@micha.bigler/ui-core-micha 2.2.14 → 2.3.1

package/dist/auth/authApi.js

@@ -359,6 +359,22 @@ export async function submitRegistrationRequest({ email, mode, accessCode, regis
         throw normaliseApiError(error, 'Auth.INVITE_FAILED');
     }
 }
+/**
+ * S13: confirm a pending registration. The token comes from the email link;
+ * the password is the new account's first password.
+ */
+export async function confirmRegistration({ token, password }) {
+    try {
+        const res = await apiClient.post(`${USERS_BASE}/register-confirm/`, {
+            token,
+            password,
+        });
+        return res.data;
+    }
+    catch (error) {
+        throw normaliseApiError(error, 'Auth.PENDING_TOKEN_INVALID');
+    }
+}
 export async function createSignupQr(payload = {}) {
     try {
         const res = await apiClient.post(`${USERS_BASE}/signup-qr/`, payload);

package/dist/components/AccessCodeSingleUseToggle.js

@@ -0,0 +1,59 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import React, { useEffect, useState } from 'react';
+import { Alert, Box, FormControlLabel, Switch, Typography, } from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+export function AccessCodeSingleUseToggle({ canEdit = true, policy = null, onPolicyChange = null }) {
+    const { t } = useTranslation();
+    const [value, setValue] = useState(false);
+    const [busy, setBusy] = useState(false);
+    const [error, setError] = useState('');
+    const [success, setSuccess] = useState('');
+    useEffect(() => {
+        if (policy) {
+            setValue(Boolean(policy === null || policy === void 0 ? void 0 : policy.access_code_single_use));
+            return undefined;
+        }
+        let active = true;
+        (async () => {
+            try {
+                const data = await fetchAuthPolicy();
+                if (active) {
+                    setValue(Boolean(data === null || data === void 0 ? void 0 : data.access_code_single_use));
+                }
+            }
+            catch (_a) {
+                // Keep defaults when policy is unavailable.
+            }
+        })();
+        return () => {
+            active = false;
+        };
+    }, [policy]);
+    const handleChange = async (event) => {
+        if (!canEdit) {
+            return;
+        }
+        const nextValue = event.target.checked;
+        const previous = value;
+        setValue(nextValue);
+        setBusy(true);
+        setError('');
+        setSuccess('');
+        try {
+            const updated = await updateAuthPolicy({ access_code_single_use: nextValue });
+            if (onPolicyChange) {
+                onPolicyChange((current) => (Object.assign(Object.assign({}, (current || {})), (updated || {}))));
+            }
+            setSuccess(t('Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS', 'Access code policy saved.'));
+        }
+        catch (err) {
+            setValue(previous);
+            setError(t((err === null || err === void 0 ? void 0 : err.code) || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save access code policy.'));
+        }
+        finally {
+            setBusy(false);
+        }
+    };
+    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_SINGLE_USE_TITLE', 'Access Code Single-Use') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.ACCESS_CODE_SINGLE_USE_HINT', 'When enabled, each access code can be redeemed only once. Recommended.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), _jsx(FormControlLabel, { control: _jsx(Switch, { checked: value, disabled: busy || !canEdit, onChange: handleChange }), label: t('Auth.ACCESS_CODE_SINGLE_USE_TOGGLE', 'Codes are single-use') })] }));
+}

