From a3aed11654184b9be57b8966a7882dc7e5cc1d69 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 18 Apr 2024 15:40:26 +0700
Subject: [PATCH 01/42] Add "Create User" button to admin dashboard

Doesn't do anything... yet.
---
 frontend/src/lib/i18n/locales/en.json         |  1 +
 .../routes/(authenticated)/admin/+page.svelte | 26 +++++++++++++------
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 25e5d57f0..db5cd9ee7 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -13,6 +13,7 @@
     "column_edit": "Edit",
     "project_table_title": "Projects",
     "user_table_title": "Users",
+    "create_user": "Create User",
     "is_draft": "Draft",
     "email_not_verified": "Not Verified",
     "notifications": {
diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index 553f4beeb..da56c4fb4 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -104,14 +104,24 @@
 
     <div class:admin-tabs:hidden={tab !== 'users'}>
       <AdminTabs activeTab="users" on:clickTab={(event) => $queryParamValues.tab = event.detail}>
-        {$t('admin_dashboard.user_table_title')}
-        <Badge>
-          <span class="inline-flex gap-2">
-            {$number(shownUsers.length)}
-            <span>/</span>
-            {$number(filteredUserCount)}
-          </span>
-        </Badge>
+        <div class="flex gap-4 justify-between grow">
+          <div class="flex gap-4 items-center">
+            {$t('admin_dashboard.user_table_title')}
+            <Badge>
+              <span class="inline-flex gap-2">
+                {$number(shownUsers.length)}
+                <span>/</span>
+                {$number(filteredUserCount)}
+              </span>
+            </Badge>
+          </div>
+          <button class="btn btn-sm btn-success max-xs:btn-square">
+            <span class="admin-tabs:hidden">
+              {$t('admin_dashboard.create_user')}
+            </span>
+            <span class="i-mdi-plus text-2xl" />
+          </button>
+        </div>
       </AdminTabs>
       <div class="mt-4">
         <FilterBar

From 8d71023e662f897e83565379f87ac2bfa37e7dff Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 18 Apr 2024 15:49:49 +0700
Subject: [PATCH 02/42] Extract register page into component

---
 .../lib/components/Users/CreateUser.svelte    | 81 +++++++++++++++++++
 .../(unauthenticated)/register/+page.svelte   | 80 +-----------------
 2 files changed, 83 insertions(+), 78 deletions(-)
 create mode 100644 frontend/src/lib/components/Users/CreateUser.svelte

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
new file mode 100644
index 000000000..2bf8bb643
--- /dev/null
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -0,0 +1,81 @@
+<script lang="ts">
+  import { goto } from '$app/navigation';
+  import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
+  import { SubmitButton, FormError, Input, ProtectedForm, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
+  import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
+  import { TitlePage } from '$lib/layout';
+  import { register } from '$lib/user';
+  import { getSearchParamValues } from '$lib/util/query-params';
+  import { onMount } from 'svelte';
+  import { z } from 'zod';
+
+  type RegisterPageQueryParams = {
+    name: string;
+    email: string;
+  };
+  let turnstileToken = '';
+  // $locale is the locale that our i18n is using for them (i.e. the best available option we have for them)
+  // getLanguageCodeFromNavigator() gives us the language/locale they probably actually want. Maybe we'll support it in the future.
+  const userLocale = getLanguageCodeFromNavigator() ?? $locale;
+  const formSchema = z.object({
+    name: z.string().min(1, $t('register.name_missing')),
+    email: z.string().email($t('form.invalid_email')),
+    password: passwordFormRules($t),
+    score: z.number(),
+    locale: z.string().min(2).default(userLocale),
+  });
+
+  let { form, errors, message, enhance, submitting } = lexSuperForm(formSchema, async () => {
+    const { user, error } = await register($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken);
+    if (error) {
+      if (error.turnstile) {
+        $message = $t('turnstile.invalid');
+      }
+      if (error.accountExists) {
+        $errors.email = [$t('register.account_exists')];
+      }
+      return;
+    }
+    if (user) {
+      await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
+      return;
+    }
+    throw new Error('Unknown error, no error from server, but also no user.');
+  });
+  onMount(() => { // query params not available during SSR
+    const urlValues = getSearchParamValues<RegisterPageQueryParams>();
+    form.update((form) => {
+      if (urlValues.name) form.name = urlValues.name;
+      if (urlValues.email) form.email = urlValues.email;
+      return form;
+    }, { taint: true });
+  });
+</script>
+
+<TitlePage title={$t('register.title')}>
+  <ProtectedForm {enhance} bind:turnstileToken>
+    <Input autofocus id="name" label={$t('register.label_name')} bind:value={$form.name} error={$errors.name} />
+    <Input
+      id="email"
+      label={$t('register.label_email')}
+      description={$t('register.description_email')}
+      type="email"
+      bind:value={$form.email}
+      error={$errors.email}
+    />
+    <Input
+      id="password"
+      label={$t('register.label_password')}
+      type="password"
+      bind:value={$form.password}
+      error={$errors.password}
+      autocomplete="new-password"
+    />
+    <PasswordStrengthMeter bind:score={$form.score} password={$form.password} />
+    <DisplayLanguageSelect
+      bind:value={$form.locale}
+    />
+    <FormError error={$message} />
+    <SubmitButton loading={$submitting}>{$t('register.button_register')}</SubmitButton>
+  </ProtectedForm>
+</TitlePage>
diff --git a/frontend/src/routes/(unauthenticated)/register/+page.svelte b/frontend/src/routes/(unauthenticated)/register/+page.svelte
index 2bf8bb643..3a59aca66 100644
--- a/frontend/src/routes/(unauthenticated)/register/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/register/+page.svelte
@@ -1,81 +1,5 @@
 <script lang="ts">
-  import { goto } from '$app/navigation';
-  import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
-  import { SubmitButton, FormError, Input, ProtectedForm, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
-  import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
-  import { TitlePage } from '$lib/layout';
-  import { register } from '$lib/user';
-  import { getSearchParamValues } from '$lib/util/query-params';
-  import { onMount } from 'svelte';
-  import { z } from 'zod';
-
-  type RegisterPageQueryParams = {
-    name: string;
-    email: string;
-  };
-  let turnstileToken = '';
-  // $locale is the locale that our i18n is using for them (i.e. the best available option we have for them)
-  // getLanguageCodeFromNavigator() gives us the language/locale they probably actually want. Maybe we'll support it in the future.
-  const userLocale = getLanguageCodeFromNavigator() ?? $locale;
-  const formSchema = z.object({
-    name: z.string().min(1, $t('register.name_missing')),
-    email: z.string().email($t('form.invalid_email')),
-    password: passwordFormRules($t),
-    score: z.number(),
-    locale: z.string().min(2).default(userLocale),
-  });
-
-  let { form, errors, message, enhance, submitting } = lexSuperForm(formSchema, async () => {
-    const { user, error } = await register($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken);
-    if (error) {
-      if (error.turnstile) {
-        $message = $t('turnstile.invalid');
-      }
-      if (error.accountExists) {
-        $errors.email = [$t('register.account_exists')];
-      }
-      return;
-    }
-    if (user) {
-      await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
-      return;
-    }
-    throw new Error('Unknown error, no error from server, but also no user.');
-  });
-  onMount(() => { // query params not available during SSR
-    const urlValues = getSearchParamValues<RegisterPageQueryParams>();
-    form.update((form) => {
-      if (urlValues.name) form.name = urlValues.name;
-      if (urlValues.email) form.email = urlValues.email;
-      return form;
-    }, { taint: true });
-  });
+  import CreateUser from '$lib/components/Users/CreateUser.svelte';
 </script>
 
-<TitlePage title={$t('register.title')}>
-  <ProtectedForm {enhance} bind:turnstileToken>
-    <Input autofocus id="name" label={$t('register.label_name')} bind:value={$form.name} error={$errors.name} />
-    <Input
-      id="email"
-      label={$t('register.label_email')}
-      description={$t('register.description_email')}
-      type="email"
-      bind:value={$form.email}
-      error={$errors.email}
-    />
-    <Input
-      id="password"
-      label={$t('register.label_password')}
-      type="password"
-      bind:value={$form.password}
-      error={$errors.password}
-      autocomplete="new-password"
-    />
-    <PasswordStrengthMeter bind:score={$form.score} password={$form.password} />
-    <DisplayLanguageSelect
-      bind:value={$form.locale}
-    />
-    <FormError error={$message} />
-    <SubmitButton loading={$submitting}>{$t('register.button_register')}</SubmitButton>
-  </ProtectedForm>
-</TitlePage>
+<CreateUser />

From 02bc9e3b603ad56b5790c7c2b1a54a054b7fc092 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 18 Apr 2024 16:03:01 +0700
Subject: [PATCH 03/42] Use register page in create-user modal for admins

Currently the "sign out and sign back in" behavior of the register page
still works as it used to, which is not what we want when an admin is
creating the user. We'll change that next.
---
 .../lib/components/Users/CreateUserModal.svelte    | 14 ++++++++++++++
 frontend/src/lib/i18n/locales/en.json              |  4 +++-
 .../src/routes/(authenticated)/admin/+page.svelte  |  8 ++++++--
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 frontend/src/lib/components/Users/CreateUserModal.svelte

diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
new file mode 100644
index 000000000..a9b97737b
--- /dev/null
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -0,0 +1,14 @@
+<script lang="ts">
+  import { Modal } from '$lib/components/modals';
+  import CreateUser from '$lib/components/Users/CreateUser.svelte';
+
+  let createUserModal: Modal;
+
+  export async function open(): Promise<void> {
+    await createUserModal.openModal(true, true);
+  }
+</script>
+
+<Modal bind:this={createUserModal} bottom>
+  <CreateUser />
+</Modal>
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index db5cd9ee7..ccccfa6db 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -13,7 +13,6 @@
     "column_edit": "Edit",
     "project_table_title": "Projects",
     "user_table_title": "Users",
-    "create_user": "Create User",
     "is_draft": "Draft",
     "email_not_verified": "Not Verified",
     "notifications": {
@@ -39,6 +38,9 @@
         }
       }
     },
+    "create_user_modal": {
+      "create_user": "Create User",
+    },
     "user_details_modal": {
       "registered": "Registered",
       "locked": "Locked",
diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index da56c4fb4..a93f5435a 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -21,6 +21,7 @@
   import { Button } from '$lib/forms';
   import { PageBreadcrumb } from '$lib/layout';
   import AdminTabs, { type AdminTabId } from './AdminTabs.svelte';
+  import CreateUserModal from '$lib/components/Users/CreateUserModal.svelte';
 
   export let data: PageData;
   $: projects = data.projects;
@@ -62,6 +63,7 @@
   }
 
   let userModal: UserModal;
+  let createUserModal: CreateUserModal;
   let deleteUserModal: DeleteUserModal;
   let formModal: EditUserAccount;
 
