feat(registration): anonymous self-signup with email-domain allow-list (#62)

[martinydeAI]

Links to issues

Closes #62.

do-not-merge — depends on PR #88 (#63) which depends on PR #86
(#45 + #83).

This branch is stacked on feature/issue-63-account-status-checker
because:

1. It creates users with status = Pending (needs the column from
   PR feat(user): add name and status fields per ADR 006 (#45, #83) #86).
2. Without PR feat(security): reject pending and blocked users at login (#63) #88's UserCheckerInterface, a freshly-registered
   user could sign in before approval — which defeats the point.

Rebase order once those PRs land:

1. PR feat(user): add name and status fields per ADR 006 (#45, #83) #86 lands → PR feat(security): reject pending and blocked users at login (#63) #88 rebases onto develop.
2. PR feat(security): reject pending and blocked users at login (#63) #88 lands → this PR rebases onto develop, do-not-merge
   label removed.

Description

Anonymous self-signup at /register

• GET /register — render the form (email, name, password, password
  confirmation, CSRF token).
• POST /register — validate input, create the user with
  status = Pending, redirect to /register/pending. On validation
  failure: 422 + re-render with a localised error.
• GET /register/pending — "thanks, your account is awaiting
  approval" page.

The validation logic lives in App\Security\Registration (service);
the controller stays thin per project conventions. Each failure
raises a RegistrationException carrying a translation key, which
the controller renders through |trans. CSRF-protected via Symfony's
csrf_token('register') helper.

Allow-list: comma-separated env var
REGISTRATION_ALLOWED_EMAIL_DOMAINS=aarhus.dk,kk.dk,…
Bound via %env(default:…:REGISTRATION_ALLOWED_EMAIL_DOMAINS)% with
example.test as the dev / test default so the app boots without
the var set. Parsing happens once in
App\Security\AllowedEmailDomains (lowercase + trim + dedup + drop
empties).

A pending user created by this route cannot sign in: the
integration test covers the hand-off through PR #88's
AccountStatusChecker.

Screenshot of the result

n/a — form re-uses the same Form/* components and base layout as
/login. Manual screenshot can be added on request.

Checklist

• My code is covered by test cases.
• My code passes our test (all our tests).
• My code passes our static analysis suite.
• My code passes our continuous integration process.

Additional comments or questions

The plan also lists a Domain entity follow-up: once PR #80
(Organization entity) lands, User.organization is added (separate
issue), and the registration allow-list switches from this env-var
to Organization.emailDomains. That swap is not in scope for
this PR.

UserManager::createUser() is reused as the persistence step — no
duplication of the password-hashing / unique-email logic.

The domain-extraction helper from PR #87 (App\Security\EmailDomain)
isn't pulled in here to keep the stack chain clean — the same one-
line extraction is inlined in Registration with a comment pointing
at PR #87 so it can be folded back once both PRs land.

---

Details - AI specificities

• ADR: docs/adr/006-user-approval-and-account-state.md
  (Draft; lands via docs: add ADR 004 — user registration, approval, and account state #61). Specifically the "Registration" section.
• No existing tests modified. The PR adds three new test files:
  • tests/Integration/Controller/RegistrationControllerTest.php
    (functional end-to-end)
  • tests/Unit/Security/RegistrationTest.php (service unit)
  • tests/Unit/Security/AllowedEmailDomainsTest.php (value-object
    unit)
• Out of scope:
  • Email verification — separate decision (per ADR 006).
  • CAPTCHA / rate limiting — defer until abuse becomes an issue
    (per ADR 006).
  • Organization-backed allow-list — separate work after feat: admin CRUD for Organization #76 lands.
  • Admin approval queue — PR 5 (feat: approval queue for domain managers #64 + feat: scoped user-management list view for admins and domain managers #85), not yet open.
• Test design. Service-level unit tests exercise the validation
  matrix with mocked collaborators (fast). The functional test
  exercises the route end-to-end against the real firewall, the
  real password hasher (cheap cost in test), and the
  AccountStatusChecker from PR feat(security): reject pending and blocked users at login (#63) #88 so the "register → can't log in
  yet" hand-off is genuinely covered.

[martinyde]

Does this need a helper class to keep controller thin as per CLAUD.md directions

[martinyde]

@tuj

[tuj]

We need an extra step where the user email is validated, to make sure the user actually owns the email it registers with.

[martinyde]

We need an extra step where the user email is validated, to make sure the user actually owns the email it registers with.

That is addressed in #103 , and future PRs holding email and email confirmation step form

[martinydeAI]

Superseded by #106 — rebased onto PR #105 (the replacement for PR #88), targeting develop directly. This PR's branch was based on PR #88's stacked branch which got orphaned when its content never reached develop. The registration code itself is preserved in #106.