package/dist/components/QrSignupManager.js

@@ -1,10 +1,11 @@
 import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 import React, { useEffect, useMemo, useRef, useState } from 'react';
-import { Alert, Box, Button, Stack, Typography, } from '@mui/material';
+import { Alert, Box, Button, Stack, TextField, Typography, } from '@mui/material';
 import { useTranslation } from 'react-i18next';
 import { QRCodeSVG } from 'qrcode.react';
 import { createSignupQr } from '../auth/authApi';
 const DEFAULT_EXPIRY_DAYS = 90;
+const DEFAULT_MAX_REDEMPTIONS = 1;
 function clampExpiryDays(value) {
     const parsed = parseInt(value, 10);
     if (!Number.isFinite(parsed) || parsed < 1) {
@@ -12,6 +13,13 @@ function clampExpiryDays(value) {
     }
     return parsed;
 }
+function clampMaxRedemptions(value) {
+    const parsed = parseInt(value, 10);
+    if (!Number.isFinite(parsed) || parsed < 1) {
+        return DEFAULT_MAX_REDEMPTIONS;
+    }
+    return parsed;
+}
 function escapeHtml(value) {
     return String(value !== null && value !== void 0 ? value : '')
         .replace(/&/g, '&amp;')
@@ -28,6 +36,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
     const [success, setSuccess] = useState('');
     const [result, setResult] = useState(null);
     const [copyState, setCopyState] = useState('idle');
+    const [maxRedemptions, setMaxRedemptions] = useState(DEFAULT_MAX_REDEMPTIONS);
     const hasGeneratedRef = useRef(false);
     const formattedExpiry = useMemo(() => {
         if (!(result === null || result === void 0 ? void 0 : result.expires_at)) {
@@ -51,6 +60,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
             return;
         }
         const nextDays = clampExpiryDays(daysOverride !== null && daysOverride !== void 0 ? daysOverride : expiryDays);
+        const nextRedemptions = clampMaxRedemptions(maxRedemptions);
         setBusy(true);
         setError('');
         setSuccess('');
@@ -58,6 +68,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
         try {
             const data = await createSignupQr({
                 expires_minutes: nextDays * 24 * 60,
+                max_redemptions: nextRedemptions,
             });
             setResult(data);
             hasGeneratedRef.current = true;
@@ -76,6 +87,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
             setError('');
             setSuccess('');
             setCopyState('idle');
+            setMaxRedemptions(DEFAULT_MAX_REDEMPTIONS);
             hasGeneratedRef.current = false;
             return;
         }
@@ -92,6 +104,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
                 const days = clampExpiryDays(expiryDays);
                 const data = await createSignupQr({
                     expires_minutes: days * 24 * 60,
+                    max_redemptions: clampMaxRedemptions(maxRedemptions),
                 });
                 if (!active)
                     return;
@@ -244,7 +257,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
     if (!enabled) {
         return null;
     }
-    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.SIGNUP_QR_MANAGER_TITLE', 'QR Signup') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.SIGNUP_QR_MANAGER_HINT', 'Generate and share QR signup links below.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), copyState === 'copied' && (_jsx(Alert, { severity: "success", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_LINK_COPIED', 'Signup link copied.') })), copyState === 'error' && (_jsx(Alert, { severity: "warning", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_COPY_UNAVAILABLE', 'Copying the link is not available in this browser.') })), (result === null || result === void 0 ? void 0 : result.signup_url) && (_jsxs(Box, { sx: { mt: 1 }, children: [_jsx(Box, { sx: {
+    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.SIGNUP_QR_MANAGER_TITLE', 'QR Signup') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.SIGNUP_QR_MANAGER_HINT', 'Generate and share QR signup links below.') }), _jsx(Box, { sx: { mb: 2 }, children: _jsx(TextField, { label: t('Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL', 'Max redemptions'), type: "number", size: "small", value: maxRedemptions, onChange: (e) => setMaxRedemptions(e.target.value), inputProps: { min: 1, step: 1 }, helperText: t('Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT', 'How many people may sign up with the same QR. Default: 1.'), disabled: busy }) }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), copyState === 'copied' && (_jsx(Alert, { severity: "success", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_LINK_COPIED', 'Signup link copied.') })), copyState === 'error' && (_jsx(Alert, { severity: "warning", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_COPY_UNAVAILABLE', 'Copying the link is not available in this browser.') })), (result === null || result === void 0 ? void 0 : result.signup_url) && (_jsxs(Box, { sx: { mt: 1 }, children: [_jsx(Box, { sx: {
                             display: 'flex',
                             justifyContent: 'center',
                             alignItems: 'center',

