[PaulHoule]

It's a tricky area. There are strong reasons why systems like this tend to use dark patterns and it is your own call what you think is appropriate. Also making a system like this really work as opposed to pretend to work means effort put into email deliverability and things like that that other people can't really do for you.

I read this in 1999

https://philip.greenspun.com/panda/

and came to the conclusion that the basic need for a "web framework" was a system of authentication that did what most commercial sites do: let people create new self-service accounts with email verification and all of that. That was the essence of the tcl-based framework that Phil Greenspun was pushing but I didn't like tcl, so I wrote something in PHP that was meant to integrate with 'best-of-breed' PHP applications (install the authentication system, then modify various applications to use your authentication not then) as opposed to the "PHPNuke" approach which was popular in the industry which was "install some portal which had worst-of-breed implementations of most of the functionality you think you need".

What I found baffling was that nobody cared about authentication frameworks until they became something that worked "as a service" about 10 years later which is silly for so many reasons, not the least that a company that offers a service like that is going to either run out of money and shut down the service or get aqui-hired and shut down the service.