
Auth-gate low-friction, direct return, OTP anti-abuse, and in-context recovery/paywall entry

Domains: DOL English, Product
Superseded by: Product Design

DEC-0062 - Auth-gate low-friction, direct return, OTP anti-abuse, and in-context recovery/paywall entry


Core outside-in access baseline was already in place, but several interaction-level choices still needed one deterministic implementation path to prevent conversion drift between auth, recovery, and result paywall surfaces.

Guest attempt-start auth gate:

  • At protected attempt-start actions, auth gate opens inline in current context (modal/bottom-sheet) by default.
  • Full-page auth is fallback only when inline surface is unavailable.

Post-auth return behavior:

  • If auth is triggered from protected context, successful auth returns user directly to the exact protected target (when still valid).
  • Home-first redirect is fallback only when target is invalid/expired.
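
The "when still valid" condition on the direct return is where this rule touches security: a protected target captured at gate time must be checked before the post-auth redirect, otherwise the return parameter becomes an open redirect. The following is an added example written for this record, not code from DOL English; the TTL, the `ReturnTarget` shape and the function names are assumptions. It accepts only same-origin relative paths that have not expired and falls back to home in every other case.

```python
from dataclasses import dataclass
from time import time
from typing import Optional
from urllib.parse import urlsplit

HOME = "/"
# Assumed value for this example: how long a captured protected target stays
# valid after the auth gate opened (not a figure from the decision record).
RETURN_TARGET_TTL_SECONDS = 15 * 60


@dataclass(frozen=True)
class ReturnTarget:
    path: str          # protected target captured when the auth gate opened
    issued_at: float   # epoch seconds at which the gate opened


def is_safe_local_path(path: str) -> bool:
    """Accept only same-origin relative paths.

    Rejects absolute URLs, scheme-relative forms ('//evil.example/x') and
    backslash variants that some browsers normalise to a forward slash.
    """
    if not path or not path.startswith("/") or path.startswith("//") or "\\" in path:
        return False
    parts = urlsplit(path)
    # A pure path yields an empty scheme and netloc; anything else is not local.
    return parts.scheme == "" and parts.netloc == ""


def resolve_post_auth_destination(target: Optional[ReturnTarget],
                                  now: Optional[float] = None) -> str:
    """Return the exact protected target if it is still valid, else home."""
    now = time() if now is None else now
    if target is None:
        return HOME                      # auth was not triggered from a protected context
    if now - target.issued_at > RETURN_TARGET_TTL_SECONDS:
        return HOME                      # expired: home-first fallback
    if not is_safe_local_path(target.path):
        return HOME                      # invalid: never redirect off-site
    return target.path


if __name__ == "__main__":
    # Constructed sample: a practice set captured at gate time, resolved 100 s later.
    captured = ReturnTarget("/practice/sets/42?mode=timed", issued_at=1_000.0)
    print(resolve_post_auth_destination(captured, now=1_100.0))
    print(resolve_post_auth_destination(ReturnTarget("//evil.example/x", 1_000.0), now=1_001.0))
```

The check is deliberately an allow-list (relative path only) rather than a block-list of known-bad prefixes; the home fallback covers both the expired and the malformed case, matching the rule above.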

OTP anti-abuse guardrail:

  • OTP verification in signup/login must not allow unlimited retries.
  • Apply a cooldown plus a short temporary lock on repeated wrong OTP attempts.
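
The guardrail above combines two controls: a cooldown between attempts (slows a guessing loop) and a temporary lock after N wrong codes (caps total guesses per code). The following is an added example for this record, not DOL English code; the thresholds, the `OtpVerifier` class and its result strings are assumptions chosen to illustrate the rule. It also expires the code independently of the counter, compares in constant time, consumes the code on success, and keeps an active lock across a re-send so requesting a new code cannot reset the lock.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed policy values for this example (not figures from the decision record).
MAX_WRONG_ATTEMPTS = 5      # wrong attempts that trigger a temporary lock
COOLDOWN_SECONDS = 2.0      # minimum gap between two verification attempts
LOCK_SECONDS = 15 * 60      # length of the temporary lock
OTP_TTL_SECONDS = 5 * 60    # code lifetime, independent of the attempt counter


@dataclass
class OtpState:
    code: str
    issued_at: float
    wrong_attempts: int = 0
    last_attempt_at: Optional[float] = None
    locked_until: Optional[float] = None


@dataclass
class OtpVerifier:
    """In-memory OTP store keyed by the contact (phone/e-mail) the code was sent to."""
    states: Dict[str, OtpState] = field(default_factory=dict)

    def issue(self, contact: str, code: str, now: float) -> None:
        # A re-send replaces the code but carries an active lock over, so
        # "request new code" is not a way around the temporary lock.
        prev = self.states.get(contact)
        locked = prev.locked_until if prev else None
        self.states[contact] = OtpState(code=code, issued_at=now, locked_until=locked)

    def verify(self, contact: str, submitted: str, now: float) -> str:
        st = self.states.get(contact)
        if st is None:
            return "no_pending_otp"
        if st.locked_until is not None and now < st.locked_until:
            return "locked"                        # temporary lock still active
        if st.last_attempt_at is not None and now - st.last_attempt_at < COOLDOWN_SECONDS:
            return "cooldown"                      # too soon; attempt not counted
        st.last_attempt_at = now
        if now - st.issued_at > OTP_TTL_SECONDS:
            return "expired"                       # user must request a new code
        if hmac.compare_digest(st.code.encode(), submitted.encode()):
            del self.states[contact]               # one-time use: success consumes the code
            return "ok"
        st.wrong_attempts += 1
        if st.wrong_attempts >= MAX_WRONG_ATTEMPTS:
            st.locked_until = now + LOCK_SECONDS
            st.wrong_attempts = 0                  # counter restarts after the lock
            return "locked"
        return "wrong"


def demo() -> list:
    """Constructed walk-through: five wrong guesses, a lock, then a fresh code."""
    v = OtpVerifier()
    contact = "user@example.com"                   # constructed sample contact
    v.issue(contact, "483920", now=0.0)
    results = [
        v.verify(contact, "000000", now=1.0),      # wrong
        v.verify(contact, "000001", now=2.0),      # cooldown (1 s since last attempt)
        v.verify(contact, "000002", now=3.5),      # wrong
        v.verify(contact, "000003", now=6.0),      # wrong
        v.verify(contact, "000004", now=8.5),      # wrong
        v.verify(contact, "000005", now=11.0),     # fifth wrong -> locked
        v.verify(contact, "483920", now=12.0),     # correct code, but locked
        v.verify(contact, "483920", now=912.0),    # lock over, code itself expired
    ]
    v.issue(contact, "117733", now=912.0)          # user requests a new code
    results.append(v.verify(contact, "117733", now=915.0))   # ok
    results.append(v.verify(contact, "117733", now=918.0))   # already consumed
    return results


if __name__ == "__main__":
    print(demo())
```

Because the cooldown rejects an attempt without counting it, a legitimate user who double-submits is not pushed toward the lock; the lock, in turn, ends on its own, which is what keeps the control "recoverable" rather than a permanent account block.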

Forgot-password path:

  • Password recovery starts directly from the login step (“Quên mật khẩu”, i.e. Forgot password) and follows recoverable-contact verification.
  • Do not reroute recovery intent into signup flow.

Result paywall entry:

  • In result context, locked AI actions open an in-context quick-upgrade popup.
  • Pricing page remains an optional detail route, not the default forced redirect.

Rationale:

  • Keeps auth friction low at the exact moment users decide to start practice.
  • Reduces drop-off by preserving protected-intent continuity after login.
  • Improves security posture for OTP while remaining recoverable.
  • Aligns recovery with user expectation (“Quên mật khẩu” from login).
  • Preserves learning continuity by keeping upgrade actions in-context on result screens.

These rules optimize conversion and continuity without adding complex branching: users stay on-task, recovery stays intuitive, and anti-abuse controls are explicit.