package/dist/i18n/authTranslations.js

@@ -1643,5 +1643,119 @@ export const authTranslations = {
         "fr": "Chargement…",
         "en": "Loading…",
         "sw": "Inapakia..."
+    },
+    "Auth.SIGNUP_CONFIRM_TITLE": {
+        "de": "Registrierung bestätigen",
+        "fr": "Confirmer l'inscription",
+        "en": "Confirm your registration",
+        "sw": "Thibitisha usajili wako"
+    },
+    "Auth.SIGNUP_CONFIRM_SUBTITLE": {
+        "de": "Wähle ein Passwort, um dein Konto zu erstellen.",
+        "fr": "Choisissez un mot de passe pour finaliser votre compte.",
+        "en": "Choose a password to finish creating your account.",
+        "sw": "Chagua nenosiri ili kukamilisha kuunda akaunti yako."
+    },
+    "Auth.SIGNUP_CONFIRM_SUBMIT": {
+        "de": "Registrierung abschließen",
+        "fr": "Confirmer l'inscription",
+        "en": "Confirm registration",
+        "sw": "Thibitisha usajili"
+    },
+    "Auth.SIGNUP_CONFIRM_SUBMITTING": {
+        "de": "Wird bestätigt …",
+        "fr": "Confirmation en cours…",
+        "en": "Confirming…",
+        "sw": "Inathibitisha…"
+    },
+    "Auth.PASSWORD_TOO_SHORT": {
+        "de": "Das Passwort muss mindestens 8 Zeichen lang sein.",
+        "fr": "Le mot de passe doit comporter au moins 8 caractères.",
+        "en": "Password must be at least 8 characters long.",
+        "sw": "Nenosiri lazima liwe na herufi 8 au zaidi."
+    },
+    "Auth.PASSWORD_MISMATCH": {
+        "de": "Die Passwörter stimmen nicht überein.",
+        "fr": "Les mots de passe ne correspondent pas.",
+        "en": "Passwords do not match.",
+        "sw": "Manenosiri hayalingani."
+    },
+    "Auth.SIGNUP_REQUEST_NEW": {
+        "de": "Neue Einladung anfordern",
+        "fr": "Demander une nouvelle invitation",
+        "en": "Request a new invitation",
+        "sw": "Omba mwaliko mpya"
+    },
+    "Auth.PASSWORD_INVALID": {
+        "de": "Das Passwort erfüllt die Sicherheitsanforderungen nicht.",
+        "fr": "Le mot de passe ne respecte pas les exigences de sécurité.",
+        "en": "The password does not meet the security requirements.",
+        "sw": "Nenosiri halikidhi mahitaji ya usalama."
+    },
+    "Auth.PENDING_TOKEN_INVALID": {
+        "de": "Dieser Bestätigungslink ist ungültig oder abgelaufen.",
+        "fr": "Ce lien de confirmation est invalide ou expiré.",
+        "en": "This confirmation link is invalid or expired.",
+        "sw": "Kiungo hiki cha uthibitishaji si halali au kimemalizika muda."
+    },
+    "Auth.PENDING_TOKEN_EXPIRED": {
+        "de": "Diese Einladung ist abgelaufen. Bitte fordere eine neue an.",
+        "fr": "Cette invitation a expiré. Veuillez en demander une nouvelle.",
+        "en": "This invitation has expired. Please request a new one.",
+        "sw": "Mwaliko huu umemalizika muda. Tafadhali omba mpya."
+    },
+    "Auth.ACCESS_CODE_ALREADY_USED": {
+        "de": "Der verwendete Zugangscode ist nicht mehr gültig.",
+        "fr": "Le code d'accès utilisé n'est plus valide.",
+        "en": "The access code used is no longer valid.",
+        "sw": "Msimbo wa ufikiaji uliotumika hauwezi kutumika tena."
+    },
+    "Auth.QR_TOKEN_EXHAUSTED": {
+        "de": "Dieser QR-Code wurde bereits vollständig genutzt.",
+        "fr": "Ce QR-code a déjà été entièrement utilisé.",
+        "en": "This QR code has already been fully used.",
+        "sw": "Msimbo huu wa QR tayari umetumika kabisa."
+    },
+    "Auth.USER_ALREADY_EXISTS": {
+        "de": "Für diese E-Mail-Adresse existiert bereits ein Konto. Bitte melde dich an.",
+        "fr": "Un compte existe déjà pour cette adresse e-mail. Veuillez vous connecter.",
+        "en": "An account already exists for this email address. Please log in.",
+        "sw": "Akaunti tayari ipo kwa anwani hii ya barua pepe. Tafadhali ingia."
+    },
+    "Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL": {
+        "de": "Max. Verwendungen",
+        "fr": "Utilisations max.",
+        "en": "Max redemptions",
+        "sw": "Idadi ya juu ya matumizi"
+    },
+    "Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT": {
+        "de": "Wie viele Personen dürfen sich mit demselben QR registrieren. Standard: 1.",
+        "fr": "Combien de personnes peuvent s'inscrire avec le même QR. Par défaut : 1.",
+        "en": "How many people may sign up with the same QR. Default: 1.",
+        "sw": "Watu wangapi wanaweza kujisajili na QR sawa. Chaguo-msingi: 1."
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
+        "de": "Zugangscode: Einmalverwendung",
+        "fr": "Code d'accès : usage unique",
+        "en": "Access Code Single-Use",
+        "sw": "Msimbo wa Ufikiaji: Matumizi ya Mara Moja"
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_HINT": {
+        "de": "Wenn aktiviert, kann jeder Zugangscode nur einmal eingelöst werden. Empfohlen.",
+        "fr": "Lorsqu'activé, chaque code d'accès ne peut être utilisé qu'une seule fois. Recommandé.",
+        "en": "When enabled, each access code can be redeemed only once. Recommended.",
+        "sw": "Ikiwa imewashwa, kila msimbo wa ufikiaji unaweza kutumika mara moja tu. Inapendekezwa."
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_TOGGLE": {
+        "de": "Codes sind einmalig verwendbar",
+        "fr": "Codes à usage unique",
+        "en": "Codes are single-use",
+        "sw": "Misimbo ni ya matumizi ya mara moja"
+    },
+    "Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS": {
+        "de": "Zugangscode-Richtlinie gespeichert.",
+        "fr": "Politique de code d'accès enregistrée.",
+        "en": "Access code policy saved.",
+        "sw": "Sera ya msimbo wa ufikiaji imehifadhiwa."
     }
 };

package/dist/index.js

@@ -15,6 +15,7 @@ export { PasswordResetRequestPage } from './pages/PasswordResetRequestPage';
 export { PasswordChangePage } from './pages/PasswordChangePage';
 export { PasswordInvitePage } from './pages/PasswordInvitePage';
 export { SignUpPage } from './pages/SignUpPage';
+export { SignupConfirmPage } from './pages/SignupConfirmPage';
 export { AccountPage } from './pages/AccountPage';
 // --- 5. Components (Wiederverwendbare UI-Teile) ---
 export { ProfileComponent } from './components/ProfileComponent';
@@ -24,6 +25,7 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
+export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 // --- 6. Translations ---
 export { authTranslations } from './i18n/authTranslations';

package/dist/pages/AccountPage.js

@@ -16,6 +16,7 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
+import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
 import { SupportRecoveryRequestsTab } from '../components/SupportRecoveryRequestsTab';
@@ -129,5 +130,5 @@ export function AccountPage({ userListExtraColumns = [], userListExtraRowActions
     const activeExtraTab = builtInTabValues.has(safeTab)
         ? null
         : extraTabs.find((tab) => tab.value === safeTab);
-    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
+    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AccessCodeSingleUseToggle, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
 }

