I have a web app which I've deployed to multiple Firebase projects (i.e. dev, staging, production). It uses Cloud Functions for Firebase for its back-end functionality.
Recently, after deploying to a new environment, I started getting a CORS error for one of the functions. After some searching I found that the Authentication settings in the Cloud Functions panel can affect this, and in this case making the Function accessible to allUsers solved my CORS issue.
While in the Functions console, I noticed that most, but not all, of my Firebase functions had Authentication set to "Allow unauthenticated" by default. What was strange, however, is that in different environments (i.e. dev vs staging) a function might be set to allow unauthenticated, but in others would not (even though I never manually altered any of these settings).
Essentially, my question is, how are these settings determined? I only every deployed my functions via firebase deploy or firebase deploy --only functions. What is the expected behavior here? Are Cloud Functions deployed via Firebase expected to be set to "Allow unauthenticated" by default, and those that aren't simply experienced some kind of error during deployment?
Are Cloud Functions deployed via Firebase expected to be set to "Allow unauthenticated" by default?
Yes, that's what the Firebase CLI does, and that allows the function to be invoked without Google IAM. That's the expectation for code that backs a mobile or web app, since they won't use IAM.
That setting has nothing to do with CORS. CORS is fully under your control in the code of the function.