@@ -115,9 +117,10 @@
               </span>
             </Badge>
           </div>
-          <button class="btn btn-sm btn-success max-xs:btn-square">
+          <button class="btn btn-sm btn-success max-xs:btn-square"
+            on:click={() => createUserModal.open()}>
             <span class="admin-tabs:hidden">
-              {$t('admin_dashboard.create_user')}
+              {$t('admin_dashboard.create_user_modal.create_user')}
             </span>
             <span class="i-mdi-plus text-2xl" />
           </button>
@@ -234,4 +237,5 @@
   <EditUserAccount bind:this={formModal} {deleteUser} currUser={data.user} />
   <DeleteUserModal bind:this={deleteUserModal} i18nScope="admin_dashboard.form_modal.delete_user" />
   <UserModal bind:this={userModal}/>
+  <CreateUserModal bind:this={createUserModal}/>
 </main>

From 8536fd2db3196e29d9eef2c6d8769a91ec4e735c Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 18 Apr 2024 16:12:21 +0700
Subject: [PATCH 04/42] Don't auto-login user if created by admin

---
 backend/LexBoxApi/Controllers/UserController.cs          | 7 +++++--
 backend/LexBoxApi/Models/RegisterAccountInput.cs         | 3 ++-
 frontend/src/lib/components/Users/CreateUser.svelte      | 6 ++++--
 frontend/src/lib/components/Users/CreateUserModal.svelte | 2 +-
 frontend/src/lib/user.ts                                 | 3 ++-
 5 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index 01fc14a95..aa480feef 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -92,8 +92,11 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
         await _lexBoxDbContext.SaveChangesAsync();
 
         var user = new LexAuthUser(userEntity);
-        await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
-            new AuthenticationProperties { IsPersistent = true });
+        if (accountInput.AutoLogin)
+        {
+            await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
+                new AuthenticationProperties { IsPersistent = true });
+        }
 
         if (!emailVerified) await _emailService.SendVerifyAddressEmail(userEntity);
         return Ok(user);
diff --git a/backend/LexBoxApi/Models/RegisterAccountInput.cs b/backend/LexBoxApi/Models/RegisterAccountInput.cs
index b29304da7..ddf3b1576 100644
--- a/backend/LexBoxApi/Models/RegisterAccountInput.cs
+++ b/backend/LexBoxApi/Models/RegisterAccountInput.cs
@@ -7,4 +7,5 @@ public record RegisterAccountInput([Required(AllowEmptyStrings = false)] string
     [Required(AllowEmptyStrings = false)] string Locale,
     [Required(AllowEmptyStrings = false)] string PasswordHash,
     int? PasswordStrength,
-    string TurnstileToken);
+    string TurnstileToken,
+    bool AutoLogin = true);
diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 2bf8bb643..77e1477ce 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -9,6 +9,8 @@
   import { onMount } from 'svelte';
   import { z } from 'zod';
 
+  export let autoLogin = true;
+
   type RegisterPageQueryParams = {
     name: string;
     email: string;
@@ -26,7 +28,7 @@
   });
 
   let { form, errors, message, enhance, submitting } = lexSuperForm(formSchema, async () => {
-    const { user, error } = await register($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken);
+    const { user, error } = await register($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken, autoLogin);
     if (error) {
       if (error.turnstile) {
         $message = $t('turnstile.invalid');
@@ -37,7 +39,7 @@
       return;
     }
     if (user) {
-      await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
+      if (autoLogin) await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
       return;
     }
     throw new Error('Unknown error, no error from server, but also no user.');
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index a9b97737b..edc45bdf9 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -10,5 +10,5 @@
 </script>
 
 <Modal bind:this={createUserModal} bottom>
-  <CreateUser />
+  <CreateUser autoLogin={false} />
 </Modal>
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index fdd9bcedc..fe3868839 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -87,7 +87,7 @@ export async function login(userId: string, password: string): Promise<LoginResu
 }
 
 type RegisterResponse = { error?: { turnstile: boolean, accountExists: boolean }, user?: LexAuthUser };
-export async function register(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string): Promise<RegisterResponse> {
+export async function register(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
   const response = await fetch('/api/User/registerAccount', {
     method: 'post',
     headers: {
@@ -99,6 +99,7 @@ export async function register(password: string, passwordStrength: number, name:
       locale,
       turnstileToken,
       passwordStrength,
+      autoLogin,
       passwordHash: await hash(password),
     })
   });

From 5d72b13998ea43136470c27b8f5dc4ee889b293d Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 18 Apr 2024 16:22:01 +0700
Subject: [PATCH 05/42] Hide create-user modal when submit button clicked

---
 frontend/src/lib/components/Users/CreateUser.svelte      | 2 ++
 frontend/src/lib/components/Users/CreateUserModal.svelte | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 77e1477ce..35e485305 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -10,6 +10,7 @@
   import { z } from 'zod';
 
   export let autoLogin = true;
+  export let onSubmit: (() => void) | undefined = undefined;
 
   type RegisterPageQueryParams = {
     name: string;
@@ -39,6 +40,7 @@
       return;
     }
     if (user) {
+      if (onSubmit) onSubmit();
       if (autoLogin) await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
       return;
     }
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index edc45bdf9..ea70cb344 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -10,5 +10,5 @@
 </script>
 
 <Modal bind:this={createUserModal} bottom>
-  <CreateUser autoLogin={false} />
+  <CreateUser autoLogin={false} onSubmit={() => createUserModal.submitModal()} />
 </Modal>

From cc8668023c8f2f2497739982458b53d97cfd9aab Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 11:50:32 +0700
Subject: [PATCH 06/42] Add helpful tips to top of create-user modal

---
 .../src/lib/components/Users/CreateUserModal.svelte    | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index ea70cb344..1e86858e9 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -1,5 +1,7 @@
 <script lang="ts">
   import { Modal } from '$lib/components/modals';
+  // import t from '$lib/i18n'; // TODO
+  import { helpLinks } from '$lib/components/help';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
 
   let createUserModal: Modal;
@@ -10,5 +12,13 @@
 </script>
 
 <Modal bind:this={createUserModal} bottom>
+  <!-- TODO: Move to en.json and use $t -->
+  <p>
+    Did you know you can also <a class="link" rel="external" href={helpLinks.addProjectMember}>create users on a project page</a>? That also allows you to make those users members of the project in one step;
+    users created here will not be members of any project and will need a second step to add them to a project.
+  </p>
+  <p>
+    If you want to create multiple users at once, the best way is probably to use the <a class="link" rel="external" href={helpLinks.bulkAddCreate}>Bulk Add/Create Project Members</a> tool.
+  </p>
   <CreateUser autoLogin={false} onSubmit={() => createUserModal.submitModal()} />
 </Modal>

From 2606313e0956bd055bef89808370fc4d68082c7e Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 11:58:57 +0700
Subject: [PATCH 07/42] Don't change browser title in modal

When clicking on "Create User" in admin dashboard, we don't want the
modal to change the browser title; that should be reserved for the
dedicated Register page.
---
 frontend/src/lib/components/Users/CreateUser.svelte         | 3 ---
 frontend/src/routes/(unauthenticated)/register/+page.svelte | 6 +++++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index c140f37fd..497561668 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -3,7 +3,6 @@
   import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
   import { SubmitButton, FormError, Input, ProtectedForm, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
   import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
-  import { TitlePage } from '$lib/layout';
   import { register } from '$lib/user';
   import { getSearchParamValues } from '$lib/util/query-params';
   import { onMount } from 'svelte';
@@ -56,7 +55,6 @@
   });
 </script>
 
-<TitlePage title={$t('register.title')}>
   <ProtectedForm {enhance} bind:turnstileToken>
     <Input autofocus id="name" label={$t('register.label_name')} bind:value={$form.name} error={$errors.name} />
     <div class="contents email">
@@ -84,7 +82,6 @@
     <FormError error={$message} />
     <SubmitButton loading={$submitting}>{$t('register.button_register')}</SubmitButton>
   </ProtectedForm>
-</TitlePage>
 
 <style lang="postcss">
   .email :global(.description) {
diff --git a/frontend/src/routes/(unauthenticated)/register/+page.svelte b/frontend/src/routes/(unauthenticated)/register/+page.svelte
index 3a59aca66..a2fab3786 100644
--- a/frontend/src/routes/(unauthenticated)/register/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/register/+page.svelte
@@ -1,5 +1,9 @@
 <script lang="ts">
+  import { TitlePage } from '$lib/layout';
+  import t from '$lib/i18n';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
 </script>
 
-<CreateUser />
+<TitlePage title={$t('register.title')}>
+  <CreateUser />
+</TitlePage>

From b9e0b8ea1fe88421b78df0a32fe401cc9796cd61 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 11:59:45 +0700
Subject: [PATCH 08/42] De-indent CreateUser component HTML

Pushed as a separate commit from the previous one so that the whitespace
changes are isolated in their own commit, which should help a little bit
with avoiding merge conflicts later.
---
 .../lib/components/Users/CreateUser.svelte    | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 497561668..5e5e3d4b1 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -55,33 +55,33 @@
   });
 </script>
 
