Not sure if this is desirable (since slightly nonstandard registration flow) but it is the best way to do things, I feel.
Back in the old Rust implementation, the registration flow worked like this:
Send registration link to email -> Create account with registration link
so that any account created is email-verified by definition.
The auth code becomes drastically simpler; we do not need to deal with the difference between verified and unverified users.
A malicious actor cannot try and trick a user with false verification emails sent at the same time as the real ones (because even if the malicious actor generates registration codes, ultimately the real user is still the one using them).
And a malicious actor cannot "email-squat", that is, create an unverified account with someone else's email, thereby preventing the real owner of that email from registering with it.
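The flow described above, as an added example (not code from this project or from the old Rust implementation): the emailed link carries an HMAC-signed token, and an account row exists only after that token is redeemed. The function names, token format, signing key and one-hour lifetime are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, time

SECRET = os.urandom(32)   # assumption: per-deployment signing key, kept server-side
TTL = 3600                # assumption: registration links stay valid for one hour
accounts = {}             # email -> (salt, password hash); no "verified" flag needed

def sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_registration_token(email, now=None):
    """Step 1: build the token that is emailed. No account row is created here,
    so requesting a link for someone else's address reserves nothing."""
    expires = int((time.time() if now is None else now) + TTL)
    payload = f"{email.strip().lower()}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sign(payload)

def register(token, password, now=None):
    """Step 2: create the account. The email is read from the signed token,
    never from a form field, so every stored account is email-verified."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        raise ValueError("malformed token") from None
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
        raise ValueError("bad signature")
    email, expires = payload.decode().rsplit("|", 1)
    if now > int(expires):
        raise ValueError("link expired")
    if email in accounts:             # also stops replay of an already-used link
        raise ValueError("already registered")
    salt = os.urandom(16)
    accounts[email] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000))
    return email
```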