Hacker News

m132 today at 5:09 AM, 7 replies

It's a problem, but I really dislike the solution. Putting a website with known security issues behind Cloudflare's Turnstile is comparable to enforcing code signing—works until it doesn't, and in the meantime, helps centralize power around a single legal entity while pissing legitimate users off.

The Internet was carefully designed to withstand a nuclear war and this approach, being adopted en masse, is slowly turning it into a shadow of its former self. And despite the us-east1 and multiple Cloudflare outages of last year, we continue to stay blind to this or even rationalize it as a good thing, because that way if we're down, then so are our competitors...


Replies

pverheggen today at 6:00 AM

I wouldn't call this "known security issues", it's an inherent problem with any signup or forgot password page.

Also, I doubt this is going to be pissing users off since they added Turnstile in invisible mode, and selectively to certain pages in the auth flow. Already signed in users will not be affected, even if the service is down. This is way different from sites like Reddit who use their site-wide bot protection, which creates those interstitial captcha pages.

siruwastaken today at 8:46 AM

I fully agree with your comment. Wouldn't it be possible to just put off sending welcome emails until the user actually engaged with the product in some way? And if an account with no engagement persists for more than say three months, just delete the account again under the premise of 'erroneously created'?

stingraycharles today at 5:22 AM

So your solution would be to do nothing?

Cloudflare is an excellent solution for many things. The internet was designed to withstand a nuclear war, but it also wasn’t designed for the level of hostility that goes on on the internet these days.

AndroTux today at 8:24 AM

I had a similar issue and evaluated alternatives. Sadly, there were none that did the job well enough.

How do you suggest to implement bot prevention that works reliably? Because at this point in time, LLMs are better at solving CAPTCHAs than humans are.

recursivecaveat today at 7:24 AM

Since they updated the flow to only ever push 1 email to unverified users, I would say that's as patched as it can realistically be before you bring in the captchas.
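The two mitigations raised in this thread (siruwastaken's "defer the welcome email until the user engages, purge unengaged accounts after about three months" and recursivecaveat's "only ever push one email to an unverified user") can be sketched together as account-lifecycle logic. The following is an added example written for this page, not code from the service being discussed or from any commenter; `SignupService`, `Account`, the in-memory `outbox`, the 90-day `PURGE_AFTER` window and the sample addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed retention window; the comment above says "say three months".
PURGE_AFTER = timedelta(days=90)


@dataclass
class Account:
    email: str
    created_at: datetime
    verified: bool = False
    engaged: bool = False
    verification_emails_sent: int = 0
    welcome_email_sent: bool = False


class SignupService:
    """Hypothetical signup flow; outbox is a constructed stand-in for a mail transport."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []

    def signup(self, email: str, now: datetime) -> Account:
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, created_at=now)
            self.accounts[email] = acct
        # Cap: an unverified address receives at most one verification email, ever.
        # Repeated signups with the same address therefore cannot be used to flood
        # that inbox, and the response is the same either way, so the caller learns
        # nothing about whether the address already exists.
        if not acct.verified and acct.verification_emails_sent == 0:
            self.outbox.append(("verify", email))
            acct.verification_emails_sent += 1
        return acct

    def verify(self, email: str) -> None:
        self.accounts[email].verified = True

    def record_engagement(self, email: str) -> None:
        """Called on the first real use of the product; only then is the welcome email sent."""
        acct = self.accounts[email]
        acct.engaged = True
        if acct.verified and not acct.welcome_email_sent:
            self.outbox.append(("welcome", email))
            acct.welcome_email_sent = True

    def purge_stale(self, now: datetime) -> list[str]:
        """Delete accounts that never engaged within PURGE_AFTER, treating them as erroneously created."""
        stale = [e for e, a in self.accounts.items()
                 if not a.engaged and now - a.created_at >= PURGE_AFTER]
        for e in stale:
            del self.accounts[e]
        return stale

    def emails_to(self, email: str) -> list[str]:
        return [kind for kind, to in self.outbox if to == email]


def demo() -> dict:
    svc = SignupService()
    t0 = datetime(2024, 1, 1)
    # Constructed abuse pattern: the same address submitted to the signup form repeatedly.
    for _ in range(50):
        svc.signup("victim@example.com", t0)
    # Constructed legitimate user who verifies and then actually uses the product.
    svc.signup("alice@example.com", t0)
    svc.verify("alice@example.com")
    svc.record_engagement("alice@example.com")
    purged = svc.purge_stale(t0 + timedelta(days=91))
    return {
        "victim_emails": svc.emails_to("victim@example.com"),
        "alice_emails": svc.emails_to("alice@example.com"),
        "purged": purged,
        "remaining": sorted(svc.accounts),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the per-address cap and the deferred welcome email are independent of any CAPTCHA: the repeated signups in `demo()` produce exactly one message to the targeted inbox, the engaged account gets its welcome mail only after verification and first use, and the unengaged record is removed once the retention window passes.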

colesantiago today at 5:32 AM

And your solution is to assume everyone on the internet is a good actor?

How would you solve this at scale?

AussieWog93 today at 5:19 AM

Honestly I really like CloudFlare as a business. There's no vendor lock-in, just a genuinely good product.

If they turn around later and do something evil, literally all I need to do is change the nameserver to a competitor and the users of my website won't even notice.
