@micha.bigler/ui-core-micha 2.3.0 → 2.3.2

package/dist/auth/authApi.js

@@ -359,6 +359,22 @@ export async function submitRegistrationRequest({ email, mode, accessCode, regis
         throw normaliseApiError(error, 'Auth.INVITE_FAILED');
     }
 }
+/**
+ * S13: confirm a pending registration. The token comes from the email link;
+ * the password is the new account's first password.
+ */
+export async function confirmRegistration({ token, password }) {
+    try {
+        const res = await apiClient.post(`${USERS_BASE}/register-confirm/`, {
+            token,
+            password,
+        });
+        return res.data;
+    }
+    catch (error) {
+        throw normaliseApiError(error, 'Auth.PENDING_TOKEN_INVALID');
+    }
+}
 export async function createSignupQr(payload = {}) {
     try {
         const res = await apiClient.post(`${USERS_BASE}/signup-qr/`, payload);

package/dist/components/QrSignupManager.js

@@ -1,10 +1,11 @@
 import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 import React, { useEffect, useMemo, useRef, useState } from 'react';
-import { Alert, Box, Button, Stack, Typography, } from '@mui/material';
+import { Alert, Box, Button, Stack, TextField, Typography, } from '@mui/material';
 import { useTranslation } from 'react-i18next';
 import { QRCodeSVG } from 'qrcode.react';
 import { createSignupQr } from '../auth/authApi';
 const DEFAULT_EXPIRY_DAYS = 90;
+const DEFAULT_MAX_REDEMPTIONS = 1;
 function clampExpiryDays(value) {
     const parsed = parseInt(value, 10);
     if (!Number.isFinite(parsed) || parsed < 1) {
@@ -12,6 +13,13 @@ function clampExpiryDays(value) {
     }
     return parsed;
 }
+function clampMaxRedemptions(value) {
+    const parsed = parseInt(value, 10);
+    if (!Number.isFinite(parsed) || parsed < 1) {
+        return DEFAULT_MAX_REDEMPTIONS;
+    }
+    return parsed;
+}
 function escapeHtml(value) {
     return String(value !== null && value !== void 0 ? value : '')
         .replace(/&/g, '&amp;')
@@ -28,6 +36,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
     const [success, setSuccess] = useState('');
     const [result, setResult] = useState(null);
     const [copyState, setCopyState] = useState('idle');
+    const [maxRedemptions, setMaxRedemptions] = useState(DEFAULT_MAX_REDEMPTIONS);
     const hasGeneratedRef = useRef(false);
     const formattedExpiry = useMemo(() => {
         if (!(result === null || result === void 0 ? void 0 : result.expires_at)) {
@@ -51,6 +60,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
             return;
         }
         const nextDays = clampExpiryDays(daysOverride !== null && daysOverride !== void 0 ? daysOverride : expiryDays);
+        const nextRedemptions = clampMaxRedemptions(maxRedemptions);
         setBusy(true);
         setError('');
         setSuccess('');
@@ -58,6 +68,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
         try {
             const data = await createSignupQr({
                 expires_minutes: nextDays * 24 * 60,
+                max_redemptions: nextRedemptions,
             });
             setResult(data);
             hasGeneratedRef.current = true;
@@ -76,6 +87,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
             setError('');
             setSuccess('');
             setCopyState('idle');
+            setMaxRedemptions(DEFAULT_MAX_REDEMPTIONS);
             hasGeneratedRef.current = false;
             return;
         }
@@ -92,6 +104,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
                 const days = clampExpiryDays(expiryDays);
                 const data = await createSignupQr({
                     expires_minutes: days * 24 * 60,
+                    max_redemptions: clampMaxRedemptions(maxRedemptions),
                 });
                 if (!active)
                     return;
@@ -244,7 +257,7 @@ export function QrSignupManager({ enabled = false, expiryDays = DEFAULT_EXPIRY_D
     if (!enabled) {
         return null;
     }
-    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.SIGNUP_QR_MANAGER_TITLE', 'QR Signup') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.SIGNUP_QR_MANAGER_HINT', 'Generate and share QR signup links below.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), copyState === 'copied' && (_jsx(Alert, { severity: "success", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_LINK_COPIED', 'Signup link copied.') })), copyState === 'error' && (_jsx(Alert, { severity: "warning", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_COPY_UNAVAILABLE', 'Copying the link is not available in this browser.') })), (result === null || result === void 0 ? void 0 : result.signup_url) && (_jsxs(Box, { sx: { mt: 1 }, children: [_jsx(Box, { sx: {
+    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.SIGNUP_QR_MANAGER_TITLE', 'QR Signup') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.SIGNUP_QR_MANAGER_HINT', 'Generate and share QR signup links below.') }), _jsx(Box, { sx: { mb: 2 }, children: _jsx(TextField, { label: t('Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL', 'Max redemptions'), type: "number", size: "small", value: maxRedemptions, onChange: (e) => setMaxRedemptions(e.target.value), inputProps: { min: 1, step: 1 }, helperText: t('Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT', 'How many people may sign up with the same QR. Default: 1.'), disabled: busy }) }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), copyState === 'copied' && (_jsx(Alert, { severity: "success", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_LINK_COPIED', 'Signup link copied.') })), copyState === 'error' && (_jsx(Alert, { severity: "warning", sx: { mb: 2 }, children: t('Auth.SIGNUP_QR_COPY_UNAVAILABLE', 'Copying the link is not available in this browser.') })), (result === null || result === void 0 ? void 0 : result.signup_url) && (_jsxs(Box, { sx: { mt: 1 }, children: [_jsx(Box, { sx: {
                             display: 'flex',
                             justifyContent: 'center',
                             alignItems: 'center',

