Registration leads to a 403 when account activation required

When you register an account on Pleroma and activation is required, the /api/v1/accounts endpoint returns a 200 with a bearer token.

PleromaFE tries to use the bearer token returned to login passing it to /api/v1/accounts/verify_credentials which fails with a 403. (edit: a 403 without the correct response. See comments.)

The registration worked, but to the user it looks broken and we do not provide any mechanism to tell an app or FE that the registration was successful and that they need to check for an activation email. (edit: returning the correct 403 is the first step!)

I don't know what the procedure should be, but I think we shouldn't return a bearer token if it can't even be used yet. That shouldn't happen until the account activation. We should also hint that the account activation is required. I don't know how Mastodon is doing this yet or if they do anything at all to solve this.