Registration Control

The Registration Control feature allows application administrators to enable or disable new user registration on a per-application basis. This provides flexible access control for different deployment scenarios.

Overview

Registration Control is a feature that enables administrators to:

  • Control Registration Access: Enable or disable new user registration at the application level
  • Maintain Existing Access: Keep existing users' login capabilities unaffected
  • Provide Clear Communication: Display appropriate messages to visitors when registration is unavailable

Use Cases

Closed Beta / Private Access

During a closed beta phase or private event, administrators can disable public registration while allowing invited users to continue accessing the application.

Invite-Only Applications

For applications that should only be accessible to specific users, administrators can disable registration and manage access through invitations.

Temporary Access Control

When capacity limits are reached or maintenance is needed, administrators can temporarily disable new registrations while keeping the application operational for existing users.

How It Works

For Administrators

  1. Navigate to Application Settings

    • Go to Projects → Select Project → Applications → Select Application
    • Click on "Settings" (Einstellungen)
    • Select "Registration" (Registrierung)
  2. Toggle Registration Setting

    • Check/uncheck the "Registration Enabled" checkbox
    • Click "Save" to apply changes
    • Changes take effect immediately
  3. Verify Status

    • The setting is persisted in the application configuration
    • No application restart is required
    • Changes are reflected immediately in both API and UI

Registration Flow

When a new user registers:

  1. They fill out the registration form on the login page
  2. After successful registration, they are redirected to /verify-mail
  3. They must verify their email address by clicking the link sent to their inbox
  4. Once verified, they gain full access to the application

For Visitors

When registration is disabled:

  • The registration form and "Register here" link are hidden
  • Only the login form is displayed
  • If a visitor attempts to access a bookmarked registration URL (e.g., ?action=register), they see a user-friendly message explaining that registration is currently unavailable
  • Contact information is provided for requesting access

For Existing Users

Existing users are completely unaffected by the registration setting:

  • Login functionality remains fully operational
  • All application features work identically
  • Password reset functionality continues to work
  • Session management is unaffected

Configuration

Default Behavior

  • Default Value: true (registration enabled)
  • Backward Compatibility: Applications without this property explicitly set default to registration enabled
  • Type: Boolean, optional

Security Considerations

  1. Endpoint Protection: The registration endpoint validates the setting server-side, preventing API bypass attempts
  2. Admin Permissions: Only users with appropriate application management permissions can change this setting
  3. No Information Leakage: Error messages to visitors do not expose system internals or configuration details
  4. Audit Trail: Registration attempts when disabled can be logged for security monitoring
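The default described under Default Behavior and the server-side check, error message and audit points listed above can be sketched as follows. This is an added example, not the project's own code: the function names, the 403 status, the audit entry shape and the fail-closed handling of a malformed value are assumptions.

```javascript
// Added illustration: server-side registration gate. All names are hypothetical.

// Resolve the optional Boolean setting described under "Default Behavior".
function isRegistrationEnabled(application) {
  const value = application.registrationEnabled;
  // Property absent: documented backward-compatible default is "enabled".
  if (value === undefined || value === null) return true;
  // Assumption: a malformed value (e.g. the string "false") fails closed
  // instead of being coerced to a truthy "enabled".
  if (typeof value !== "boolean") return false;
  return value;
}

// Registration handler: the check runs on the server for every request,
// so hiding the form in the UI is never the only control.
function handleRegister(application, body, auditLog) {
  if (!isRegistrationEnabled(application)) {
    // Audit entry records the attempt, not the submitted credentials.
    auditLog.push({
      event: "registration_blocked",
      applicationId: application.id,
      at: new Date().toISOString(),
    });
    // Only the i18n message key goes back to the caller; 403 is an assumed status.
    return { status: 403, body: { error: "auth.errors.registrationDisabled" } };
  }
  // Account creation and the verification e-mail are out of scope here;
  // the page states that a successful registration redirects to /verify-mail.
  return { status: 201, body: { redirect: "/verify-mail" } };
}

// Login never consults the registration setting, so existing users are unaffected.
function handleLogin(application, credentials, verifyCredentials) {
  return verifyCredentials(credentials) ? { status: 200 } : { status: 401 };
}

// Constructed sample applications and one registration request per case.
const auditLog = [];
const legacyApp = { id: "app-legacy" }; // property never set
const closedApp = { id: "app-closed", registrationEnabled: false };
const brokenApp = { id: "app-broken", registrationEnabled: "false" }; // malformed
const request = { email: "visitor@example.com", password: "constructed-sample" };

const results = [legacyApp, closedApp, brokenApp].map(
  (app) => handleRegister(app, request, auditLog).status
);
console.log(results, auditLog.length);
```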

Testing

E2E Test Coverage

The feature includes comprehensive E2E tests:

  • Administrator can toggle registration setting
  • API blocks registration attempts when disabled
  • UI hides registration elements when disabled
  • Direct registration URLs show appropriate messages
  • Existing user login works regardless of setting
  • Full application access for existing users is maintained

Manual Testing Checklist

  1. ✅ Toggle setting in backoffice and verify immediate effect
  2. ✅ Verify registration form is hidden for visitors
  3. ✅ Test direct access to /?action=register URL
  4. ✅ Confirm existing users can log in
  5. ✅ Verify API rejects direct registration attempts
  6. ✅ Test password reset functionality
  7. ✅ Verify session persistence

Internationalization

The feature supports multiple languages:

English:

  • auth.registration.unavailable: "Registration is currently unavailable"
  • auth.registration.contactAdmin: "Please contact an administrator if you need access to this application"
  • auth.errors.registrationDisabled: "User registration is currently disabled for this application"

German:

  • auth.registration.unavailable: "Die Registrierung ist derzeit nicht verfügbar"
  • auth.registration.contactAdmin: "Bitte wenden Sie sich an einen Administrator, wenn Sie Zugriff auf diese Anwendung benötigen"
  • auth.errors.registrationDisabled: "Die Benutzerregistrierung ist für diese Anwendung derzeit deaktiviert"

Migration

No database migration is required. The registrationEnabled property:

  • Defaults to true for backward compatibility
  • Can be added to existing applications via the settings UI
  • Does not require application restart when changed

Related Topics

  • Opt-Ins: User consent management during registration
  • User Types: Different types of users in the system
  • Applications: General application configuration

Troubleshooting

Registration Still Visible After Disabling

Solution: Clear browser cache or perform a hard refresh (Ctrl+Shift+R / Cmd+Shift+R)

Existing Users Cannot Login

Issue: This should never happen; authentication is independent of the registration setting
Solution: Check server logs for authentication errors unrelated to registration control

API Returns Registration Disabled Error

Expected Behavior: This is correct when registration is disabled
For Legitimate Users: Have an administrator enable registration or create an invitation

Performance Impact

The registration control feature has minimal performance impact:

  • The registrationEnabled property is part of the application data already loaded for each request
  • No additional database queries are required
  • No caching changes needed
  • UI rendering is only slightly affected (hiding/showing elements)

Future Enhancements

Potential future improvements:

  • Scheduled registration windows (enable/disable at specific times)
  • Invitation-based registration bypass
  • Registration quota limits
  • Custom messages for disabled registration
  • Per-application invitation management