package/dist/i18n/authTranslations.js

@@ -1644,29 +1644,95 @@ export const authTranslations = {
         "en": "Loading…",
         "sw": "Inapakia..."
     },
-    "Auth.EMAIL_VERIFICATION_TITLE": {
-        "de": "E-Mail-Verifizierung",
-        "fr": "Vérification de l'e-mail",
-        "en": "Email Verification",
-        "sw": "Uthibitishaji wa Barua Pepe"
-    },
-    "Auth.EMAIL_VERIFICATION_HINT": {
-        "de": "Verlangt einen Nachweis des E-Mail-Besitzes, bevor ein Social-Login mit einem Konto verknüpft werden kann. Empfohlen.",
-        "fr": "Exige une preuve de propriété de l'adresse e-mail avant qu'une connexion sociale ne puisse être liée à un compte. Recommandé.",
-        "en": "Require verified email ownership before social sign-in can link to an account. Recommended.",
-        "sw": "Inahitaji uthibitishaji wa umiliki wa barua pepe kabla ya kuingia kwa mitandao kuunganishwa na akaunti. Inapendekezwa."
-    },
-    "Auth.EMAIL_VERIFICATION_TOGGLE": {
-        "de": "E-Mail-Verifizierung erforderlich",
-        "fr": "Vérification de l'e-mail requise",
-        "en": "Require email verification",
-        "sw": "Hitaji uthibitishaji wa barua pepe"
-    },
-    "Auth.EMAIL_VERIFICATION_SAVE_SUCCESS": {
-        "de": "Anforderung zur E-Mail-Verifizierung gespeichert.",
-        "fr": "Exigence de vérification de l'e-mail enregistrée.",
-        "en": "Email verification requirement saved.",
-        "sw": "Mahitaji ya uthibitishaji wa barua pepe yamehifadhiwa."
+    "Auth.SIGNUP_CONFIRM_TITLE": {
+        "de": "Registrierung bestätigen",
+        "fr": "Confirmer l'inscription",
+        "en": "Confirm your registration",
+        "sw": "Thibitisha usajili wako"
+    },
+    "Auth.SIGNUP_CONFIRM_SUBTITLE": {
+        "de": "Wähle ein Passwort, um dein Konto zu erstellen.",
+        "fr": "Choisissez un mot de passe pour finaliser votre compte.",
+        "en": "Choose a password to finish creating your account.",
+        "sw": "Chagua nenosiri ili kukamilisha kuunda akaunti yako."
+    },
+    "Auth.SIGNUP_CONFIRM_SUBMIT": {
+        "de": "Registrierung abschließen",
+        "fr": "Confirmer l'inscription",
+        "en": "Confirm registration",
+        "sw": "Thibitisha usajili"
+    },
+    "Auth.SIGNUP_CONFIRM_SUBMITTING": {
+        "de": "Wird bestätigt …",
+        "fr": "Confirmation en cours…",
+        "en": "Confirming…",
+        "sw": "Inathibitisha…"
+    },
+    "Auth.PASSWORD_TOO_SHORT": {
+        "de": "Das Passwort muss mindestens 8 Zeichen lang sein.",
+        "fr": "Le mot de passe doit comporter au moins 8 caractères.",
+        "en": "Password must be at least 8 characters long.",
+        "sw": "Nenosiri lazima liwe na herufi 8 au zaidi."
+    },
+    "Auth.PASSWORD_MISMATCH": {
+        "de": "Die Passwörter stimmen nicht überein.",
+        "fr": "Les mots de passe ne correspondent pas.",
+        "en": "Passwords do not match.",
+        "sw": "Manenosiri hayalingani."
+    },
+    "Auth.SIGNUP_REQUEST_NEW": {
+        "de": "Neue Einladung anfordern",
+        "fr": "Demander une nouvelle invitation",
+        "en": "Request a new invitation",
+        "sw": "Omba mwaliko mpya"
+    },
+    "Auth.PASSWORD_INVALID": {
+        "de": "Das Passwort erfüllt die Sicherheitsanforderungen nicht.",
+        "fr": "Le mot de passe ne respecte pas les exigences de sécurité.",
+        "en": "The password does not meet the security requirements.",
+        "sw": "Nenosiri halikidhi mahitaji ya usalama."
+    },
+    "Auth.PENDING_TOKEN_INVALID": {
+        "de": "Dieser Bestätigungslink ist ungültig oder abgelaufen.",
+        "fr": "Ce lien de confirmation est invalide ou expiré.",
+        "en": "This confirmation link is invalid or expired.",
+        "sw": "Kiungo hiki cha uthibitishaji si halali au kimemalizika muda."
+    },
+    "Auth.PENDING_TOKEN_EXPIRED": {
+        "de": "Diese Einladung ist abgelaufen. Bitte fordere eine neue an.",
+        "fr": "Cette invitation a expiré. Veuillez en demander une nouvelle.",
+        "en": "This invitation has expired. Please request a new one.",
+        "sw": "Mwaliko huu umemalizika muda. Tafadhali omba mpya."
+    },
+    "Auth.ACCESS_CODE_ALREADY_USED": {
+        "de": "Der verwendete Zugangscode ist nicht mehr gültig.",
+        "fr": "Le code d'accès utilisé n'est plus valide.",
+        "en": "The access code used is no longer valid.",
+        "sw": "Msimbo wa ufikiaji uliotumika hauwezi kutumika tena."
+    },
+    "Auth.QR_TOKEN_EXHAUSTED": {
+        "de": "Dieser QR-Code wurde bereits vollständig genutzt.",
+        "fr": "Ce QR-code a déjà été entièrement utilisé.",
+        "en": "This QR code has already been fully used.",
+        "sw": "Msimbo huu wa QR tayari umetumika kabisa."
+    },
+    "Auth.USER_ALREADY_EXISTS": {
+        "de": "Für diese E-Mail-Adresse existiert bereits ein Konto. Bitte melde dich an.",
+        "fr": "Un compte existe déjà pour cette adresse e-mail. Veuillez vous connecter.",
+        "en": "An account already exists for this email address. Please log in.",
+        "sw": "Akaunti tayari ipo kwa anwani hii ya barua pepe. Tafadhali ingia."
+    },
+    "Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL": {
+        "de": "Max. Verwendungen",
+        "fr": "Utilisations max.",
+        "en": "Max redemptions",
+        "sw": "Idadi ya juu ya matumizi"
+    },
+    "Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT": {
+        "de": "Wie viele Personen dürfen sich mit demselben QR registrieren. Standard: 1.",
+        "fr": "Combien de personnes peuvent s'inscrire avec le même QR. Par défaut : 1.",
+        "en": "How many people may sign up with the same QR. Default: 1.",
+        "sw": "Watu wangapi wanaweza kujisajili na QR sawa. Chaguo-msingi: 1."
     },
     "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
         "de": "Zugangscode: Einmalverwendung",