package/dist/pages/SignupConfirmPage.js

@@ -0,0 +1,69 @@
+import { jsxs as _jsxs, jsx as _jsx, Fragment as _Fragment } from "react/jsx-runtime";
+// src/pages/SignupConfirmPage.jsx
+//
+// S13: Completes a pending registration. Reads the signed pending-token from
+// the URL (`?token=...`), asks the user for a password, and POSTs to
+// `register_confirm`. On success, the user is logged in by the backend session
+// cookie; we hand off to AuthContext.login so the SPA picks it up immediately.
+import React, { useContext, useMemo, useState } from 'react';
+import { useLocation, useNavigate } from 'react-router-dom';
+import { Alert, Box, Button, Stack, TextField, Typography, } from '@mui/material';
+import { Helmet } from 'react-helmet';
+import { useTranslation } from 'react-i18next';
+import { NarrowPage } from '../layout/PageLayout';
+import { AuthContext } from '../auth/AuthContext';
+import { confirmRegistration, fetchCurrentUser } from '../auth/authApi';
+export function SignupConfirmPage() {
+    const { t } = useTranslation();
+    const location = useLocation();
+    const navigate = useNavigate();
+    const { login } = useContext(AuthContext);
+    const tokenFromUrl = useMemo(() => {
+        const query = new URLSearchParams(location.search);
+        return query.get('token') || '';
+    }, [location.search]);
+    const [password, setPassword] = useState('');
+    const [confirmPassword, setConfirmPassword] = useState('');
+    const [submitting, setSubmitting] = useState(false);
+    const [errorKey, setErrorKey] = useState(null);
+    const handleSubmit = async (event) => {
+        event.preventDefault();
+        setErrorKey(null);
+        if (!tokenFromUrl) {
+            setErrorKey('Auth.PENDING_TOKEN_INVALID');
+            return;
+        }
+        if (!password || password.length < 8) {
+            setErrorKey('Auth.PASSWORD_TOO_SHORT');
+            return;
+        }
+        if (password !== confirmPassword) {
+            setErrorKey('Auth.PASSWORD_MISMATCH');
+            return;
+        }
+        setSubmitting(true);
+        try {
+            await confirmRegistration({ token: tokenFromUrl, password });
+            // Refresh user state from session before navigating home.
+            try {
+                const user = await fetchCurrentUser();
+                login(user);
+            }
+            catch (_a) {
+                // If user fetch fails, still navigate — the session cookie is set
+                // server-side and the next page-load will pick the user up.
+            }
+            navigate('/', { replace: true });
+        }
+        catch (err) {
+            setErrorKey((err === null || err === void 0 ? void 0 : err.code) || 'Auth.PENDING_TOKEN_INVALID');
+        }
+        finally {
+            setSubmitting(false);
+        }
+    };
+    const tokenMissing = !tokenFromUrl;
+    return (_jsxs(NarrowPage, { title: t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration'), subtitle: t('Auth.SIGNUP_CONFIRM_SUBTITLE', 'Choose a password to finish creating your account.'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('App.NAME'), " \u2013 ", t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration')] }) }), tokenMissing ? (_jsxs(_Fragment, { children: [_jsx(Alert, { severity: "error", sx: { mb: 2 }, children: t('Auth.PENDING_TOKEN_INVALID', 'This confirmation link is invalid or expired.') }), _jsxs(Stack, { direction: "row", spacing: 1, sx: { mt: 1 }, children: [_jsx(Button, { onClick: () => navigate('/signup'), variant: "contained", children: t('Auth.SIGNUP_REQUEST_NEW', 'Request a new invitation') }), _jsx(Button, { onClick: () => navigate('/login'), variant: "text", children: t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login') })] })] })) : (_jsxs(_Fragment, { children: [errorKey && (_jsx(Alert, { severity: "error", sx: { mb: 2 }, children: t(errorKey, t('Auth.PENDING_TOKEN_INVALID', 'Could not confirm registration.')) })), _jsxs(Box, { component: "form", onSubmit: handleSubmit, sx: { display: 'flex', flexDirection: 'column', gap: 2 }, children: [_jsx(TextField, { label: t('Auth.NEW_PASSWORD_LABEL', 'New password'), type: "password", required: true, fullWidth: true, value: password, onChange: (e) => setPassword(e.target.value), disabled: submitting, autoComplete: "new-password" }), _jsx(TextField, { label: t('Auth.PASSWORD_CONFIRM_LABEL', 'Confirm new password'), type: "password", required: true, fullWidth: true, value: confirmPassword, onChange: (e) => setConfirmPassword(e.target.value), disabled: submitting, autoComplete: "new-password" }), _jsx(Button, { type: "submit", variant: "contained", disabled: submitting, children: submitting
+                                    ? t('Auth.SIGNUP_CONFIRM_SUBMITTING', 'Confirming…')
+                                    : t('Auth.SIGNUP_CONFIRM_SUBMIT', 'Confirm registration') })] }), _jsxs(Stack, { direction: "row", spacing: 1, sx: { mt: 3 }, children: [_jsx(Typography, { variant: "body2", children: t('Auth.SIGNUP_ALREADY_HAVE_ACCOUNT', 'Already have an account?') }), _jsx(Button, { onClick: () => navigate('/login'), variant: "text", size: "small", children: t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login') })] })] }))] }));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@micha.bigler/ui-core-micha",
-  "version": "2.2.14",
+  "version": "2.3.1",
   "main": "dist/index.js",
   "module": "dist/index.js",
   "repository": {
@@ -24,10 +24,10 @@
     "build": "tsc -p tsconfig.build.json"
   },
   "devDependencies": {
+    "@mui/icons-material": "^7.3.11",
     "typescript": "^5.9.3"
   },
   "dependencies": {
     "react-i18next": "^16.3.5"
   }
 }
-

