A while back, I wrote about problems with performing validation with Firebase. In an email exchange with Firebase, the representative indicated that providing more information was a security risk. I can see some logic in that, but I don't really agree with it.

Firebase just responding with "PERMISSION_DENIED" is pretty tough for testing. It's also pretty tough from a UX perspective. It's hard to know why a write failed. How do you guide the user towards fixing the problem if you don't know what failed?

Here's a sample of how I might like this to work. Just throwing some thoughts out there that would allow the same wonderful validation that Firebase has now with some extra info for the developer.

Proposed Rules Sample

{
  "rules": {
    "users": {
      "$user_id": {
        ".write": "$user_id === auth.uid",
        ".read": "$user_id === auth.uid",
        "familyName": [
          {
            ".validate": "newData.isString()",
            "error": "Family Name Must Be A String"
          },
          {
            ".validate": "newData.val().length > 1",
            "error": "Family Name Must Be Greater Than 1 Character"
          },
          {
            ".validate": "newData.val().length < 100",
            "error": "FAM001"
          }
        ],
        "email": [
          {
            ".validate": "newData.val() === auth.email",
            "error": "Unapproved email address"
          }
        ]
      }
    }
  }
}

In this sample, validation for each field is broken out. Every test has its own entry and an accompanying error response. If the client sent a familyName value of just "A", the client would get back maybe something like this:

{
  "status": "PERMISSION_DENIED",
  "errors": [
    {
      "familyName": "Family Name Must Be Greater Than 1 Character"
    }
  ]
}
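To make the proposal concrete, here is a small mock evaluator for the per-field rule lists above. It is an added example, not code from the original post or from Firebase. The `snapshot` stand-in, the `validateWrite` name, the `{ status: "OK" }` success value and the sample `auth` object are all assumptions.

```javascript
// Constructed copy of the post's proposed per-field rules (hypothetical format).
const proposedRules = {
  familyName: [
    { ".validate": "newData.isString()", error: "Family Name Must Be A String" },
    { ".validate": "newData.val().length > 1",
      error: "Family Name Must Be Greater Than 1 Character" },
    { ".validate": "newData.val().length < 100", error: "FAM001" },
  ],
  email: [
    { ".validate": "newData.val() === auth.email", error: "Unapproved email address" },
  ],
};

// Minimal stand-in for the rules `newData` snapshot: only val() and isString().
function snapshot(value) {
  return { val: () => value, isString: () => typeof value === "string" };
}

// Evaluate one rule expression against the mock snapshot. The expressions come
// from the rules file, never from the client, so compiling them with Function
// is acceptable in this mock.
function passes(expression, newData, auth) {
  try {
    const fn = new Function("newData", "auth", `return (${expression});`);
    return fn(newData, auth) === true;
  } catch (err) {
    return false; // an expression that throws counts as a failed check
  }
}

// Returns the response shape sketched in the post; { status: "OK" } is assumed.
function validateWrite(rules, data, auth) {
  const errors = [];
  for (const [field, checks] of Object.entries(rules)) {
    if (!(field in data)) continue; // this mock skips fields the write omits
    const newData = snapshot(data[field]);
    // Report only the first failing check per field, so one bad value
    // yields one message, as in the post's sample response.
    const failed = checks.find((c) => !passes(c[".validate"], newData, auth));
    if (failed) errors.push({ [field]: failed.error });
  }
  return errors.length ? { status: "PERMISSION_DENIED", errors } : { status: "OK" };
}

const auth = { uid: "user-1", email: "pat@example.com" }; // constructed sample
console.log(JSON.stringify(validateWrite(proposedRules, { familyName: "A" }, auth)));
```

Because each check names its own `error` value, a rules author decides per check how much the client learns: a readable message, or an opaque code such as "FAM001" that only the app can map to UI text.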

Dealing with Existing Firebase Rules

Having complete control over each validation or authentication error output would be wonderful. However, that would require a huge change on the Firebase backend. So, it's clearly not likely to happen any time soon.

However, Firebase already has some capability for telling the client why a write/read failed. If the user is authenticated with a token with the 'admin' property and debug is enabled, Firebase already spits out the validation issues. Unfortunately, it does this out of band, not in the actual response.

So, a smaller Firebase change to at least report to the client what portion of the validation failed would help the developer present the right UI warning to the user. That would certainly be a lot better than:

"Umm... sorry. Something is wrong and I have no idea why. Why don't you go change all your data and try again."

Anyone else have suggestions or comments on this?