Prevent creation of user from `/u/login` flow

Preface: I am NOT looking for the “Disable Sign Ups” behavior.

With Universal login, /u/login endpoint with connection: 'email' prompts the user for their email, and then sends them a code and prompts them for that code. Underneath that, there is a “Don’t have an account yet?” link that takes them to /u/signup which behaves similarly, but with the link “Already have an account?” that links back to /u/login. However, no matter which of these pages I’m on, if the user enters an email that does not yet exist, it creates a new user.

I don’t want this. I only want a user to be created from the /u/signup page. For login with an invalid email, I want it to appear successful and move on to the “enter code” screen, but not actually send the email (otherwise a malicious user could “mine” for valid email addresses).

I can block it using api.access.deny in the pre-user-registration action. However:

  • I don’t see any way to differentiate between the cases of /u/login/ and /u/signup from the event body in there
  • It displays an error message to the user, so we’re back to being able to check addresses for validity
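The behaviour asked for above, sketched as an added example that is not part of the original post and does not use Auth0's API: a self-hosted passwordless backend where login answers identically for known and unknown addresses and only the signup path may create a user. The function names (`startLogin`, `startSignup`, `verifyCode`), the in-memory stores and the sample addresses are all hypothetical and constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed in-memory stores; a real service would use a database and a mailer.
const users = new Set(["alice@example.com"]);
const pending = new Map();   // email -> { hash, expires }
const outbox = [];           // stands in for the e-mail provider

const hashCode = (code) => crypto.createHash("sha256").update(code).digest();

function issueCode(email) {
  const code = crypto.randomInt(0, 1_000_000).toString().padStart(6, "0");
  pending.set(email, { hash: hashCode(code), expires: Date.now() + 5 * 60_000 });
  outbox.push({ to: email, code });
}

// Login: same response for known and unknown addresses; no user is created
// and no mail is sent for an unknown address.
function startLogin(email) {
  email = email.trim().toLowerCase();
  if (users.has(email)) issueCode(email);
  return { status: 200, next: "enter-code" };
}

// Signup: the only path allowed to create an account (after the code verifies).
function startSignup(email) {
  email = email.trim().toLowerCase();
  issueCode(email);
  return { status: 200, next: "enter-code" };
}

// Verification: one generic failure for wrong code, expired code, or unknown address.
function verifyCode(email, code, { allowCreate }) {
  email = email.trim().toLowerCase();
  const entry = pending.get(email);
  // Compare against a dummy hash when nothing is pending so both paths do the same work.
  const expected = entry ? entry.hash : hashCode("no-pending-code");
  const match = crypto.timingSafeEqual(expected, hashCode(String(code)));
  if (!entry || !match || entry.expires < Date.now()) {
    return { status: 401, error: "invalid_code" };
  }
  pending.delete(email);
  if (!users.has(email)) {
    if (!allowCreate) return { status: 401, error: "invalid_code" };
    users.add(email);
  }
  return { status: 200, email };
}
```

Sending mail inline makes the login response slower for known addresses, so a production version would queue the send and return immediately. It would also cap verification attempts per address.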