package/src/auth/authApi.jsx

@@ -377,6 +377,22 @@ export async function submitRegistrationRequest({
   }
 }
 
+/**
+ * S13: confirm a pending registration. The token comes from the email link;
+ * the password is the new account's first password.
+ */
+export async function confirmRegistration({ token, password }) {
+  try {
+    const res = await apiClient.post(`${USERS_BASE}/register-confirm/`, {
+      token,
+      password,
+    });
+    return res.data;
+  } catch (error) {
+    throw normaliseApiError(error, 'Auth.PENDING_TOKEN_INVALID');
+  }
+}
+
 export async function createSignupQr(payload = {}) {
   try {
     const res = await apiClient.post(`${USERS_BASE}/signup-qr/`, payload);

package/src/components/AccessCodeSingleUseToggle.jsx

@@ -0,0 +1,89 @@
+import React, { useEffect, useState } from 'react';
+import {
+  Alert,
+  Box,
+  FormControlLabel,
+  Switch,
+  Typography,
+} from '@mui/material';
+import { useTranslation } from 'react-i18next';
+import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
+
+export function AccessCodeSingleUseToggle({ canEdit = true, policy = null, onPolicyChange = null }) {
+  const { t } = useTranslation();
+  const [value, setValue] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState('');
+  const [success, setSuccess] = useState('');
+
+  useEffect(() => {
+    if (policy) {
+      setValue(Boolean(policy?.access_code_single_use));
+      return undefined;
+    }
+    let active = true;
+    (async () => {
+      try {
+        const data = await fetchAuthPolicy();
+        if (active) {
+          setValue(Boolean(data?.access_code_single_use));
+        }
+      } catch {
+        // Keep defaults when policy is unavailable.
+      }
+    })();
+    return () => {
+      active = false;
+    };
+  }, [policy]);
+
+  const handleChange = async (event) => {
+    if (!canEdit) {
+      return;
+    }
+    const nextValue = event.target.checked;
+    const previous = value;
+    setValue(nextValue);
+    setBusy(true);
+    setError('');
+    setSuccess('');
+    try {
+      const updated = await updateAuthPolicy({ access_code_single_use: nextValue });
+      if (onPolicyChange) {
+        onPolicyChange((current) => ({ ...(current || {}), ...(updated || {}) }));
+      }
+      setSuccess(t('Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS', 'Access code policy saved.'));
+    } catch (err) {
+      setValue(previous);
+      setError(t(err?.code || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save access code policy.'));
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <Box>
+      <Typography variant="h6" gutterBottom>
+        {t('Auth.ACCESS_CODE_SINGLE_USE_TITLE', 'Access Code Single-Use')}
+      </Typography>
+      <Typography variant="body2" sx={{ mb: 2, color: 'text.secondary' }}>
+        {t(
+          'Auth.ACCESS_CODE_SINGLE_USE_HINT',
+          'When enabled, each access code can be redeemed only once. Recommended.',
+        )}
+      </Typography>
+      {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
+      {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
+      <FormControlLabel
+        control={
+          <Switch
+            checked={value}
+            disabled={busy || !canEdit}
+            onChange={handleChange}
+          />
+        }
+        label={t('Auth.ACCESS_CODE_SINGLE_USE_TOGGLE', 'Codes are single-use')}
+      />
+    </Box>
+  );
+}

package/src/components/QrSignupManager.jsx

@@ -4,6 +4,7 @@ import {
   Box,
   Button,
   Stack,
+  TextField,
   Typography,
 } from '@mui/material';
 import { useTranslation } from 'react-i18next';
@@ -11,6 +12,7 @@ import { QRCodeSVG } from 'qrcode.react';
 import { createSignupQr } from '../auth/authApi';
 
 const DEFAULT_EXPIRY_DAYS = 90;
+const DEFAULT_MAX_REDEMPTIONS = 1;
 
 function clampExpiryDays(value) {
   const parsed = parseInt(value, 10);
@@ -20,6 +22,14 @@ function clampExpiryDays(value) {
   return parsed;
 }
 
