Firebase onCall functions and Google Cloud Functions authentication showing call is unauthenticated

A few months ago I deployed some onCall Firebase functions, and they worked fine.

Today I deployed a new onCall Firebase function, and I cannot call it, I get the following errors:

In Google Cloud Functions logs:

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client

On the client (web browser):

Access to fetch at 'https://asia-northeast1-myprojectname.cloudfunctions.net/myfunctionname' from origin 'http://localhost:5173' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I suspect the CORS error is just a consequence of the authentication failure though, and not directly a due to CORS settings.

Investigating this further, although I see no difference between the old and new functions in the Firebase console, going to the Google Cloud Functions Console I can see a difference between the old and new functions:

In the Authentication column, the old ones were set to "Allow unauthenticated" while the new ones are set to "Require authentication".

I do not remember ever changing the setting on the old ones, so I'm not sure why the new ones have a different setting. However, my understanding was that one of the purposes of the onCall functions (as opposed to onRequest) is they handle authentication automatically. I can see the user's auth data in request.auth, so it is clearly being provided. In that case, why I am getting the error saying the request was not authenticated? How can I get the client to authenticate itself properly when calling the cloud function?

To be clear, the user is already logged in/authenticated with Firebase authentication before the function call is made.

That authentication column in the console has nothing to do with the fact that it's a callable function and also has nothing to do with Firebase Authentication. It's referring to something entirely different, which you will find out if you click the provided link in the error message. It has to do with GCP IAM authentication.

The other functions that are set to "allow unauthenticated" are indeed correctly set. Callable functions need to have that IAM setting so that they work from web and mobile applications. If you want to fix this right now, change the setting allow unauthenticated access like your older functions. This involves adding the "allUsers" role to the function. Read more in the GCP documentation: https://cloud.google.com/run/docs/authenticating/public

The Firebase CLI should set this automatically on deployment. If it's not adding allUsers, then something is wrong in the system, and you should reach out to Firebase support to report this as a problem with the Firebase CLI. Or file an issue on firebase-tools.

See also:

• Does "allUsers" in Cloud Functions allow only the users of my app?
• Cloud Function Error: Forbidden unless I open function to allUsers
• Configuring Correct Permissions in Firebase Cloud Function to Avoid CORS Error
• Newly Created Firebase Functions Throwing UNAUTHENTICATED Error