Deposit via API using account w/o an email address

[dshorthouse]

Browser & OS (see also https://www.whatismybrowser.com/): n/a

Describe the bug

I have an OAuth-based auth application & am experiencing an error response when creating a new deposit via API calls on behalf of some users that I had not seen before:

OAuth2::Error (<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">)
<title>403 Forbidden</title>
<h1>Forbidden</h1>
<p>To create a deposit please verify your email. You can resend the verification email from your profile settings.</p>

My only guess here is that the user had created their Zenodo account using ORCID & as a consequence, does not have an email address in your system. And so, new deposits are now being blocked until a user has an email address & that it's been verified. Is this new behaviour, perhaps part of your recent SPAM-fighting activities?