While sniffing the Firebase traffic, I have seen that a code is passed to the auth server so that it always returns a 200 status code. This shows that there is some level of optional security at some level in the authentication protocol.
Is there a way to cause Firebase authentication to fail with an identical error message when the user enters a non-existent email address as when they enter the wrong password?
The INVALID_USER status code gives me concern about the potential for a user enumeration attack, in a case where my application has become compromised via script injection.
Information on how to more securely lock down the Firebase auth protocol, and/or some sort of statement about smart rate limiting (somehow distributed attack immune?) being applied would probably go a long way to assuring me that Firebase's built-in email and password auth is indeed secure (assuming Firebase rules are set up correctly, certs aren't compromised on the client, etc).
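One way a backend or proxy in front of the sign-in call can address both concerns raised above (an identical answer for unknown email and wrong password, plus failure throttling) is sketched below. This is an added example, not code from the question or from Firebase; `LoginGateway`, the `verify` callback and its result codes are constructed for illustration.

```javascript
// Added example (not from the question or Firebase): a login gateway that
// hides the INVALID_USER / wrong-password distinction from the caller and
// throttles repeated failures per email and per client address.
// `verify(email, password)` stands in for the real backend sign-in call; its
// result codes 'ok', 'INVALID_USER' and 'WRONG_PASSWORD' are constructed.
const GENERIC_FAILURE = 'Invalid email or password.';

class LoginGateway {
  constructor(verify, { maxFailures = 5, windowMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.verify = verify;
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.now = now;
    this.failures = new Map(); // key -> timestamps of recent failures
  }

  // Drop failures older than the window and return how many remain.
  recentFailures(key) {
    const cutoff = this.now() - this.windowMs;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    this.failures.set(key, kept);
    return kept.length;
  }

  recordFailure(key) {
    this.recentFailures(key); // prune first so the array exists
    this.failures.get(key).push(this.now());
  }

  attempt(email, clientAddr, password) {
    const keys = [`email:${email.toLowerCase()}`, `addr:${clientAddr}`];
    // A throttled caller gets the same generic answer as a bad credential,
    // so neither the message nor the throttle reveals whether the account exists.
    if (keys.some((k) => this.recentFailures(k) >= this.maxFailures)) {
      return { ok: false, message: GENERIC_FAILURE, throttled: true };
    }
    const code = this.verify(email, password);
    if (code === 'ok') return { ok: true, message: 'signed in', throttled: false };
    // The precise code (INVALID_USER vs WRONG_PASSWORD) belongs in server-side
    // logs for detection; it is never returned to the client.
    keys.forEach((k) => this.recordFailure(k));
    return { ok: false, message: GENERIC_FAILURE, throttled: false };
  }
}
```

Client-side mapping of error codes alone does not help here, since an attacker can call the auth endpoint directly; the uniform response has to come from whatever the client actually talks to.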