@micha.bigler/ui-core-micha 2.2.13 → 2.3.0

package/dist/auth/apiClient.js

@@ -9,25 +9,52 @@ let redirectingToLogin = false;
 function isBrowser() {
     return typeof window !== "undefined";
 }
-// WICHTIG: Liste aller Routen, die OHNE Login funktionieren müssen.
-// Beginnt der Pfad mit einem dieser Strings, wird kein Auto-Redirect ausgelöst.
-const PUBLIC_PATHS = [
+// Routen, die OHNE Login funktionieren müssen. Library-eigene Pfade sind eingefroren
+// und können nicht entfernt werden — sonst würde z. B. `removePublicPath("/login")`
+// auf der Login-Page selbst einen Redirect-Loop auslösen.
+const BUILTIN_PUBLIC_PATHS = Object.freeze([
     "/login",
     "/signup",
-    "/reset-request-password", // Request Page
-    "/invite", // Invite Link (/invite/:uid/:token)
-    "/reset", // Reset Link (/reset/:uid/:token)
-    "/welcome" // Optional: Falls Welcome auch öffentlich ist
-];
+    "/reset-request-password",
+    "/invite", // /invite/:uid/:token
+    "/reset", // /reset/:uid/:token
+    "/welcome",
+]);
+const CONSUMER_PUBLIC_PATHS = new Set();
+/**
+ * Register an additional public path so a 401 on that route does not auto-redirect
+ * to `/login`. Typical use: a public landing on `/` in an otherwise authenticated app.
+ *
+ * MUST be called before the AuthProvider mounts (i.e. before `ReactDOM.render`).
+ * Calling it later won't help the bootstrap probe which fires on AuthProvider mount.
+ */
+export function addPublicPath(path) {
+    if (typeof path === "string" && path) {
+        CONSUMER_PUBLIC_PATHS.add(path);
+    }
+}
+/** Remove a consumer-added public path. Library-internal paths are protected. */
+export function removePublicPath(path) {
+    CONSUMER_PUBLIC_PATHS.delete(path);
+}
 function isPublicSitePath(pathname) {
     return pathname === "/sites" || pathname.startsWith("/sites/");
 }
+// Match rule: an entry of exactly "/" requires strict equality (avoids matching
+// every path with startsWith). Other entries keep the looser prefix match so
+// dynamic routes like /invite/:uid/:token still work.
+function matchesPublicPath(pathname, entry) {
+    if (entry === "/")
+        return pathname === "/";
+    return pathname.startsWith(entry);
+}
 function redirectToLoginOnce() {
     if (!isBrowser())
         return;
     const currentPath = window.location.pathname;
-    // 1. Check: Sind wir auf einer öffentlichen Seite?
-    const isPublicPage = isPublicSitePath(currentPath) || PUBLIC_PATHS.some(path => currentPath.startsWith(path));
+    const isPublicPage = isPublicSitePath(currentPath) ||
+        BUILTIN_PUBLIC_PATHS.some((path) => matchesPublicPath(currentPath, path)) ||
+        Array.from(CONSUMER_PUBLIC_PATHS).some((path) => matchesPublicPath(currentPath, path));
     // Wenn ja: NICHT weiterleiten. Der 401 Fehler wird an die Komponente durchgereicht.
     if (isPublicPage)
         return;
@@ -83,13 +110,18 @@ function extractAuthSignal(data) {
     return { code: null, i18nKey: null };
 }
 apiClient.interceptors.response.use((response) => response, (error) => {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e;
     const status = (_b = (_a = error === null || error === void 0 ? void 0 : error.response) === null || _a === void 0 ? void 0 : _a.status) !== null && _b !== void 0 ? _b : null;
     const data = (_d = (_c = error === null || error === void 0 ? void 0 : error.response) === null || _c === void 0 ? void 0 : _c.data) !== null && _d !== void 0 ? _d : {};
     const { code, i18nKey } = extractAuthSignal(data);
     const isAuthStatus = status === 401 || status === 403;
     const isNotAuthenticated = code === "not_authenticated" || i18nKey === "auth.not_authenticated";
-    if (isAuthStatus && isNotAuthenticated) {
+    // Per-request opt-out: bootstrap probes (e.g. fetchCurrentUser on app start)
+    // expect to handle 401 silently and must not trigger a redirect-on-mount.
+    // Carried as an axios config property, so it never travels to the backend
+    // (would otherwise trigger a CORS preflight on cross-origin requests).
+    const skipRedirect = ((_e = error === null || error === void 0 ? void 0 : error.config) === null || _e === void 0 ? void 0 : _e.skipAuthRedirect) === true;
+    if (isAuthStatus && isNotAuthenticated && !skipRedirect) {
         redirectToLoginOnce();
     }
     return Promise.reject(error);

