Assessing Efficiency: Custom Claims and Firebase Admin SDK Implementation in Server Development
We have admin pages on our React website using Next.js. Our user types are defined in Cloud Firestore, but checking the user type for admin-only pages incurs a cost for each read operation. To mitigate this, we considered using custom claims. However, we’ve read that custom claims should be managed in a secure Firebase Admin SDK environment on a server.
Implementing Firebase Security Rules to Allow Only Admin and Regular Users to Read and Write, While Keeping Sign-Up/Sign-In Functional
I need to establish Firebase security rules to allow only admin user types and regular users (for every user created in Firebase Authentication, a user document is written in Cloud Firestore where the user type is defined) to read and write. However, I still want to allow sign-up and sign-in pages to read and write, as sign-up pages create the user document and sign-in reads the user document to determine which page to take the user to. However, I am concerned that someone could potentially exploit these pages to perform excessive reads and writes. I am using React and Next.js.
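An added example (not the poster's code) tying the two questions together: the Admin SDK call stamps an `admin` custom claim on a user once, on the server, so the Firestore rules can check `request.auth.token.admin` without a Firestore read; a regular user may only create and read their own `users/{uid}` document, which is all that sign-up and sign-in need. The `decide` function mirrors the rules so the policy can be checked offline. Assumptions: `firebase-admin` is initialised elsewhere in a trusted environment, the collection is named `users`, and the claim is named `admin`.

```javascript
// Added example (not the poster's code). Assumes firebase-admin is initialised
// elsewhere in a trusted server environment; the collection name `users` and
// the claim name `admin` are assumed.

// Server side: set the claim once. It is then carried in the user's ID token,
// so security rules can check it without reading Firestore on every request.
async function grantAdmin(uid) {
  const admin = require('firebase-admin'); // loaded lazily; server only
  await admin.auth().setCustomUserClaims(uid, { admin: true });
}

// Firestore rules for the policy: admins (by claim) may read and write any
// user document; any signed-in user may only create and read their own.
// Each `allow` statement is evaluated independently, so a missing `admin`
// key on a non-admin token does not block the second statement.
const FIRESTORE_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow read, write: if request.auth != null
                         && request.auth.token.admin == true;
      allow create, read: if request.auth != null
                          && request.auth.uid == uid;
    }
  }
}`;

// Pure mirror of the rules above so the policy can be unit-tested offline.
// auth: null or { uid, token: { admin? } }
// op:   'read' | 'create' | 'update' | 'delete'
function decide(auth, docUid, op) {
  if (!auth) return false;                               // unauthenticated
  if (auth.token && auth.token.admin === true) return true; // admin claim
  const own = auth.uid === docUid;
  return own && (op === 'read' || op === 'create');      // sign-in / sign-up
}
```

Rules bound what a caller can touch, not how often: with this policy a non-admin account can only read or create its own document, so the damage from a misused sign-up or sign-in page is limited to that one document per account.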