package/dist/index.js

@@ -15,6 +15,7 @@ export { PasswordResetRequestPage } from './pages/PasswordResetRequestPage';
 export { PasswordChangePage } from './pages/PasswordChangePage';
 export { PasswordInvitePage } from './pages/PasswordInvitePage';
 export { SignUpPage } from './pages/SignUpPage';
+export { SignupConfirmPage } from './pages/SignupConfirmPage';
 export { AccountPage } from './pages/AccountPage';
 // --- 5. Components (Wiederverwendbare UI-Teile) ---
 export { ProfileComponent } from './components/ProfileComponent';
@@ -24,7 +25,6 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
-export { EmailVerificationRequirementCard } from './components/EmailVerificationRequirementCard';
 export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 // --- 6. Translations ---

package/dist/pages/AccountPage.js

@@ -16,7 +16,6 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
-import { EmailVerificationRequirementCard } from '../components/EmailVerificationRequirementCard';
 import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
@@ -131,5 +130,5 @@ export function AccountPage({ userListExtraColumns = [], userListExtraRowActions
     const activeExtraTab = builtInTabValues.has(safeTab)
         ? null
         : extraTabs.find((tab) => tab.value === safeTab);
-    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(EmailVerificationRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AccessCodeSingleUseToggle, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
+    return (_jsxs(WidePage, { title: t('Account.TITLE', 'Account & Administration'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('Account.PAGE_TITLE', 'Account'), " \u2013 ", user.email] }) }), _jsx(Tabs, { value: safeTab, onChange: handleTabChange, variant: "scrollable", scrollButtons: "auto", sx: { mb: 3, borderBottom: 1, borderColor: 'divider' }, children: tabs.map((tab) => (_jsx(Tab, { label: tab.label, value: tab.value }, tab.value))) }), safeTab === 'profile' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(ProfileComponent, { onSubmit: handleProfileSubmit, showName: true, showPrivacy: true, showCookies: true }) })), safeTab === 'security' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SecurityComponent, { fromRecovery: fromRecovery, fromWeakLogin: fromWeakLogin }) })), safeTab === 'users' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(UserListComponent, { roles: activeRoles, currentUser: user, extraColumns: userListExtraColumns, extraRowActions: userListExtraRowActions, extraContext: userListExtraContext, refreshTrigger: userListRefreshTrigger, canEditUser: userListCanEditUser, showNewColumn: userListShowNewColumn, showSuccessfulLoginColumn: userListShowSuccessfulLoginColumn, showRoleColumn: userListShowRoleColumn, onChangeRole: userListOnChangeRole, showDeleteAction: userListShowDeleteAction, canDeleteUser: userListCanDeleteUser, onDeleteUser: userListOnDeleteUser }) })), safeTab === 'invite' && (_jsx(Box, { sx: { mt: 2 }, children: _jsxs(Stack, { spacing: 2.5, children: [canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AuthFactorRequirementCard, { canEdit: canWriteAuthPolicy, policy: authPolicy }) })), canViewAuthPolicy && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(RegistrationMethodsManager, { policy: authPolicy, error: authPolicyError, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canSendInvites && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(UserInviteComponent, {}) })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsxs(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.ACCESS_CODE_MANAGER_TITLE', 'Access Codes') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Account.ACCESS_CODES_HINT', 'Manage access codes for self-registration.') }), _jsx(AccessCodeManager, {})] })), canManageAccessCodes && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_access_code) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AccessCodeSingleUseToggle, { canEdit: canWriteAuthPolicy, policy: authPolicy, onPolicyChange: setAuthPolicy }) })), canSendInvites && showBulkInviteCsvTab && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_admin_invite) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(BulkInviteCsvTab, Object.assign({}, bulkInviteCsvProps)) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(AllowedEmailDomainsManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_email_domain), domains: (authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allowed_email_domains) || [], onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canViewAuthPolicy && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupValidityManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days, onPolicyChange: setAuthPolicy, canEdit: canWriteAuthPolicy }) })), canManageSignupQr && Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr) && (_jsx(Paper, { variant: "outlined", sx: { p: 2.5, borderRadius: 2 }, children: _jsx(QrSignupManager, { enabled: Boolean(authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.allow_self_signup_qr), expiryDays: authPolicy === null || authPolicy === void 0 ? void 0 : authPolicy.signup_qr_expiry_days }) }))] }) })), safeTab === 'support' && (_jsx(Box, { sx: { mt: 2 }, children: _jsx(SupportRecoveryRequestsTab, {}) })), activeExtraTab && (_jsx(Box, { sx: { mt: 2 }, children: (_a = activeExtraTab.render) === null || _a === void 0 ? void 0 : _a.call(activeExtraTab, { user, perms, isSuperUser, t }) }))] }));
 }

