javascript SDK
https://firebase.google.com/docs/web/setup

Different security rules behavior between firestore(firebase-js-sdk) and @firebase/rules-unit-testing (also @firebase/testing). #3887

Open Qrymy opened 4 years ago

Qrymy commented 4 years ago

[REQUIRED] Describe your environment

[REQUIRED] Describe the problem

For example, there is a collection that includes the following documents.

{
  userId: 'userId',
  data: null
}

Then, I created the following security rules.

match /collectionName/{documentId} {
  allow read: if resource.data.userId == request.auth.uid;
}

I can pass the following test via rules-unit-testing. (I'm using jest and ts-jest.)

import * as testing from '@firebase/rules-unit-testing'

test('Should get document', () => {
  const app = testing.initializeTestApp({ projectId: 'projectId', auth: { uid: 'userId' } })
  // The following ref has a document like this: { userId: 'userId' }.
  // Keep a DocumentReference here; get() is called once, inside assertSucceeds below.
  const ref = app.firestore().collection('collectionName').doc('documentId')
  return testing.assertSucceeds(ref.get())
})

However, I can't get data via firebase/firestore. (Permission denied error)

  firebase.firestore().collection('collectionName').doc('documentId').get()

Using the following query, I can get data.

  firebase.firestore().collection('collectionName').where('userId', '==', firebase.auth().currentUser.uid)

I think this behavior (client SDK) is not wrong, but I don't know why the test passes.

google-oss-bot commented 4 years ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.