
Support verification of AppCheck token in Callable Functions #885


Merged
merged 16 commits into from
May 12, 2021


taeold
Contributor

@taeold taeold commented May 10, 2021

Callable Functions will now verify the AppCheck token included in the X-Firebase-AppCheck request header. Similar to auth, Callable Functions will return 401 Unauthorized if the AppCheck token is invalid.

New Logging Behavior

In addition, all requests to Callable Functions will emit a log that contains the status of the token verifications. E.g., if the auth token isn't included in the request while the AppCheck token is included but invalid, the following log is emitted:

{
  "severity": "WARNING",
  "logging.googleapis.com/labels": {"firebase-log-type": "callable-request-verification"},
  "jsonPayload": {
    "message": "Callable header verifications failed: AppCheck token was rejected.",
    "verifications": {
      "auth": "MISSING",
      "app": "INVALID"
    }
  }
}

The log will be used by customers that plan on setting up log-based metrics on the status of AppCheck/auth enforcement on their Callable Functions (note that other products, like Storage, natively support such metrics via Cloud Monitoring).

tsconfig target update es2017->es2018

This change was necessary to run the npm run build:release command now that we've bumped the admin SDK version from 8 to 9. I'm unsure why this is necessary to make the release tarball, but I don't think this is a dangerous change, as es2018 is supported from Node v8 and beyond.
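An added example, not part of this PR or the firebase-functions code base: a tally of token states over log entries in the shape shown in the description above, as a basis for the kind of enforcement metric it mentions. The names `makeEntry` and `summarizeVerifications`, the newline-delimited input, the `UNKNOWN` bucket and the `VALID` state name are assumptions; the page itself shows only `MISSING` and `INVALID`.

```javascript
const LOG_TYPE = "callable-request-verification";

// Build one log line in the shape shown in the PR description.
function makeEntry(severity, verifications) {
  return JSON.stringify({
    severity,
    "logging.googleapis.com/labels": { "firebase-log-type": LOG_TYPE },
    jsonPayload: { message: "constructed sample", verifications },
  });
}

// Constructed sample input (newline-delimited JSON), not real logs.
// "VALID" is an assumed state name; the page shows only MISSING and INVALID.
const SAMPLE_LOGS = [
  makeEntry("WARNING", { auth: "MISSING", app: "INVALID" }),
  makeEntry("INFO", { auth: "VALID", app: "VALID" }),
  makeEntry("INFO", { auth: "VALID", app: "MISSING" }),
  makeEntry("WARNING", { auth: "INVALID", app: "VALID" }),
  makeEntry("INFO", undefined), // label present, verifications absent
  '{"severity":"INFO","jsonPayload":{"message":"unrelated log"}}',
  "not json at all",
].join("\n");

function summarizeVerifications(ndjson) {
  const summary = { total: 0, skipped: 0, rejected: 0, auth: {}, app: {} };
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let entry = null;
    try { entry = JSON.parse(line); } catch (err) { /* malformed line */ }
    const labels = (entry && entry["logging.googleapis.com/labels"]) || {};
    if (labels["firebase-log-type"] !== LOG_TYPE) {
      summary.skipped++; // malformed line or some other log type
      continue;
    }
    const v = (entry.jsonPayload && entry.jsonPayload.verifications) || {};
    // Anything that is not a string state goes into an UNKNOWN bucket.
    const auth = typeof v.auth === "string" ? v.auth : "UNKNOWN";
    const app = typeof v.app === "string" ? v.app : "UNKNOWN";
    summary.total++;
    summary.auth[auth] = (summary.auth[auth] || 0) + 1;
    summary.app[app] = (summary.app[app] || 0) + 1;
    // An INVALID token of either kind means the request was answered with 401.
    if (auth === "INVALID" || app === "INVALID") summary.rejected++;
  }
  return summary;
}
```

Watching the `app.MISSING` count alongside `app.INVALID` shows how many clients send no AppCheck token at all, which the 401 responses alone do not reveal.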

taeold and others added 2 commits April 7, 2021 13:04

@google-cla google-cla bot added the cla: yes label May 10, 2021
@taeold taeold requested review from inlined and joehan May 11, 2021 00:09
@taeold taeold marked this pull request as ready for review May 11, 2021 17:43
taeold and others added 2 commits May 11, 2021 11:50
Co-authored-by: Michael Bleigh <bleigh@google.com>
Co-authored-by: Michael Bleigh <bleigh@google.com>
Member

@inlined inlined left a comment


LGTM. My only concern is that we're dropping support for 9.0.0 to ~9.7

@taeold taeold merged commit c29a8a5 into master May 12, 2021
@inlined inlined deleted the cf3-appcheck branch May 12, 2021 18:19
@diegofun

I got an issue implementing AppCheck; when I use a callable function the system says:

W/StorageUtil: Error getting App Check token; using placeholder token instead...

What do you think I should do?

@taeold
Contributor Author

taeold commented Jun 1, 2021

@diegofun Can you try writing up an issue at https://github.com/firebase/firebase-functions/issues instead? It would help if you included a reproducible example (e.g. code samples, full stacktrace of error you are getting) so I can help debug the issue more easily.
