Allow auth on public endpoints and delete guest docs

src/main/kotlin/com/android/trisolarisserver/controller/GuestDocuments.kt

@@ -139,6 +139,37 @@ class GuestDocuments(
             .body(resource)
     }
 
+    @DeleteMapping("/{documentId}")
+    @ResponseStatus(HttpStatus.NO_CONTENT)
+    fun deleteDocument(
+        @PathVariable propertyId: UUID,
+        @PathVariable guestId: UUID,
+        @PathVariable documentId: UUID,
+        @AuthenticationPrincipal principal: MyPrincipal?
+    ) {
+        requireRole(propertyAccess, propertyId, principal, Role.ADMIN, Role.MANAGER)
+
+        val document = guestDocumentRepo.findByIdAndPropertyIdAndGuestId(documentId, propertyId, guestId)
+            ?: throw ResponseStatusException(HttpStatus.NOT_FOUND, "Document not found")
+        val status = document.booking.status
+        if (status != com.android.trisolarisserver.models.booking.BookingStatus.OPEN &&
+            status != com.android.trisolarisserver.models.booking.BookingStatus.CHECKED_IN
+        ) {
+            throw ResponseStatusException(
+                HttpStatus.BAD_REQUEST,
+                "Documents can only be deleted for OPEN or CHECKED_IN bookings"
+            )
+        }
+
+        val path = Paths.get(document.storagePath)
+        try {
+            Files.deleteIfExists(path)
+        } catch (_: Exception) {
+            throw ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Failed to delete file")
+        }
+        guestDocumentRepo.delete(document)
+    }
+
     private fun runExtraction(documentId: UUID, propertyId: UUID, guestId: UUID) {
         extractionQueue.enqueue {
             val document = guestDocumentRepo.findById(documentId).orElse(null) ?: return@enqueue

src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt

@@ -20,7 +20,11 @@ class FirebaseAuthFilter(
     private val logger = LoggerFactory.getLogger(FirebaseAuthFilter::class.java)
 
     override fun shouldNotFilter(request: HttpServletRequest): Boolean {
-        return PublicEndpoints.isPublic(request)
+        if (!PublicEndpoints.isPublic(request)) {
+            return false
+        }
+        val header = request.getHeader(HttpHeaders.AUTHORIZATION)
+        return header.isNullOrBlank() || !header.startsWith("Bearer ")
     }
 
     override fun doFilterInternal(