PHP

How to make authorization through Firebase on a multi-page site?

Hello.

I'm making a small website in html/php/js.
The main nuance is that the site pages should be available only to those users who have logged in by phone number.

Ready-made and convenient solutions (for a novice developer like me) through SMS services are expensive. Authorization by call is cheaper, but also costs money. I found quite a suitable solution - SMS authorization through Google Firebase. The free limit is more than enough for me.

In the Firebase repository https://github.com/firebase/firebaseui-web took an example implementation. There is also an example of tracking whether the user is authorized on the site or not.

Everything would be fine, but the examples on the Firebase page are in JS.
Tell me how to make authorization on a multi-page site using JS? If I correctly understood the capabilities of the JS implementation, then the process of tracking authorization in JS cannot be done, otherwise the authorization sign will somehow be transmitted either in cookies or in the get / post request parameters. Those. after executing the JS script from the Firebase example, I see the user's cell number, token, and some other information. But how, based on this information, to close access to the page - I can’t figure it out.

I started looking for ways to implement this code in php.
- It seems like a good option to pass a variable about the authorization status from JS to PHP. But again, the variable will be transmitted in an accessible form and it is easy to replace it.
- I found a JWT library (including for php), which allows you to check the status by token. This option seems to be perfect. But the difficulty is that the library is installed via composer, and I have a simple hosting and no ssh support. Maybe there are some specific php files that I can copy from the repositories of JWT solution developers (but there are so many files that it is not clear which files I need for this library to work and how to connect them correctly)?

Another option that I managed to find is closing access to site pages through htaccess. Those. make the page with authorization open, and password-protect others. And if the authorization is correct, then give the user access to other pages. But I don't understand if this is even possible. After all, the password is written fixed and I don’t understand how to add users to the exception list in this case.

I would appreciate any help and advice on this matter.