Whoah! So the actual problem is that I registered the rule for auth.id in the simulator as 169508069
, the integer. $user has the value of "169508069"
, the string. When I manually set the value to compare against (an integer), of course it works.
Pretty tricky to track down.
Suggestion for the Firebase folks: print the computed value of the $variable
in the security simulator output to help isolate security issues.
For others, just a heads up to be wary of data types.