package/dist/auth/authApi.js

@@ -12,7 +12,12 @@ function getCsrfToken() {
 // Session & User Core
 // -----------------------------
 export async function fetchCurrentUser() {
-    const res = await apiClient.get(`${USERS_BASE}/current/`);
+    // Bootstrap-Probe: 401 darf nicht in einen Login-Redirect umschlagen,
+    // damit Public-Landings auf "/" sichtbar bleiben. `skipAuthRedirect` ist eine
+    // client-seitige axios-Config-Property und wird nicht ans Backend gesendet.
+    const res = await apiClient.get(`${USERS_BASE}/current/`, {
+        skipAuthRedirect: true,
+    });
     return res.data;
 }
 export async function fetchAuthMethods() {

package/dist/components/AccessCodeSingleUseToggle.js

@@ -0,0 +1,59 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import React, { useEffect, useState } from 'react';
+import { Alert, Box, FormControlLabel, Switch, Typography, } from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+export function AccessCodeSingleUseToggle({ canEdit = true, policy = null, onPolicyChange = null }) {
+    const { t } = useTranslation();
+    const [value, setValue] = useState(false);
+    const [busy, setBusy] = useState(false);
+    const [error, setError] = useState('');
+    const [success, setSuccess] = useState('');
+    useEffect(() => {
+        if (policy) {
+            setValue(Boolean(policy === null || policy === void 0 ? void 0 : policy.access_code_single_use));
+            return undefined;
+        }
+        let active = true;
+        (async () => {
+            try {
+                const data = await fetchAuthPolicy();
+                if (active) {
+                    setValue(Boolean(data === null || data === void 0 ? void 0 : data.access_code_single_use));
+                }
+            }
+            catch (_a) {
+                // Keep defaults when policy is unavailable.
+            }
+        })();
+        return () => {
+            active = false;
+        };
+    }, [policy]);
+    const handleChange = async (event) => {
+        if (!canEdit) {
+            return;
+        }
+        const nextValue = event.target.checked;
+        const previous = value;
+        setValue(nextValue);
+        setBusy(true);
+        setError('');
+        setSuccess('');
+        try {
+            const updated = await updateAuthPolicy({ access_code_single_use: nextValue });
+            if (onPolicyChange) {
+                onPolicyChange((current) => (Object.assign(Object.assign({}, (current || {})), (updated || {}))));
+            }
+            setSuccess(t('Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS', 'Access code policy saved.'));
+        }
+        catch (err) {
+            setValue(previous);
+            setError(t((err === null || err === void 0 ? void 0 : err.code) || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save access code policy.'));
+        }
+        finally {
+            setBusy(false);
+        }
+    };
+    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_SINGLE_USE_TITLE', 'Access Code Single-Use') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.ACCESS_CODE_SINGLE_USE_HINT', 'When enabled, each access code can be redeemed only once. Recommended.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), _jsx(FormControlLabel, { control: _jsx(Switch, { checked: value, disabled: busy || !canEdit, onChange: handleChange }), label: t('Auth.ACCESS_CODE_SINGLE_USE_TOGGLE', 'Codes are single-use') })] }));
+}

