See here: https://stackoverflow.com/questions/77313457/block-client-side-password-reset-in-firebase

I would like to be able to disable all client-side password resets, both sending a password reset email and directly updating a password after re-authenticating so I can do all my logic though the admin API in functions.

For example, add and option in Authentication -> settings -> user actions that blocks client-side password resets (throws an 'auth/admin-restricted-operation')

(Would be nice to have this option for all auth functions, so you can decide to control access for everything better)