This repository has been archived by the owner on Apr 28, 2020. It is now read-only.

Client app contact email #127

Open
jace opened this issue Nov 3, 2014 · 2 comments
Comments

@jace
Member

jace commented Nov 3, 2014

Client apps should have a contact email address for support issues (if, say, an API is changing and we need to notify the app's owner).

Since apps can be owned by an org and orgs don't have email addresses, we can't default to the owner's email. However, a plain text field will effectively be an unverified email.

Options:

  1. Wait for "UserEmail/Claim and UserPhone/Claim should have org_id and team_id" (#125) and use Lastuser's existing verification support,
  2. Limit choices to the editing user's personal addresses, or
  3. Use unverified email addresses.
@jace
Member Author

jace commented Oct 1, 2018

#125 has been reversed. Contact info can only be linked to a user account. We are left with options 2 and 3 now.

@jace
Member Author

jace commented Oct 1, 2018

If we implement the second option (limit choices to the editing user's personal addresses), we will be encouraging users to add a shared email address to their personal account. This is dangerous as shared email addresses provide a vector for breaking into an individual's account. Our options appear to be:

  1. Unverified email addresses
  2. Separate verification for client app email addresses, handled independently of UserEmail verification.

Ironically, the latter is how Hasjob verifies email addresses (for job posts), bypassing Lastuser entirely. Now we have the same solution pattern in Lastuser.
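
A sketch of the separate-verification option discussed in this thread, as an added example that is not code from Lastuser or Hasjob: the contact address is stored against the client app and confirmed with its own signed token, so it never becomes one of a user's login or recovery addresses. `ClientContactStore`, `issue_token`, `verify_token` and the demo key are hypothetical names and values chosen for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would load this from secret storage.
SECRET_KEY = b"constructed-demo-key"
TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays valid

def _mac(client_id, email, expires):
    # JSON list encoding keeps the field boundaries unambiguous.
    payload = json.dumps([client_id, email, expires]).encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(client_id, email, now=None):
    """Token bound to one client app, one address and an expiry time."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_mac(client_id, email, expires)}"

def verify_token(client_id, email, token, now=None):
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False  # expired
    expected = _mac(client_id, email, expires)
    return hmac.compare_digest(sig.encode(), expected.encode())

class ClientContactStore:
    """Contact addresses keyed by client app, separate from user emails."""
    def __init__(self):
        self._contacts = {}  # client_id -> {"email": str, "verified": bool}

    def set_pending(self, client_id, email, now=None):
        # Replacing the address resets verification; tokens issued for the
        # previous address stop matching because the MAC covers the email.
        self._contacts[client_id] = {"email": email, "verified": False}
        return issue_token(client_id, email, now)

    def confirm(self, client_id, token, now=None):
        contact = self._contacts.get(client_id)
        if contact is None:
            return False
        if not verify_token(client_id, contact["email"], token, now):
            return False
        contact["verified"] = True
        return True

    def verified_email(self, client_id):
        contact = self._contacts.get(client_id)
        return contact["email"] if contact and contact["verified"] else None
```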
