How to properly handle security within authorization and authentication?

I’m about to start a new project with Meteor and React, but this project has some security levels to handle.

How to not expose unauthorized pages/components to users?

Since React components will be on the client, they can be viewed, right?
There is some way to only expose previous authorized components? So unauthenticated users will see only the <Login /> component… Managers will see <ManageUsers /> components and so on…