+function clampMaxRedemptions(value) {
+  const parsed = parseInt(value, 10);
+  if (!Number.isFinite(parsed) || parsed < 1) {
+    return DEFAULT_MAX_REDEMPTIONS;
+  }
+  return parsed;
+}
+
 function escapeHtml(value) {
   return String(value ?? '')
     .replace(/&/g, '&amp;')
@@ -40,6 +50,7 @@ export function QrSignupManager({
   const [success, setSuccess] = useState('');
   const [result, setResult] = useState(null);
   const [copyState, setCopyState] = useState('idle');
+  const [maxRedemptions, setMaxRedemptions] = useState(DEFAULT_MAX_REDEMPTIONS);
   const hasGeneratedRef = useRef(false);
 
   const formattedExpiry = useMemo(() => {
@@ -65,6 +76,7 @@ export function QrSignupManager({
       return;
     }
     const nextDays = clampExpiryDays(daysOverride ?? expiryDays);
+    const nextRedemptions = clampMaxRedemptions(maxRedemptions);
     setBusy(true);
     setError('');
     setSuccess('');
@@ -72,6 +84,7 @@ export function QrSignupManager({
     try {
       const data = await createSignupQr({
         expires_minutes: nextDays * 24 * 60,
+        max_redemptions: nextRedemptions,
       });
       setResult(data);
       hasGeneratedRef.current = true;
@@ -89,6 +102,7 @@ export function QrSignupManager({
       setError('');
       setSuccess('');
       setCopyState('idle');
+      setMaxRedemptions(DEFAULT_MAX_REDEMPTIONS);
       hasGeneratedRef.current = false;
       return;
     }
@@ -105,6 +119,7 @@ export function QrSignupManager({
         const days = clampExpiryDays(expiryDays);
         const data = await createSignupQr({
           expires_minutes: days * 24 * 60,
+          max_redemptions: clampMaxRedemptions(maxRedemptions),
         });
         if (!active) return;
         setResult(data);
@@ -266,6 +281,22 @@ export function QrSignupManager({
         {t('Auth.SIGNUP_QR_MANAGER_HINT', 'Generate and share QR signup links below.')}
       </Typography>
 
+      <Box sx={{ mb: 2 }}>
+        <TextField
+          label={t('Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL', 'Max redemptions')}
+          type="number"
+          size="small"
+          value={maxRedemptions}
+          onChange={(e) => setMaxRedemptions(e.target.value)}
+          inputProps={{ min: 1, step: 1 }}
+          helperText={t(
+            'Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT',
+            'How many people may sign up with the same QR. Default: 1.',
+          )}
+          disabled={busy}
+        />
+      </Box>
+
       {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
       {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
       {copyState === 'copied' && (