package/dist/pages/SignupConfirmPage.js

@@ -0,0 +1,63 @@
+import { jsxs as _jsxs, jsx as _jsx, Fragment as _Fragment } from "react/jsx-runtime";
+// src/pages/SignupConfirmPage.jsx
+//
+// S13: Completes a pending registration. Reads the signed pending-token from
+// the URL (`?token=...`), asks the user for a password, and POSTs to
+// `register_confirm`. On success, the backend has set the session cookie; we
+// trigger a full page reload to `/` so AuthProvider re-initialises and picks
+// the user up at mount — avoids React-state races inside the SPA.
+import React, { useMemo, useState } from 'react';
+import { useLocation, useNavigate } from 'react-router-dom';
+import { Alert, Box, Button, Stack, TextField, Typography, } from '@mui/material';
+import { Helmet } from 'react-helmet';
+import { useTranslation } from 'react-i18next';
+import { NarrowPage } from '../layout/PageLayout';
+import { confirmRegistration } from '../auth/authApi';
+export function SignupConfirmPage() {
+    const { t } = useTranslation();
+    const location = useLocation();
+    const navigate = useNavigate();
+    const tokenFromUrl = useMemo(() => {
+        const query = new URLSearchParams(location.search);
+        return query.get('token') || '';
+    }, [location.search]);
+    const [password, setPassword] = useState('');
+    const [confirmPassword, setConfirmPassword] = useState('');
+    const [submitting, setSubmitting] = useState(false);
+    const [errorKey, setErrorKey] = useState(null);
+    const handleSubmit = async (event) => {
+        event.preventDefault();
+        setErrorKey(null);
+        if (!tokenFromUrl) {
+            setErrorKey('Auth.PENDING_TOKEN_INVALID');
+            return;
+        }
+        if (!password || password.length < 8) {
+            setErrorKey('Auth.PASSWORD_TOO_SHORT');
+            return;
+        }
+        if (password !== confirmPassword) {
+            setErrorKey('Auth.PASSWORD_MISMATCH');
+            return;
+        }
+        setSubmitting(true);
+        try {
+            await confirmRegistration({ token: tokenFromUrl, password });
+            // Full page reload so AuthProvider re-initialises with the just-set
+            // session cookie. Avoids React-state races where the SPA's route guard
+            // could read a stale (null) user between login() and navigate('/').
+            window.location.assign('/');
+            return;
+        }
+        catch (err) {
+            setErrorKey((err === null || err === void 0 ? void 0 : err.code) || 'Auth.PENDING_TOKEN_INVALID');
+        }
+        finally {
+            setSubmitting(false);
+        }
+    };
+    const tokenMissing = !tokenFromUrl;
+    return (_jsxs(NarrowPage, { title: t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration'), subtitle: t('Auth.SIGNUP_CONFIRM_SUBTITLE', 'Choose a password to finish creating your account.'), children: [_jsx(Helmet, { children: _jsxs("title", { children: [t('App.NAME'), " \u2013 ", t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration')] }) }), tokenMissing ? (_jsxs(_Fragment, { children: [_jsx(Alert, { severity: "error", sx: { mb: 2 }, children: t('Auth.PENDING_TOKEN_INVALID', 'This confirmation link is invalid or expired.') }), _jsxs(Stack, { direction: "row", spacing: 1, sx: { mt: 1 }, children: [_jsx(Button, { onClick: () => navigate('/signup'), variant: "contained", children: t('Auth.SIGNUP_REQUEST_NEW', 'Request a new invitation') }), _jsx(Button, { onClick: () => navigate('/login'), variant: "text", children: t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login') })] })] })) : (_jsxs(_Fragment, { children: [errorKey && (_jsx(Alert, { severity: "error", sx: { mb: 2 }, children: t(errorKey, t('Auth.PENDING_TOKEN_INVALID', 'Could not confirm registration.')) })), _jsxs(Box, { component: "form", onSubmit: handleSubmit, sx: { display: 'flex', flexDirection: 'column', gap: 2 }, children: [_jsx(TextField, { label: t('Auth.NEW_PASSWORD_LABEL', 'New password'), type: "password", required: true, fullWidth: true, value: password, onChange: (e) => setPassword(e.target.value), disabled: submitting, autoComplete: "new-password" }), _jsx(TextField, { label: t('Auth.PASSWORD_CONFIRM_LABEL', 'Confirm new password'), type: "password", required: true, fullWidth: true, value: confirmPassword, onChange: (e) => setConfirmPassword(e.target.value), disabled: submitting, autoComplete: "new-password" }), _jsx(Button, { type: "submit", variant: "contained", disabled: submitting, children: submitting
+                                    ? t('Auth.SIGNUP_CONFIRM_SUBMITTING', 'Confirming…')
+                                    : t('Auth.SIGNUP_CONFIRM_SUBMIT', 'Confirm registration') })] }), _jsxs(Stack, { direction: "row", spacing: 1, sx: { mt: 3 }, children: [_jsx(Typography, { variant: "body2", children: t('Auth.SIGNUP_ALREADY_HAVE_ACCOUNT', 'Already have an account?') }), _jsx(Button, { onClick: () => navigate('/login'), variant: "text", size: "small", children: t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login') })] })] }))] }));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@micha.bigler/ui-core-micha",
-  "version": "2.3.0",
+  "version": "2.3.2",
   "main": "dist/index.js",
   "module": "dist/index.js",
   "repository": {

package/src/auth/authApi.jsx

@@ -377,6 +377,22 @@ export async function submitRegistrationRequest({
   }
 }
 
+/**
+ * S13: confirm a pending registration. The token comes from the email link;
+ * the password is the new account's first password.
+ */
+export async function confirmRegistration({ token, password }) {
+  try {
+    const res = await apiClient.post(`${USERS_BASE}/register-confirm/`, {
+      token,
+      password,
+    });
+    return res.data;
+  } catch (error) {
+    throw normaliseApiError(error, 'Auth.PENDING_TOKEN_INVALID');
+  }
+}
+
 export async function createSignupQr(payload = {}) {
   try {
     const res = await apiClient.post(`${USERS_BASE}/signup-qr/`, payload);

package/src/components/QrSignupManager.jsx

@@ -4,6 +4,7 @@ import {
   Box,
   Button,
   Stack,
+  TextField,
   Typography,
 } from '@mui/material';
 import { useTranslation } from 'react-i18next';
@@ -11,6 +12,7 @@ import { QRCodeSVG } from 'qrcode.react';
 import { createSignupQr } from '../auth/authApi';
 
 const DEFAULT_EXPIRY_DAYS = 90;
+const DEFAULT_MAX_REDEMPTIONS = 1;
 
 function clampExpiryDays(value) {
   const parsed = parseInt(value, 10);
@@ -20,6 +22,14 @@ function clampExpiryDays(value) {
   return parsed;
 }
 