-  <ProtectedForm {enhance} bind:turnstileToken>
-    <Input autofocus id="name" label={$t('register.label_name')} bind:value={$form.name} error={$errors.name} />
-    <div class="contents email">
-      <Input
-        id="email"
-        label={$t('register.label_email')}
-        description={$t('register.description_email')}
-        type="email"
-        bind:value={$form.email}
-        error={$errors.email}
-      />
-    </div>
+<ProtectedForm {enhance} bind:turnstileToken>
+  <Input autofocus id="name" label={$t('register.label_name')} bind:value={$form.name} error={$errors.name} />
+  <div class="contents email">
     <Input
-      id="password"
-      label={$t('register.label_password')}
-      type="password"
-      bind:value={$form.password}
-      error={$errors.password}
-      autocomplete="new-password"
+      id="email"
+      label={$t('register.label_email')}
+      description={$t('register.description_email')}
+      type="email"
+      bind:value={$form.email}
+      error={$errors.email}
     />
-    <PasswordStrengthMeter bind:score={$form.score} password={$form.password} />
-    <DisplayLanguageSelect
-      bind:value={$form.locale}
-    />
-    <FormError error={$message} />
-    <SubmitButton loading={$submitting}>{$t('register.button_register')}</SubmitButton>
-  </ProtectedForm>
+  </div>
+  <Input
+    id="password"
+    label={$t('register.label_password')}
+    type="password"
+    bind:value={$form.password}
+    error={$errors.password}
+    autocomplete="new-password"
+  />
+  <PasswordStrengthMeter bind:score={$form.score} password={$form.password} />
+  <DisplayLanguageSelect
+    bind:value={$form.locale}
+  />
+  <FormError error={$message} />
+  <SubmitButton loading={$submitting}>{$t('register.button_register')}</SubmitButton>
+</ProtectedForm>
 
 <style lang="postcss">
   .email :global(.description) {

From 4b0d557360053ec8e085ed651a8d3f71f0037990 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 12:10:38 +0700
Subject: [PATCH 09/42] Admins now create guest users

If an admin is logged in and creating a user on the register page, we
set that user's CreatedById to the admin, so that the user will count as
a "guest user", just as if their account was created through the bulk
add/create users tool.
---
 backend/LexBoxApi/Controllers/UserController.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index aa480feef..00319e7e5 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -67,6 +67,7 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
 
         var jwtUser = _loggedInContext.MaybeUser;
         var emailVerified = jwtUser?.Email == accountInput.Email;
+        var createdByAdmin = jwtUser?.IsAdmin ?? false;
 
         var salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(SHA1.HashSizeInBytes));
         var userEntity = new User
@@ -80,12 +81,13 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
             PasswordStrength = UserService.ClampPasswordStrength(accountInput.PasswordStrength),
             IsAdmin = false,
             EmailVerified = emailVerified,
+            CreatedById = createdByAdmin ? jwtUser?.Id : null,
             Locked = false,
             CanCreateProjects = false
         };
         registerActivity?.AddTag("app.user.id", userEntity.Id);
         _lexBoxDbContext.Users.Add(userEntity);
-        if (jwtUser is not null && jwtUser.Projects.Length > 0)
+        if (jwtUser is not null && !createdByAdmin && jwtUser.Projects.Length > 0)
         {
             userEntity.Projects = jwtUser.Projects.Select(p => new ProjectUsers { Role = p.Role, ProjectId = p.ProjectId }).ToList();
         }

From a3e2e5dd49f93d7c4c0c52adf11b069944bfc683 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 13:05:05 +0700
Subject: [PATCH 10/42] Set up Create User modal help for translation

Implements the TODO comment I had added earlier.
---
 .../lib/components/Users/CreateUserModal.svelte    | 14 +++++---------
 frontend/src/lib/i18n/locales/en.json              |  2 ++
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index 1e86858e9..2334d66a6 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -1,8 +1,10 @@
 <script lang="ts">
   import { Modal } from '$lib/components/modals';
-  // import t from '$lib/i18n'; // TODO
+  import t from '$lib/i18n';
   import { helpLinks } from '$lib/components/help';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
+  import Markdown from 'svelte-exmarkdown';
+  import { NewTabLinkRenderer } from '$lib/components/Markdown';
 
   let createUserModal: Modal;
 
@@ -12,13 +14,7 @@
 </script>
 
 <Modal bind:this={createUserModal} bottom>
-  <!-- TODO: Move to en.json and use $t -->
-  <p>
-    Did you know you can also <a class="link" rel="external" href={helpLinks.addProjectMember}>create users on a project page</a>? That also allows you to make those users members of the project in one step;
-    users created here will not be members of any project and will need a second step to add them to a project.
-  </p>
-  <p>
-    If you want to create multiple users at once, the best way is probably to use the <a class="link" rel="external" href={helpLinks.bulkAddCreate}>Bulk Add/Create Project Members</a> tool.
-  </p>
+  <Markdown md={$t('admin_dashboard.create_user_modal.help_create_single_guest_user', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
+  <Markdown md={$t('admin_dashboard.create_user_modal.help_create_bulk_guest_users', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
   <CreateUser autoLogin={false} onSubmit={() => createUserModal.submitModal()} />
 </Modal>
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 966f34e53..454c823cb 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -41,6 +41,8 @@
     },
     "create_user_modal": {
       "create_user": "Create User",
+      "help_create_single_guest_user": "Did you know you can also [create users on a project page]({addProjectMember})? That also allows you to make those users members of the project in one step; users created here will not be members of any project and will need a second step to add them to a project.",
+      "help_create_bulk_guest_users": "If you want to create multiple users at once, the best way is probably to use the [Bulk Add/Create Project Members]({bulkAddCreate}) tool.",
     },
     "user_details_modal": {
       "registered": "Registered",

From cf11cd757e1c722e96833a325854b56528c8556f Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 13:07:08 +0700
Subject: [PATCH 11/42] Remove now-redundant "how to create uesrs" link

That info is now in the Create Users modal, so we don't need it here.
---
 frontend/src/routes/(authenticated)/admin/+page.svelte | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index 42ad7bc33..993ca6d8b 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -127,14 +127,6 @@
               </Badge>
             </div>
           </div>
-          <a class="btn btn-sm btn-success btn-outline max-xs:btn-square group"
-            href={helpLinks.bulkAddCreate}
-            target="_blank" rel="external">
-            <span class="admin-tabs:hidden">
-              {$t('admin_dashboard.how_to_create_users')}
-            </span>
-            <span class="i-mdi-plus text-2xl group-hover:i-mdi-open-in-new" />
-          </a>
           <button class="btn btn-sm btn-success max-xs:btn-square"
             on:click={() => createUserModal.open()}>
             <span class="admin-tabs:hidden">

From efd16998e36a26fc661e249fbf29153fc5cde680 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 13:09:07 +0700
Subject: [PATCH 12/42] Give Create User modal a proper title

Now that we've removed the "Register" title from the modal, we should
give it a proper title.
---
 frontend/src/lib/components/Users/CreateUserModal.svelte | 1 +
 1 file changed, 1 insertion(+)

diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index 2334d66a6..05e2d43d4 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -16,5 +16,6 @@
 <Modal bind:this={createUserModal} bottom>
   <Markdown md={$t('admin_dashboard.create_user_modal.help_create_single_guest_user', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
   <Markdown md={$t('admin_dashboard.create_user_modal.help_create_bulk_guest_users', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
+  <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
   <CreateUser autoLogin={false} onSubmit={() => createUserModal.submitModal()} />
 </Modal>

From 77c58533276c760f00bb286cc64358fc6c7ab85a Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 13 May 2024 13:54:15 +0700
Subject: [PATCH 13/42] Fix submit button text in Create User modal

---
 frontend/src/lib/components/Users/CreateUser.svelte      | 3 ++-
 frontend/src/lib/components/Users/CreateUserModal.svelte | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 5e5e3d4b1..b984aeef6 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -10,6 +10,7 @@
 
   export let autoLogin = true;
   export let onSubmit: (() => void) | undefined = undefined;
+  export let submitButtonText = $t('register.button_register');
 
   type RegisterPageQueryParams = {
     name: string;
@@ -80,7 +81,7 @@
     bind:value={$form.locale}
   />
   <FormError error={$message} />
-  <SubmitButton loading={$submitting}>{$t('register.button_register')}</SubmitButton>
+  <SubmitButton loading={$submitting}>{submitButtonText}</SubmitButton>
 </ProtectedForm>
 
 <style lang="postcss">
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index 05e2d43d4..9ceb3349c 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -17,5 +17,5 @@
   <Markdown md={$t('admin_dashboard.create_user_modal.help_create_single_guest_user', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
   <Markdown md={$t('admin_dashboard.create_user_modal.help_create_bulk_guest_users', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser autoLogin={false} onSubmit={() => createUserModal.submitModal()} />
+  <CreateUser autoLogin={false} onSubmit={() => createUserModal.submitModal()} submitButtonText={$t('admin_dashboard.create_user_modal.create_user')} />
 </Modal>

From 0499c4d15690bbf6ffca5ae4413e69ae58ce7998 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Tue, 14 May 2024 09:00:54 +0700
Subject: [PATCH 14/42] Fix lint errors

---
 frontend/src/routes/(authenticated)/admin/+page.svelte | 1 -
 1 file changed, 1 deletion(-)

diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index 993ca6d8b..4aa8e8929 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -23,7 +23,6 @@
   import AdminTabs, { type AdminTabId } from './AdminTabs.svelte';
   import CreateUserModal from '$lib/components/Users/CreateUserModal.svelte';
   import type { Confidentiality } from '$lib/components/Projects';
-  import { helpLinks } from '$lib/components/help';
 
   export let data: PageData;
   $: projects = data.projects;

From 974743aa6fb7c8a4273e8833d2d55376a3ce09e6 Mon Sep 17 00:00:00 2001
From: Tim Haasdyk <tim_haasdyk@sil.org>
Date: Tue, 14 May 2024 15:21:43 +0200
Subject: [PATCH 15/42] Improve alert-link contrast

---
 frontend/src/lib/app.postcss | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/frontend/src/lib/app.postcss b/frontend/src/lib/app.postcss
index bbef11b2a..7d170db1f 100644
--- a/frontend/src/lib/app.postcss
+++ b/frontend/src/lib/app.postcss
@@ -2,6 +2,18 @@
 @tailwind components;
 @tailwind utilities;
 
