Protect account creation system against spam
Steps to reproduce:
- Click "Sign Up"
- Enter a name, email address, and passwordx2
- You're now logged in as that user
That's a security problem, because you haven't validated the user's identity. We should always send a confirmation email and only finish creating the account after the link in the email has been clicked. The auth framework should provide a mechanism for this.