I can successfully send verification code using firebase with the code below in Javascript :

firebase.auth()
            .signInWithPhoneNumber(phoneNumber, appVerifier)
            .then(function(confirmationResult) {
              log('SMS sent');
              window.confirmationResult = confirmationResult;
 
            })
            .catch(function(error) {
              log('Error : SMS not sent '+error);
   
            });

My issue is that malicious users can execute the script above as many times they want abusing the authentication system, I would like to control the requests in the backend (PHP) is it possible?