+@layer base {
+  :root {
+    --alert-link-color: #4100ff;
+  }
+
+  @media (prefers-color-scheme: dark) {
+    :root {
+      --alert-link-color: #4dd0ff;
+    }
+  }
+}
+
 html,
 body,
 .drawer-side,
@@ -151,8 +163,8 @@ input[readonly]:focus {
   border-radius: var(--rounded-badge);
 }
 
-.alert a {
-  color: #0024b9;
+.alert a:not(.btn) {
+  color: var(--alert-link-color, #0024b9);
 }
 
 .collapse input:hover ~ .collapse-title {

From 908ecb321331d63311f0e78752126377da01fc85 Mon Sep 17 00:00:00 2001
From: Tim Haasdyk <tim_haasdyk@sil.org>
Date: Tue, 14 May 2024 15:22:17 +0200
Subject: [PATCH 16/42] Adapt wording and style it

---
 .../components/Projects/ProjectFilter.svelte  |  4 ++--
 .../components/Users/CreateUserModal.svelte   | 24 ++++++++++++++++---
 frontend/src/lib/i18n/locales/en.json         |  5 ++--
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/frontend/src/lib/components/Projects/ProjectFilter.svelte b/frontend/src/lib/components/Projects/ProjectFilter.svelte
index 04ff9b8c6..a208813e5 100644
--- a/frontend/src/lib/components/Projects/ProjectFilter.svelte
+++ b/frontend/src/lib/components/Projects/ProjectFilter.svelte
@@ -118,8 +118,8 @@
           </div>
         {:else}
           <div class="alert alert-info gap-2">
-            <span class="i-mdi-info-outline text-xl"></span>
-            <div class="flex_ items-center gap-2">
+            <Icon icon="i-mdi-info-outline" size="text-2xl" />
+            <div>
               <span class="mr-1">{$t('project.filter.select_user_from_table')}</span>
               <span class="btn btn-sm btn-square pointer-events-none">
                 <span class="i-mdi-dots-vertical"></span>
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index 9ceb3349c..c9decc12f 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -5,6 +5,7 @@
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
   import Markdown from 'svelte-exmarkdown';
   import { NewTabLinkRenderer } from '$lib/components/Markdown';
+  import Icon from '$lib/icons/Icon.svelte';
 
   let createUserModal: Modal;
 
@@ -14,8 +15,25 @@
 </script>
 
 <Modal bind:this={createUserModal} bottom>
-  <Markdown md={$t('admin_dashboard.create_user_modal.help_create_single_guest_user', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
-  <Markdown md={$t('admin_dashboard.create_user_modal.help_create_bulk_guest_users', helpLinks)} plugins={[{ renderer: { a: NewTabLinkRenderer } }]} />
+  <div class="alert alert-info gap-4 mb-4">
+    <Icon icon="i-mdi-info-outline" size="text-2xl" />
+    <div>
+      <h3 class="text-lg">{$t('common.did_you_know')}</h3>
+      <div>
+        <Markdown
+          md={$t('admin_dashboard.create_user_modal.help_create_single_guest_user', { helpLink: helpLinks.addProjectMember })}
+          plugins={[{ renderer: { a: NewTabLinkRenderer } }]}
+        />
+        <Markdown
+          md={$t('admin_dashboard.create_user_modal.help_create_bulk_guest_users', { helpLink: helpLinks.bulkAddCreate })}
+          plugins={[{ renderer: { a: NewTabLinkRenderer } }]}
+        />
+      </div>
+    </div>
+  </div>
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser autoLogin={false} onSubmit={() => createUserModal.submitModal()} submitButtonText={$t('admin_dashboard.create_user_modal.create_user')} />
+  <CreateUser autoLogin={false}
+    onSubmit={() => createUserModal.submitModal()}
+    submitButtonText={$t('admin_dashboard.create_user_modal.create_user')}
+  />
 </Modal>
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 454c823cb..fa035d57e 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -41,8 +41,8 @@
     },
     "create_user_modal": {
       "create_user": "Create User",
-      "help_create_single_guest_user": "Did you know you can also [create users on a project page]({addProjectMember})? That also allows you to make those users members of the project in one step; users created here will not be members of any project and will need a second step to add them to a project.",
-      "help_create_bulk_guest_users": "If you want to create multiple users at once, the best way is probably to use the [Bulk Add/Create Project Members]({bulkAddCreate}) tool.",
+      "help_create_single_guest_user": "You can invite users to register and join a project by themselves with the **Add Project Member** button. See [Add Project Member]({helpLink}) for details.",
+      "help_create_bulk_guest_users": "You can also create and add users to a project in bulk. Look for the **Bulk Add/Create Members** button or see [Bulk Add/Create Project Members]({helpLink}) for details.",
     },
     "user_details_modal": {
       "registered": "Registered",
@@ -528,5 +528,6 @@ If you don't see a dialog or already closed it, click the button below:",
     "any": "Any",
     "yes_no": "{value, select, true {Yes} false {No} other {Unknown}}",
     "any": "Any",
+    "did_you_know": "Did you know?",
   }
 }

From f9d2be7bacf6e7bc975b8366f65017ecc7976983 Mon Sep 17 00:00:00 2001
From: Tim Haasdyk <tim_haasdyk@sil.org>
Date: Tue, 14 May 2024 15:30:25 +0200
Subject: [PATCH 17/42] Only add jwt-token projects to invited users

---
 backend/LexBoxApi/Controllers/UserController.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index 00319e7e5..d7ae44cff 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -87,7 +87,7 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
         };
         registerActivity?.AddTag("app.user.id", userEntity.Id);
         _lexBoxDbContext.Users.Add(userEntity);
-        if (jwtUser is not null && !createdByAdmin && jwtUser.Projects.Length > 0)
+        if (jwtUser?.Audience == LexboxAudience.RegisterAccount)
         {
             userEntity.Projects = jwtUser.Projects.Select(p => new ProjectUsers { Role = p.Role, ProjectId = p.ProjectId }).ToList();
         }

From e21373d79b8907ce281245bbe6336882e443cf4c Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 16 May 2024 15:58:03 +0700
Subject: [PATCH 18/42] Add GQL mutation for creating guest users

The BulkAdd model will soon be switched to use this mutation
---
 backend/LexBoxApi/GraphQL/UserMutations.cs | 55 ++++++++++++++++++++++
 frontend/schema.graphql                    | 17 +++++++
 2 files changed, 72 insertions(+)

diff --git a/backend/LexBoxApi/GraphQL/UserMutations.cs b/backend/LexBoxApi/GraphQL/UserMutations.cs
index faea9fc8b..bf9e39d20 100644
--- a/backend/LexBoxApi/GraphQL/UserMutations.cs
+++ b/backend/LexBoxApi/GraphQL/UserMutations.cs
@@ -1,14 +1,18 @@
 using System.ComponentModel.DataAnnotations;
+using System.Security.Cryptography;
 using LexBoxApi.Auth;
 using LexBoxApi.Auth.Attributes;
 using LexBoxApi.GraphQL.CustomTypes;
 using LexBoxApi.Models.Project;
+using LexBoxApi.Otel;
 using LexBoxApi.Services;
+using LexCore;
 using LexCore.Auth;
 using LexCore.Entities;
 using LexCore.Exceptions;
 using LexCore.ServiceInterfaces;
 using LexData;
+using LexData.Entities;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.IdentityModel.Tokens;
@@ -23,6 +27,13 @@ public record ChangeUserAccountBySelfInput(Guid UserId, string? Email, string Na
         : ChangeUserAccountDataInput(UserId, Email, Name);
     public record ChangeUserAccountByAdminInput(Guid UserId, string? Email, string Name, UserRole Role)
         : ChangeUserAccountDataInput(UserId, Email, Name);
+    public record CreateGuestUserByAdminInput(
+        string? Email,
+        string? Name,
+        string? Username,
+        string Locale,
+        string PasswordHash,
+        int? PasswordStrength);
 
     [Error<NotFoundException>]
     [Error<DbError>]
@@ -63,6 +74,50 @@ EmailService emailService
         return UpdateUser(loggedInContext, permissionService, input, dbContext, emailService);
     }
 
+    [Error<NotFoundException>]
+    [Error<DbError>]
+    [Error<UniqueValueException>]
+    [Error<RequiredException>]
+    [AdminRequired]
+    public async Task<User> CreateGuestUserByAdmin(
+        LoggedInContext loggedInContext,
+        CreateGuestUserByAdminInput input,
+        LexBoxDbContext dbContext
+    )
+    {
+        using var createGuestUserActivity = LexBoxActivitySource.Get().StartActivity("CreateGuestUser");
+
+        var hasExistingUser = input.Email is null && input.Username is null
+            ? throw new RequiredException("Guest users must have either an email or a username")
+            : await dbContext.Users.FilterByEmailOrUsername(input.Email ?? input.Username!).AnyAsync();
+        createGuestUserActivity?.AddTag("app.email_available", !hasExistingUser);
+        if (hasExistingUser) throw new UniqueValueException("Email");
+
+        var admin = loggedInContext.User;
+
+        var salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(SHA1.HashSizeInBytes));
+        var userEntity = new User
+        {
+            Id = Guid.NewGuid(),
+            Name = input.Name ?? input.Username ?? input.Email!,
+            Email = input.Email,
+            Username = input.Username,
+            LocalizationCode = input.Locale,
+            Salt = salt,
+            PasswordHash = PasswordHashing.HashPassword(input.PasswordHash, salt, true),
+            PasswordStrength = UserService.ClampPasswordStrength(input.PasswordStrength),
+            IsAdmin = false,
+            EmailVerified = false,
+            CreatedById = admin.Id,
+            Locked = false,
+            CanCreateProjects = false
+        };
+        createGuestUserActivity?.AddTag("app.user.id", userEntity.Id);
+        dbContext.Users.Add(userEntity);
+        await dbContext.SaveChangesAsync();
+        return userEntity;
+    }
+
     private static async Task<User> UpdateUser(
         LoggedInContext loggedInContext,
         IPermissionService permissionService,
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
index dddbfd48d..2fe3846f5 100644
--- a/frontend/schema.graphql
+++ b/frontend/schema.graphql
@@ -77,6 +77,11 @@ type CollectionSegmentInfo {
   hasPreviousPage: Boolean!
 }
 
