
feat(https): add enforceAuth option to callable functions#1870

Open
kyungseopk1m wants to merge 1 commit into firebase:master from kyungseopk1m:fix/enforce-auth-callable-option

Conversation

@kyungseopk1m

Description

Fixes #1557

Adds an enforceAuth option to onCall callable functions, mirroring
the existing enforceAppCheck pattern.

Problem: onCall functions unconditionally reject requests with
invalid or expired auth tokens with a 401 error. There is no way to opt
out for public endpoints that don't require authentication.

Solution: Add enforceAuth?: boolean option. When false, requests
with invalid auth tokens log a warning and set context.auth to
undefined instead of throwing. Defaults to true to preserve
existing behavior.

Code sample

import { onCall, HttpsError } from "firebase-functions/v2/https";

// Public endpoint — allow requests with invalid/expired tokens
export const publicFn = onCall({ enforceAuth: false }, (req) => {
  // req.auth is undefined if token was invalid or missing
  return { user: req.auth?.uid ?? "anonymous" };
});

// Default behavior (enforceAuth: true) — unchanged: an invalid token is
// rejected with 401 before the handler runs, but a request with no token
// still reaches the handler with req.auth undefined, so check it here.
export const privateFn = onCall((req) => {
  if (!req.auth) {
    throw new HttpsError("unauthenticated", "Sign-in required");
  }
  return { user: req.auth.uid };
});

Add enforceAuth option to onCall functions, mirroring the existing
enforceAppCheck pattern. When set to false, requests with invalid
auth tokens log a warning instead of throwing a 401 error.

Defaults to true to preserve existing behavior.

Fixes firebase#1557
@gemini-code-assist (bot) left a comment

Code Review

This pull request introduces the enforceAuth option for Firebase HTTPS callable functions in both v1 and v2 SDKs. This feature allows developers to control whether invalid authentication tokens should automatically trigger a 401 Unauthorized response (the default behavior) or be allowed through with a warning, in which case context.auth is expected to be undefined. The changes include updates to configuration interfaces, the request handling logic in wrapOnCallHandler, and new test cases. One piece of feedback suggests explicitly setting context.auth = undefined when an invalid token is permitted to ensure consistency with the documentation and avoid potential issues with mock data in the emulator.

Comment on lines +826 to +830
} else {
logger.warn(
"Allowing request with invalid auth token because enforcement is disabled"
);
}
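Review bot: the else branch on lines +826 to +830 logs a warning and nothing else, and with enforceAuth: false it fires once per request that carries an invalid token, which on a public endpoint any unauthenticated caller can trigger at will. Consider logging at debug level or including why the token failed, and wording the message so an operator reads it as "request continued unauthenticated" rather than "invalid token accepted", since the description says context.auth is undefined on this path.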
Severity: medium

To ensure that context.auth is strictly undefined when an invalid token is provided and enforcement is disabled (as stated in the documentation), it should be explicitly cleared. This is particularly important because the emulator hook (lines 803-812) might have already populated context.auth with mock data, which should not be used if an actual (but invalid) token was sent in the request.

        } else {
          logger.warn(
            "Allowing request with invalid auth token because enforcement is disabled"
          );
          context.auth = undefined;
        }

@kyungseopk1m (Author):

context.auth is already undefined in the INVALID path since checkAuthToken only sets it on success. This matches the existing enforceAppCheck behavior which also does not explicitly reset context.app.

@cabljac cabljac requested a review from IzaakGough April 16, 2026 14:52
@cabljac (Contributor) commented Apr 16, 2026:

Hi @kyungseopk1m thanks for your contribution!!

This as a feature is under some internal discussion right now, I'll keep you updated here on the outcome.

@kyungseopk1m force-pushed the fix/enforce-auth-callable-option branch 2 times, most recently from 27b147f to fe714b7 on April 17, 2026 11:33

Development

Successfully merging this pull request may close these issues.

Don't verify auth token on public endpoints