@micha.bigler/ui-core-micha 2.2.14 → 2.3.0

package/dist/components/AccessCodeSingleUseToggle.js

@@ -0,0 +1,59 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import React, { useEffect, useState } from 'react';
+import { Alert, Box, FormControlLabel, Switch, Typography, } from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+export function AccessCodeSingleUseToggle({ canEdit = true, policy = null, onPolicyChange = null }) {
+    const { t } = useTranslation();
+    const [value, setValue] = useState(false);
+    const [busy, setBusy] = useState(false);
+    const [error, setError] = useState('');
+    const [success, setSuccess] = useState('');
+    useEffect(() => {
+        if (policy) {
+            setValue(Boolean(policy === null || policy === void 0 ? void 0 : policy.access_code_single_use));
+            return undefined;
+        }
+        let active = true;
+        (async () => {
+            try {
+                const data = await fetchAuthPolicy();
+                if (active) {
+                    setValue(Boolean(data === null || data === void 0 ? void 0 : data.access_code_single_use));
+                }
+            }
+            catch (_a) {
+                // Keep defaults when policy is unavailable.
+            }
+        })();
+        return () => {
+            active = false;
+        };
+    }, [policy]);
+    const handleChange = async (event) => {
+        if (!canEdit) {
+            return;
+        }
+        const nextValue = event.target.checked;
+        const previous = value;
+        setValue(nextValue);
+        setBusy(true);
+        setError('');
+        setSuccess('');
+        try {
+            const updated = await updateAuthPolicy({ access_code_single_use: nextValue });
+            if (onPolicyChange) {
+                onPolicyChange((current) => (Object.assign(Object.assign({}, (current || {})), (updated || {}))));
+            }
+            setSuccess(t('Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS', 'Access code policy saved.'));
+        }
+        catch (err) {
+            setValue(previous);
+            setError(t((err === null || err === void 0 ? void 0 : err.code) || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save access code policy.'));
+        }
+        finally {
+            setBusy(false);
+        }
+    };
+    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_SINGLE_USE_TITLE', 'Access Code Single-Use') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.ACCESS_CODE_SINGLE_USE_HINT', 'When enabled, each access code can be redeemed only once. Recommended.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), _jsx(FormControlLabel, { control: _jsx(Switch, { checked: value, disabled: busy || !canEdit, onChange: handleChange }), label: t('Auth.ACCESS_CODE_SINGLE_USE_TOGGLE', 'Codes are single-use') })] }));
+}

package/dist/components/EmailVerificationRequirementCard.js

@@ -0,0 +1,59 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import React, { useEffect, useState } from 'react';
+import { Alert, Box, FormControlLabel, Switch, Typography, } from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+export function EmailVerificationRequirementCard({ canEdit = true, policy = null, onPolicyChange = null }) {
+    const { t } = useTranslation();
+    const [value, setValue] = useState(false);
+    const [busy, setBusy] = useState(false);
+    const [error, setError] = useState('');
+    const [success, setSuccess] = useState('');
+    useEffect(() => {
+        if (policy) {
+            setValue(Boolean(policy === null || policy === void 0 ? void 0 : policy.require_email_verification));
+            return undefined;
+        }
+        let active = true;
+        (async () => {
+            try {
+                const data = await fetchAuthPolicy();
+                if (active) {
+                    setValue(Boolean(data === null || data === void 0 ? void 0 : data.require_email_verification));
+                }
+            }
+            catch (_a) {
+                // Keep defaults when policy is unavailable.
+            }
+        })();
+        return () => {
+            active = false;
+        };
+    }, [policy]);
+    const handleChange = async (event) => {
+        if (!canEdit) {
+            return;
+        }
+        const nextValue = event.target.checked;
+        const previous = value;
+        setValue(nextValue);
+        setBusy(true);
+        setError('');
+        setSuccess('');
+        try {
+            const updated = await updateAuthPolicy({ require_email_verification: nextValue });
+            if (onPolicyChange) {
+                onPolicyChange((current) => (Object.assign(Object.assign({}, (current || {})), (updated || {}))));
+            }
+            setSuccess(t('Auth.EMAIL_VERIFICATION_SAVE_SUCCESS', 'Email verification requirement saved.'));
+        }
+        catch (err) {
+            setValue(previous);
+            setError(t((err === null || err === void 0 ? void 0 : err.code) || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save email verification requirement.'));
+        }
+        finally {
+            setBusy(false);
+        }
+    };
+    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.EMAIL_VERIFICATION_TITLE', 'Email Verification') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.EMAIL_VERIFICATION_HINT', 'Require verified email ownership before social sign-in can link to an account. Recommended.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), _jsx(FormControlLabel, { control: _jsx(Switch, { checked: value, disabled: busy || !canEdit, onChange: handleChange }), label: t('Auth.EMAIL_VERIFICATION_TOGGLE', 'Require email verification') })] }));
+}