+function clampMaxRedemptions(value) {
+  const parsed = parseInt(value, 10);
+  if (!Number.isFinite(parsed) || parsed < 1) {
+    return DEFAULT_MAX_REDEMPTIONS;
+  }
+  return parsed;
+}
+
 function escapeHtml(value) {
   return String(value ?? '')
     .replace(/&/g, '&amp;')
@@ -40,6 +50,7 @@ export function QrSignupManager({
   const [success, setSuccess] = useState('');
   const [result, setResult] = useState(null);
   const [copyState, setCopyState] = useState('idle');
+  const [maxRedemptions, setMaxRedemptions] = useState(DEFAULT_MAX_REDEMPTIONS);
   const hasGeneratedRef = useRef(false);
 
   const formattedExpiry = useMemo(() => {
@@ -65,6 +76,7 @@ export function QrSignupManager({
       return;
     }
     const nextDays = clampExpiryDays(daysOverride ?? expiryDays);
+    const nextRedemptions = clampMaxRedemptions(maxRedemptions);
     setBusy(true);
     setError('');
     setSuccess('');
@@ -72,6 +84,7 @@ export function QrSignupManager({
     try {
       const data = await createSignupQr({
         expires_minutes: nextDays * 24 * 60,
+        max_redemptions: nextRedemptions,
       });
       setResult(data);
       hasGeneratedRef.current = true;
@@ -89,6 +102,7 @@ export function QrSignupManager({
       setError('');
       setSuccess('');
       setCopyState('idle');
+      setMaxRedemptions(DEFAULT_MAX_REDEMPTIONS);
       hasGeneratedRef.current = false;
       return;
     }
@@ -105,6 +119,7 @@ export function QrSignupManager({
         const days = clampExpiryDays(expiryDays);
         const data = await createSignupQr({
           expires_minutes: days * 24 * 60,
+          max_redemptions: clampMaxRedemptions(maxRedemptions),
         });
         if (!active) return;
         setResult(data);
@@ -266,6 +281,22 @@ export function QrSignupManager({
         {t('Auth.SIGNUP_QR_MANAGER_HINT', 'Generate and share QR signup links below.')}
       </Typography>
 
+      <Box sx={{ mb: 2 }}>
+        <TextField
+          label={t('Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL', 'Max redemptions')}
+          type="number"
+          size="small"
+          value={maxRedemptions}
+          onChange={(e) => setMaxRedemptions(e.target.value)}
+          inputProps={{ min: 1, step: 1 }}
+          helperText={t(
+            'Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT',
+            'How many people may sign up with the same QR. Default: 1.',
+          )}
+          disabled={busy}
+        />
+      </Box>
+
       {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
       {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
       {copyState === 'copied' && (