+type CreateGuestUserByAdminPayload {
+  user: User
+  errors: [CreateGuestUserByAdminError!]
+}
+
 type CreateOrganizationPayload {
   organization: Organization
   errors: [CreateOrganizationError!]
@@ -179,6 +184,7 @@ type Mutation {
   softDeleteProject(input: SoftDeleteProjectInput!): SoftDeleteProjectPayload!
   changeUserAccountBySelf(input: ChangeUserAccountBySelfInput!): ChangeUserAccountBySelfPayload!
   changeUserAccountByAdmin(input: ChangeUserAccountByAdminInput!): ChangeUserAccountByAdminPayload! @authorize(policy: "AdminRequiredPolicy")
+  createGuestUserByAdmin(input: CreateGuestUserByAdminInput!): CreateGuestUserByAdminPayload! @authorize(policy: "AdminRequiredPolicy")
   deleteUserByAdminOrSelf(input: DeleteUserByAdminOrSelfInput!): DeleteUserByAdminOrSelfPayload!
   setUserLocked(input: SetUserLockedInput!): SetUserLockedPayload! @authorize(policy: "AdminRequiredPolicy")
 }
@@ -357,6 +363,8 @@ union ChangeUserAccountByAdminError = NotFoundError | DbError | UniqueValueError
 
 union ChangeUserAccountBySelfError = NotFoundError | DbError | UniqueValueError
 
+union CreateGuestUserByAdminError = NotFoundError | DbError | UniqueValueError | RequiredError
+
 union CreateOrganizationError = DbError
 
 union CreateProjectError = DbError | AlreadyExistsError | ProjectCreatorsMustHaveEmail
@@ -421,6 +429,15 @@ input ChangeUserAccountBySelfInput {
   name: String!
 }
 
+input CreateGuestUserByAdminInput {
+  email: String
+  name: String
+  username: String
+  locale: String!
+  passwordHash: String!
+  passwordStrength: Int
+}
+
 input CreateOrganizationInput {
   name: String!
 }

From 1e1bf8d745a68a76e7840902568e9f9169aa9245 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 16 May 2024 16:06:48 +0700
Subject: [PATCH 19/42] Add flow for accepting invitation email

This obviously shares a LOT of common code with RegisterAccount; the
difference is that RegisterAccount now requires that one *not* be logged
in, to avoid any possible issues with projects being incorrectly
inherited from the JWT of the logged-in user.
---
 .../LexBoxApi/Controllers/UserController.cs   | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index d7ae44cff..e5fceb928 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -104,6 +104,70 @@ await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
         return Ok(user);
     }
 
+    // TODO: Refactor common code between this and RegisterAccount
+    [HttpPost("acceptInvitation")]
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    [ProducesErrorResponseType(typeof(Dictionary<string, string[]>))]
+    [ProducesDefaultResponseType]
+    public async Task<ActionResult<LexAuthUser>> AcceptEmailInvitation(RegisterAccountInput accountInput)
+    {
+        using var acceptActivity = LexBoxActivitySource.Get().StartActivity("AcceptInvitation");
+        var validToken = await _turnstileService.IsTokenValid(accountInput.TurnstileToken, accountInput.Email);
+        acceptActivity?.AddTag("app.turnstile_token_valid", validToken);
+        if (!validToken)
+        {
+            ModelState.AddModelError<RegisterAccountInput>(r => r.TurnstileToken, "token invalid");
+            return ValidationProblem(ModelState);
+        }
+
+        var jwtUser = _loggedInContext.User;
+        if (jwtUser.Audience != LexboxAudience.RegisterAccount)
+        {
+            // TODO: Figure out how to register this error (AddModelError<RegisterAccountInput> isn't correct, obviously)
+            ModelState.AddModelError<RegisterAccountInput>(r => r.Email, "invitation page accessed via invalid JWT");
+        }
+
+        var hasExistingUser = await _lexBoxDbContext.Users.FilterByEmailOrUsername(accountInput.Email).AnyAsync();
+        acceptActivity?.AddTag("app.email_available", !hasExistingUser);
+        if (hasExistingUser)
+        {
+            ModelState.AddModelError<RegisterAccountInput>(r => r.Email, "email already in use");
+            return ValidationProblem(ModelState);
+        }
+
+        var emailVerified = jwtUser.Email == accountInput.Email;
+
+        var salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(SHA1.HashSizeInBytes));
+        var userEntity = new User
+        {
+            Id = Guid.NewGuid(),
+            Name = accountInput.Name,
+            Email = accountInput.Email,
+            LocalizationCode = accountInput.Locale,
+            Salt = salt,
+            PasswordHash = PasswordHashing.HashPassword(accountInput.PasswordHash, salt, true),
+            PasswordStrength = UserService.ClampPasswordStrength(accountInput.PasswordStrength),
+            IsAdmin = false,
+            EmailVerified = emailVerified,
+            Locked = false,
+            CanCreateProjects = false
+        };
+        acceptActivity?.AddTag("app.user.id", userEntity.Id);
+        _lexBoxDbContext.Users.Add(userEntity);
+        if (jwtUser.Audience == LexboxAudience.RegisterAccount && jwtUser.Projects.Length > 0)
+        {
+            userEntity.Projects = jwtUser.Projects.Select(p => new ProjectUsers { Role = p.Role, ProjectId = p.ProjectId }).ToList();
+        }
+        await _lexBoxDbContext.SaveChangesAsync();
+
+        var user = new LexAuthUser(userEntity);
+        await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
+            new AuthenticationProperties { IsPersistent = true });
+
+        if (!emailVerified) await _emailService.SendVerifyAddressEmail(userEntity);
+        return Ok(user);
+    }
+
     [HttpPost("sendVerificationEmail")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]

From 4c7da1d0c2040dd8ccb5042b5b3bcec7f58d8eb3 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 16 May 2024 16:14:12 +0700
Subject: [PATCH 20/42] Refactor some common code in user controller

More refactoring could be done, but this is the low-hanging fruit that
makes the rest of the code logic a little easier to follow.
---
 .../LexBoxApi/Controllers/UserController.cs   | 61 +++++++------------
 1 file changed, 23 insertions(+), 38 deletions(-)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index e5fceb928..898b46745 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -68,29 +68,9 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
         var jwtUser = _loggedInContext.MaybeUser;
         var emailVerified = jwtUser?.Email == accountInput.Email;
         var createdByAdmin = jwtUser?.IsAdmin ?? false;
-
-        var salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(SHA1.HashSizeInBytes));
-        var userEntity = new User
-        {
-            Id = Guid.NewGuid(),
-            Name = accountInput.Name,
-            Email = accountInput.Email,
-            LocalizationCode = accountInput.Locale,
-            Salt = salt,
-            PasswordHash = PasswordHashing.HashPassword(accountInput.PasswordHash, salt, true),
-            PasswordStrength = UserService.ClampPasswordStrength(accountInput.PasswordStrength),
-            IsAdmin = false,
-            EmailVerified = emailVerified,
-            CreatedById = createdByAdmin ? jwtUser?.Id : null,
-            Locked = false,
-            CanCreateProjects = false
-        };
+        var userEntity = CreateUserEntity(accountInput, emailVerified, createdByAdmin ? jwtUser?.Id : null);
         registerActivity?.AddTag("app.user.id", userEntity.Id);
         _lexBoxDbContext.Users.Add(userEntity);
-        if (jwtUser?.Audience == LexboxAudience.RegisterAccount)
-        {
-            userEntity.Projects = jwtUser.Projects.Select(p => new ProjectUsers { Role = p.Role, ProjectId = p.ProjectId }).ToList();
-        }
         await _lexBoxDbContext.SaveChangesAsync();
 
         var user = new LexAuthUser(userEntity);
@@ -104,7 +84,6 @@ await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
         return Ok(user);
     }
 
-    // TODO: Refactor common code between this and RegisterAccount
     [HttpPost("acceptInvitation")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesErrorResponseType(typeof(Dictionary<string, string[]>))]
@@ -136,22 +115,7 @@ public async Task<ActionResult<LexAuthUser>> AcceptEmailInvitation(RegisterAccou
         }
 
         var emailVerified = jwtUser.Email == accountInput.Email;
-
-        var salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(SHA1.HashSizeInBytes));
-        var userEntity = new User
-        {
-            Id = Guid.NewGuid(),
-            Name = accountInput.Name,
-            Email = accountInput.Email,
-            LocalizationCode = accountInput.Locale,
-            Salt = salt,
-            PasswordHash = PasswordHashing.HashPassword(accountInput.PasswordHash, salt, true),
-            PasswordStrength = UserService.ClampPasswordStrength(accountInput.PasswordStrength),
-            IsAdmin = false,
-            EmailVerified = emailVerified,
-            Locked = false,
-            CanCreateProjects = false
-        };
+        var userEntity = CreateUserEntity(accountInput, emailVerified);
         acceptActivity?.AddTag("app.user.id", userEntity.Id);
         _lexBoxDbContext.Users.Add(userEntity);
         if (jwtUser.Audience == LexboxAudience.RegisterAccount && jwtUser.Projects.Length > 0)
@@ -168,6 +132,27 @@ await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
         return Ok(user);
     }
 
+    public User CreateUserEntity(RegisterAccountInput input, bool emailVerified, Guid? creatorId = null)
+    {
+        var salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(SHA1.HashSizeInBytes));
+        var userEntity = new User
+        {
+            Id = Guid.NewGuid(),
+            Name = input.Name,
+            Email = input.Email,
+            LocalizationCode = input.Locale,
+            Salt = salt,
+            PasswordHash = PasswordHashing.HashPassword(input.PasswordHash, salt, true),
+            PasswordStrength = UserService.ClampPasswordStrength(input.PasswordStrength),
+            IsAdmin = false,
+            EmailVerified = emailVerified,
+            CreatedById = creatorId,
+            Locked = false,
+            CanCreateProjects = false
+        };
+        return userEntity;
+    }
+
     [HttpPost("sendVerificationEmail")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]

