I'm trying to work around the lack of a username property in Firebase Auth, and was thinking of storing a username in the user profile itself in the UserInfo.displayName property. This is necessary so that I can get the displayName as auth.token.name in the security rules and then use it as a username.
However, it seems like the updateProfile method isn't locked down so it is conceivable that the user can hack the api with their token and call updateProfile directly to change that display name to someone else's username. https://firebase.google.com/docs/reference/js/firebase.User#updateProfile
Is there a way that I can lock down that displayName so that it's not editable by the client, or not editable after registration?
firebaser here
There is no way to limit the user profile changes to initial user registration. The public properties in that profile (currently displayName and photoURL) are the user's to change.
If you want more control over the properties kept for a user, you will have to keep them in a secondary system, such as the database that Alex mentions in his answer.
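One way to keep the username in the database and make it write-once, shown as an added example that is not part of the original answer: Realtime Database security rules in which a user claims a name exactly once and other rules read it from the database instead of from auth.token.name. The paths `usernames`, `users` and `posts`, and the name format, are assumptions made for illustration.

```json
{
  "rules": {
    // Hypothetical layout: /usernames/<name> = uid, /users/<uid>/username = name
    "usernames": {
      "$username": {
        ".read": true,
        // Write-once: allowed only while the name is unclaimed. Deletes and
        // overwrites fail because data.exists() is then true.
        ".write": "auth != null && !data.exists()",
        // The claim must point at the caller, match the assumed name format,
        // and be written together with the caller's own profile entry.
        ".validate": "newData.val() === auth.uid && $username.matches(/^[a-z0-9_]{3,20}$/) && newData.parent().parent().child('users').child(auth.uid).child('username').val() === $username"
      }
    },
    "users": {
      "$uid": {
        "username": {
          ".read": true,
          // Only the owner can set it, and only while it is still empty.
          ".write": "auth != null && auth.uid === $uid && !data.exists()",
          // The profile entry must agree with the claim in /usernames.
          ".validate": "newData.isString() && newData.parent().parent().parent().child('usernames').child(newData.val()).val() === $uid"
        }
      }
    },
    "posts": {
      "$postId": {
        ".write": "auth != null",
        "author": {
          // Use the stored username rather than the client-editable
          // displayName exposed as auth.token.name.
          ".validate": "newData.val() === root.child('users').child(auth.uid).child('username').val()"
        }
      }
    }
  }
}
```

Because the two `.validate` rules refer to each other, the client has to write both locations in a single multi-path update; once written, neither entry can be changed or removed from the client.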