package/src/i18n/authTranslations.ts

@@ -1691,5 +1691,119 @@ export const authTranslations = {
     "fr": "Chargement…",
     "en": "Loading…",
     "sw": "Inapakia..."
+  },
+  "Auth.SIGNUP_CONFIRM_TITLE": {
+    "de": "Registrierung bestätigen",
+    "fr": "Confirmer l'inscription",
+    "en": "Confirm your registration",
+    "sw": "Thibitisha usajili wako"
+  },
+  "Auth.SIGNUP_CONFIRM_SUBTITLE": {
+    "de": "Wähle ein Passwort, um dein Konto zu erstellen.",
+    "fr": "Choisissez un mot de passe pour finaliser votre compte.",
+    "en": "Choose a password to finish creating your account.",
+    "sw": "Chagua nenosiri ili kukamilisha kuunda akaunti yako."
+  },
+  "Auth.SIGNUP_CONFIRM_SUBMIT": {
+    "de": "Registrierung abschließen",
+    "fr": "Confirmer l'inscription",
+    "en": "Confirm registration",
+    "sw": "Thibitisha usajili"
+  },
+  "Auth.SIGNUP_CONFIRM_SUBMITTING": {
+    "de": "Wird bestätigt …",
+    "fr": "Confirmation en cours…",
+    "en": "Confirming…",
+    "sw": "Inathibitisha…"
+  },
+  "Auth.PASSWORD_TOO_SHORT": {
+    "de": "Das Passwort muss mindestens 8 Zeichen lang sein.",
+    "fr": "Le mot de passe doit comporter au moins 8 caractères.",
+    "en": "Password must be at least 8 characters long.",
+    "sw": "Nenosiri lazima liwe na herufi 8 au zaidi."
+  },
+  "Auth.PASSWORD_MISMATCH": {
+    "de": "Die Passwörter stimmen nicht überein.",
+    "fr": "Les mots de passe ne correspondent pas.",
+    "en": "Passwords do not match.",
+    "sw": "Manenosiri hayalingani."
+  },
+  "Auth.SIGNUP_REQUEST_NEW": {
+    "de": "Neue Einladung anfordern",
+    "fr": "Demander une nouvelle invitation",
+    "en": "Request a new invitation",
+    "sw": "Omba mwaliko mpya"
+  },
+  "Auth.PASSWORD_INVALID": {
+    "de": "Das Passwort erfüllt die Sicherheitsanforderungen nicht.",
+    "fr": "Le mot de passe ne respecte pas les exigences de sécurité.",
+    "en": "The password does not meet the security requirements.",
+    "sw": "Nenosiri halikidhi mahitaji ya usalama."
+  },
+  "Auth.PENDING_TOKEN_INVALID": {
+    "de": "Dieser Bestätigungslink ist ungültig oder abgelaufen.",
+    "fr": "Ce lien de confirmation est invalide ou expiré.",
+    "en": "This confirmation link is invalid or expired.",
+    "sw": "Kiungo hiki cha uthibitishaji si halali au kimemalizika muda."
+  },
+  "Auth.PENDING_TOKEN_EXPIRED": {
+    "de": "Diese Einladung ist abgelaufen. Bitte fordere eine neue an.",
+    "fr": "Cette invitation a expiré. Veuillez en demander une nouvelle.",
+    "en": "This invitation has expired. Please request a new one.",
+    "sw": "Mwaliko huu umemalizika muda. Tafadhali omba mpya."
+  },
+  "Auth.ACCESS_CODE_ALREADY_USED": {
+    "de": "Der verwendete Zugangscode ist nicht mehr gültig.",
+    "fr": "Le code d'accès utilisé n'est plus valide.",
+    "en": "The access code used is no longer valid.",
+    "sw": "Msimbo wa ufikiaji uliotumika hauwezi kutumika tena."
+  },
+  "Auth.QR_TOKEN_EXHAUSTED": {
+    "de": "Dieser QR-Code wurde bereits vollständig genutzt.",
+    "fr": "Ce QR-code a déjà été entièrement utilisé.",
+    "en": "This QR code has already been fully used.",
+    "sw": "Msimbo huu wa QR tayari umetumika kabisa."
+  },
+  "Auth.USER_ALREADY_EXISTS": {
+    "de": "Für diese E-Mail-Adresse existiert bereits ein Konto. Bitte melde dich an.",
+    "fr": "Un compte existe déjà pour cette adresse e-mail. Veuillez vous connecter.",
+    "en": "An account already exists for this email address. Please log in.",
+    "sw": "Akaunti tayari ipo kwa anwani hii ya barua pepe. Tafadhali ingia."
+  },
+  "Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL": {
+    "de": "Max. Verwendungen",
+    "fr": "Utilisations max.",
+    "en": "Max redemptions",
+    "sw": "Idadi ya juu ya matumizi"
+  },
+  "Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT": {
+    "de": "Wie viele Personen dürfen sich mit demselben QR registrieren. Standard: 1.",
+    "fr": "Combien de personnes peuvent s'inscrire avec le même QR. Par défaut : 1.",
+    "en": "How many people may sign up with the same QR. Default: 1.",
+    "sw": "Watu wangapi wanaweza kujisajili na QR sawa. Chaguo-msingi: 1."
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
+    "de": "Zugangscode: Einmalverwendung",
+    "fr": "Code d'accès : usage unique",
+    "en": "Access Code Single-Use",
+    "sw": "Msimbo wa Ufikiaji: Matumizi ya Mara Moja"
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_HINT": {
+    "de": "Wenn aktiviert, kann jeder Zugangscode nur einmal eingelöst werden. Empfohlen.",
+    "fr": "Lorsqu'activé, chaque code d'accès ne peut être utilisé qu'une seule fois. Recommandé.",
+    "en": "When enabled, each access code can be redeemed only once. Recommended.",
+    "sw": "Ikiwa imewashwa, kila msimbo wa ufikiaji unaweza kutumika mara moja tu. Inapendekezwa."
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_TOGGLE": {
+    "de": "Codes sind einmalig verwendbar",
+    "fr": "Codes à usage unique",
+    "en": "Codes are single-use",
+    "sw": "Misimbo ni ya matumizi ya mara moja"
+  },
+  "Auth.ACCESS_CODE_SINGLE_USE_SAVE_SUCCESS": {
+    "de": "Zugangscode-Richtlinie gespeichert.",
+    "fr": "Politique de code d'accès enregistrée.",
+    "en": "Access code policy saved.",
+    "sw": "Sera ya msimbo wa ufikiaji imehifadhiwa."
   }
 };

package/src/index.js

@@ -25,6 +25,7 @@ export { PasswordResetRequestPage } from './pages/PasswordResetRequestPage';
 export { PasswordChangePage } from './pages/PasswordChangePage';
 export { PasswordInvitePage } from './pages/PasswordInvitePage';
 export { SignUpPage } from './pages/SignUpPage';
+export { SignupConfirmPage } from './pages/SignupConfirmPage';
 export { AccountPage } from './pages/AccountPage';
 
 // --- 5. Components (Wiederverwendbare UI-Teile) ---
@@ -35,6 +36,7 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
+export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 
 // --- 6. Translations ---

package/src/pages/AccountPage.jsx

@@ -26,6 +26,7 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
+import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
 import { SupportRecoveryRequestsTab } from '../components/SupportRecoveryRequestsTab';
@@ -283,6 +284,16 @@ export function AccountPage({
               </Paper>
             )}
 
