Are auth tokens supposed to be viewable to the public?

I'm kind of new to Firebase security, and web development in general, but I am generating JWTs on the server side of my Rails app. However, to pass them to Firebase, it seems I have to pass the token (which is stored on the users table in the db) in a view with this JavaScript code:

var ref = new Firebase('https://mysite.firebaseio.com/');
ref.auth('<%= @user.auth_token %>');

Is this how you are supposed to handle auth tokens? I thought it might defeat the point, since the auth tokens are then viewable to the users from the page source.

The auth token can also be viewed from the Firebase REST APIs explained here.

The query parameter `auth` value is also visible if someone traces the HTTP packets somehow, e.g. using Wireshark, but I guess this is the way it is to be used. A JWT auth token is just a string.

But these JWTs can be generated with a specific expiration time using the token generation libraries; by default the expiry time is 24 hours.

Reference

By default, authentication tokens expire 24 hours after they are issued and the client will automatically be unauthenticated at that time. We can override this by changing the Session Length setting on the Login & Auth tab of the Firebase's dashboard, or individually when creating the token by providing a specific expiration date. For details, see the docs for the specific token generator library you're using.

Also, Firebase provides ways to specify definite rules for access to the data in Firebase. See here.

Also, it provides data validation to keep the data consistent. See here.
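As an added example (not part of the answer above, and not code from the asker's Rails app), here is what "generating the JWT with a specific expiration time" looks like in plain Ruby, using the stdlib instead of the token generator gem, in the legacy Firebase custom-token layout (HS256, claims `v`, `iat`, `d`, optional `exp`/`nbf`). It also makes the answer's two implicit points concrete: the claims are readable by anyone who sees the token string, and the only checks the server can make are the signature and the time bounds, so whoever holds an unexpired token is that user. The secret string, the `user-42` uid and all helper names are constructed for this example.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed placeholder. The real secret comes from the Firebase dashboard and
# must only ever exist on the Rails server (credentials/ENV), never in a view.
FIREBASE_SECRET = 'constructed-example-secret-not-a-real-one'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes).delete('=')
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# Constant-time byte comparison so a wrong signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a legacy-format Firebase custom token: an HS256 JWT whose claims are
# v (format version), iat, d (the identity payload that rules see as `auth`)
# and, here, an explicit exp instead of the dashboard's 24-hour default.
def mint_firebase_token(secret, uid, ttl_seconds: 3600, now: Time.now.to_i)
  header = { typ: 'JWT', alg: 'HS256' }
  claims = { v: 0, iat: now, d: { uid: uid }, exp: now + ttl_seconds }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Anyone holding the token can read its claims without the secret: the payload
# is base64url-encoded, not encrypted. That is why it is "just a string" and has
# to be treated as a bearer credential wherever it appears (page source, URL, log).
def decode_claims(token)
  JSON.parse(b64url_decode(token.split('.')[1]))
end

# Check the token the way the Firebase server does before trusting `d`:
# signature first, then time bounds. Returns [identity, nil] or [nil, reason].
def verify_firebase_token(secret, token, now: Time.now.to_i)
  parts = token.split('.')
  return [nil, 'malformed'] unless parts.length == 3
  signing_input = "#{parts[0]}.#{parts[1]}"
  expected = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  actual = begin
    b64url_decode(parts[2])
  rescue ArgumentError
    return [nil, 'malformed']
  end
  return [nil, 'bad signature'] unless secure_equal?(expected, actual)
  claims = JSON.parse(b64url_decode(parts[1]))
  return [nil, 'expired'] if claims['exp'] && now >= claims['exp']
  return [nil, 'not yet valid'] if claims['nbf'] && now < claims['nbf']
  [claims['d'], nil]
end

if __FILE__ == $PROGRAM_NAME
  token = mint_firebase_token(FIREBASE_SECRET, 'user-42', ttl_seconds: 600)
  puts token
  p decode_claims(token)                          # readable by anyone who sees the page source
  p verify_firebase_token(FIREBASE_SECRET, token) # [{"uid"=>"user-42"}, nil]
  p verify_firebase_token(FIREBASE_SECRET, token, now: Time.now.to_i + 601) # [nil, "expired"]
end
```

The `exp` here is ten minutes. For the view in the question, a short `exp` bounds how long a token copied from page source, a proxy log or a `?auth=` query string stays useful, but it does not make the token safe to share: until it expires, anyone holding it is that user to Firebase. The secret used to mint it is the thing that must never leave the server.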

The Firebase auth token is used for identity, but not for authorization. The latter is governed by your Firebase Security Rules, which will use the present (and future, if writing) state of the data, in combination with the identity presented in the auth token to determine whether or not a given read or write operation is allowed.

As a result, users can see / access their own auth tokens, but should not be able to see / access the auth tokens of other users, as that would allow other users (who are potentially malicious parties) to impersonate the user corresponding to that auth token.
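As an added illustration of the identity/authorization split this answer describes (example rules, not from the question's app or the answer): when a custom token carries `d: {uid: ...}`, the legacy Firebase Security Rules see that payload as `auth`, so a rule can confine each authenticated user to their own subtree and reject malformed writes with `.validate`. The `users` and `profile` paths and the `name` field are assumed for the example.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "profile": {
          ".validate": "newData.hasChildren(['name']) && newData.child('name').isString()"
        }
      }
    }
  }
}
```

Two practical points follow from how these rules evaluate. First, `.read`/`.write` permissions cascade downward and a child rule cannot revoke what a parent granted, so server-only secrets such as the Rails `auth_token` column should never be written into the Firebase tree at all rather than being "protected" by a nested `false`. Second, with no `auth` (an unauthenticated client) every expression above is false, so nothing is readable by default; the token in the view is what turns `auth.uid` into a value the rules can match.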