package/dist/i18n/authTranslations.js

@@ -1643,5 +1643,53 @@ export const authTranslations = {
         "fr": "Chargement…",
         "en": "Loading…",
         "sw": "Inapakia..."
+    },
+    "Auth.EMAIL_VERIFICATION_TITLE": {
+        "de": "E-Mail-Verifizierung",
+        "fr": "Vérification de l'e-mail",
+        "en": "Email Verification",
+        "sw": "Uthibitishaji wa Barua Pepe"
+    },
+    "Auth.EMAIL_VERIFICATION_HINT": {
+        "de": "Verlangt einen Nachweis des E-Mail-Besitzes, bevor ein Social-Login mit einem Konto verknüpft werden kann. Empfohlen.",
+        "fr": "Exige une preuve de propriété de l'adresse e-mail avant qu'une connexion sociale ne puisse être liée à un compte. Recommandé.",
+        "en": "Require verified email ownership before social sign-in can link to an account. Recommended.",
+        "sw": "Inahitaji uthibitishaji wa umiliki wa barua pepe kabla ya kuingia kwa mitandao kuunganishwa na akaunti. Inapendekezwa."
+    },
+    "Auth.EMAIL_VERIFICATION_TOGGLE": {
+        "de": "E-Mail-Verifizierung erforderlich",
+        "fr": "Vérification de l'e-mail requise",
+        "en": "Require email verification",
+        "sw": "Hitaji uthibitishaji wa barua pepe"
+    },
+    "Auth.EMAIL_VERIFICATION_SAVE_SUCCESS": {
+        "de": "Anforderung zur E-Mail-Verifizierung gespeichert.",
+        "fr": "Exigence de vérification de l'e-mail enregistrée.",
+        "en": "Email verification requirement saved.",
+        "sw": "Mahitaji ya uthibitishaji wa barua pepe yamehifadhiwa."
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
+        "de": "Zugangscode: Einmalverwendung",
+        "fr": "Code d'accès : usage unique",
+        "en": "Access Code Single-Use",
+        "sw": "Msimbo wa Ufikiaji: Matumizi ya Mara Moja"
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_HINT": {
+        "de": "Wenn aktiviert, kann jeder Zugangscode nur einmal eingelöst werden. Empfohlen.",
+        "fr": "Lorsqu'activé, chaque code d'accès ne peut être utilisé qu'une seule fois. Recommandé.",
+        "en": "When enabled, each access code can be redeemed only once. Recommended.",
+        "sw": "Ikiwa imewashwa, kila msimbo wa ufikiaji unaweza kutumika mara moja tu. Inapendekezwa."
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_TOGGLE": {
+        "de": "Codes sind einmalig verwendbar",
+        "fr": "Codes à usage unique",
+        "en": "Codes are single-use",
+        "sw": "Misimbo ni ya matumizi ya mara moja"
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS": {
+        "de": "Zugangscode-Richtlinie gespeichert.",
+        "fr": "Politique de code d'accès enregistrée.",
+        "en": "Access code policy saved.",
+        "sw": "Sera ya msimbo wa ufikiaji imehifadhiwa."
     }
 };

package/dist/index.js

@@ -24,6 +24,8 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
+export { EmailVerificationRequirementCard } from './components/EmailVerificationRequirementCard';
+export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 // --- 6. Translations ---
 export { authTranslations } from './i18n/authTranslations';

package/dist/pages/AccountPage.js

@@ -16,6 +16,8 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
+import { EmailVerificationRequirementCard } from '../components/EmailVerificationRequirementCard';
+import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
 import { SupportRecoveryRequestsTab } from '../components/SupportRecoveryRequestsTab';
@@ -129,5 +131,5 @@ export function AccountPage({ userListExtraColumns = [], userListExtraRowActions
     const activeExtraTab = builtInTabValues.has(safeTab)
         ? null
         : extraTabs.find((tab) => tab.value === safeTab);
-    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
+    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(EmailVerificationRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AccessCodeSingleUseToggle, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@micha.bigler/ui-core-micha",
-  "version": "2.2.14",
+  "version": "2.3.0",
   "main": "dist/index.js",
   "module": "dist/index.js",
   "repository": {
@@ -24,10 +24,10 @@
     "build": "tsc -p tsconfig.build.json"
   },
   "devDependencies": {
+    "@mui/icons-material": "^7.3.11",
     "typescript": "^5.9.3"
   },
   "dependencies": {
     "react-i18next": "^16.3.5"
   }
 }
-

