Update app/main.py

app/main.py

@@ -291,10 +291,42 @@ async def verify_request(request: Request):
     # If no valid token, allow (for public endpoints)
     return True
 
-def verify_app_check_token(token: str):
-    if not token or len(token) < 20:
-        raise HTTPException(status_code=401, detail="Invalid Firebase App Check token")
-    return True
+from firebase_admin import app_check
+from fastapi import HTTPException
+import os
+
+def verify_app_check_token(
+    token: str | None,
+    *,
+    required: bool = False
+):
+    """
+    If required=False:
+      - Missing token is allowed
+      - Invalid token is rejected
+    If required=True:
+      - Missing OR invalid token is rejected
+    """
+
+    # Token missing
+    if not token:
+        if required:
+            raise HTTPException(
+                status_code=401,
+                detail="Firebase App Check token missing"
+            )
+        return True  # OPTIONAL → allow request
+
+    # Token present → must be valid
+    try:
+        app_check.verify_token(token)
+        return True
+    except Exception as e:
+        raise HTTPException(
+            status_code=401,
+            detail="Invalid Firebase App Check token"
+        )
+
 
 def _resolve_user_id(request: Request, supplied_user_id: Optional[str]) -> Optional[str]:
     """Return supplied user_id if provided and not empty, otherwise None (will auto-generate in log_media_click)."""
@@ -606,7 +638,7 @@ async def colorize(
     import time
     start_time = time.time()
     
-    verify_app_check_token(x_firebase_appcheck)
+    verify_app_check_token(x_firebase_appcheck,required=False)
     
     ip_address = request.client.host if request.client else None
     effective_user_id = _resolve_user_id(request, user_id)