User self-registration #726

@nikosdion

This is useful if you want to run a site monitoring service, or allow your clients to self-register.

Global configuration options:

  • User registration: Disabled (default), Admin approval, Self-approval
  • Allowed domains (one per line)
  • Disallowed domains (one per line)
  • Default user group for new users: Users (a new user group we will install and which has no privileges)
  • Disallow commonly abused usernames
  • Maximum time for account self-activation (days). Default: 7
  • Maximum self-activation tries. Default: 3

When it's anything other than Disabled the login page has a “Create account” link at the bottom.

The user is asked to provide:

  • Email address
  • Username
  • Password
  • Password (repeat)
  • CAPTCHA

The email must belong to one of the “Allowed domains” if said list is not empty. The email must NOT belong to one of the “Disallowed domains” if said list is not empty.

The email and username must be unique across all users.

The username must not belong to the list of common usernames when “Disallow commonly abused usernames” is enabled.

The two passwords must match.

When admin approval is required: create the user account but make it Blocked. An email is sent to the user to let them know their account application is under review by an administrator. When an account is blocked it cannot log in, and any login attempt results in a login failure being logged. The admin must enable the account. Enabling a blocked account sends an email to the user to let them know their account is approved.

When self-approval is required: create the user account but make it Blocked. An email is sent to the user with a token. The token is the HMAC-SHA-1 of the concatenation of the username, email, and hashed password with a random 64-byte string as the key. The key is saved in the user account. When the user clicks on the link in the email they are brought to a form where they have to provide their username, password, and token. Submitting this form checks that the information matches. If it does, the account is enabled and the email for account approval is sent. Otherwise, the counter of activation tries is increased by one. If we go past the Maximum self-activation tries, or if we are past the Maximum time for account self-activation (days), the account is deleted and the user is notified they have to retry registering an account.

When creating a (blocked) user account the following information is stored in the user account:

  • Creation date
  • Blocked
  • Activation type (self, admin)

When the account is activated, the creation date and activation type are removed. This prevents accidental collection of manually disabled accounts by the users cleanup task.

Cleanup task

A task runs every day at midnight to remove unactivated user accounts which were created more than “Maximum time for account self-activation (days)” ago.

CAPTCHA

Integrate with Invisible reCAPTCHA and hCaptcha. Use events so that site owners can provide their own CAPTCHA implementations if they so wish.

Security considerations

If you have sites which are visible to the default user group for self-registered users, those users will have full control over them.

Spam registrations are a thing. Not a security consideration per se, but a malicious user might use another person's name and email address to cause confusion and conflict between that person and the site's operator. For admin-approved registrations it might be abused to spam the admin.
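A sketch of the self-approval token flow described above, as an added example that is not part of the original issue or the project's code. The `PendingUser` record, its field names, the function names and the `password_ok` flag (the caller's own password check) are assumptions; each field is length-prefixed before concatenation, also an assumption, so that field boundaries stay unambiguous.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_DAYS, MAX_TRIES = 7, 3  # defaults listed in the issue


@dataclass
class PendingUser:  # hypothetical record; field names are assumptions
    username: str
    email: str
    password_hash: str
    key: bytes  # random 64-byte HMAC key saved in the user account
    created: datetime
    tries: int = 0
    blocked: bool = True


def make_token(u: PendingUser) -> str:
    # Length-prefix each field (an addition to plain concatenation) so that
    # ("ab", "c@x") and ("a", "bc@x") cannot yield the same HMAC input.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                   for f in (u.username, u.email, u.password_hash))
    return hmac.new(u.key, msg, hashlib.sha1).hexdigest()


def register(username: str, email: str, password_hash: str, now: datetime) -> PendingUser:
    return PendingUser(username, email, password_hash, secrets.token_bytes(64), now)


def activate(u: PendingUser, username: str, password_ok: bool, token: str, now: datetime) -> str:
    """Return 'activated', 'retry' or 'deleted' (the caller removes the account)."""
    if now - u.created > timedelta(days=MAX_DAYS):
        return "deleted"  # past the self-activation window
    # Constant-time comparisons avoid leaking how much of the token matched.
    good = (password_ok
            and hmac.compare_digest(username.encode(), u.username.encode())
            and hmac.compare_digest(token.encode(), make_token(u).encode()))
    if good:
        u.blocked = False
        return "activated"
    u.tries += 1
    # "Go past" the maximum is read here as strictly more than MAX_TRIES failures.
    return "deleted" if u.tries > MAX_TRIES else "retry"
```

Because the hashed password is part of the HMAC input, a token issued before a password change no longer verifies afterwards.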
