Understood.
When this happens, and the email address has never been used before, our backend will create an account for them and log them in in the background
How do you protect against spam? Anybody can just use any email address, the email address isn’t verified at this point, if I see it correctly. Also, unless there’s bot protection in place, somebody could create a few thousand comments/accounts this way.
We want to use an implicit signup to automatically create an account and login the user if they used an email address for the first time. Then if they try to signup with an email that was already used, they’ll have to use the passwordless flow to validate their email using a code.
This way a malicious user can lock out other users by using their email address to create comments, isn’t it? Or at least could post one ‘weird’ comment that wasn’t actually posted by the actual email account owner.
(Asking because we’ve seen this as a problem a lot in the past. Legitimate users not being able to register because their email address is already in use - though never verified).
The entire idea here is that the we create an account and login the user automatically without the user having to do anything.
Ok, then (why) wouldn’t the approach I mentioned above work? (You can use it in combination with a Passwordless Account & Account Linking)