Implement real token verification tests for HTTPS callables (matching Node.js mockrequest.ts) #91
Context
Currently, the firebase_functions_dart SDK relies entirely on `skipTokenVerification: true` (or implicitly dropping the Admin SDK instance) in both unit and E2E tests for HTTPS callables. This means we are not testing the actual dart_firebase_admin token verification path (`verifyIdToken` / `verifyToken`).
The firebase-functions-js SDK solves this issue natively in its unit tests without relying on complex E2E environment token minting.
How the JS SDK handles it
In `spec/fixtures/mockrequest.ts`, the JS SDK sets up an in-memory integration test for the Admin SDK's verification logic:
- Mock Keys: They use a hardcoded test private/public keypair in their test fixtures (`key.json`, `jwk.json`).
- Local Token Minting: They mint real signed JWTs locally using the `jsonwebtoken` library and their fake private key.
- HTTP Interception: They use `nock` to intercept the outgoing HTTP request the Admin SDK makes to fetch Google's public keys (e.g., `https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com`).
- Verification: `nock` returns the fake public key, and the Admin SDK successfully performs the cryptographic validation.
Proposal for Dart
We should replicate this testing strategy in Dart to ensure full coverage of the token validation boundary:
- Token Generation: Use `package:dart_jsonwebtoken` to generate and sign properly formed JWTs locally using a test private key.
- HTTP Interception: Intercept the backend HTTP requests `dart_firebase_admin` attempts to make to fetch the keys. This could be achieved by:
  - Injecting a mocked `http.Client` (e.g., `MockClient` from `package:http/testing.dart`) if the Admin SDK permits dependency injection for its internal HTTP requests.
  - Alternatively, using `HttpOverrides.global` in the test suite to catch global `dart:io` HTTP traffic to the Google certificate endpoints and returning a mocked payload.
Implementing this will give us high-confidence SDK integration tests over the authentication headers without introducing flake or demanding complex credentials in E2E.