+            {canManageAccessCodes && Boolean(authPolicy?.allow_self_signup_access_code) && (
+              <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
+                <AccessCodeSingleUseToggle
+                  canEdit={canWriteAuthPolicy}
+                  policy={authPolicy}
+                  onPolicyChange={setAuthPolicy}
+                />
+              </Paper>
+            )}
+
             {canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy?.allow_admin_invite) && (
               <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
                 <BulkInviteCsvTab {...bulkInviteCsvProps} />

package/src/pages/SignupConfirmPage.jsx

@@ -0,0 +1,157 @@
+// src/pages/SignupConfirmPage.jsx
+//
+// S13: Completes a pending registration. Reads the signed pending-token from
+// the URL (`?token=...`), asks the user for a password, and POSTs to
+// `register_confirm`. On success, the user is logged in by the backend session
+// cookie; we hand off to AuthContext.login so the SPA picks it up immediately.
+import React, { useContext, useMemo, useState } from 'react';
+import { useLocation, useNavigate } from 'react-router-dom';
+import {
+  Alert,
+  Box,
+  Button,
+  Stack,
+  TextField,
+  Typography,
+} from '@mui/material';
+import { Helmet } from 'react-helmet';
+import { useTranslation } from 'react-i18next';
+import { NarrowPage } from '../layout/PageLayout';
+import { AuthContext } from '../auth/AuthContext';
+import { confirmRegistration, fetchCurrentUser } from '../auth/authApi';
+
+export function SignupConfirmPage() {
+  const { t } = useTranslation();
+  const location = useLocation();
+  const navigate = useNavigate();
+  const { login } = useContext(AuthContext);
+
+  const tokenFromUrl = useMemo(() => {
+    const query = new URLSearchParams(location.search);
+    return query.get('token') || '';
+  }, [location.search]);
+
+  const [password, setPassword] = useState('');
+  const [confirmPassword, setConfirmPassword] = useState('');
+  const [submitting, setSubmitting] = useState(false);
+  const [errorKey, setErrorKey] = useState(null);
+
+  const handleSubmit = async (event) => {
+    event.preventDefault();
+    setErrorKey(null);
+
+    if (!tokenFromUrl) {
+      setErrorKey('Auth.PENDING_TOKEN_INVALID');
+      return;
+    }
+    if (!password || password.length < 8) {
+      setErrorKey('Auth.PASSWORD_TOO_SHORT');
+      return;
+    }
+    if (password !== confirmPassword) {
+      setErrorKey('Auth.PASSWORD_MISMATCH');
+      return;
+    }
+
+    setSubmitting(true);
+    try {
+      await confirmRegistration({ token: tokenFromUrl, password });
+      // Refresh user state from session before navigating home.
+      try {
+        const user = await fetchCurrentUser();
+        login(user);
+      } catch {
+        // If user fetch fails, still navigate — the session cookie is set
+        // server-side and the next page-load will pick the user up.
+      }
+      navigate('/', { replace: true });
+    } catch (err) {
+      setErrorKey(err?.code || 'Auth.PENDING_TOKEN_INVALID');
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  const tokenMissing = !tokenFromUrl;
+
+  return (
+    <NarrowPage
+      title={t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration')}
+      subtitle={t(
+        'Auth.SIGNUP_CONFIRM_SUBTITLE',
+        'Choose a password to finish creating your account.',
+      )}
+    >
+      <Helmet>
+        <title>
+          {t('App.NAME')} – {t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration')}
+        </title>
+      </Helmet>
+
+      {tokenMissing ? (
+        <>
+          <Alert severity="error" sx={{ mb: 2 }}>
+            {t('Auth.PENDING_TOKEN_INVALID', 'This confirmation link is invalid or expired.')}
+          </Alert>
+          <Stack direction="row" spacing={1} sx={{ mt: 1 }}>
+            <Button onClick={() => navigate('/signup')} variant="contained">
+              {t('Auth.SIGNUP_REQUEST_NEW', 'Request a new invitation')}
+            </Button>
+            <Button onClick={() => navigate('/login')} variant="text">
+              {t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login')}
+            </Button>
+          </Stack>
+        </>
+      ) : (
+        <>
+          {errorKey && (
+            <Alert severity="error" sx={{ mb: 2 }}>
+              {t(errorKey, t('Auth.PENDING_TOKEN_INVALID', 'Could not confirm registration.'))}
+            </Alert>
+          )}
+
+          <Box
+            component="form"
+            onSubmit={handleSubmit}
+            sx={{ display: 'flex', flexDirection: 'column', gap: 2 }}
+          >
+            <TextField
+              label={t('Auth.NEW_PASSWORD_LABEL', 'New password')}
+              type="password"
+              required
+              fullWidth
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              disabled={submitting}
+              autoComplete="new-password"
+            />
+            <TextField
+              label={t('Auth.PASSWORD_CONFIRM_LABEL', 'Confirm new password')}
+              type="password"
+              required
+              fullWidth
+              value={confirmPassword}
+              onChange={(e) => setConfirmPassword(e.target.value)}
+              disabled={submitting}
+              autoComplete="new-password"
+            />
+            <Button type="submit" variant="contained" disabled={submitting}>
+              {submitting
+                ? t('Auth.SIGNUP_CONFIRM_SUBMITTING', 'Confirming…')
+                : t('Auth.SIGNUP_CONFIRM_SUBMIT', 'Confirm registration')}
+            </Button>
+          </Box>
+
+          <Stack direction="row" spacing={1} sx={{ mt: 3 }}>
+            <Typography variant="body2">
+              {t('Auth.SIGNUP_ALREADY_HAVE_ACCOUNT', 'Already have an account?')}
+            </Typography>
+            <Button onClick={() => navigate('/login')} variant="text" size="small">
+              {t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login')}
+            </Button>
+          </Stack>
+        </>
+      )}
+    </NarrowPage>
+  );
+}