package/dist/components/EmailVerificationRequirementCard.js

@@ -0,0 +1,59 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import React, { useEffect, useState } from 'react';
+import { Alert, Box, FormControlLabel, Switch, Typography, } from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+export function EmailVerificationRequirementCard({ canEdit = true, policy = null, onPolicyChange = null }) {
+    const { t } = useTranslation();
+    const [value, setValue] = useState(false);
+    const [busy, setBusy] = useState(false);
+    const [error, setError] = useState('');
+    const [success, setSuccess] = useState('');
+    useEffect(() => {
+        if (policy) {
+            setValue(Boolean(policy === null || policy === void 0 ? void 0 : policy.require_email_verification));
+            return undefined;
+        }
+        let active = true;
+        (async () => {
+            try {
+                const data = await fetchAuthPolicy();
+                if (active) {
+                    setValue(Boolean(data === null || data === void 0 ? void 0 : data.require_email_verification));
+                }
+            }
+            catch (_a) {
+                // Keep defaults when policy is unavailable.
+            }
+        })();
+        return () => {
+            active = false;
+        };
+    }, [policy]);
+    const handleChange = async (event) => {
+        if (!canEdit) {
+            return;
+        }
+        const nextValue = event.target.checked;
+        const previous = value;
+        setValue(nextValue);
+        setBusy(true);
+        setError('');
+        setSuccess('');
+        try {
+            const updated = await updateAuthPolicy({ require_email_verification: nextValue });
+            if (onPolicyChange) {
+                onPolicyChange((current) => (Object.assign(Object.assign({}, (current || {})), (updated || {}))));
+            }
+            setSuccess(t('Auth.EMAIL_VERIFICATION_SAVE_SUCCESS', 'Email verification requirement saved.'));
+        }
+        catch (err) {
+            setValue(previous);
+            setError(t((err === null || err === void 0 ? void 0 : err.code) || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save email verification requirement.'));
+        }
+        finally {
+            setBusy(false);
+        }
+    };
+    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.EMAIL_VERIFICATION_TITLE', 'Email Verification') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.EMAIL_VERIFICATION_HINT', 'Require verified email ownership before social sign-in can link to an account. Recommended.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), _jsx(FormControlLabel, { control: _jsx(Switch, { checked: value, disabled: busy || !canEdit, onChange: handleChange }), label: t('Auth.EMAIL_VERIFICATION_TOGGLE', 'Require email verification') })] }));
+}

package/dist/i18n/authTranslations.js

@@ -1643,5 +1643,53 @@ export const authTranslations = {
         "fr": "Chargement…",
         "en": "Loading…",
         "sw": "Inapakia..."
+    },
+    "Auth.EMAIL_VERIFICATION_TITLE": {
+        "de": "E-Mail-Verifizierung",
+        "fr": "Vérification de l'e-mail",
+        "en": "Email Verification",
+        "sw": "Uthibitishaji wa Barua Pepe"
+    },
+    "Auth.EMAIL_VERIFICATION_HINT": {
+        "de": "Verlangt einen Nachweis des E-Mail-Besitzes, bevor ein Social-Login mit einem Konto verknüpft werden kann. Empfohlen.",
+        "fr": "Exige une preuve de propriété de l'adresse e-mail avant qu'une connexion sociale ne puisse être liée à un compte. Recommandé.",
+        "en": "Require verified email ownership before social sign-in can link to an account. Recommended.",
+        "sw": "Inahitaji uthibitishaji wa umiliki wa barua pepe kabla ya kuingia kwa mitandao kuunganishwa na akaunti. Inapendekezwa."
+    },
+    "Auth.EMAIL_VERIFICATION_TOGGLE": {
+        "de": "E-Mail-Verifizierung erforderlich",
+        "fr": "Vérification de l'e-mail requise",
+        "en": "Require email verification",
+        "sw": "Hitaji uthibitishaji wa barua pepe"
+    },
+    "Auth.EMAIL_VERIFICATION_SAVE_SUCCESS": {
+        "de": "Anforderung zur E-Mail-Verifizierung gespeichert.",
+        "fr": "Exigence de vérification de l'e-mail enregistrée.",
+        "en": "Email verification requirement saved.",
+        "sw": "Mahitaji ya uthibitishaji wa barua pepe yamehifadhiwa."
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
+        "de": "Zugangscode: Einmalverwendung",
+        "fr": "Code d'accès : usage unique",
+        "en": "Access Code Single-Use",
+        "sw": "Msimbo wa Ufikiaji: Matumizi ya Mara Moja"
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_HINT": {
+        "de": "Wenn aktiviert, kann jeder Zugangscode nur einmal eingelöst werden. Empfohlen.",
+        "fr": "Lorsqu'activé, chaque code d'accès ne peut être utilisé qu'une seule fois. Recommandé.",
+        "en": "When enabled, each access code can be redeemed only once. Recommended.",
+        "sw": "Ikiwa imewashwa, kila msimbo wa ufikiaji unaweza kutumika mara moja tu. Inapendekezwa."
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_TOGGLE": {
+        "de": "Codes sind einmalig verwendbar",
+        "fr": "Codes à usage unique",
+        "en": "Codes are single-use",
+        "sw": "Misimbo ni ya matumizi ya mara moja"
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS": {
+        "de": "Zugangscode-Richtlinie gespeichert.",
+        "fr": "Politique de code d'accès enregistrée.",
+        "en": "Access code policy saved.",
+        "sw": "Sera ya msimbo wa ufikiaji imehifadhiwa."
     }
 };

