Next.js Discord

Discord Forum

Security and performance best practice?

Unanswered
Atlantic herring posted this in #help-forum
Atlantic herring (OP)
I decided to start building my first real web app using Firebase (Firebase Authentication, Firebase Firestore, Firebase Storage).

Of course, I want to make my web app highly performant and secure. The only publicly available routes should be /login, /sign-up and /reset-password. All other routes should be protected by authentication, meaning a user must be authenticated to access them.

In terms of performance, I want the web app to be fast.
Firebase basically has a Client SDK (which only runs on the client side) and an Admin SDK that should only run in a privileged environment/server.

Would you say it’s possible to have a fast and performant (no long loading spinners, etc.) and secure (protected routes) app using only the client side and client SDK?

How would you go about securing all routes except /login, /sign-up, and /reset-password, so that anyone trying to access a protected route without being authorized sees an “Unauthorized” page? Is that even possible using just the client SDK or on client side in general?

Basically, I’m just trying to figure out if I actually need the Admin SDK, or if it’s just overkill.

0 Replies