Turns out: when your sign-up flow consists of users entering an email address and password, you might want to verify that the person signing up actually owns that email address. Who would have guessed.
Since I’m using Firebase to build Goblin Mode I have a whole plethora of features and functions at my disposal that make this easily possible. In theory.
In practice, I would have had to learn Firebase Cloud Functions to delete accounts without a verified address after a specific timeframe, and that just wasn’t realistic. I’ll teach myself how Cloud Functions work when I start working on notifications.
Well, how to solve the issue of people being able to sign up with other people’s email addresses? You circumvent the whole thing by not offering email/password sign-up at all.
Goblin Mode sign-ups now use Sign in with Apple. Ethically, it’s the only right choice if I want to even think about releasing the thing at some point. I’m not good enough at programming yet to say with conviction that I could build a confidence-inspiring login system any other way.
But that’s fine. This flow is surprisingly sleek and Apple even offers to hide people’s actual email addresses.
Oh, and I used this opportunity to slightly tweak the whole onboarding experience. It’s not my greatest design work ever, but it does the job.