package/dist/index.js

@@ -1,7 +1,7 @@
 // index.js (Entry Point deiner Library)
 // --- 1. Auth Context (Essentiell für den Wrapper) ---
 export { AuthContext, AuthProvider } from './auth/AuthContext';
-export { default as apiClient, ensureCsrfToken } from "./auth/apiClient";
+export { default as apiClient, ensureCsrfToken, addPublicPath, removePublicPath, } from "./auth/apiClient";
 // --- 2. API & Services (Neue Struktur) ---
 // Statt dem 'authApi'-Objekt exportieren wir die Funktionen direkt.
 // Konsumenten können dann machen: import { loginWithPassword } from 'django-core-micha';
@@ -24,6 +24,8 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
+export { EmailVerificationRequirementCard } from './components/EmailVerificationRequirementCard';
+export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 // --- 6. Translations ---
 export { authTranslations } from './i18n/authTranslations';

package/dist/pages/AccountPage.js

@@ -16,6 +16,8 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
+import { EmailVerificationRequirementCard } from '../components/EmailVerificationRequirementCard';
+import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
 import { SupportRecoveryRequestsTab } from '../components/SupportRecoveryRequestsTab';
@@ -129,5 +131,5 @@ export function AccountPage({ userListExtraColumns = [], userListExtraRowActions
     const activeExtraTab = builtInTabValues.has(safeTab)
         ? null
         : extraTabs.find((tab) => tab.value === safeTab);
-    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
+    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(EmailVerificationRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AccessCodeSingleUseToggle, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@micha.bigler/ui-core-micha",
-  "version": "2.2.13",
+  "version": "2.3.0",
   "main": "dist/index.js",
   "module": "dist/index.js",
   "repository": {
@@ -24,10 +24,10 @@
     "build": "tsc -p tsconfig.build.json"
   },
   "devDependencies": {
+    "@mui/icons-material": "^7.3.11",
     "typescript": "^5.9.3"
   },
   "dependencies": {
     "react-i18next": "^16.3.5"
   }
 }
-

package/src/auth/apiClient.jsx

@@ -13,29 +13,60 @@ function isBrowser() {
   return typeof window !== "undefined";
 }
 
-// WICHTIG: Liste aller Routen, die OHNE Login funktionieren müssen.
-// Beginnt der Pfad mit einem dieser Strings, wird kein Auto-Redirect ausgelöst.
-const PUBLIC_PATHS = [
+// Routen, die OHNE Login funktionieren müssen. Library-eigene Pfade sind eingefroren
+// und können nicht entfernt werden — sonst würde z. B. `removePublicPath("/login")`
+// auf der Login-Page selbst einen Redirect-Loop auslösen.
+const BUILTIN_PUBLIC_PATHS = Object.freeze([
   "/login",
   "/signup",
-  "/reset-request-password", // Request Page
-  "/invite",                 // Invite Link (/invite/:uid/:token)
-  "/reset",                  // Reset Link (/reset/:uid/:token)
-  "/welcome"                 // Optional: Falls Welcome auch öffentlich ist
-];
+  "/reset-request-password",
+  "/invite",                 // /invite/:uid/:token
+  "/reset",                  // /reset/:uid/:token
+  "/welcome",
+]);
+
+const CONSUMER_PUBLIC_PATHS = new Set();
+
+/**
+ * Register an additional public path so a 401 on that route does not auto-redirect
+ * to `/login`. Typical use: a public landing on `/` in an otherwise authenticated app.
+ *
+ * MUST be called before the AuthProvider mounts (i.e. before `ReactDOM.render`).
+ * Calling it later won't help the bootstrap probe which fires on AuthProvider mount.
+ */
+export function addPublicPath(path) {
+  if (typeof path === "string" && path) {
+    CONSUMER_PUBLIC_PATHS.add(path);
+  }
+}
+
+/** Remove a consumer-added public path. Library-internal paths are protected. */
+export function removePublicPath(path) {
+  CONSUMER_PUBLIC_PATHS.delete(path);
+}
 
 function isPublicSitePath(pathname) {
   return pathname === "/sites" || pathname.startsWith("/sites/");
 }
 