package/src/i18n/authTranslations.ts

@@ -1692,29 +1692,95 @@ export const authTranslations = {
     "en": "Loading…",
     "sw": "Inapakia..."
   },
-  "Auth.EMAIL_VERIFICATION_TITLE": {
-    "de": "E-Mail-Verifizierung",
-    "fr": "Vérification de l'e-mail",
-    "en": "Email Verification",
-    "sw": "Uthibitishaji wa Barua Pepe"
-  },
-  "Auth.EMAIL_VERIFICATION_HINT": {
-    "de": "Verlangt einen Nachweis des E-Mail-Besitzes, bevor ein Social-Login mit einem Konto verknüpft werden kann. Empfohlen.",
-    "fr": "Exige une preuve de propriété de l'adresse e-mail avant qu'une connexion sociale ne puisse être liée à un compte. Recommandé.",
-    "en": "Require verified email ownership before social sign-in can link to an account. Recommended.",
-    "sw": "Inahitaji uthibitishaji wa umiliki wa barua pepe kabla ya kuingia kwa mitandao kuunganishwa na akaunti. Inapendekezwa."
-  },
-  "Auth.EMAIL_VERIFICATION_TOGGLE": {
-    "de": "E-Mail-Verifizierung erforderlich",
-    "fr": "Vérification de l'e-mail requise",
-    "en": "Require email verification",
-    "sw": "Hitaji uthibitishaji wa barua pepe"
-  },
-  "Auth.EMAIL_VERIFICATION_SAVE_SUCCESS": {
-    "de": "Anforderung zur E-Mail-Verifizierung gespeichert.",
-    "fr": "Exigence de vérification de l'e-mail enregistrée.",
-    "en": "Email verification requirement saved.",
-    "sw": "Mahitaji ya uthibitishaji wa barua pepe yamehifadhiwa."
+  "Auth.SIGNUP_CONFIRM_TITLE": {
+    "de": "Registrierung bestätigen",
+    "fr": "Confirmer l'inscription",
+    "en": "Confirm your registration",
+    "sw": "Thibitisha usajili wako"
+  },
+  "Auth.SIGNUP_CONFIRM_SUBTITLE": {
+    "de": "Wähle ein Passwort, um dein Konto zu erstellen.",
+    "fr": "Choisissez un mot de passe pour finaliser votre compte.",
+    "en": "Choose a password to finish creating your account.",
+    "sw": "Chagua nenosiri ili kukamilisha kuunda akaunti yako."
+  },
+  "Auth.SIGNUP_CONFIRM_SUBMIT": {
+    "de": "Registrierung abschließen",
+    "fr": "Confirmer l'inscription",
+    "en": "Confirm registration",
+    "sw": "Thibitisha usajili"
+  },
+  "Auth.SIGNUP_CONFIRM_SUBMITTING": {
+    "de": "Wird bestätigt …",
+    "fr": "Confirmation en cours…",
+    "en": "Confirming…",
+    "sw": "Inathibitisha…"
+  },
+  "Auth.PASSWORD_TOO_SHORT": {
+    "de": "Das Passwort muss mindestens 8 Zeichen lang sein.",
+    "fr": "Le mot de passe doit comporter au moins 8 caractères.",
+    "en": "Password must be at least 8 characters long.",
+    "sw": "Nenosiri lazima liwe na herufi 8 au zaidi."
+  },
+  "Auth.PASSWORD_MISMATCH": {
+    "de": "Die Passwörter stimmen nicht überein.",
+    "fr": "Les mots de passe ne correspondent pas.",
+    "en": "Passwords do not match.",
+    "sw": "Manenosiri hayalingani."
+  },
+  "Auth.SIGNUP_REQUEST_NEW": {
+    "de": "Neue Einladung anfordern",
+    "fr": "Demander une nouvelle invitation",
+    "en": "Request a new invitation",
+    "sw": "Omba mwaliko mpya"
+  },
+  "Auth.PASSWORD_INVALID": {
+    "de": "Das Passwort erfüllt die Sicherheitsanforderungen nicht.",
+    "fr": "Le mot de passe ne respecte pas les exigences de sécurité.",
+    "en": "The password does not meet the security requirements.",
+    "sw": "Nenosiri halikidhi mahitaji ya usalama."
+  },
+  "Auth.PENDING_TOKEN_INVALID": {
+    "de": "Dieser Bestätigungslink ist ungültig oder abgelaufen.",
+    "fr": "Ce lien de confirmation est invalide ou expiré.",
+    "en": "This confirmation link is invalid or expired.",
+    "sw": "Kiungo hiki cha uthibitishaji si halali au kimemalizika muda."
+  },
+  "Auth.PENDING_TOKEN_EXPIRED": {
+    "de": "Diese Einladung ist abgelaufen. Bitte fordere eine neue an.",
+    "fr": "Cette invitation a expiré. Veuillez en demander une nouvelle.",
+    "en": "This invitation has expired. Please request a new one.",
+    "sw": "Mwaliko huu umemalizika muda. Tafadhali omba mpya."
+  },
+  "Auth.ACCESS_CODE_ALREADY_USED": {
+    "de": "Der verwendete Zugangscode ist nicht mehr gültig.",
+    "fr": "Le code d'accès utilisé n'est plus valide.",
+    "en": "The access code used is no longer valid.",
+    "sw": "Msimbo wa ufikiaji uliotumika hauwezi kutumika tena."
+  },
+  "Auth.QR_TOKEN_EXHAUSTED": {
+    "de": "Dieser QR-Code wurde bereits vollständig genutzt.",
+    "fr": "Ce QR-code a déjà été entièrement utilisé.",
+    "en": "This QR code has already been fully used.",
+    "sw": "Msimbo huu wa QR tayari umetumika kabisa."
+  },
+  "Auth.USER_ALREADY_EXISTS": {
+    "de": "Für diese E-Mail-Adresse existiert bereits ein Konto. Bitte melde dich an.",
+    "fr": "Un compte existe déjà pour cette adresse e-mail. Veuillez vous connecter.",
+    "en": "An account already exists for this email address. Please log in.",
+    "sw": "Akaunti tayari ipo kwa anwani hii ya barua pepe. Tafadhali ingia."
+  },
+  "Auth.SIGNUP_QR_MAX_REDEMPTIONS_LABEL": {
+    "de": "Max. Verwendungen",
+    "fr": "Utilisations max.",
+    "en": "Max redemptions",
+    "sw": "Idadi ya juu ya matumizi"
+  },
+  "Auth.SIGNUP_QR_MAX_REDEMPTIONS_HINT": {
+    "de": "Wie viele Personen dürfen sich mit demselben QR registrieren. Standard: 1.",
+    "fr": "Combien de personnes peuvent s'inscrire avec le même QR. Par défaut : 1.",
+    "en": "How many people may sign up with the same QR. Default: 1.",
+    "sw": "Watu wangapi wanaweza kujisajili na QR sawa. Chaguo-msingi: 1."
   },
   "Auth.ACCESS_CODE_SINGLE_USE_TITLE": {
     "de": "Zugangscode: Einmalverwendung",

package/src/index.js

@@ -25,6 +25,7 @@ export { PasswordResetRequestPage } from './pages/PasswordResetRequestPage';
 export { PasswordChangePage } from './pages/PasswordChangePage';
 export { PasswordInvitePage } from './pages/PasswordInvitePage';
 export { SignUpPage } from './pages/SignUpPage';
+export { SignupConfirmPage } from './pages/SignupConfirmPage';
 export { AccountPage } from './pages/AccountPage';
 
 // --- 5. Components (Wiederverwendbare UI-Teile) ---
@@ -35,7 +36,6 @@ export { UserInviteComponent } from './components/UserInviteComponent';
 export { BulkInviteCsvTab } from './components/BulkInviteCsvTab';
 export { RegistrationMethodsManager } from './components/RegistrationMethodsManager';
 export { AuthFactorRequirementCard } from './components/AuthFactorRequirementCard';
-export { EmailVerificationRequirementCard } from './components/EmailVerificationRequirementCard';
 export { AccessCodeSingleUseToggle } from './components/AccessCodeSingleUseToggle';
 export { QrSignupManager } from './components/QrSignupManager';
 

package/src/pages/AccountPage.jsx

@@ -26,7 +26,6 @@ import { AccessCodeManager } from '../components/AccessCodeManager';
 import { AllowedEmailDomainsManager } from '../components/AllowedEmailDomainsManager';
 import { RegistrationMethodsManager } from '../components/RegistrationMethodsManager';
 import { AuthFactorRequirementCard } from '../components/AuthFactorRequirementCard';
-import { EmailVerificationRequirementCard } from '../components/EmailVerificationRequirementCard';
 import { AccessCodeSingleUseToggle } from '../components/AccessCodeSingleUseToggle';
 import { QrSignupManager } from '../components/QrSignupManager';
 import { QrSignupValidityManager } from '../components/QrSignupValidityManager';
@@ -256,16 +255,6 @@ export function AccountPage({
               </Paper>
             )}
 
