erik/slugkit
1
0
Fork 0
Code Issues 6 Pull requests Projects Releases 6 Packages Wiki Activity Actions

Add approved viewer registration #171

New issue
Open
opened 2026-06-20 09:04:39 -05:00 by erik · 0 comments
erik commented 2026-06-20 09:04:39 -05:00
Owner
Copy link

Goal

Add open registration for viewer access, with email verification and explicit admin approval before a user becomes active.

Requirements

  • Public registration must create a pending site user, not an active viewer.
  • Registration must require email verification before the request can be approved.
  • Pending users must not receive settings, admin, or API access while awaiting approval.
  • Pending users may only see a clear pending-approval status after signing in or following verification.
  • Admins must be able to approve or reject pending registration requests from the Site users/settings area.
  • Approval must activate the user with the viewer role.
  • Rejection must keep the user unable to sign in or access viewer-only resources.
  • Viewers must be treated as untrusted internet users.
  • Viewer access must be limited to explicitly safe read-only resources.
  • Viewers must not access Site users, ActivityPub admin, site config, audit/security information, drafts, private metadata, or write operations.
  • API keys must not be created automatically during registration or approval.
  • Viewer-created API keys must be scoped only to viewer-safe GET endpoints.
  • Registration and magic-link/verification flows must be rate-limited to reduce abuse.
  • Registration and login flows must avoid revealing whether an email address already exists.
  • Deactivated, rejected, or unverified users must be unable to authenticate into protected areas.
  • Add tests for pending, approved, rejected, inactive, and viewer authorization paths.
  • Document the registration and approval model.

Acceptance criteria

  • A new public registration flow accepts an email address and creates a pending site user.
  • Registration sends or records an email verification step before admin approval is possible.
  • Pending users cannot access settings/admin pages, protected APIs, or viewer-only resources.
  • Pending users see a pending-approval status instead of protected content.
  • Admins can view pending registrations in the Site users/settings area.
  • Admins can approve a pending user, activating them with the viewer role.
  • Admins can reject a pending user, keeping them unable to authenticate into protected areas.
  • Approved viewers can access only explicitly allowed viewer-safe read-only resources.
  • Viewers are denied access to Site users, ActivityPub admin, site config, audit/security data, drafts, private metadata, and write operations.
  • Registration and verification requests are rate-limited.
  • Registration/login responses do not disclose whether an email already exists.
  • No API key is automatically created for a registered or approved viewer.
  • Viewer API keys, if created later by the viewer, are restricted to safe GET endpoints.
  • Tests cover pending approval, approval, rejection, inactive users, viewer access, and viewer denial cases.
  • Documentation explains the pending-registration, email-verification, approval, and viewer-access model.

Dependencies

  • task-cdb4c12b
## Goal Add open registration for viewer access, with email verification and explicit admin approval before a user becomes active. ## Requirements - Public registration must create a pending site user, not an active viewer. - Registration must require email verification before the request can be approved. - Pending users must not receive settings, admin, or API access while awaiting approval. - Pending users may only see a clear pending-approval status after signing in or following verification. - Admins must be able to approve or reject pending registration requests from the Site users/settings area. - Approval must activate the user with the `viewer` role. - Rejection must keep the user unable to sign in or access viewer-only resources. - Viewers must be treated as untrusted internet users. - Viewer access must be limited to explicitly safe read-only resources. - Viewers must not access Site users, ActivityPub admin, site config, audit/security information, drafts, private metadata, or write operations. - API keys must not be created automatically during registration or approval. - Viewer-created API keys must be scoped only to viewer-safe `GET` endpoints. - Registration and magic-link/verification flows must be rate-limited to reduce abuse. - Registration and login flows must avoid revealing whether an email address already exists. - Deactivated, rejected, or unverified users must be unable to authenticate into protected areas. - Add tests for pending, approved, rejected, inactive, and viewer authorization paths. - Document the registration and approval model. ## Acceptance criteria - [ ] A new public registration flow accepts an email address and creates a pending site user. - [ ] Registration sends or records an email verification step before admin approval is possible. - [ ] Pending users cannot access settings/admin pages, protected APIs, or viewer-only resources. - [ ] Pending users see a pending-approval status instead of protected content. - [ ] Admins can view pending registrations in the Site users/settings area. - [ ] Admins can approve a pending user, activating them with the `viewer` role. - [ ] Admins can reject a pending user, keeping them unable to authenticate into protected areas. - [ ] Approved viewers can access only explicitly allowed viewer-safe read-only resources. - [ ] Viewers are denied access to Site users, ActivityPub admin, site config, audit/security data, drafts, private metadata, and write operations. - [ ] Registration and verification requests are rate-limited. - [ ] Registration/login responses do not disclose whether an email already exists. - [ ] No API key is automatically created for a registered or approved viewer. - [ ] Viewer API keys, if created later by the viewer, are restricted to safe `GET` endpoints. - [ ] Tests cover pending approval, approval, rejection, inactive users, viewer access, and viewer denial cases. - [ ] Documentation explains the pending-registration, email-verification, approval, and viewer-access model. ## Dependencies - task-cdb4c12b
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release/slug-cli-v0.5.0
release/slug-cli-v0.4.0
release/slug-cli-v0.3.0
release/slug-cli-v0.2.0
release/slug-cli-v0.1.2
release/slug-cli-v0.1.1
feat/task-47be19ea-api-meta-route
feat/task-51eaa27f-swagger-api-docs
feat/task-0dbd25d3-site-config-homepage
feat/task-69937fe4-sqlite-migrations
feat/task-a3cd5595-cli-foundation
feat/task-c272cbda-openapi-health
feat/task-d6397b57-template-foundation
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.2
v0.1.1
Labels
Clear labels   
activitypub

   
admin

   
api

   
articles

   
auth

   
bug

   
cleanup

   
cli

   
comments

   
compatibility

   
config

   
contacts

   
database

   
deployment

   
design

   
dev-env

   
docs

   
documentation

   
email

   
enhancement

   
feature

   
federation

   
feed

   
homepage

   
implementation

   
integration

   
media

   
openapi

   
priority:high

   
priority:low

   
priority:medium

   
proof

   
public-routes

   
public-ui

   
release

   
safety

   
social

   
sources

   
status:active

   
status:canceled

   
status:done

   
status:inprogress

   
status:waiting

   
syndication

   
tailwind

   
template

   
test

   
web
No labels
activitypub
admin
api
articles
auth
bug
cleanup
cli
comments
compatibility
config
contacts
database
deployment
design
dev-env
docs
documentation
email
enhancement
feature
federation
feed
homepage
implementation
integration
media
openapi
priority:high
priority:low
priority:medium
proof
public-routes
public-ui
release
safety
social
sources
status:active
status:canceled
status:done
status:inprogress
status:waiting
syndication
tailwind
template
test
web
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
erik/slugkit#171
No description provided.