+// Match rule: an entry of exactly "/" requires strict equality (avoids matching
+// every path with startsWith). Other entries keep the looser prefix match so
+// dynamic routes like /invite/:uid/:token still work.
+function matchesPublicPath(pathname, entry) {
+  if (entry === "/") return pathname === "/";
+  return pathname.startsWith(entry);
+}
+
 function redirectToLoginOnce() {
   if (!isBrowser()) return;
 
   const currentPath = window.location.pathname;
 
-  // 1. Check: Sind wir auf einer öffentlichen Seite?
-  const isPublicPage = isPublicSitePath(currentPath) || PUBLIC_PATHS.some(path => currentPath.startsWith(path));
-  
+  const isPublicPage =
+    isPublicSitePath(currentPath) ||
+    BUILTIN_PUBLIC_PATHS.some((path) => matchesPublicPath(currentPath, path)) ||
+    Array.from(CONSUMER_PUBLIC_PATHS).some((path) => matchesPublicPath(currentPath, path));
+
   // Wenn ja: NICHT weiterleiten. Der 401 Fehler wird an die Komponente durchgereicht.
   if (isPublicPage) return;
 
@@ -108,7 +139,13 @@ apiClient.interceptors.response.use(
     const isNotAuthenticated =
       code === "not_authenticated" || i18nKey === "auth.not_authenticated";
 
-    if (isAuthStatus && isNotAuthenticated) {
+    // Per-request opt-out: bootstrap probes (e.g. fetchCurrentUser on app start)
+    // expect to handle 401 silently and must not trigger a redirect-on-mount.
+    // Carried as an axios config property, so it never travels to the backend
+    // (would otherwise trigger a CORS preflight on cross-origin requests).
+    const skipRedirect = error?.config?.skipAuthRedirect === true;
+
+    if (isAuthStatus && isNotAuthenticated && !skipRedirect) {
       redirectToLoginOnce();
     }
     return Promise.reject(error);

package/src/auth/authApi.jsx

@@ -14,7 +14,12 @@ function getCsrfToken() {
 // -----------------------------
 
 export async function fetchCurrentUser() {
-  const res = await apiClient.get(`${USERS_BASE}/current/`);
+  // Bootstrap-Probe: 401 darf nicht in einen Login-Redirect umschlagen,
+  // damit Public-Landings auf "/" sichtbar bleiben. `skipAuthRedirect` ist eine
+  // client-seitige axios-Config-Property und wird nicht ans Backend gesendet.
+  const res = await apiClient.get(`${USERS_BASE}/current/`, {
+    skipAuthRedirect: true,
+  });
   return res.data;
 }
 

package/src/components/AccessCodeSingleUseToggle.jsx

@@ -0,0 +1,89 @@
+import React, { useEffect, useState } from 'react';
+import {
+  Alert,
+  Box,
+  FormControlLabel,
+  Switch,
+  Typography,
+} from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+
+export function AccessCodeSingleUseToggle({ canEdit = true, policy = null, onPolicyChange = null }) {
+  const { t } = useTranslation();
+  const [value, setValue] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState('');
+  const [success, setSuccess] = useState('');
+
+  useEffect(() => {
+    if (policy) {
+      setValue(Boolean(policy?.access_code_single_use));
+      return undefined;
+    }
+    let active = true;
+    (async () => {
+      try {
+        const data = await fetchAuthPolicy();
+        if (active) {
+          setValue(Boolean(data?.access_code_single_use));
+        }
+      } catch {
+        // Keep defaults when policy is unavailable.
+      }
+    })();
+    return () => {
+      active = false;
+    };
+  }, [policy]);
+
+  const handleChange = async (event) => {
+    if (!canEdit) {
+      return;
+    }
+    const nextValue = event.target.checked;
+    const previous = value;
+    setValue(nextValue);
+    setBusy(true);
+    setError('');
+    setSuccess('');
+    try {
+      const updated = await updateAuthPolicy({ access_code_single_use: nextValue });
+      if (onPolicyChange) {
+        onPolicyChange((current) => ({ ...(current || {}), ...(updated || {}) }));
+      }
+      setSuccess(t('Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS', 'Access code policy saved.'));
+    } catch (err) {
+      setValue(previous);
+      setError(t(err?.code || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save access code policy.'));
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <Box>
+      <Typography variant="h6" gutterBottom>
+        {t('Auth.ACCESS_CODE_SINGLE_USE_TITLE', 'Access Code Single-Use')}
+      </Typography>
+      <Typography variant="body2" sx={{ mb: 2, color: 'text.secondary' }}>
+        {t(
+          'Auth.ACCESS_CODE_SINGLE_USE_HINT',
+          'When enabled, each access code can be redeemed only once. Recommended.',
+        )}
+      </Typography>
+      {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
+      {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
+      <FormControlLabel
+        control={
+          <Switch
+            checked={value}
+            disabled={busy || !canEdit}
+            onChange={handleChange}
+          />
+        }
+        label={t('Auth.ACCESS_CODE_SINGLE_USE_TOGGLE', 'Codes are single-use')}
+      />
+    </Box>
+  );
+}

