Eagleclaw

Reputation: 369

Can User Create or Change Firebase Auth.uid?

I'm going to use Firebase in my Android project and I want to authenticate the user with the signInWithCustomToken function.

I'll generate the token from my Admin SDK (Python) and return it to the user, and the user will authenticate with that token.

My question is:

1 -> Can the token I generated with a key be generated only by me? I mean, is it unique to me?

```python
from firebase_admin import auth  # Admin SDK; the app must already be initialized

uid = 'some-uid'
custom_token = auth.create_custom_token(uid)
```

Can someone create the same token as mine if he uses the same uid or is it always unique?

2 -> Can someone set the firebase.auth.uid variable manually, without using the firebase.authenticate function?

I mean, if someone gets the auth.uid but not the token, can he set that auth.uid in the client to the auth variable?

Thanks for the information and answers...

Upvotes: 0

Views: 462

Answers (1)

R.S.

Reputation: 146

1 - The custom token could only be duplicated if someone gains access to your serviceCredentials file, meaning they'd have full access to read/write your Firebase contents. If you create a token with the same UID from a different Firebase project, the tokens won't match.

2 - Someone may attempt to set the auth.uid variable manually; however, this is useless without the auth token itself, which enables read/write on the database (depending on your Firebase security rules). Firebase documentation states that they will generate the auth token, and once again this cannot be done without having your serviceCredentials file.

Upvotes: 2
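Both points in the answer come down to signature verification, sketched here as an added example (not code from the original post or from Firebase). Assumptions: an unpadded toy RSA key built from Mersenne primes stands in for the private key in the service credentials file, and `mint`, `verify`, `tamper_uid` and the reduced claim set are hypothetical simplifications of the real RS256-signed JWT.

```python
import base64, hashlib, json, time

E = 65537  # public exponent

def make_key(p, q):
    # Constructed toy key from two Mersenne primes: insecure, demo only.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

PROJECT_KEY = make_key(2**521 - 1, 2**607 - 1)    # stands in for your credentials file
OTHER_KEY = make_key(2**1279 - 1, 2**2203 - 1)    # any key that is not yours

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def digest(signing_input):
    return int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")

def mint(uid, key, now=None):
    # Hypothetical, simplified claim set; real custom tokens carry more claims.
    now = int(time.time() if now is None else now)
    claims = {"uid": uid, "iat": now, "exp": now + 3600}
    body = b64(b'{"alg":"toy-rsa"}') + "." + b64(json.dumps(claims).encode())
    sig = pow(digest(body), key["d"], key["n"])
    return body + "." + b64(sig.to_bytes((key["n"].bit_length() + 7) // 8, "big"))

def verify(token, n):
    """Return the uid only when the signature matches public modulus n."""
    try:
        head, payload, sig = token.split(".")
        ok = pow(int.from_bytes(unb64(sig), "big"), E, n) == digest(head + "." + payload)
        claims = json.loads(unb64(payload))
    except ValueError:
        return None
    if not ok or not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims.get("uid")

def tamper_uid(token, new_uid):
    # Models a client that edits the uid it presents without holding the key.
    head, payload, sig = token.split(".")
    claims = dict(json.loads(unb64(payload)), uid=new_uid)
    return ".".join([head, b64(json.dumps(claims).encode()), sig])
```

The verifier never trusts a uid on its own: it returns one only after the signature over the whole claim set checks out against the project's public key.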
