Skrew Everything
Apr 16, 2020


You do realize that HTTP referrers can be spoofed very easily right?

If a person can extract your Firebase config from your web app code, then spoofing the domain takes the least amount of work for them.

Actually, even if you create your own Auth server in Node/PHP/Java etc., it does not stop anyone from creating spam users. That’s why rate limiting is important, and Firebase already provides that: you can configure how many users can be created per IP per hour.

That’s why email verification is important to remove spam users. If the users are not verified, then just provide minimum functionality of your app until they verify it’s them. Firebase already provides email and phone verification under the free plan.

Also, account inactivity can be used to send warning emails asking users to authenticate, or their accounts will be deleted. That’s what Dropbox does. Firebase already provides the last login of the users.

And that’s the reason exposing or not exposing the Firebase API and config doesn’t matter, and you found out that “In fact found that by design those config information suppose to be public.” Those are in fact just endpoints to communicate with your Firebase backend.

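The reply above argues that the public Firebase config is not the control that matters; what matters is enforced on the backend: a per-IP sign-up rate limit, minimum functionality until the user has verified an email or phone number, and an inactivity warn-then-delete policy based on last sign-in. The following is an added example written for this page, not code from the comment author or from Firebase, showing how a Node backend would apply those three controls. The claim names `email_verified`, `phone_number` and `firebase.sign_in_provider` are standard fields of a decoded Firebase ID token, and `lastSignInTime` is the UTC string on a Firebase user record's metadata; the rate-limiter class, the access tiers, the day thresholds and all sample inputs are constructed for illustration and are assumptions, not Firebase behaviour.

```javascript
// Added example (not from the original comment or from Firebase): the
// server-side controls the reply describes. Sample data below is constructed.

const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// Sliding-window counter: at most `limit` sign-ups per client IP per window.
// Mirrors the "N users per IP per hour" control; `now` is injected so the
// behaviour is deterministic in tests.
class SignupRateLimiter {
  constructor(limit = 100, windowMs = HOUR_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.attempts = new Map(); // ip -> timestamps (ms) of recent sign-ups
  }

  // Returns true and records the attempt if the sign-up may proceed.
  allow(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.attempts.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.attempts.set(ip, recent);
      return false;
    }
    recent.push(now);
    this.attempts.set(ip, recent);
    return true;
  }
}

// Access tier derived from the payload of an already verified ID token.
// Deciding this on the server (or in security rules) is what protects the
// app; the client-side config being public does not change it.
function accessLevel(claims) {
  if (!claims || !claims.sub) return 'none';
  const provider = claims.firebase && claims.firebase.sign_in_provider;
  if (provider === 'anonymous') return 'anonymous';
  if (claims.email_verified === true || typeof claims.phone_number === 'string') {
    return 'full';
  }
  return 'limited'; // registered but unverified: minimum functionality only
}

// Inactivity policy of the warn-then-delete kind the reply mentions.
// `lastSignInTime` is the UTC date string Firebase exposes for a user's
// last sign-in; the day thresholds are assumed values.
function inactivityAction(lastSignInTime, now, warnAfterDays = 365, deleteAfterDays = 395) {
  const last = Date.parse(lastSignInTime);
  if (Number.isNaN(last)) return 'unknown';
  const idleDays = (now - last) / DAY_MS;
  if (idleDays >= deleteAfterDays) return 'delete';
  if (idleDays >= warnAfterDays) return 'warn';
  return 'active';
}

// Constructed scenario: a burst of four sign-ups from one IP against a limit
// of three, one more after the hour has passed, and tiers for three tokens.
function demo() {
  const limiter = new SignupRateLimiter(3);
  const t0 = Date.parse('2020-04-16T10:00:00Z');
  const burst = [0, 1, 2, 3].map((i) => limiter.allow('203.0.113.7', t0 + i * 1000));
  const afterWindow = limiter.allow('203.0.113.7', t0 + HOUR_MS + 5000);
  const tiers = [
    { sub: 'u1', email_verified: false, firebase: { sign_in_provider: 'password' } },
    { sub: 'u2', email_verified: true, firebase: { sign_in_provider: 'password' } },
    { sub: 'u3', firebase: { sign_in_provider: 'anonymous' } },
  ].map(accessLevel);
  return { burst, afterWindow, tiers };
}

console.log(JSON.stringify(demo()));
```

The limiter keeps only timestamps inside the current window, so a client that was blocked becomes eligible again once its earlier attempts age out; the access tier is computed from token claims the client cannot forge, which is the point of the reply about the config being safe to expose.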