-            {canViewAuthPolicy && (
-              <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
-                <EmailVerificationRequirementCard
-                  canEdit={canWriteAuthPolicy}
-                  policy={authPolicy}
-                  onPolicyChange={setAuthPolicy}
-                />
-              </Paper>
-            )}
-
             {canViewAuthPolicy && (
               <Paper variant="outlined" sx={{ p: 2.5, borderRadius: 2 }}>
                 <RegistrationMethodsManager

package/src/pages/SignupConfirmPage.jsx

@@ -0,0 +1,152 @@
+// src/pages/SignupConfirmPage.jsx
+//
+// S13: Completes a pending registration. Reads the signed pending-token from
+// the URL (`?token=...`), asks the user for a password, and POSTs to
+// `register_confirm`. On success, the backend has set the session cookie; we
+// trigger a full page reload to `/` so AuthProvider re-initialises and picks
+// the user up at mount — avoids React-state races inside the SPA.
+import React, { useMemo, useState } from 'react';
+import { useLocation, useNavigate } from 'react-router-dom';
+import {
+  Alert,
+  Box,
+  Button,
+  Stack,
+  TextField,
+  Typography,
+} from '@mui/material';
+import { Helmet } from 'react-helmet';
+import { useTranslation } from 'react-i18next';
+import { NarrowPage } from '../layout/PageLayout';
+import { confirmRegistration } from '../auth/authApi';
+
+export function SignupConfirmPage() {
+  const { t } = useTranslation();
+  const location = useLocation();
+  const navigate = useNavigate();
+
+  const tokenFromUrl = useMemo(() => {
+    const query = new URLSearchParams(location.search);
+    return query.get('token') || '';
+  }, [location.search]);
+
+  const [password, setPassword] = useState('');
+  const [confirmPassword, setConfirmPassword] = useState('');
+  const [submitting, setSubmitting] = useState(false);
+  const [errorKey, setErrorKey] = useState(null);
+
+  const handleSubmit = async (event) => {
+    event.preventDefault();
+    setErrorKey(null);
+
+    if (!tokenFromUrl) {
+      setErrorKey('Auth.PENDING_TOKEN_INVALID');
+      return;
+    }
+    if (!password || password.length < 8) {
+      setErrorKey('Auth.PASSWORD_TOO_SHORT');
+      return;
+    }
+    if (password !== confirmPassword) {
+      setErrorKey('Auth.PASSWORD_MISMATCH');
+      return;
+    }
+
+    setSubmitting(true);
+    try {
+      await confirmRegistration({ token: tokenFromUrl, password });
+      // Full page reload so AuthProvider re-initialises with the just-set
+      // session cookie. Avoids React-state races where the SPA's route guard
+      // could read a stale (null) user between login() and navigate('/').
+      window.location.assign('/');
+      return;
+    } catch (err) {
+      setErrorKey(err?.code || 'Auth.PENDING_TOKEN_INVALID');
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  const tokenMissing = !tokenFromUrl;
+
+  return (
+    <NarrowPage
+      title={t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration')}
+      subtitle={t(
+        'Auth.SIGNUP_CONFIRM_SUBTITLE',
+        'Choose a password to finish creating your account.',
+      )}
+    >
+      <Helmet>
+        <title>
+          {t('App.NAME')} – {t('Auth.SIGNUP_CONFIRM_TITLE', 'Confirm your registration')}
+        </title>
+      </Helmet>
+
+      {tokenMissing ? (
+        <>
+          <Alert severity="error" sx={{ mb: 2 }}>
+            {t('Auth.PENDING_TOKEN_INVALID', 'This confirmation link is invalid or expired.')}
+          </Alert>
+          <Stack direction="row" spacing={1} sx={{ mt: 1 }}>
+            <Button onClick={() => navigate('/signup')} variant="contained">
+              {t('Auth.SIGNUP_REQUEST_NEW', 'Request a new invitation')}
+            </Button>
+            <Button onClick={() => navigate('/login')} variant="text">
+              {t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login')}
+            </Button>
+          </Stack>
+        </>
+      ) : (
+        <>
+          {errorKey && (
+            <Alert severity="error" sx={{ mb: 2 }}>
+              {t(errorKey, t('Auth.PENDING_TOKEN_INVALID', 'Could not confirm registration.'))}
+            </Alert>
+          )}
+
+          <Box
+            component="form"
+            onSubmit={handleSubmit}
+            sx={{ display: 'flex', flexDirection: 'column', gap: 2 }}
+          >
+            <TextField
+              label={t('Auth.NEW_PASSWORD_LABEL', 'New password')}
+              type="password"
+              required
+              fullWidth
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              disabled={submitting}
+              autoComplete="new-password"
+            />
+            <TextField
+              label={t('Auth.PASSWORD_CONFIRM_LABEL', 'Confirm new password')}
+              type="password"
+              required
+              fullWidth
+              value={confirmPassword}
+              onChange={(e) => setConfirmPassword(e.target.value)}
+              disabled={submitting}
+              autoComplete="new-password"
+            />
+            <Button type="submit" variant="contained" disabled={submitting}>
+              {submitting
+                ? t('Auth.SIGNUP_CONFIRM_SUBMITTING', 'Confirming…')
+                : t('Auth.SIGNUP_CONFIRM_SUBMIT', 'Confirm registration')}
+            </Button>
+          </Box>
+
+          <Stack direction="row" spacing={1} sx={{ mt: 3 }}>
+            <Typography variant="body2">
+              {t('Auth.SIGNUP_ALREADY_HAVE_ACCOUNT', 'Already have an account?')}
+            </Typography>
+            <Button onClick={() => navigate('/login')} variant="text" size="small">
+              {t('Auth.SIGNUP_GO_TO_LOGIN', 'Go to login')}
+            </Button>
+          </Stack>
+        </>
+      )}
+    </NarrowPage>
+  );
+}

