
How to protect client source when using Firebase


I understand that Firebase is a nice solution with which we need not pay much attention to backend / serverside development.

But since all the code is on the client side (if we use JavaScript/HTML5 as the client, it will be easy to unpack), how can we protect the code on the client side?

Because we have a standard server side (the Firebase backend service), anyone who gets our JavaScript/HTML client can simply edit the URL of our client and release their own new client app.

Is there any solution for that?


Solution

  • You are right, it is totally possible to reverse engineer your front-end code. If some of your business logic should stay secret (aka your "secret sauce") the recommended approach in a Firebase project is to implement it in your back-end.

    The most common/easy solution to do so is to use Cloud Functions because they take advantage of the serverless nature of the Firebase services and they are tightly integrated with the other services (Database, Cloud Storage, Auth, etc.).

    Concretely, you would write one or more Cloud Functions that you would trigger either directly from your front-end (see Callable Cloud Functions or HTTPS Cloud Functions, which can be seen as similar to REST API endpoints), by a background event (e.g. new Document in Firestore, new file in Cloud Storage, etc.), or on a schedule.

    Another solution would be to implement this secret business logic in your own application server and expose APIs that you would call from your front-end. Your server could interact with the Firebase back-ends via the Admin SDK (available for Node.js, Java, Go, C# and Python).
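
The approach in the answer above, as an added example that is not part of the original post: a handler with the `(data, context)` shape of a callable Cloud Function that keeps pricing rules on the server and checks the caller itself, since a modified client can send anything. The function name `quoteOrder`, the pricing data and the `CallError` stand-in for `functions.https.HttpsError` are assumptions made so the file runs without the Firebase SDK.

```javascript
// Added example. Wiring in functions/index.js (needs the firebase-functions package):
//   const functions = require("firebase-functions");
//   exports.quoteOrder = functions.https.onCall(quoteOrder);

// Hypothetical "secret sauce": pricing rules that never ship to the browser.
const PRICE_CENTS = { basic: 1000, pro: 4500 };   // constructed sample data
const VOLUME_DISCOUNT = [[50, 0.20], [10, 0.10]]; // [minimum quantity, discount]

// Stand-in for functions.https.HttpsError(code, message) so this runs offline.
class CallError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

function quoteOrder(data, context) {
  // Anyone can ship their own client, so identity is checked server-side.
  if (!context || !context.auth) {
    throw new CallError("unauthenticated", "Sign in first.");
  }
  const { sku, quantity } = data || {};
  // Validate every field; a price or discount sent by the client is ignored.
  if (!Object.prototype.hasOwnProperty.call(PRICE_CENTS, sku)) {
    throw new CallError("invalid-argument", "Unknown sku.");
  }
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 1000) {
    throw new CallError("invalid-argument", "quantity must be 1..1000.");
  }
  // First matching tier wins; tiers are listed from largest minimum down.
  const tier = VOLUME_DISCOUNT.find(([min]) => quantity >= min);
  const discount = tier ? tier[1] : 0;
  const totalCents = Math.round(PRICE_CENTS[sku] * quantity * (1 - discount));
  // Return only the result, never the rules that produced it.
  return { uid: context.auth.uid, sku, quantity, totalCents };
}
```

The client receives only `totalCents`; the discount table stays in the deployed function, and a rewritten client gains nothing by sending its own price.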