package/src/components/AccessCodeSingleUseToggle.jsx

@@ -0,0 +1,89 @@
+import React, { useEffect, useState } from 'react';
+import {
+  Alert,
+  Box,
+  FormControlLabel,
+  Switch,
+  Typography,
+} from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+
+export function AccessCodeSingleUseToggle({ canEdit = true, policy = null, onPolicyChange = null }) {
+  const { t } = useTranslation();
+  const [value, setValue] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState('');
+  const [success, setSuccess] = useState('');
+
+  useEffect(() => {
+    if (policy) {
+      setValue(Boolean(policy?.access_code_single_use));
+      return undefined;
+    }
+    let active = true;
+    (async () => {
+      try {
+        const data = await fetchAuthPolicy();
+        if (active) {
+          setValue(Boolean(data?.access_code_single_use));
+        }
+      } catch {
+        // Keep defaults when policy is unavailable.
+      }
+    })();
+    return () => {
+      active = false;
+    };
+  }, [policy]);
+
+  const handleChange = async (event) => {
+    if (!canEdit) {
+      return;
+    }
+    const nextValue = event.target.checked;
+    const previous = value;
+    setValue(nextValue);
+    setBusy(true);
+    setError('');
+    setSuccess('');
+    try {
+      const updated = await updateAuthPolicy({ access_code_single_use: nextValue });
+      if (onPolicyChange) {
+        onPolicyChange((current) => ({ ...(current || {}), ...(updated || {}) }));
+      }
+      setSuccess(t('Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS', 'Access code policy saved.'));
+    } catch (err) {
+      setValue(previous);
+      setError(t(err?.code || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save access code policy.'));
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <Box>
+      <Typography variant="h6" gutterBottom>
+        {t('Auth.ACCESS_CODE_SINGLE_USE_TITLE', 'Access Code Single-Use')}
+      </Typography>
+      <Typography variant="body2" sx={{ mb: 2, color: 'text.secondary' }}>
+        {t(
+          'Auth.ACCESS_CODE_SINGLE_USE_HINT',
+          'When enabled, each access code can be redeemed only once. Recommended.',
+        )}
+      </Typography>
+      {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
+      {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
+      <FormControlLabel
+        control={
+          <Switch
+            checked={value}
+            disabled={busy || !canEdit}
+            onChange={handleChange}
+          />
+        }
+        label={t('Auth.ACCESS_CODE_SINGLE_USE_TOGGLE', 'Codes are single-use')}
+      />
+    </Box>
+  );
+}

package/src/components/EmailVerificationRequirementCard.jsx

@@ -0,0 +1,89 @@
+import React, { useEffect, useState } from 'react';
+import {
+  Alert,
+  Box,
+  FormControlLabel,
+  Switch,
+  Typography,
+} from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+
+export function EmailVerificationRequirementCard({ canEdit = true, policy = null, onPolicyChange = null }) {
+  const { t } = useTranslation();
+  const [value, setValue] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState('');
+  const [success, setSuccess] = useState('');
+
+  useEffect(() => {
+    if (policy) {
+      setValue(Boolean(policy?.require_email_verification));
+      return undefined;
+    }
+    let active = true;
+    (async () => {
+      try {
+        const data = await fetchAuthPolicy();
+        if (active) {
+          setValue(Boolean(data?.require_email_verification));
+        }
+      } catch {
+        // Keep defaults when policy is unavailable.
+      }
+    })();
+    return () => {
+      active = false;
+    };
+  }, [policy]);
+
+  const handleChange = async (event) => {
+    if (!canEdit) {
+      return;
+    }
+    const nextValue = event.target.checked;
+    const previous = value;
+    setValue(nextValue);
+    setBusy(true);
+    setError('');
+    setSuccess('');
+    try {
+      const updated = await updateAuthPolicy({ require_email_verification: nextValue });
+      if (onPolicyChange) {
+        onPolicyChange((current) => ({ ...(current || {}), ...(updated || {}) }));
+      }
+      setSuccess(t('Auth.EMAIL_VERIFICATION_SAVE_SUCCESS', 'Email verification requirement saved.'));
+    } catch (err) {
+      setValue(previous);
+      setError(t(err?.code || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save email verification requirement.'));
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <Box>
+      <Typography variant="h6" gutterBottom>
+        {t('Auth.EMAIL_VERIFICATION_TITLE', 'Email Verification')}
+      </Typography>
+      <Typography variant="body2" sx={{ mb: 2, color: 'text.secondary' }}>
+        {t(
+          'Auth.EMAIL_VERIFICATION_HINT',
+          'Require verified email ownership before social sign-in can link to an account. Recommended.',
+        )}
+      </Typography>
+      {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
+      {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
+      <FormControlLabel
+        control={
+          <Switch
+            checked={value}
+            disabled={busy || !canEdit}
+            onChange={handleChange}
+          />
+        }
+        label={t('Auth.EMAIL_VERIFICATION_TOGGLE', 'Require email verification')}
+      />
+    </Box>
+  );
+}

