Weather shouldn't use the confirm_auth string in the URL of the /pending/ page
Currently Weather forwards a newly subscribed user to the /pending/ page, passing on the confirm_auth string in the URL. This is a bad idea from a security point of view. Nicolas Pouillard reported this issue (thanks!). It is currently worked around in the live version of Weather.
A real fix might need a redesign of some parts or workflows in Weather.