Add an option to disable rejection of requests with invalid App Check token for callable functions.

CHANGELOG.md

@@ -1 +1,2 @@
 - GCS Enhancement
+- Add option to allow callable functions to ignore invalid App Check tokens.

spec/common/providers/https.spec.ts

@@ -40,6 +40,8 @@ interface CallTest {
 
   callableFunction2: (request: https.CallableRequest<any>) => any;
 
+  callableOption?: https.CallableOptions;
+
   // The expected shape of the http response returned to the callable SDK.
   expectedHttpResponse: RunHandlerResult;
 }
@@ -104,7 +106,10 @@ function runHandler(
 
 // Runs a CallTest test.
 async function runTest(test: CallTest): Promise<any> {
-  const opts = { origin: true, methods: 'POST' };
+  const opts = {
+    cors: { origin: true, methods: 'POST' },
+    ...test.callableOption,
+  };
   const callableFunctionV1 = https.onCallHandler(opts, (data, context) => {
     expect(data).to.deep.equal(test.expectedData);
     return test.callableFunction(data, context);
@@ -470,6 +475,30 @@ describe('onCallHandler', () => {
     });
   });
 
+  it('should handle bad AppCheck token with callable option', async () => {
+    await runTest({
+      httpRequest: mockRequest(null, 'application/json', {
+        appCheckToken: 'FAKE',
+      }),
+      expectedData: null,
+      callableFunction: (data, context) => {
+        return;
+      },
+      callableFunction2: (request) => {
+        return;
+      },
+      callableOption: {
+        cors: { origin: true, methods: 'POST' },
+        allowInvalidAppCheckToken: true,
+      },
+      expectedHttpResponse: {
+        status: 200,
+        headers: expectedResponseHeaders,
+        body: { result: null },
+      },
+    });
+  });
+
   it('should handle instance id', async () => {
     await runTest({
       httpRequest: mockRequest(null, 'application/json', {

src/common/providers/https.ts

@@ -592,16 +592,22 @@ async function checkTokens(
 type v1Handler = (data: any, context: CallableContext) => any | Promise<any>;
 type v2Handler<Req, Res> = (request: CallableRequest<Req>) => Res;
 
+/** @hidden **/
+export interface CallableOptions {
+  cors: cors.CorsOptions;
+  allowInvalidAppCheckToken?: boolean;
+}
+
 /** @hidden */
 export function onCallHandler<Req = any, Res = any>(
-  options: cors.CorsOptions,
+  options: CallableOptions,
   handler: v1Handler | v2Handler<Req, Res>
 ): (req: Request, res: express.Response) => Promise<void> {
-  const wrapped = wrapOnCallHandler(handler);
+  const wrapped = wrapOnCallHandler(options, handler);
   return (req: Request, res: express.Response) => {
     return new Promise((resolve) => {
       res.on('finish', resolve);
-      cors(options)(req, res, () => {
+      cors(options.cors)(req, res, () => {
         resolve(wrapped(req, res));
       });
     });
@@ -610,6 +616,7 @@ export function onCallHandler<Req = any, Res = any>(
 
 /** @internal */
 function wrapOnCallHandler<Req = any, Res = any>(
+  options: CallableOptions,
   handler: v1Handler | v2Handler<Req, Res>
 ): (req: Request, res: express.Response) => Promise<void> {
   return async (req: Request, res: express.Response): Promise<void> => {
@@ -621,7 +628,10 @@ function wrapOnCallHandler<Req = any, Res = any>(
 
       const context: CallableContext = { rawRequest: req };
       const tokenStatus = await checkTokens(req, context);
-      if (tokenStatus.app === 'INVALID' || tokenStatus.auth === 'INVALID') {
+      if (tokenStatus.auth === 'INVALID') {
+        throw new HttpsError('unauthenticated', 'Unauthenticated');
+      }
+      if (tokenStatus.app === 'INVALID' && !options.allowInvalidAppCheckToken) {
         throw new HttpsError('unauthenticated', 'Unauthenticated');
       }
 

src/function-configuration.ts

@@ -160,6 +160,11 @@ export interface RuntimeOptions {
    * Invoker to set access control on https functions.
    */
   invoker?: 'public' | 'private' | string | string[];
+
+  /*
+   * Allow requests with invalid App Check tokens on callable functions.
+   */
+  allowInvalidAppCheckToken?: boolean;
 }
 
 export interface DeploymentOptions extends RuntimeOptions {

src/providers/https.ts

@@ -90,7 +90,13 @@ export function _onCallWithOptions(
   // in another handler to avoid accidentally triggering the v2 API
   const fixedLen = (data: any, context: CallableContext) =>
     handler(data, context);
-  const func: any = onCallHandler({ origin: true, methods: 'POST' }, fixedLen);
+  const func: any = onCallHandler(
+    {
+      allowInvalidAppCheckToken: options.allowInvalidAppCheckToken,
+      cors: { origin: true, methods: 'POST' },
+    },
+    fixedLen
+  );
 
   func.__trigger = {
     labels: {},

src/v2/providers/https.ts

@@ -157,7 +157,10 @@ export function onCall<T = any, Return = any | Promise<any>>(
   // onCallHandler sniffs the function length to determine which API to present.
   // fix the length to prevent api versions from being mismatched.
   const fixedLen = (req: CallableRequest<T>) => handler(req);
-  const func: any = onCallHandler({ origin, methods: 'POST' }, fixedLen);
+  const func: any = onCallHandler(
+    { cors: { origin, methods: 'POST' } },
+    fixedLen
+  );
 
   Object.defineProperty(func, '__trigger', {
     get: () => {