From f19c43a9f94e3fb91ccb7aa14089da005645c663 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 16 May 2024 16:18:21 +0700
Subject: [PATCH 21/42] Require registerAccount flow to be unauthenticated

---
 .../LexBoxApi/Controllers/UserController.cs   | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index 898b46745..dcf50089e 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -42,7 +42,7 @@ LexAuthService lexAuthService
     }
 
     [HttpPost("registerAccount")]
-    [AllowAnonymous]
+    [AllowAnonymous] // Is there a RequireAnonymous attribute?
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesErrorResponseType(typeof(Dictionary<string, string[]>))]
     [ProducesDefaultResponseType]
@@ -57,6 +57,13 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
             return ValidationProblem(ModelState);
         }
 
+        var jwtUser = _loggedInContext.MaybeUser;
+        if (jwtUser is not null)
+        {
+            // TODO: Figure out how to register this error (AddModelError<RegisterAccountInput> isn't correct, obviously)
+            ModelState.AddModelError<RegisterAccountInput>(r => r.Email, "must not access register flow while logged in");
+        }
+
         var hasExistingUser = await _lexBoxDbContext.Users.FilterByEmailOrUsername(accountInput.Email).AnyAsync();
         registerActivity?.AddTag("app.email_available", !hasExistingUser);
         if (hasExistingUser)
@@ -65,22 +72,16 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
             return ValidationProblem(ModelState);
         }
 
-        var jwtUser = _loggedInContext.MaybeUser;
-        var emailVerified = jwtUser?.Email == accountInput.Email;
-        var createdByAdmin = jwtUser?.IsAdmin ?? false;
-        var userEntity = CreateUserEntity(accountInput, emailVerified, createdByAdmin ? jwtUser?.Id : null);
+        var userEntity = CreateUserEntity(accountInput, emailVerified: false);
         registerActivity?.AddTag("app.user.id", userEntity.Id);
         _lexBoxDbContext.Users.Add(userEntity);
         await _lexBoxDbContext.SaveChangesAsync();
 
         var user = new LexAuthUser(userEntity);
-        if (accountInput.AutoLogin)
-        {
-            await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
-                new AuthenticationProperties { IsPersistent = true });
-        }
+        await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
+            new AuthenticationProperties { IsPersistent = true });
 
-        if (!emailVerified) await _emailService.SendVerifyAddressEmail(userEntity);
+        await _emailService.SendVerifyAddressEmail(userEntity);
         return Ok(user);
     }
 

From 04cc4ebfd4a25160e12588b2c2ed2ec4dd93f0b9 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 16 May 2024 16:24:36 +0700
Subject: [PATCH 22/42] Changed my mind about unauth in register flow

Rather than forcing you to not be logged in to use the registerAccount
flow, it's probably better to just ignore any login tokens in that flow,
especially since you're going to be logged out of your current session
at the end of the flow anyway when it logs you into the new token.
---
 backend/LexBoxApi/Controllers/UserController.cs | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index dcf50089e..c1c4c3825 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -42,7 +42,7 @@ LexAuthService lexAuthService
     }
 
     [HttpPost("registerAccount")]
-    [AllowAnonymous] // Is there a RequireAnonymous attribute?
+    [AllowAnonymous]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesErrorResponseType(typeof(Dictionary<string, string[]>))]
     [ProducesDefaultResponseType]
@@ -57,13 +57,6 @@ public async Task<ActionResult<LexAuthUser>> RegisterAccount(RegisterAccountInpu
             return ValidationProblem(ModelState);
         }
 
-        var jwtUser = _loggedInContext.MaybeUser;
-        if (jwtUser is not null)
-        {
-            // TODO: Figure out how to register this error (AddModelError<RegisterAccountInput> isn't correct, obviously)
-            ModelState.AddModelError<RegisterAccountInput>(r => r.Email, "must not access register flow while logged in");
-        }
-
         var hasExistingUser = await _lexBoxDbContext.Users.FilterByEmailOrUsername(accountInput.Email).AnyAsync();
         registerActivity?.AddTag("app.email_available", !hasExistingUser);
         if (hasExistingUser)

From 327e86386ba7fb24006eb5c3f01a28ac2e96b680 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Fri, 17 May 2024 09:55:15 +0700
Subject: [PATCH 23/42] Prep bulk add for being used with no project ID

We will probably end up using the bulk-add mutation for orgs, so for
starters, we should be ready to handle the case where there is no
project ID. Later we'll allow the GUID to reference either a project or
an organization.
---
 backend/LexBoxApi/GraphQL/ProjectMutations.cs | 21 ++++++++++++++-----
 .../Models/Project/ProjectMemberInputs.cs     |  2 +-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/backend/LexBoxApi/GraphQL/ProjectMutations.cs b/backend/LexBoxApi/GraphQL/ProjectMutations.cs
index 49ba58e5e..2daa9cffd 100644
--- a/backend/LexBoxApi/GraphQL/ProjectMutations.cs
+++ b/backend/LexBoxApi/GraphQL/ProjectMutations.cs
@@ -122,8 +122,11 @@ public async Task<BulkAddProjectMembersResult> BulkAddProjectMembers(
         BulkAddProjectMembersInput input,
         LexBoxDbContext dbContext)
     {
-        var project = await dbContext.Projects.FindAsync(input.ProjectId);
-        if (project is null) throw new NotFoundException("Project not found", "project");
+        if (input.ProjectId.HasValue)
+        {
+            var projectExists = await dbContext.Projects.AnyAsync(p => p.Id == input.ProjectId.Value);
+            if (!projectExists) throw new NotFoundException("Project not found", "project");
+        }
         List<UserProjectRole> AddedMembers = [];
         List<UserProjectRole> CreatedMembers = [];
         List<UserProjectRole> ExistingMembers = [];
@@ -154,10 +157,13 @@ public async Task<BulkAddProjectMembersResult> BulkAddProjectMembers(
                     CanCreateProjects = false
                 };
                 CreatedMembers.Add(new UserProjectRole(usernameOrEmail, input.Role));
-                user.Projects.Add(new ProjectUsers { Role = input.Role, ProjectId = input.ProjectId, UserId = user.Id });
+                if (input.ProjectId.HasValue)
+                {
+                    user.Projects.Add(new ProjectUsers { Role = input.Role, ProjectId = input.ProjectId.Value, UserId = user.Id });
+                }
                 dbContext.Add(user);
             }
-            else
+            else if (input.ProjectId.HasValue)
             {
                 var userProject = user.Projects.FirstOrDefault(p => p.ProjectId == input.ProjectId);
                 if (userProject is not null)
@@ -168,9 +174,14 @@ public async Task<BulkAddProjectMembersResult> BulkAddProjectMembers(
                 {
                     AddedMembers.Add(new UserProjectRole(user.Username ?? user.Email!, input.Role));
                     // Not yet a member, so add a membership. We don't want to touch existing memberships, which might have other roles
-                    user.Projects.Add(new ProjectUsers { Role = input.Role, ProjectId = input.ProjectId, UserId = user.Id });
+                    user.Projects.Add(new ProjectUsers { Role = input.Role, ProjectId = input.ProjectId.Value, UserId = user.Id });
                 }
             }
+            else
+            {
+                // No project ID specified, user already exists. This is probably part of bulk-adding through the admin dashboard or org page.
+                ExistingMembers.Add(new UserProjectRole(user.Username ?? user.Email!, ProjectRole.Unknown));
+            }
         }
         await dbContext.SaveChangesAsync();
         return new BulkAddProjectMembersResult(AddedMembers, CreatedMembers, ExistingMembers);
diff --git a/backend/LexBoxApi/Models/Project/ProjectMemberInputs.cs b/backend/LexBoxApi/Models/Project/ProjectMemberInputs.cs
index 2bcdd5a19..13a787fba 100644
--- a/backend/LexBoxApi/Models/Project/ProjectMemberInputs.cs
+++ b/backend/LexBoxApi/Models/Project/ProjectMemberInputs.cs
@@ -5,6 +5,6 @@ namespace LexBoxApi.Models.Project;
 
 public record AddProjectMemberInput(Guid ProjectId, string UsernameOrEmail, ProjectRole Role);
 
-public record BulkAddProjectMembersInput(Guid ProjectId, string[] Usernames, ProjectRole Role, string PasswordHash);
+public record BulkAddProjectMembersInput(Guid? ProjectId, string[] Usernames, ProjectRole Role, string PasswordHash);
 
 public record ChangeProjectMemberRoleInput(Guid ProjectId, Guid UserId, ProjectRole Role);

From 9a3eb02677bf455d2e2ecdbb77e2a82d91497a1c Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Fri, 17 May 2024 10:59:06 +0700
Subject: [PATCH 24/42] Make refactored method private

If it's a public method, Swagger API generator wants to know what HTTP
verb should be exposed. I didn't intend this to be part of the public
API, so the method shouldn't be public.
---
 backend/LexBoxApi/Controllers/UserController.cs | 2 +-
 frontend/schema.graphql                         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index c1c4c3825..858dd37e3 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -126,7 +126,7 @@ await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
         return Ok(user);
     }
 
-    public User CreateUserEntity(RegisterAccountInput input, bool emailVerified, Guid? creatorId = null)
+    private User CreateUserEntity(RegisterAccountInput input, bool emailVerified, Guid? creatorId = null)
     {
         var salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(SHA1.HashSizeInBytes));
         var userEntity = new User
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
index 2fe3846f5..a293aaff5 100644
--- a/frontend/schema.graphql
+++ b/frontend/schema.graphql
@@ -393,7 +393,7 @@ input BooleanOperationFilterInput {
 }
 
 input BulkAddProjectMembersInput {
-  projectId: UUID!
+  projectId: UUID
   usernames: [String!]!
   role: ProjectRole!
   passwordHash: String!