package/src/i18n/authTranslations.ts

@@ -1691,5 +1691,53 @@ export const authTranslations = {
     "fr": "Chargement…",
     "en": "Loading…",
     "sw": "Inapakia..."
+  },
+  "Auth.EMAIL_VERIFICATION_TITLE": {
+    "de": "E-Mail-Verifizierung",
+    "fr": "Vérification de l'e-mail",
+    "en": "Email Verification",
+    "sw": "Uthibitishaji wa Barua Pepe"
+  },
+  "Auth.EMAIL_VERIFICATION_HINT": {
+    "de": "Verlangt einen Nachweis des E-Mail-Besitzes, bevor ein Social-Login mit einem Konto verknüpft werden kann. Empfohlen.",
+    "fr": "Exige une preuve de propriété de l'adresse e-mail avant qu'une connexion sociale ne puisse être liée à un compte. Recommandé.",
+    "en": "Require verified email ownership before social sign-in can link to an account. Recommended.",
+    "sw": "Inahitaji uthibitishaji wa umiliki wa barua pepe kabla ya kuingia kwa mitandao kuunganishwa na akaunti. Inapendekezwa."
+  },
+  "Auth.EMAIL_VERIFICATION_TOGGLE": {
+    "de": "E-Mail-Verifizierung erforderlich",
+    "fr": "Vérification de l'e-mail requise",
+    "en": "Require email verification",
+    "sw": "Hitaji uthibitishaji wa barua pepe"
+  },
+  "Auth.EMAIL_VERIFICATION_SAVE_SUCCESS": {
+    "de": "Anforderung zur E-Mail-Verifizierung gespeichert.",
+    "fr": "Exigence de vérification de l'e-mail enregistrée.",
+    "en": "Email verification requirement saved.",
+    "sw": "Mahitaji ya uthibitishaji wa barua pepe yamehifadhiwa."
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
+    "de": "Zugangscode: Einmalverwendung",
+    "fr": "Code d'accès : usage unique",
+    "en": "Access Code Single-Use",
+    "sw": "Msimbo wa Ufikiaji: Matumizi ya Mara Moja"
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_HINT": {
+    "de": "Wenn aktiviert, kann jeder Zugangscode nur einmal eingelöst werden. Empfohlen.",
+    "fr": "Lorsqu'activé, chaque code d'accès ne peut être utilisé qu'une seule fois. Recommandé.",
+    "en": "When enabled, each access code can be redeemed only once. Recommended.",
+    "sw": "Ikiwa imewashwa, kila msimbo wa ufikiaji unaweza kutumika mara moja tu. Inapendekezwa."
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_TOGGLE": {
+    "de": "Codes sind einmalig verwendbar",
+    "fr": "Codes à usage unique",
+    "en": "Codes are single-use",
+    "sw": "Misimbo ni ya matumizi ya mara moja"
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS": {
+    "de": "Zugangscode-Richtlinie gespeichert.",
+    "fr": "Politique de code d'accès enregistrée.",
+    "en": "Access code policy saved.",
+    "sw": "Sera ya msimbo wa ufikiaji imehifadhiwa."
   }
 };

package/src/index.js

@@ -35,6 +35,8 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
+export { EmailVerificationRequirementCard } from './components/EmailVerificationRequirementCard';
+export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 
 // --- 6. Translations ---

package/src/pages/AccountPage.jsx

@@ -26,6 +26,8 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
+import { EmailVerificationRequirementCard } from '../components/EmailVerificationRequirementCard';
+import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
 import { SupportRecoveryRequestsTab } from '../components/SupportRecoveryRequestsTab';
@@ -254,6 +256,16 @@ export function AccountPage({
               </Paper>
             )}
 
+            {canViewAuthPolicy && (
+              <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
+                <EmailVerificationRequirementCard
+                  canEdit={canWriteAuthPolicy}
+                  policy={authPolicy}
+                  onPolicyChange={setAuthPolicy}
+                />
+              </Paper>
+            )}
+
             {canViewAuthPolicy && (
               <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
                 <RegistrationMethodsManager
@@ -283,6 +295,16 @@ export function AccountPage({
               </Paper>
             )}
 
+            {canManageAccessCodes && Boolean(authPolicy?.allow_self_signup_access_code) && (
+              <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
+                <AccessCodeSingleUseToggle
+                  canEdit={canWriteAuthPolicy}
+                  policy={authPolicy}
+                  onPolicyChange={setAuthPolicy}
+                />
+              </Paper>
+            )}
+
             {canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy?.allow_admin_invite) && (
               <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
                 <BulkInviteCsvTab {...bulkInviteCsvProps} />