package/src/components/EmailVerificationRequirementCard.jsx

@@ -0,0 +1,89 @@
+import React, { useEffect, useState } from 'react';
+import {
+  Alert,
+  Box,
+  FormControlLabel,
+  Switch,
+  Typography,
+} from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+
+export function EmailVerificationRequirementCard({ canEdit = true, policy = null, onPolicyChange = null }) {
+  const { t } = useTranslation();
+  const [value, setValue] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState('');
+  const [success, setSuccess] = useState('');
+
+  useEffect(() => {
+    if (policy) {
+      setValue(Boolean(policy?.require_email_verification));
+      return undefined;
+    }
+    let active = true;
+    (async () => {
+      try {
+        const data = await fetchAuthPolicy();
+        if (active) {
+          setValue(Boolean(data?.require_email_verification));
+        }
+      } catch {
+        // Keep defaults when policy is unavailable.
+      }
+    })();
+    return () => {
+      active = false;
+    };
+  }, [policy]);
+
+  const handleChange = async (event) => {
+    if (!canEdit) {
+      return;
+    }
+    const nextValue = event.target.checked;
+    const previous = value;
+    setValue(nextValue);
+    setBusy(true);
+    setError('');
+    setSuccess('');
+    try {
+      const updated = await updateAuthPolicy({ require_email_verification: nextValue });
+      if (onPolicyChange) {
+        onPolicyChange((current) => ({ ...(current || {}), ...(updated || {}) }));
+      }
+      setSuccess(t('Auth.EMAIL_VERIFICATION_SAVE_SUCCESS', 'Email verification requirement saved.'));
+    } catch (err) {
+      setValue(previous);
+      setError(t(err?.code || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save email verification requirement.'));
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <Box>
+      <Typography variant="h6" gutterBottom>
+        {t('Auth.EMAIL_VERIFICATION_TITLE', 'Email Verification')}
+      </Typography>
+      <Typography variant="body2" sx={{ mb: 2, color: 'text.secondary' }}>
+        {t(
+          'Auth.EMAIL_VERIFICATION_HINT',
+          'Require verified email ownership before social sign-in can link to an account. Recommended.',
+        )}
+      </Typography>
+      {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
+      {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
+      <FormControlLabel
+        control={
+          <Switch
+            checked={value}
+            disabled={busy || !canEdit}
+            onChange={handleChange}
+          />
+        }
+        label={t('Auth.EMAIL_VERIFICATION_TOGGLE', 'Require email verification')}
+      />
+    </Box>
+  );
+}

