I am building a basic webapp using Firebase that requires authentication and session handling. Going over the docs for Firebase Auth, I decided to use the email/password opt
The tokens returned by the Simple Login are time-bound, user-specific tokens. If compromised, they will at worst allow an attacker to impersonate that user for a limited period of time. They do not contain the user's password or other sensitive data.
localStorage can only be accessed by JavaScript on the host domain from which it was saved, so other sites you visit will have no access to it (assuming the browser or your site haven't been compromised, but if they have, all bets are off...)
So, short answer, this approach is quite secure.
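The properties described in this answer (a time-bound, user-specific token with no password in it, kept in origin-scoped storage) can be checked on the client. The following is an added example, not part of the original answer and not Firebase's own code. It assumes the token is a three-part JWT-style string with an `exp` claim; the claim layout, the storage key and the sample token are constructed for illustration, and in a browser `atob` would replace `Buffer`.

```javascript
// Build a constructed sample token: header.payload.signature (dummy signature).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  b64url({ typ: "JWT", alg: "HS256" }),
  // Assumed claim layout: issued-at, expiry, and a user-specific data object.
  b64url({ iat: 1700000000, exp: 1700086400,
           d: { uid: "simplelogin:1", provider: "password" } }),
  "constructed-signature",
].join(".");

// Decode the payload segment. This only reads claims; it does not verify
// the signature, which is the server's job.
function decodeClaims(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a three-part token");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Report who the token is for, how long it remains valid, and whether any
// claim key looks like a stored password.
function inspectToken(token, nowSeconds) {
  const claims = decodeClaims(token);
  const hasExp = typeof claims.exp === "number";
  return {
    uid: claims.d && claims.d.uid,
    expired: !hasExp || nowSeconds >= claims.exp, // no expiry: treat as stale
    secondsLeft: hasExp ? Math.max(0, claims.exp - nowSeconds) : 0,
    mentionsPassword:
      /"(password|passwd|pwd)"\s*:/i.test(JSON.stringify(claims)),
  };
}

// Remove a stale or unparsable token from a localStorage-like object so it
// does not linger in the browser after it stops being useful.
function purgeIfExpired(storage, key, nowSeconds) {
  const token = storage.getItem(key);
  if (token === null) return false;
  let expired = true;
  try { expired = inspectToken(token, nowSeconds).expired; } catch (e) {}
  if (expired) storage.removeItem(key);
  return expired;
}
```

In a page, `purgeIfExpired(window.localStorage, key, Math.floor(Date.now() / 1000))` can run at load time, before the stored token is handed to the auth client.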