From 2b6c2b8a0619f5296657763fd75c801ea48b0bbb Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Fri, 17 May 2024 11:47:48 +0700
Subject: [PATCH 25/42] Update API endpoints for register and invite flows

Now the register page will ignore any logged-in tokens, and won't take a
projects list from them. Whereas the accept-invitation flow (which looks
very similar to the register page except for the different title) only
accepts JWTs with the Register audience (better not to change the
audience name), and will extract project lists from them.

Meanwhile, the CreateGuestUserByAdmin GraphQL endpoint changes to return
a LexAuthUser just like the register and acceptInvitation endpoints, so
that the code in CreateUser.svelte doesn't have to deal with multiple
return types.

Everything appears to still be working: registering oneself, accepting
an email invitation, and admins creating guest users.
---
 .../LexBoxApi/Controllers/UserController.cs   |  8 ++-
 backend/LexBoxApi/GraphQL/UserMutations.cs    |  4 +-
 backend/LexBoxApi/Services/EmailService.cs    |  2 +-
 frontend/schema.graphql                       |  2 +-
 .../lib/components/Users/CreateUser.svelte    | 14 ++++-
 .../components/Users/CreateUserModal.svelte   |  3 +-
 frontend/src/lib/i18n/locales/en.json         |  4 ++
 frontend/src/lib/user.ts                      | 51 +++++++++++++++++--
 .../routes/(authenticated)/admin/+page.svelte |  2 +-
 .../src/routes/(authenticated)/admin/+page.ts | 40 +++++++++++++++
 .../acceptInvitation/+page.svelte             |  9 ++++
 .../(unauthenticated)/register/+page.svelte   |  2 +-
 frontend/tests/emailWorkflow.test.ts          | 10 ++--
 frontend/tests/pages/acceptInvitationPage.ts  | 18 +++++++
 14 files changed, 145 insertions(+), 24 deletions(-)
 create mode 100644 frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
 create mode 100644 frontend/tests/pages/acceptInvitationPage.ts

diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
index 858dd37e3..92b6c7020 100644
--- a/backend/LexBoxApi/Controllers/UserController.cs
+++ b/backend/LexBoxApi/Controllers/UserController.cs
@@ -1,5 +1,6 @@
 using System.Security.Cryptography;
 using LexBoxApi.Auth;
+using LexBoxApi.Auth.Attributes;
 using LexBoxApi.Models;
 using LexBoxApi.Otel;
 using LexBoxApi.Services;
@@ -79,6 +80,7 @@ await HttpContext.SignInAsync(user.GetPrincipal("Registration"),
     }
 
     [HttpPost("acceptInvitation")]
+    [RequireAudience(LexboxAudience.RegisterAccount, true)]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesErrorResponseType(typeof(Dictionary<string, string[]>))]
     [ProducesDefaultResponseType]
@@ -94,11 +96,6 @@ public async Task<ActionResult<LexAuthUser>> AcceptEmailInvitation(RegisterAccou
         }
 
         var jwtUser = _loggedInContext.User;
-        if (jwtUser.Audience != LexboxAudience.RegisterAccount)
-        {
-            // TODO: Figure out how to register this error (AddModelError<RegisterAccountInput> isn't correct, obviously)
-            ModelState.AddModelError<RegisterAccountInput>(r => r.Email, "invitation page accessed via invalid JWT");
-        }
 
         var hasExistingUser = await _lexBoxDbContext.Users.FilterByEmailOrUsername(accountInput.Email).AnyAsync();
         acceptActivity?.AddTag("app.email_available", !hasExistingUser);
@@ -112,6 +109,7 @@ public async Task<ActionResult<LexAuthUser>> AcceptEmailInvitation(RegisterAccou
         var userEntity = CreateUserEntity(accountInput, emailVerified);
         acceptActivity?.AddTag("app.user.id", userEntity.Id);
         _lexBoxDbContext.Users.Add(userEntity);
+        // This audience check is redundant now because of [RequireAudience(LexboxAudience.RegisterAccount, true)], but let's leave it in for safety
         if (jwtUser.Audience == LexboxAudience.RegisterAccount && jwtUser.Projects.Length > 0)
         {
             userEntity.Projects = jwtUser.Projects.Select(p => new ProjectUsers { Role = p.Role, ProjectId = p.ProjectId }).ToList();
diff --git a/backend/LexBoxApi/GraphQL/UserMutations.cs b/backend/LexBoxApi/GraphQL/UserMutations.cs
index bf9e39d20..1d4698618 100644
--- a/backend/LexBoxApi/GraphQL/UserMutations.cs
+++ b/backend/LexBoxApi/GraphQL/UserMutations.cs
@@ -79,7 +79,7 @@ EmailService emailService
     [Error<UniqueValueException>]
     [Error<RequiredException>]
     [AdminRequired]
-    public async Task<User> CreateGuestUserByAdmin(
+    public async Task<LexAuthUser> CreateGuestUserByAdmin(
         LoggedInContext loggedInContext,
         CreateGuestUserByAdminInput input,
         LexBoxDbContext dbContext
@@ -115,7 +115,7 @@ LexBoxDbContext dbContext
         createGuestUserActivity?.AddTag("app.user.id", userEntity.Id);
         dbContext.Users.Add(userEntity);
         await dbContext.SaveChangesAsync();
-        return userEntity;
+        return new LexAuthUser(userEntity);
     }
 
     private static async Task<User> UpdateUser(
diff --git a/backend/LexBoxApi/Services/EmailService.cs b/backend/LexBoxApi/Services/EmailService.cs
index b866dcd22..af8c46a93 100644
--- a/backend/LexBoxApi/Services/EmailService.cs
+++ b/backend/LexBoxApi/Services/EmailService.cs
@@ -127,7 +127,7 @@ public async Task SendCreateAccountEmail(string emailAddress,
         var httpContext = httpContextAccessor.HttpContext;
         ArgumentNullException.ThrowIfNull(httpContext);
         var queryString = QueryString.Create("email", emailAddress);
-        var returnTo = new UriBuilder() { Path = "/register", Query = queryString.Value }.Uri.PathAndQuery;
+        var returnTo = new UriBuilder() { Path = "/acceptInvitation", Query = queryString.Value }.Uri.PathAndQuery;
         var registerLink = _linkGenerator.GetUriByAction(httpContext,
             "LoginRedirect",
             "Login",
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
index a293aaff5..3d3d29438 100644
--- a/frontend/schema.graphql
+++ b/frontend/schema.graphql
@@ -78,7 +78,7 @@ type CollectionSegmentInfo {
 }
 
 type CreateGuestUserByAdminPayload {
-  user: User
+  lexAuthUser: LexAuthUser
   errors: [CreateGuestUserByAdminError!]
 }
 
diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index b984aeef6..070a6e270 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -3,7 +3,7 @@
   import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
   import { SubmitButton, FormError, Input, ProtectedForm, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
   import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
-  import { register } from '$lib/user';
+  import { register, acceptInvitation, createGuestUserByAdmin } from '$lib/user';
   import { getSearchParamValues } from '$lib/util/query-params';
   import { onMount } from 'svelte';
   import { z } from 'zod';
@@ -11,6 +11,7 @@
   export let autoLogin = true;
   export let onSubmit: (() => void) | undefined = undefined;
   export let submitButtonText = $t('register.button_register');
+  export let endpoint: 'register' | 'acceptInvitation' | 'createGuestUserByAdmin';
 
   type RegisterPageQueryParams = {
     name: string;
@@ -29,7 +30,12 @@
   });
 
   let { form, errors, message, enhance, submitting } = lexSuperForm(formSchema, async () => {
-    const { user, error } = await register($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken, autoLogin);
+    const endpointHandler =
+        endpoint === 'acceptInvitation' ? acceptInvitation
+      : endpoint === 'register' ? register
+      : endpoint === 'createGuestUserByAdmin' ? createGuestUserByAdmin
+      : () => { throw new Error(`CreateUser doesn't know how to handle endpoint type ${endpoint}`) };
+    const { user, error } = await endpointHandler($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken, autoLogin);
     if (error) {
       if (error.turnstile) {
         $message = $t('turnstile.invalid');
@@ -37,6 +43,10 @@
       if (error.accountExists) {
         $errors.email = [$t('register.account_exists')];
       }
+      if (error.invalidInput) {
+        $errors.email = [$t('register.invalid_input')];
+        // If we later allow username-only accounts to be created, add error message to $errors.username as well and change message to "specify email or username"
+      }
       return;
     }
     if (user) {
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index c9decc12f..ec1992879 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -8,6 +8,7 @@
   import Icon from '$lib/icons/Icon.svelte';
 
   let createUserModal: Modal;
+  export let endpoint: 'register' | 'acceptInvitation' | 'createGuestUserByAdmin';
 
   export async function open(): Promise<void> {
     await createUserModal.openModal(true, true);
@@ -32,7 +33,7 @@
     </div>
   </div>
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser autoLogin={false}
+  <CreateUser {endpoint} autoLogin={false}
     onSubmit={() => createUserModal.submitModal()}
     submitButtonText={$t('admin_dashboard.create_user_modal.create_user')}
   />
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index fa035d57e..0a91d071c 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -389,6 +389,7 @@ If you don't see a dialog or already closed it, click the button below:",
   "register": {
     "title": "Register",
     "account_exists": "An account with this email already exists",
+    "invalid_input": "Please specify an email address",
     "button_register": "Register",
     "label_email": "Email",
     "description_email": "This will be your **Send/Receive login**",
@@ -396,6 +397,9 @@ If you don't see a dialog or already closed it, click the button below:",
     "label_password": "Password",
     "name_missing": "Name missing",
   },
+  "accept_invitation": {
+    "title": "Accept Invitation",
+  },
   "reset_password": {
     "title": "Reset Password",
     "new_password": "New Password",
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index 49d7c67a2..84a227f7e 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -5,7 +5,8 @@ import { deleteCookie, getCookie } from './util/cookies'
 import {hash} from '$lib/util/hash';
 import { ensureErrorIsTraced, errorSourceTag } from './otel'
 import zxcvbn from 'zxcvbn';
-import { type AuthUserProject, ProjectRole, UserRole } from './gql/types';
+import { type AuthUserProject, ProjectRole, UserRole, type CreateGuestUserByAdminInput } from './gql/types';
+import { _createGuestUserByAdmin } from '../routes/(authenticated)/admin/+page';
 
 type LoginError = 'BadCredentials' | 'Locked';
 type LoginResult = {
@@ -18,6 +19,7 @@ type RegisterResponseErrors = {
     /* eslint-disable @typescript-eslint/naming-convention */
     TurnstileToken?: unknown,
     Email?: unknown,
+    Required?: unknown,
     /* eslint-enable @typescript-eslint/naming-convention */
   }
 }
@@ -81,9 +83,9 @@ export async function login(userId: string, password: string): Promise<LoginResu
     : { success: false, error: await response.text() as LoginError };
 }
 
