# Registration Control

The Registration Control feature allows application administrators to enable or disable new user registration on a per-application basis. This provides flexible access control for different deployment scenarios.

## Overview

Registration Control is a feature that enables administrators to:
- **Control Registration Access**: Enable or disable new user registration at the application level
- **Maintain Existing Access**: Keep existing users' login capabilities unaffected
- **Provide Clear Communication**: Display appropriate messages to visitors when registration is unavailable

## Use Cases

### Closed Beta / Private Access
During a closed beta phase or private event, administrators can disable public registration while allowing invited users to continue accessing the application.

### Invite-Only Applications
For applications that should only be accessible to specific users, administrators can disable registration and manage access through invitations.

### Temporary Access Control
When capacity limits are reached or maintenance is needed, administrators can temporarily disable new registrations while keeping the application operational for existing users.

## How It Works

### For Administrators

1. **Navigate to Application Settings**
   - Go to Projects → Select Project → Applications → Select Application
   - Click on "Settings" (Einstellungen)
   - Select "Registration" (Registrierung)

2. **Toggle Registration Setting**
   - Check/uncheck the "Registration Enabled" checkbox
   - Click "Save" to apply changes
   - Changes take effect immediately

3. **Verify Status**
   - The setting is persisted in the application configuration
   - No application restart is required
   - Changes are reflected immediately in both API and UI

### Registration Flow

When a new user registers:
1. They fill out the registration form on the login page
2. After successful registration, they are redirected to `/verify-mail`
3. They must verify their email address by clicking the link sent to their inbox
4. Once verified, they gain full access to the application

### For Visitors

When registration is disabled:
- The registration form and "Register here" link are hidden
- Only the login form is displayed
- If a visitor attempts to access a bookmarked registration URL (e.g., `?action=register`), they see a user-friendly message explaining that registration is currently unavailable
- Contact information is provided for requesting access

### For Existing Users

Existing users are completely unaffected by the registration setting:
- Login functionality remains fully operational
- All application features work identically
- Password reset functionality continues to work
- Session management is unaffected

## Configuration

### Default Behavior

- **Default Value**: `true` (registration enabled)
- **Backward Compatibility**: Applications without this property explicitly set default to registration enabled
- **Type**: Boolean, optional

## Security Considerations

1. **Endpoint Protection**: The registration endpoint validates the setting server-side, preventing API bypass attempts
2. **Admin Permissions**: Only users with appropriate application management permissions can change this setting
3. **No Information Leakage**: Error messages to visitors do not expose system internals or configuration details
4. **Audit Trail**: Registration attempts when disabled can be logged for security monitoring
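
One way to implement the server-side check and audit logging listed above, as an added example rather than the product's own code. The function names, request and response shapes, the 403 status, and the fail-closed handling of non-boolean values are assumptions; the property name, default, error key and `/verify-mail` redirect come from this page.

```javascript
// Added example, not the product's API: names, shapes and the 403 are assumptions.

// Resolve the optional boolean. Absent (or null) => enabled, the documented
// default. Any other non-boolean value (e.g. the string "false") is treated
// as disabled: a fail-closed choice made for this example.
function isRegistrationEnabled(application) {
  const value = application.registrationEnabled;
  if (value === undefined || value === null) return true;
  return value === true;
}

// Framework-free handler: returns { status, body } and appends to auditLog.
function handleRegistration(application, request, auditLog, createUser) {
  if (!isRegistrationEnabled(application)) {
    // Audit the blocked attempt without recording submitted credentials.
    auditLog.push({
      event: "registration_blocked",
      applicationId: application.id,
      sourceIp: request.ip,
      at: new Date().toISOString(),
    });
    // Only the i18n key is returned; no configuration details leak.
    return { status: 403, body: { error: "auth.errors.registrationDisabled" } };
  }
  const user = createUser(request.body.email, request.body.password);
  // New accounts start unverified and are sent to /verify-mail.
  return { status: 201, body: { userId: user.id, redirect: "/verify-mail" } };
}

// Constructed sample data: three applications hit with the same direct API call.
function demo() {
  const auditLog = [];
  const created = [];
  const createUser = (email) => {
    const user = { id: created.length + 1, email, verified: false };
    created.push(user);
    return user;
  };
  const request = { ip: "203.0.113.7", body: { email: "new@example.test", password: "x" } };
  const call = (app) => handleRegistration(app, request, auditLog, createUser);
  const legacy = call({ id: "app-legacy" }); // property never set
  const closed = call({ id: "app-beta", registrationEnabled: false });
  const malformed = call({ id: "app-bad", registrationEnabled: "false" });
  return { legacy, closed, malformed, auditLog, created };
}
```

The check runs before any user record is created, so hiding the form in the UI is never the only control.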

## Testing

### E2E Test Coverage

The feature includes comprehensive E2E tests:
- Administrator can toggle registration setting
- API blocks registration attempts when disabled
- UI hides registration elements when disabled
- Direct registration URLs show appropriate messages
- Existing user login works regardless of setting
- Full application access for existing users is maintained

### Manual Testing Checklist

1. ✅ Toggle setting in backoffice and verify immediate effect
2. ✅ Verify registration form is hidden for visitors
3. ✅ Test direct access to `/?action=register` URL
4. ✅ Confirm existing users can log in
5. ✅ Verify API rejects direct registration attempts
6. ✅ Test password reset functionality
7. ✅ Verify session persistence

## Internationalization

The feature supports multiple languages:

**English**:
- `auth.registration.unavailable`: "Registration is currently unavailable"
- `auth.registration.contactAdmin`: "Please contact an administrator if you need access to this application"
- `auth.errors.registrationDisabled`: "User registration is currently disabled for this application"

**German**:
- `auth.registration.unavailable`: "Die Registrierung ist derzeit nicht verfügbar"
- `auth.registration.contactAdmin`: "Bitte wenden Sie sich an einen Administrator, wenn Sie Zugriff auf diese Anwendung benötigen"
- `auth.errors.registrationDisabled`: "Die Benutzerregistrierung ist für diese Anwendung derzeit deaktiviert"

## Migration

No database migration is required. The `registrationEnabled` property:
- Defaults to `true` for backward compatibility
- Can be added to existing applications via the settings UI
- Does not require application restart when changed

## Related Features

- **[Opt-Ins](./opt-ins.md)**: User consent management during registration
- **[User Types](./user-types.md)**: Different types of users in the system
- **[Applications](./overview.md)**: General application configuration

## Troubleshooting

### Registration Still Visible After Disabling

**Solution**: Clear browser cache or perform a hard refresh (Ctrl+Shift+R / Cmd+Shift+R)

### Existing Users Cannot Log In

**Issue**: This should never happen; authentication is independent of the registration setting  
**Solution**: Check server logs for authentication errors unrelated to registration control

### API Returns Registration Disabled Error

**Expected Behavior**: This is correct when registration is disabled  
**For Legitimate Users**: Have an administrator enable registration or create an invitation

## Performance Impact

The registration control feature has minimal performance impact:
- The `registrationEnabled` property is part of the application data already loaded for each request
- No additional database queries are required
- No caching changes needed
- UI rendering is only slightly affected (hiding/showing elements)

## Future Enhancements

Potential future improvements:
- Scheduled registration windows (enable/disable at specific times)
- Invitation-based registration bypass
- Registration quota limits
- Custom messages for disabled registration
- Per-application invitation management
