This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

Don't require reverification for package claiming #4520

Closed
4 tasks
chadwhitacre opened this issue Jun 16, 2017 · 5 comments

Comments

@chadwhitacre
Contributor

chadwhitacre commented Jun 16, 2017

@rohitpaulk proposes at #4488 (comment) and in slack that we drop the email dance when an email address is already verified, that we just send a notification ex post facto instead.

Todo (from #4584)

  • update claim action so it happens immediately (w/ notification to self)
  • update bulk claiming so it happens immediately (w/ notification to self)
  • implement verify action
  • rip out claim-by-email wiring entirely

@chadwhitacre
Contributor Author

Notification to claimer would line up with notifying other maintainers as well: #4425.

@rohitpaulk
Contributor

There are two reasons I think this'll be a good idea:

a) Easier for the user, one less step
b) Decouples email verification from package claiming verification/notification - keeps our code simpler.

@chadwhitacre
Contributor Author

The potential drawback is security concerns around claiming packages. This would be offset by an after-the-fact notification but not quite as tight. Do we care?

@chadwhitacre
Contributor Author

> The potential drawback is security concerns around claiming packages.

It turns out through discussion culminating at #4557 (comment) that limiting the messages we send to unknown email accounts to just verifications is a better protection against phishing, because such verification spam is more of a known quantity to the general population and ignoring such messages is an already-learned behavior. Assigning any further agency to unsuspecting users is significantly more unsettling.

It would still be safer to require email confirmation for sensitive actions like linking packages (cf. #3969), but I agree that we shouldn't conflate claiming and verifying for unverified addresses.

> There are two reasons I think this'll be a good idea:

So security is a third reason.

@chadwhitacre chadwhitacre mentioned this issue Aug 28, 2017
6 tasks
@chadwhitacre
Contributor Author

> So security is a third reason.

Sorry, that's not actually fully relevant here. This ticket is about when someone has already verified an email address. The security concern has to do with when an email address is unverified.
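The flow the thread converges on (claim immediately when the address is already verified, notify afterwards; for an unverified address send nothing but a verification request and link nothing) sketched as an added example. This is not Gratipay's code; the names `claim_package`, `Account`, `Registry` and the in-memory outbox are assumptions made for illustration. Notifying the other maintainers of the package follows the cross-reference to #4425 above.

```python
"""Added illustration of the claiming flow discussed in this issue.
Not Gratipay's own code: Account, Registry, claim_package and the in-memory
outbox are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    emails: dict = field(default_factory=dict)  # address -> verified (bool)


@dataclass
class Registry:
    maintainers: dict = field(default_factory=dict)  # package -> set of usernames
    outbox: list = field(default_factory=list)       # (recipient, kind, body)

    def send(self, recipient, kind, body):
        self.outbox.append((recipient, kind, body))


def claim_package(registry, account, package, email):
    """Try to link `package` to `account` through `email`.

    Verified address: the claim takes effect immediately; the claimer and any
    existing maintainers get an after-the-fact notification (no second round
    of verification mail).
    Unverified address: nothing is linked and the only message that address
    ever receives is a verification request, so an unknown recipient is never
    asked to do anything beyond confirming an address.
    Returns True if the package was linked, False if only verification mail went out.
    """
    verified = account.emails.get(email)
    if verified is None:
        raise ValueError("address is not attached to this account")
    if not verified:
        registry.send(email, "verification",
                      f"Confirm {email} for {account.username}")
        return False
    existing = registry.maintainers.setdefault(package, set())
    for other in existing - {account.username}:
        registry.send(other, "notification",
                      f"{account.username} claimed {package}")
    existing.add(account.username)
    registry.send(email, "notification", f"You claimed {package}")
    return True


def only_verification_mail(registry, unverified_addresses):
    """Invariant check: every message to an unverified address is a verification."""
    return all(kind == "verification"
               for to, kind, _ in registry.outbox
               if to in unverified_addresses)
```

The invariant checker is the part worth keeping around in a real code base: whatever the claim and bulk-claim paths do, the set of messages sent to addresses nobody has confirmed should stay limited to verification requests.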
