Since the auth tokens are public, attackers can run brute-force and credential-stuffing attacks by hitting the Firebase Auth API directly. Firebase should allow organizations to override and proxy the auth endpoints so that they can be placed behind firewalls, giving organizations more control to combat such attacks.
Currently organizations are at the mercy of attackers, since Firebase-hosted scripts only trigger on a successful login attempt.
Allowing organizations to override the auth endpoint so that it is proxied through a service behind a firewall would let them block the public API key from hitting the Firebase Auth / identitytoolkit endpoints directly. When proxied, the real auth key can be appended to the requests by the proxy, which sits behind a firewall where additional security checks can be applied to prevent credential stuffing.
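As an added illustration of the proxy this request describes (example code written for this page, not Firebase's own code and not part of the issue), the routing half of such a service: clients are pointed at the proxy instead of identitytoolkit.googleapis.com, any client-supplied key is discarded and the server-held key is attached, and a per-IP and per-email budget of failed sign-ins is enforced before anything is forwarded. The key value, the window and the limits are placeholders/assumptions.

```javascript
const UPSTREAM = 'https://identitytoolkit.googleapis.com';
// Only the Identity Toolkit operations the app actually uses are forwarded.
const ALLOWED = new Set(['/v1/accounts:signInWithPassword',
  '/v1/accounts:signUp', '/v1/accounts:sendOobCode', '/v1/accounts:lookup']);
const FAIL_WINDOW_MS = 10 * 60 * 1000; // assumption: 10-minute sliding window
const MAX_FAILS_PER_EMAIL = 5;         // assumption: per-account budget
const MAX_FAILS_PER_IP = 50;           // assumption: per-source budget

const failures = new Map(); // key -> timestamps of recent failed attempts

function recentFailures(key, now) {
  const kept = (failures.get(key) || []).filter(t => t > now - FAIL_WINDOW_MS);
  failures.set(key, kept);
  return kept.length;
}

function recordFailure(key, now) {
  recentFailures(key, now);       // prune, then append
  failures.get(key).push(now);
}

// Decide what to do with one client request ({method, url, ip, body}).
// Returns {block:true, status, reason} or {block:false, upstream, keys}.
function routeRequest(req, realApiKey, now = Date.now()) {
  const url = new URL(req.url, 'http://proxy.local');
  if (req.method !== 'POST' || !ALLOWED.has(url.pathname)) {
    return { block: true, status: 404, reason: 'unsupported endpoint' };
  }
  let body;
  try { body = JSON.parse(req.body || '{}'); }
  catch { return { block: true, status: 400, reason: 'invalid json' }; }
  const email = String(body.email || '').toLowerCase();
  const keys = [`ip:${req.ip}`].concat(email ? [`email:${email}`] : []);
  if (recentFailures(keys[0], now) >= MAX_FAILS_PER_IP ||
      (email && recentFailures(keys[1], now) >= MAX_FAILS_PER_EMAIL)) {
    return { block: true, status: 429, reason: 'too many failed sign-in attempts' };
  }
  // Whatever key the client sent is dropped; only the server-held key goes upstream.
  url.searchParams.delete('key');
  url.searchParams.set('key', realApiKey);
  const upstream = { method: 'POST', url: UPSTREAM + url.pathname + url.search,
    headers: { 'content-type': 'application/json' }, body: JSON.stringify(body) };
  return { block: false, upstream, keys };
}

// Call once the upstream response is known: a 4xx from Identity Toolkit on a
// sign-in means the attempt failed, so charge it to the IP and the email.
function recordOutcome(decision, upstreamStatus, now = Date.now()) {
  if (decision.block || upstreamStatus < 400) return;
  for (const k of decision.keys) recordFailure(k, now);
}
```

Wiring these two functions into an HTTP handler (forward `decision.upstream` with fetch, relay the status, then call `recordOutcome`) is left to the surrounding service; the decision logic above is what needs to live behind the firewall.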
Description
API Proposal
No API changes are required
Firebase Product(s)
Authentication