Reputation: 5984
I am using the Firebase Admin SDK on Java to mint custom tokens with custom claims set. I am sending these back to the Android app, which is the client interface, and am logging in with:
signInWithCustomToken("foundtokenfromserver");
Now the service account file used to sign the token is safe and hidden. But since the database URL, API key and storage bucket URL are exposed on the web part, I think anyone can make an app of their own from that. I do have security rules in place restricting a user to their own node.
My main concern is:
If someone intercepts the minted custom token and saves it, can they not just use that token to log in using the above FirebaseApp (generated using the exposed info)?
Is there a way Firebase prevents such misuse (maybe the auth domain can stop the web, but what about localhost)?
Upvotes: 0
Views: 588
Reputation: 30818
In general, you will only mint the custom token after you send some auth assertion to your server. For example, you may be using your own custom auth system using email/password. Another example is that you could be using an unsupported OAuth provider and assume that provider already verified the user and only returned the assertion (OAuth credential, authorization code, etc.) after verifying the application. In addition, you would be using a secure TLS connection to prevent eavesdropping.
Upvotes: 1
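The flow the answer describes (verify the client's own auth assertion first, mint the custom token only after that), as an added Java example that is not code from the question or the answer. It assumes Firebase Admin SDK 7+ for Java, Java 16+ for the record type, a constructed in-memory user store that is populated elsewhere, and a placeholder service-account path.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.firebase.FirebaseApp;
import com.google.firebase.FirebaseOptions;
import com.google.firebase.auth.FirebaseAuth;
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class CustomTokenMinter {
    // Hypothetical server-side user record: uid and role come from here, never from the client.
    record User(String uid, String role, byte[] salt, byte[] passwordHash) {}

    // Constructed in-memory store; a real server would back this with a database.
    private final Map<String, User> usersByEmail = new HashMap<>();

    public CustomTokenMinter() throws Exception {
        // Placeholder path: the service-account key stays on the server only.
        FirebaseOptions options = FirebaseOptions.builder()
            .setCredentials(GoogleCredentials.fromStream(
                new FileInputStream("/path/to/serviceAccountKey.json")))
            .build();
        FirebaseApp.initializeApp(options);
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(spec).getEncoded();
    }

    // Login handler logic (serve it only over HTTPS): the custom token is minted
    // after the email/password assertion has been verified, and not before.
    public String login(String email, char[] password) throws Exception {
        User user = usersByEmail.get(email);
        if (user == null) throw new SecurityException("invalid credentials");
        // Constant-time comparison of the derived hash against the stored one
        if (!MessageDigest.isEqual(pbkdf2(password, user.salt()), user.passwordHash())) {
            throw new SecurityException("invalid credentials");
        }
        Map<String, Object> claims = new HashMap<>();
        claims.put("role", user.role());
        // Signed with the service-account key; custom tokens expire after one hour
        // and the client redeems this one with signInWithCustomToken over TLS.
        return FirebaseAuth.getInstance().createCustomToken(user.uid(), claims);
    }
}
```

The uid and the claims placed in the token are taken from the verified server-side record, so a caller cannot request a token for someone else's node.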