(Moved from https://github.com/kwantu/platformconfiguration/wiki/Account-creation-widget/)
This widget can be configured to enable anonymous users on a hub domain website to create a new user account. Hubs may configure multiple instances of the widget that manage sign-up for specific node communities or provide different welcome messages.
The following parameters are defined during configuration:
- If the widget is active or not
- Which user role or roles are assigned to users
- On which community or communities the roles are assigned
- The HTML welcome message sent to users signing up by email
- The SMS welcome message sent to users signing up with a mobile number
- Error messages
Sign-up form fields
- Email address OR mobile number (primary identifier)
- First name
- Last name
- Password
- Confirmation checkbox for Terms and Conditions and Privacy Policy agreement
- Organisation name
- Position
Case where user has account on another hub
The form must check whether the email address or mobile number entered is already associated with an account on another hub. If it is, the user should be prompted that they may (i) link their existing account to this hub or (ii) use a different email address or mobile number.
Third-party authentication options
- Google OAuth integration
- Other third-party authentication services (Apple, Microsoft, etc.)
Email Verification
(i) System sends verification email containing:
- Unique verification link with time-limited token (24-hour validity)
- Clear subject line indicating purpose
- Branding and security information
(ii) User clicks verification link:
- System validates token
- Upon success, marks email as verified
- Redirects to account activation confirmation page
(iii) Error handling:
- Expired token: Display message with option to request new verification email
- Invalid token: Display security error with support contact
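The email verification flow above, as an added example that is not part of the original wiki page or the platform's code. It issues a random token, persists only its SHA-256 hash (so a copied table cannot be turned into working links), enforces the 24-hour validity, and distinguishes the two error paths the spec names: an expired token (offer a new email) versus an unknown or already-used token (security error). The link format and the class and method names are assumptions; the spec defines only the endpoint `POST /api/v1/auth/verify-email`.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set

TOKEN_TTL = timedelta(hours=24)  # 24-hour validity from the spec


class PendingVerification:
    def __init__(self, email: str, expires_at: datetime):
        self.email = email
        self.expires_at = expires_at
        self.used = False


class EmailVerificationService:
    """Issues and validates single-use, time-limited email verification tokens."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.now = now or (lambda: datetime.now(timezone.utc))  # injectable clock
        self._pending: Dict[str, PendingVerification] = {}  # keyed by token hash
        self.verified_emails: Set[str] = set()

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is persisted, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token; the plaintext goes into the emailed link only."""
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = PendingVerification(email, self.now() + TOKEN_TTL)
        return token

    def verification_link(self, base_url: str, token: str) -> str:
        # Hypothetical hub URL layout; the spec does not define the link format.
        return f"{base_url}/verify-email?token={token}"

    def verify(self, token: str) -> str:
        """Returns 'verified', 'expired' (offer a new email) or 'invalid' (security error)."""
        rec = self._pending.get(self._hash(token))
        if rec is None or rec.used:
            return "invalid"
        if self.now() >= rec.expires_at:
            return "expired"
        rec.used = True
        self.verified_emails.add(rec.email)
        return "verified"

    def request_new(self, email: str) -> str:
        """Expired-token path: drop stale tokens for the address and issue a new one."""
        for h, rec in list(self._pending.items()):
            if rec.email == email:
                del self._pending[h]
        return self.issue(email)
```

The `now` callable exists so the expiry logic can be exercised in tests without waiting; in production the default UTC clock is used. Note that `verify` returns "invalid" rather than "expired" for a token that has already been consumed, which is the correct signal for a replayed link.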
Mobile Verification
(i) System sends SMS containing:
- 6-digit verification code (10-minute validity)
- Brief explanation of purpose
(ii) User enters verification code:
- System validates code
- Upon success, marks mobile number as verified
- Displays account activation confirmation
(iii) Error handling:
- Expired/invalid code: Allow up to 3 attempts before enforcing cooldown period
- Resend option: Available after 30 seconds, limited to 3 resends per day
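The mobile verification flow above, as an added example that is not part of the original wiki page or the platform's code. It generates a 6-digit code with a 10-minute validity, stores only a hash of it, counts wrong or expired entries and starts a cooldown on the third, and gates resends behind the 30-second wait and the three-per-day cap. The spec does not fix the cooldown length, so the 15-minute value is an assumption, as are the class and method names; the `outbox` list stands in for the SMS gateway.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

CODE_TTL = timedelta(minutes=10)          # 10-minute validity
MAX_ATTEMPTS = 3                          # wrong or expired entries before cooldown
COOLDOWN = timedelta(minutes=15)          # assumed length; the spec does not fix it
RESEND_MIN_GAP = timedelta(seconds=30)    # resend available after 30 seconds
MAX_RESENDS_PER_DAY = 3


def _hash_code(number: str, code: str) -> str:
    # Codes are stored hashed and bound to the number they were issued for.
    return hashlib.sha256(f"{number}:{code}".encode()).hexdigest()


class MobileChallenge:
    def __init__(self, code_hash: str, expires_at: datetime, sent_at: datetime):
        self.code_hash = code_hash
        self.expires_at = expires_at
        self.attempts = 0
        self.locked_until: Optional[datetime] = None
        self.sent_at: List[datetime] = [sent_at]  # first send plus every resend


class MobileVerificationService:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.now = now or (lambda: datetime.now(timezone.utc))  # injectable clock
        self._challenges: Dict[str, MobileChallenge] = {}
        self.verified_numbers: Set[str] = set()
        self.outbox: List[Tuple[str, str]] = []  # (number, code): stand-in for the SMS gateway

    def _new_code(self, number: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits, leading zeros kept
        self.outbox.append((number, code))
        return code

    def start(self, number: str) -> None:
        """First send for a number; replaces any earlier challenge for it."""
        now = self.now()
        code = self._new_code(number)
        self._challenges[number] = MobileChallenge(_hash_code(number, code), now + CODE_TTL, now)

    def resend(self, number: str) -> str:
        ch = self._challenges.get(number)
        if ch is None:
            return "no_challenge"
        now = self.now()
        if now - ch.sent_at[-1] < RESEND_MIN_GAP:
            return "too_soon"
        if sum(1 for t in ch.sent_at[1:] if now - t < timedelta(days=1)) >= MAX_RESENDS_PER_DAY:
            return "daily_limit"
        code = self._new_code(number)
        ch.code_hash, ch.expires_at, ch.attempts = _hash_code(number, code), now + CODE_TTL, 0
        ch.sent_at.append(now)  # an active cooldown is deliberately left in place
        return "sent"

    def verify(self, number: str, code: str) -> str:
        ch = self._challenges.get(number)
        if ch is None:
            return "no_challenge"
        now = self.now()
        if ch.locked_until and now < ch.locked_until:
            return "locked"
        if now >= ch.expires_at:
            outcome = "expired"
        elif secrets.compare_digest(ch.code_hash, _hash_code(number, code)):
            self.verified_numbers.add(number)
            del self._challenges[number]
            return "verified"
        else:
            outcome = "invalid"
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:  # third failure starts the cooldown
            ch.locked_until, ch.attempts = now + COOLDOWN, 0
        return outcome
```

A resend issues a fresh code and resets the attempt counter but does not lift an active cooldown, so the attempt limit cannot be bypassed by alternating resends and guesses. Expired entries count as failed attempts, matching the spec's "expired/invalid code" wording.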
Password Reset
(i) User initiates reset:
- Requests via "Forgot Password" link
- Enters email address or mobile number
(ii) Verification:
- System sends reset link (email) or code (SMS)
- Token/code valid for 1 hour
(iii) Password reset:
- User creates new password meeting security requirements
- System validates password strength and uniqueness
- Upon success, invalidates all active sessions
- Notifies user of successful password change
(iv) Security measures:
- Rate limiting for reset requests (5 per hour per identifier)
- Notification to primary contact method upon successful reset
- Automatic account lockout after 5 successive failed attempts
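The password reset flow and its security measures, as an added example that is not part of the original wiki page or the platform's code. It covers the 5-per-hour rate limit per identifier (sliding window), the 1-hour hashed reset token, strength and uniqueness checks on the new password, invalidation of every active session and the change notification, and the lockout after 5 successive failed attempts, recorded in the `failedLoginAttempts` and `accountLockoutUntil` fields the spec defines. The lockout duration and the 12-character minimum are assumptions the spec leaves open; the PBKDF2 call is a dependency-free stand-in for the Argon2 or bcrypt hashing the spec requires, and the class and method names are not from the page.

```python
import hashlib
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

RESET_TOKEN_TTL = timedelta(hours=1)       # token/code valid for 1 hour
RESET_REQUESTS_PER_HOUR = 5                # rate limit per identifier
MAX_FAILED_ATTEMPTS = 5                    # lockout after 5 successive failures
LOCKOUT_DURATION = timedelta(minutes=30)   # assumed; the spec does not fix the length
MIN_PASSWORD_LENGTH = 12                   # assumed strength rule


@dataclass
class Account:
    identifier: str
    password_hash: str
    previous_hashes: List[str] = field(default_factory=list)
    failedLoginAttempts: int = 0                    # status flag named in the spec
    accountLockoutUntil: Optional[datetime] = None  # status flag named in the spec
    active_sessions: Set[str] = field(default_factory=set)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Dependency-free stand-in KDF; the spec requires Argon2 or bcrypt in production.
    salt = salt or secrets.token_bytes(16)
    return f"{salt.hex()}${hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000).hex()}"


def check_password(stored: str, password: str) -> bool:
    salt = bytes.fromhex(stored.split("$")[0])
    return secrets.compare_digest(stored, hash_password(password, salt))


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # tokens are never stored in plaintext


class PasswordResetService:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.now = now or (lambda: datetime.now(timezone.utc))  # injectable clock
        self.accounts: Dict[str, Account] = {}
        self._requests: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._tokens: Dict[str, Tuple[str, datetime]] = {}  # token hash -> (identifier, expiry)
        self.outbox: List[Tuple[str, str, str]] = []  # (identifier, kind, payload): stand-in gateway

    def request_reset(self, identifier: str) -> str:
        """(i)/(ii) plus the 5-per-hour rate limit: issue a 1-hour token."""
        now, window = self.now(), self._requests[identifier]
        while window and now - window[0] >= timedelta(hours=1):
            window.popleft()  # sliding one-hour window per identifier
        if len(window) >= RESET_REQUESTS_PER_HOUR:
            return "rate_limited"
        window.append(now)
        if identifier in self.accounts:  # same reply either way: no account enumeration
            token = secrets.token_urlsafe(32)
            self._tokens[_token_hash(token)] = (identifier, now + RESET_TOKEN_TTL)
            self.outbox.append((identifier, "reset_token", token))
        return "sent"

    def confirm_reset(self, token: str, new_password: str) -> str:
        """(iii)/(iv): check token, strength and uniqueness; rotate; drop all sessions."""
        key = _token_hash(token)
        if key not in self._tokens:
            return "invalid_token"
        identifier, expires_at = self._tokens[key]
        if self.now() >= expires_at:
            del self._tokens[key]
            return "expired_token"
        acct = self.accounts[identifier]
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return "weak_password"
        if any(check_password(h, new_password) for h in [acct.password_hash] + acct.previous_hashes):
            return "password_reused"
        del self._tokens[key]  # single use
        acct.previous_hashes.append(acct.password_hash)
        acct.password_hash = hash_password(new_password)
        acct.active_sessions.clear()  # invalidate every active session
        acct.failedLoginAttempts, acct.accountLockoutUntil = 0, None
        self.outbox.append((identifier, "notice", "Your password was changed"))
        return "reset"

    def login(self, identifier: str, password: str) -> str:
        """Lockout after MAX_FAILED_ATTEMPTS successive failures, tracked on the account."""
        acct, now = self.accounts.get(identifier), self.now()
        if acct is None:
            return "invalid"
        if acct.accountLockoutUntil and now < acct.accountLockoutUntil:
            return "locked"
        if check_password(acct.password_hash, password):
            acct.failedLoginAttempts = 0
            acct.active_sessions.add(secrets.token_hex(16))
            return "ok"
        acct.failedLoginAttempts += 1
        if acct.failedLoginAttempts >= MAX_FAILED_ATTEMPTS:
            acct.accountLockoutUntil = now + LOCKOUT_DURATION
            acct.failedLoginAttempts = 0
        return "invalid"
```

`request_reset` returns "sent" whether or not the identifier has an account, and the rate limiter counts the request either way, so the endpoint cannot be used to enumerate accounts or to flood an address. A successful reset clears the lockout, since the user has just proven control of the contact method.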
Account Status Attributes
(i) Primary Status Flags
- accountStatus: ENUM ["PENDING", "ACTIVE", "SUSPENDED", "CLOSED"]
- emailVerified: BOOLEAN
- mobileVerified: BOOLEAN
- lastLoginTimestamp: DATETIME
- failedLoginAttempts: INTEGER
- accountLockoutUntil: DATETIME (null if not locked)
(ii) Security Attributes
- passwordLastChanged: DATETIME
- twoFactorEnabled: BOOLEAN
- activeSessionCount: INTEGER
- securityLevel: ENUM ["STANDARD", "ENHANCED", "HIGH"]
(iii) Activity Tracking
- creationTimestamp: DATETIME
- lastActivityTimestamp: DATETIME
- termsAcceptedVersion: STRING
- privacyPolicyAcceptedVersion: STRING
- termsAcceptanceTimestamp: DATETIME
Technical Requirements
(i) Data Storage
- User credentials must be stored using industry-standard hashing (Argon2 or bcrypt)
- PII data should be encrypted at rest
- Verification tokens should never be stored in plaintext
(ii) API Endpoints
- POST /api/v1/auth/register - Create new account
- POST /api/v1/auth/verify-email - Verify email address
- POST /api/v1/auth/verify-mobile - Verify mobile number
- POST /api/v1/auth/reset-password - Initiate password reset
- POST /api/v1/auth/confirm-reset - Complete password reset
(iii) Security Requirements
- HTTPS required for all endpoints
- CSRF protection for all forms
- Rate limiting on all authentication endpoints
- IP-based anomaly detection for suspicious activities