Reduce friction for invited member signups

[KevinTriplett]

Currently, invitations require the invited to enter their email address. This part is okay because the person may want to use a different address.

The friction comes if the email they enter is the same used for the invitation, they have to re-verify their email by entering a code sent to the same email address.

I propose skipping email verification if the email submitted in the signup form matches the email in the "Join" from the link in the invitation email.

[KevinTriplett]

@tibetsprague, may I tackle this one? I have several groups that I want to invite people to reduce their friction in migrating to Hylo.

[tibetsprague]

hmm, but then couldn't someone else use your invite link to sign up as you? I suppose thats an edge case but possible 🤔

[KevinTriplett]

Valid edge case -- I thought of several mechanisms*, only one felt valid:

Alice forwards the invite link to Bill, wanting him to join her in the same group (I'm assuming pronouns here). But she forwards it before using it, so Bill accidentally signs up with Alice's email. This can potentially be avoided by showing Bill the signup email address in an input, so he has a chance to change it.

I feel like posting this on Hylo Dev Circle as a proposal. You don't need to respond if you agree with this as a next step.

• other mechanisms:
  1. Nefarious: Bill has access to the Alice's email. Bill signs up and Alice gets the welcome email. Alice is curious why she's getting this welcome email and goes to the site and potentially regains control via "forgot password" feature. Which Bill can regain access using the same mechanism, since he has access to her email. But Bill can change the account email. But Bill could have spoofed Alice with this other email address all along, so this feels weak to me.

2. Nefarious: Alice forwards the invite link to Bill. But this is unavoidable with the current system, since Alice can let Bill signup using her email and forward the verification code to Bill.

3. Accidental: Alice forwards the invite link to Bill, wanting him to join her in the same group. But her invite will not be valid if she's already a member, so this is guarded against. In this case, we could offer Bill an input to enter his email, although that might lead to Alice, forgetting she'd already signed up or clicking an old invite link, to create multiple accounts.