I am writing a Web App where users can pay via credit card and book a room. Showing Firebase configs in source code hasn't been a problem since Firebase uses user based security - a user can only write what he/she is allowed to write. However, when it comes to payment, I doubt if users may add bookings using the configs without going through payment process from the front end.
How may I ensure that when a booking record is inserted, there is something like a valid payment token? Is this possible with my current choice of tools? (Firebase and Stripe)
You should have a look at at https://github.com/firebase/functions-samples/tree/master/stripe.
In this sample, the triggers are user creation (see below) or user deletion, but you could have another model.
exports.createStripeCustomer = functions.auth.user().onCreate(event => {....