package/dist/components/EmailVerificationRequirementCard.js

@@ -1,59 +0,0 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
-import React, { useEffect, useState } from 'react';
-import { Alert, Box, FormControlLabel, Switch, Typography, } from '@mui/material';
-import { useTranslation } from 'react-i18next';
-import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
-export function EmailVerificationRequirementCard({ canEdit = true, policy = null, onPolicyChange = null }) {
-    const { t } = useTranslation();
-    const [value, setValue] = useState(false);
-    const [busy, setBusy] = useState(false);
-    const [error, setError] = useState('');
-    const [success, setSuccess] = useState('');
-    useEffect(() => {
-        if (policy) {
-            setValue(Boolean(policy === null || policy === void 0 ? void 0 : policy.require_email_verification));
-            return undefined;
-        }
-        let active = true;
-        (async () => {
-            try {
-                const data = await fetchAuthPolicy();
-                if (active) {
-                    setValue(Boolean(data === null || data === void 0 ? void 0 : data.require_email_verification));
-                }
-            }
-            catch (_a) {
-                // Keep defaults when policy is unavailable.
-            }
-        })();
-        return () => {
-            active = false;
-        };
-    }, [policy]);
-    const handleChange = async (event) => {
-        if (!canEdit) {
-            return;
-        }
-        const nextValue = event.target.checked;
-        const previous = value;
-        setValue(nextValue);
-        setBusy(true);
-        setError('');
-        setSuccess('');
-        try {
-            const updated = await updateAuthPolicy({ require_email_verification: nextValue });
-            if (onPolicyChange) {
-                onPolicyChange((current) => (Object.assign(Object.assign({}, (current || {})), (updated || {}))));
-            }
-            setSuccess(t('Auth.EMAIL_VERIFICATION_SAVE_SUCCESS', 'Email verification requirement saved.'));
-        }
-        catch (err) {
-            setValue(previous);
-            setError(t((err === null || err === void 0 ? void 0 : err.code) || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save email verification requirement.'));
-        }
-        finally {
-            setBusy(false);
-        }
-    };
-    return (_jsxs(Box, { children: [_jsx(Typography, { variant: "h6", gutterBottom: true, children: t('Auth.EMAIL_VERIFICATION_TITLE', 'Email Verification') }), _jsx(Typography, { variant: "body2", sx: { mb: 2, color: 'text.secondary' }, children: t('Auth.EMAIL_VERIFICATION_HINT', 'Require verified email ownership before social sign-in can link to an account. Recommended.') }), error && _jsx(Alert, { severity: "error", sx: { mb: 2 }, children: error }), success && _jsx(Alert, { severity: "success", sx: { mb: 2 }, children: success }), _jsx(FormControlLabel, { control: _jsx(Switch, { checked: value, disabled: busy || !canEdit, onChange: handleChange }), label: t('Auth.EMAIL_VERIFICATION_TOGGLE', 'Require email verification') })] }));
-}

package/src/components/EmailVerificationRequirementCard.jsx

@@ -1,89 +0,0 @@
-import React, { useEffect, useState } from 'react';
-import {
-  Alert,
-  Box,
-  FormControlLabel,
-  Switch,
-  Typography,
-} from '@mui/material';
-import { useTranslation } from 'react-i18next';
-import { fetchAuthPolicy, updateAuthPolicy } from '../auth/authApi';
-
-export function EmailVerificationRequirementCard({ canEdit = true, policy = null, onPolicyChange = null }) {
-  const { t } = useTranslation();
-  const [value, setValue] = useState(false);
-  const [busy, setBusy] = useState(false);
-  const [error, setError] = useState('');
-  const [success, setSuccess] = useState('');
-
-  useEffect(() => {
-    if (policy) {
-      setValue(Boolean(policy?.require_email_verification));
-      return undefined;
-    }
-    let active = true;
-    (async () => {
-      try {
-        const data = await fetchAuthPolicy();
-        if (active) {
-          setValue(Boolean(data?.require_email_verification));
-        }
-      } catch {
-        // Keep defaults when policy is unavailable.
-      }
-    })();
-    return () => {
-      active = false;
-    };
-  }, [policy]);
-
-  const handleChange = async (event) => {
-    if (!canEdit) {
-      return;
-    }
-    const nextValue = event.target.checked;
-    const previous = value;
-    setValue(nextValue);
-    setBusy(true);
-    setError('');
-    setSuccess('');
-    try {
-      const updated = await updateAuthPolicy({ require_email_verification: nextValue });
-      if (onPolicyChange) {
-        onPolicyChange((current) => ({ ...(current || {}), ...(updated || {}) }));
-      }
-      setSuccess(t('Auth.EMAIL_VERIFICATION_SAVE_SUCCESS', 'Email verification requirement saved.'));
-    } catch (err) {
-      setValue(previous);
-      setError(t(err?.code || 'Auth.AUTH_POLICY_UPDATE_FAILED', 'Could not save email verification requirement.'));
-    } finally {
-      setBusy(false);
-    }
-  };
-
-  return (
-    <Box>
-      <Typography variant="h6" gutterBottom>
-        {t('Auth.EMAIL_VERIFICATION_TITLE', 'Email Verification')}
-      </Typography>
-      <Typography variant="body2" sx={{ mb: 2, color: 'text.secondary' }}>
-        {t(
-          'Auth.EMAIL_VERIFICATION_HINT',
-          'Require verified email ownership before social sign-in can link to an account. Recommended.',
-        )}
-      </Typography>
-      {error && <Alert severity="error" sx={{ mb: 2 }}>{error}</Alert>}
-      {success && <Alert severity="success" sx={{ mb: 2 }}>{success}</Alert>}
-      <FormControlLabel
-        control={
-          <Switch
-            checked={value}
-            disabled={busy || !canEdit}
-            onChange={handleChange}
-          />
-        }
-        label={t('Auth.EMAIL_VERIFICATION_TOGGLE', 'Require email verification')}
-      />
-    </Box>
-  );
-}