
Mitigate fake email sign-up request: throttling of unsigned API calls and/or captcha #3

@andrea-dintino

Description

Problem: when signing up, the client sends an unsigned mutation containing an email. A hacker can use this to send N mutations containing emails from a list, to figure out which email is registered in Zenflows.

Ways to mitigate this are:

  • throttling of unsigned API calls
  • implementing a captcha
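
A sketch of the first mitigation, added here as an example and not taken from the issue or from the Zenflows code base: a sliding-window limiter that counts only unsigned calls per client and rejects the excess with a 429-style status. The class and function names, the client key (an address), the limit of 5 calls per 60 seconds and the sample traffic are all assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque


class UnsignedCallThrottle:
    """Sliding-window limiter applied only to API calls that carry no signature."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit      # unsigned calls allowed per client per window
        self.window = window    # window length in seconds
        self.clock = clock      # injectable so the replay below can control time
        self._hits = defaultdict(deque)  # client key -> timestamps of accepted calls

    def check(self, client_key, signed):
        """Return (allowed, retry_after_seconds) for one incoming call."""
        if signed:
            return True, 0.0    # signed calls are tied to an identity; not throttled here
        now = self.clock()
        hits = self._hits[client_key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()      # forget calls that have left the window
        if len(hits) >= self.limit:
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0


def replay(calls, limit=5, window=60.0):
    """Replay (timestamp, client_key, signed) tuples; return HTTP-style status codes."""
    t = {"now": 0.0}
    throttle = UnsignedCallThrottle(limit, window, clock=lambda: t["now"])
    statuses = []
    for ts, client_key, signed in calls:
        t["now"] = ts
        allowed, _ = throttle.check(client_key, signed)
        statuses.append(200 if allowed else 429)
    return statuses


# Constructed traffic: one client sends 20 unsigned sign-up mutations one second
# apart, then a single call after the window has passed.
SAMPLE = [(float(i), "198.51.100.7", False) for i in range(20)]
SAMPLE.append((65.0, "198.51.100.7", False))

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Behind a reverse proxy the client key has to come from the trusted forwarded address, otherwise every caller shares one bucket.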
