Title: Registration Control --- Registration Control The Registration Control feature allows application administrators to enable or disable new user registration on a per-application basis. This provides flexible access control for different deployment scenarios. Overview Registration Control is a feature that enables administrators to: Control Registration Access: Enable or disable new user registration at the application level Maintain Existing Access: Keep existing users' login capabilities unaffected Provide Clear Communication: Display appropriate messages to visitors when registration is unavailable Use Cases Closed Beta / Private Access During a closed beta phase or private event, administrators can disable public registration while allowing invited users to continue accessing the application. Invite-Only Applications For applications that should only be accessible to specific users, administrators can disable registration and manage access through invitations. Temporary Access Control When capacity limits are reached or maintenance is needed, administrators can temporarily disable new registrations while keeping the application operational for existing users. How It Works For Administrators Navigate to Application Settings Go to Projects → Select Project → Applications → Select Application Click on "Settings" (Einstellungen) Select "Registration" (Registrierung) Toggle Registration Setting Check/uncheck the "Registration Enabled" checkbox Click "Save" to apply changes Changes take effect immediately Verify Status The setting is persisted in the application configuration No application restart is required Changes are reflected immediately in both API and UI Registration Flow When a new user registers: They fill out the registration form on the login page After successful registration, they are redirected to /verify-mail They must verify their email address by clicking the link sent to their inbox Once verified, they gain full access to the application For Visitors When registration is disabled: The registration form and "Register here" link are hidden Only the login form is displayed If a visitor attempts to access a bookmarked registration URL (e.g., ?action=register), they see a user-friendly message explaining that registration is currently unavailable Contact information is provided for requesting access For Existing Users Existing users are completely unaffected by the registration setting: Login functionality remains fully operational All application features work identically Password reset functionality continues to work Session management is unaffected Configuration Default Behavior Default Value: true (registration enabled) Backward Compatibility: Applications without this property explicitly set default to registration enabled Type: Boolean, optional Security Considerations Endpoint Protection: The registration endpoint validates the setting server-side, preventing API bypass attempts Admin Permissions: Only users with appropriate application management permissions can change this setting No Information Leakage: Error messages to visitors do not expose system internals or configuration details Audit Trail: Registration attempts when disabled can be logged for security monitoring Testing E2E Test Coverage The feature includes comprehensive E2E tests: Administrator can toggle registration setting API blocks registration attempts when disabled UI hides registration elements when disabled Direct registration URLs show appropriate messages Existing user login works regardless of setting Full application access for existing users is maintained Manual Testing Checklist ✅ Toggle setting in backoffice and verify immediate effect ✅ Verify registration form is hidden for visitors ✅ Test direct access to /?action=register URL ✅ Confirm existing users can login ✅ Verify API rejects direct registration attempts ✅ Test password reset functionality ✅ Verify session persistence Internationalization The feature supports multiple languages: English: auth.registration.unavailable: "Registration is currently unavailable" auth.registration.contactAdmin: "Please contact an administrator if you need access to this application" auth.errors.registrationDisabled: "User registration is currently disabled for this application" German: auth.registration.unavailable: "Die Registrierung ist derzeit nicht verfügbar" auth.registration.contactAdmin: "Bitte wenden Sie sich an einen Administrator, wenn Sie Zugriff auf diese Anwendung benötigen" auth.errors.registrationDisabled: "Die Benutzerregistrierung ist für diese Anwendung derzeit deaktiviert" Migration No database migration is required. The registrationEnabled property: Defaults to true for backward compatibility Can be added to existing applications via the settings UI Does not require application restart when changed Related Features Opt-Ins: User consent management during registration User Types: Different types of users in the system Applications: General application configuration Troubleshooting Registration Still Visible After Disabling Solution: Clear browser cache or perform a hard refresh (Ctrl+Shift+R / Cmd+Shift+R) Existing Users Cannot Login Issue: This should never happen - authentication is independent of registration setting Solution: Check server logs for authentication errors unrelated to registration control API Returns Registration Disabled Error Expected Behavior: This is correct when registration is disabled For Legitimate Users: Have an administrator enable registration or create an invitation Performance Impact The registration control feature has minimal performance impact: The registrationEnabled property is part of the application data already loaded for each request No additional database queries are required No caching changes needed UI rendering is only slightly affected (hiding/showing elements) Future Enhancements Potential future improvements: Scheduled registration windows (enable/disable at specific times) Invitation-based registration bypass Registration quota limits Custom messages for disabled registration Per-application invitation management