
Delete a specific user from Firebase

Updated: 2023-12-01 23:20:04

When using the client-side SDKs for Firebase Authentication, you can only delete the user account that is currently signed in. Anything else would be a huge security risk, as it would allow users of your app to delete each other's accounts.

The Admin SDKs for Firebase Authentication are designed to be used in a trusted environment, such as your development machine, a server that you control, or Cloud Functions. Because they run in a trusted environment, they can perform certain operations that the client-side SDKs can't perform, such as deleting user accounts by simply knowing their UID.
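One way to put that Admin SDK capability behind an authorization check on a server you control, as an added example that is not part of the original page. It assumes an `admin` custom claim on the caller's ID token; `makeDeleteUserHandler` and `makeFakeAuth` are hypothetical names, while `verifyIdToken` and `deleteUser` are the Admin SDK Auth methods.

```javascript
// Added example, not from the original page. `auth` is any object exposing the
// Admin SDK Auth methods verifyIdToken() and deleteUser(); on a real server,
// pass getAuth() from "firebase-admin/auth". The `admin` custom claim is an
// assumption of this example.
function makeDeleteUserHandler(auth) {
  return async function deleteUserByUid(callerIdToken, targetUid) {
    // Firebase UIDs are non-empty strings of at most 128 characters.
    if (typeof targetUid !== "string" || targetUid.length < 1 || targetUid.length > 128) {
      return { status: 400, error: "invalid uid" };
    }
    let caller;
    try {
      // Checks signature and expiry; `true` also rejects revoked tokens.
      caller = await auth.verifyIdToken(callerIdToken, true);
    } catch (err) {
      return { status: 401, error: "invalid or revoked ID token" };
    }
    // Self-deletion is allowed; deleting anyone else needs the admin claim.
    if (caller.uid !== targetUid && caller.admin !== true) {
      return { status: 403, error: "not allowed to delete this account" };
    }
    try {
      await auth.deleteUser(targetUid);
    } catch (err) {
      if (err && err.code === "auth/user-not-found") {
        return { status: 404, error: "no such user" };
      }
      throw err; // unexpected failure: let the caller log it
    }
    return { status: 200, deleted: targetUid };
  };
}

// Constructed in-memory stand-in for the Admin SDK so the example runs offline.
function makeFakeAuth(tokens, users) {
  return {
    async verifyIdToken(idToken) {
      if (!tokens[idToken]) throw new Error("bad token");
      return tokens[idToken];
    },
    async deleteUser(uid) {
      if (!users.has(uid)) throw Object.assign(new Error("missing"), { code: "auth/user-not-found" });
      users.delete(uid);
    },
  };
}
```

The handler returns plain status objects so it can be wrapped by an HTTPS endpoint or a Cloud Function; the client never holds Admin credentials and only sends its own ID token plus the target UID.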

See also:

Another common approach is to keep a whitelist/blacklist in, for example, the Firebase Database and authorize users based on that. See "How to disable Signup in Firebase 3.x".