package/src/i18n/authTranslations.ts

@@ -1691,5 +1691,53 @@ export const authTranslations = {
     "fr": "Chargement…",
     "en": "Loading…",
     "sw": "Inapakia..."
+  },
+  "Auth.EMAIL_VERIFICATION_TITLE": {
+    "de": "E-Mail-Verifizierung",
+    "fr": "Vérification de l'e-mail",
+    "en": "Email Verification",
+    "sw": "Uthibitishaji wa Barua Pepe"
+  },
+  "Auth.EMAIL_VERIFICATION_HINT": {
+    "de": "Verlangt einen Nachweis des E-Mail-Besitzes, bevor ein Social-Login mit einem Konto verknüpft werden kann. Empfohlen.",
+    "fr": "Exige une preuve de propriété de l'adresse e-mail avant qu'une connexion sociale ne puisse être liée à un compte. Recommandé.",
+    "en": "Require verified email ownership before social sign-in can link to an account. Recommended.",
+    "sw": "Inahitaji uthibitishaji wa umiliki wa barua pepe kabla ya kuingia kwa mitandao kuunganishwa na akaunti. Inapendekezwa."
+  },
+  "Auth.EMAIL_VERIFICATION_TOGGLE": {
+    "de": "E-Mail-Verifizierung erforderlich",
+    "fr": "Vérification de l'e-mail requise",
+    "en": "Require email verification",
+    "sw": "Hitaji uthibitishaji wa barua pepe"
+  },
+  "Auth.EMAIL_VERIFICATION_SAVE_SUCCESS": {
+    "de": "Anforderung zur E-Mail-Verifizierung gespeichert.",
+    "fr": "Exigence de vérification de l'e-mail enregistrée.",
+    "en": "Email verification requirement saved.",
+    "sw": "Mahitaji ya uthibitishaji wa barua pepe yamehifadhiwa."
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
+    "de": "Zugangscode: Einmalverwendung",
+    "fr": "Code d'accès : usage unique",
+    "en": "Access Code Single-Use",
+    "sw": "Msimbo wa Ufikiaji: Matumizi ya Mara Moja"
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_HINT": {
+    "de": "Wenn aktiviert, kann jeder Zugangscode nur einmal eingelöst werden. Empfohlen.",
+    "fr": "Lorsqu'activé, chaque code d'accès ne peut être utilisé qu'une seule fois. Recommandé.",
+    "en": "When enabled, each access code can be redeemed only once. Recommended.",
+    "sw": "Ikiwa imewashwa, kila msimbo wa ufikiaji unaweza kutumika mara moja tu. Inapendekezwa."
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_TOGGLE": {
+    "de": "Codes sind einmalig verwendbar",
+    "fr": "Codes à usage unique",
+    "en": "Codes are single-use",
+    "sw": "Misimbo ni ya matumizi ya mara moja"
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS": {
+    "de": "Zugangscode-Richtlinie gespeichert.",
+    "fr": "Politique de code d'accès enregistrée.",
+    "en": "Access code policy saved.",
+    "sw": "Sera ya msimbo wa ufikiaji imehifadhiwa."
   }
 };

package/src/index.js

@@ -3,7 +3,12 @@
 // --- 1. Auth Context (Essentiell für den Wrapper) ---
 export { AuthContext, AuthProvider } from './auth/AuthContext';
 
-export { default as apiClient, ensureCsrfToken } from "./auth/apiClient";
+export {
+  default as apiClient,
+  ensureCsrfToken,
+  addPublicPath,
+  removePublicPath,
+} from "./auth/apiClient";
 
 // --- 2. API & Services (Neue Struktur) ---
 // Statt dem 'authApi'-Objekt exportieren wir die Funktionen direkt.
@@ -30,6 +35,8 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
+export { EmailVerificationRequirementCard } from './components/EmailVerificationRequirementCard';
+export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 
 // --- 6. Translations ---

package/src/pages/AccountPage.jsx

@@ -26,6 +26,8 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
+import { EmailVerificationRequirementCard } from '../components/EmailVerificationRequirementCard';
+import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
 import { SupportRecoveryRequestsTab } from '../components/SupportRecoveryRequestsTab';
@@ -254,6 +256,16 @@ export function AccountPage({
               </Paper>
             )}
 
+            {canViewAuthPolicy && (
+              <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
+                <EmailVerificationRequirementCard
+                  canEdit={canWriteAuthPolicy}
+                  policy={authPolicy}
+                  onPolicyChange={setAuthPolicy}
+                />
+              </Paper>
+            )}
+
             {canViewAuthPolicy && (
               <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
                 <RegistrationMethodsManager
@@ -283,6 +295,16 @@ export function AccountPage({
               </Paper>
             )}
 
+            {canManageAccessCodes && Boolean(authPolicy?.allow_self_signup_access_code) && (
+              <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
+                <AccessCodeSingleUseToggle
+                  canEdit={canWriteAuthPolicy}
+                  policy={authPolicy}
+                  onPolicyChange={setAuthPolicy}
+                />
+              </Paper>
+            )}
+
             {canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy?.allow_admin_invite) && (
               <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
                 <BulkInviteCsvTab {...bulkInviteCsvProps} />