Firestore security rule with custom error message and status code

Question

By default, security rules give me an error like this PERMISSION_DENIED: false for 'update' @ L236. As you could see it's not that useful.

For eg in the case of rate-limited Is there a way to send something like 429 status code along with a custom message which I could render in my front end... In case some field is missing I could do an error in userName or something like that

I couldn't find any reference in https://firebase.google.com/docs/reference/rules/rules.firestore

Answer 1

There is no way to customize the message that is returned when the security rules reject an operation. You will have to detect the condition in your application code, and handle it there.

Typically this is not a problem when you follow the best practice to developer your application code and security rules hand in hand. My flow usually is:

1. Lock down my database completely in security rules.
2. Write the code for a first small use-case.
3. Watch it being rejected by my security rules.
4. Open up my security rules by the minimal amount to allow the code to run.
5. Continue on the next use-case.

If you follow this process, your code will always meet the security rules - as that's precisely how you wrote them. So in that case the most common people to get "permission denied" are abusive users, who may use any additional information you might give them as an attack vector.