-type RegisterResponse = { error?: { turnstile: boolean, accountExists: boolean }, user?: LexAuthUser };
-export async function register(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
-  const response = await fetch('/api/User/registerAccount', {
+type RegisterResponse = { error?: { turnstile: boolean, accountExists: boolean, invalidInput: boolean }, user?: LexAuthUser };
+export async function createUser(endpoint: string, password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
+  const response = await fetch(endpoint, {
     method: 'post',
     headers: {
       'content-type': 'application/json',
@@ -102,13 +104,52 @@ export async function register(password: string, passwordStrength: number, name:
   if (!response.ok) {
     const { errors } = await response.json() as RegisterResponseErrors;
     if (!errors) throw new Error('Missing error on non-ok response');
-    return { error: { turnstile: 'TurnstileToken' in errors, accountExists: 'Email' in errors } };
+    return { error: { turnstile: 'TurnstileToken' in errors, accountExists: 'Email' in errors, invalidInput: 'Required' in errors } };
   }
 
   const responseJson = await response.json() as JwtTokenUser;
   const userJson: LexAuthUser = jwtToUser(responseJson);
   return { user: userJson };
 }
+export function register(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
+  return createUser('/api/User/registerAccount', password, passwordStrength, name, email, locale, turnstileToken, autoLogin);
+}
+export function acceptInvitation(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
+  return createUser('/api/User/acceptInvitation', password, passwordStrength, name, email, locale, turnstileToken, autoLogin);
+}
+export async function createGuestUserByAdmin(password: string, passwordStrength: number, name: string, email: string, locale: string, _turnstileToken: string, _autoLogin: boolean): Promise<RegisterResponse> {
+  const passwordHash = await hash(password);
+  const gqlInput: CreateGuestUserByAdminInput = {
+    passwordHash,
+    passwordStrength,
+    name,
+    email,
+    locale,
+  };
+  const gqlResponse = await _createGuestUserByAdmin(gqlInput);
+  // const registerResponse = { error?: { turnstile: boolean, accountExists: boolean }, user?: LexAuthUser };
+  if (gqlResponse.error?.byType('UniqueValueError')) {
+    return { error: { invalidInput: false, turnstile: false, accountExists: true }};
+  }
+  if (gqlResponse.error?.byType('RequiredError')) {
+    return { error: { invalidInput: true, turnstile: false, accountExists: false }};
+  }
+  if (!gqlResponse.data?.createGuestUserByAdmin.lexAuthUser ) {
+    return { error: { invalidInput: true, turnstile: false, accountExists: false }};
+  }
+  const responseUser = gqlResponse.data?.createGuestUserByAdmin.lexAuthUser;
+  const user: LexAuthUser = {
+    ...responseUser,
+    email: responseUser.email ?? undefined,
+    username: responseUser.username ?? undefined,
+    locked: responseUser.locked ?? false,
+    emailVerified: responseUser.emailVerificationRequired ?? false,
+    canCreateProjects: responseUser.canCreateProjects ?? false,
+    createdByAdmin: responseUser.createdByAdmin ?? false,
+    emailOrUsername: (responseUser.email ?? responseUser.username) as string,
+  }
+  return { user }
+}
 
 export function getUser(cookies: Cookies): LexAuthUser | null {
   const token = getCookie(AUTH_COOKIE_NAME, cookies);
diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index 4aa8e8929..4688ffec0 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -245,5 +245,5 @@
   <EditUserAccount bind:this={formModal} {deleteUser} currUser={data.user} />
   <DeleteUserModal bind:this={deleteUserModal} i18nScope="admin_dashboard.form_modal.delete_user" />
   <UserModal bind:this={userModal}/>
-  <CreateUserModal bind:this={createUserModal}/>
+  <CreateUserModal endpoint="createGuestUserByAdmin" bind:this={createUserModal}/>
 </main>
diff --git a/frontend/src/routes/(authenticated)/admin/+page.ts b/frontend/src/routes/(authenticated)/admin/+page.ts
index e68f8c052..5a2ea2f7f 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.ts
+++ b/frontend/src/routes/(authenticated)/admin/+page.ts
@@ -9,6 +9,8 @@ import type {
   $OpResult,
   ChangeUserAccountByAdminInput,
   ChangeUserAccountByAdminMutation,
+  CreateGuestUserByAdminInput,
+  CreateGuestUserByAdminMutation,
   DraftProjectFilterInput,
   ProjectFilterInput,
   SetUserLockedInput,
@@ -161,6 +163,44 @@ export async function _changeUserAccountByAdmin(input: ChangeUserAccountByAdminI
   return result;
 }
 
+export async function _createGuestUserByAdmin(input: CreateGuestUserByAdminInput): $OpResult<CreateGuestUserByAdminMutation> {
+  //language=GraphQL
+  const result = await getClient()
+    .mutation(
+      graphql(`
+        mutation CreateGuestUserByAdmin($input: CreateGuestUserByAdminInput!) {
+          createGuestUserByAdmin(input: $input) {
+            lexAuthUser {
+              id
+              name
+              email
+              username
+              role
+              isAdmin
+              locked
+              emailVerificationRequired
+              canCreateProjects
+              createdByAdmin
+              locale
+              projects {
+                projectId
+                role
+              }
+            }
+            errors {
+                __typename
+              ... on Error {
+                message
+              }
+            }
+          }
+        }
+      `),
+      { input: input }
+    )
+  return result;
+}
+
 export async function _setUserLocked(input: SetUserLockedInput): $OpResult<SetUserLockedMutation> {
   //language=GraphQL
   const result = await getClient()
diff --git a/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte b/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
new file mode 100644
index 000000000..39a2cf97b
--- /dev/null
+++ b/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
@@ -0,0 +1,9 @@
+<script lang="ts">
+  import { TitlePage } from '$lib/layout';
+  import t from '$lib/i18n';
+  import CreateUser from '$lib/components/Users/CreateUser.svelte';
+</script>
+
+<TitlePage title={$t('accept_invitation.title')}>
+  <CreateUser endpoint="acceptInvitation" />
+</TitlePage>
diff --git a/frontend/src/routes/(unauthenticated)/register/+page.svelte b/frontend/src/routes/(unauthenticated)/register/+page.svelte
index a2fab3786..6ec88c33a 100644
--- a/frontend/src/routes/(unauthenticated)/register/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/register/+page.svelte
@@ -5,5 +5,5 @@
 </script>
 
 <TitlePage title={$t('register.title')}>
-  <CreateUser />
+  <CreateUser endpoint="register" />
 </TitlePage>
diff --git a/frontend/tests/emailWorkflow.test.ts b/frontend/tests/emailWorkflow.test.ts
index 934aa4700..54082019a 100644
--- a/frontend/tests/emailWorkflow.test.ts
+++ b/frontend/tests/emailWorkflow.test.ts
@@ -4,7 +4,7 @@ import { deleteUser, getCurrentUserId, loginAs, logout } from './utils/authHelpe
 import { AdminDashboardPage } from './pages/adminDashboardPage';
 import { EmailSubjects } from './pages/mailPages';
 import { LoginPage } from './pages/loginPage';
-import { RegisterPage } from './pages/registerPage';
+import { AcceptInvitationPage } from './pages/acceptInvitationPage';
 import { ResetPasswordPage } from './pages/resetPasswordPage';
 import { UserAccountSettingsPage } from './pages/userAccountSettingsPage';
 import { UserDashboardPage } from './pages/userDashboardPage';
@@ -134,7 +134,7 @@ test('register via new-user invitation email', async ({ page }) => {
   const emailPage = await inboxPage.openEmail(EmailSubjects.ProjectInvitation);
   const invitationUrl = await emailPage.getFirstLanguageDepotUrl();
   expect(invitationUrl).not.toBeNull();
-  expect(invitationUrl!).toContain('register');
+  expect(invitationUrl!).toContain('acceptInvitation');
   expect(invitationUrl!).toContain('returnTo=');
   expect(invitationUrl!).not.toContain('returnTo=http');
 
@@ -142,11 +142,11 @@ test('register via new-user invitation email', async ({ page }) => {
   const pagePromise = emailPage.page.context().waitForEvent('page');
   await emailPage.clickFirstLanguageDepotUrl();
   const newPage = await pagePromise;
-  const registerPage = await new RegisterPage(newPage).waitFor();
+  const acceptPage = await new AcceptInvitationPage(newPage).waitFor();
   await expect(newPage.getByLabel('Email')).toHaveValue(newEmail);
-  await registerPage.fillForm(`Test user ${uuid}`, newEmail, defaultPassword);
+  await acceptPage.fillForm(`Test user ${uuid}`, newEmail, defaultPassword);
 
-  await registerPage.submit();
+  await acceptPage.submit();
   const userDashboardPage = await new UserDashboardPage(newPage).waitFor();
 
   // Register current user ID to be cleaned up even if test fails later on
diff --git a/frontend/tests/pages/acceptInvitationPage.ts b/frontend/tests/pages/acceptInvitationPage.ts
new file mode 100644
index 000000000..a46531909
--- /dev/null
+++ b/frontend/tests/pages/acceptInvitationPage.ts
@@ -0,0 +1,18 @@
+import type { Page } from '@playwright/test';
+import { BasePage } from './basePage';
+
+export class AcceptInvitationPage extends BasePage {
+  constructor(page: Page) {
+    super(page, page.getByRole('heading', {name: 'Accept Invitation'}), `/acceptInvitation`);
+  }
+
+  async fillForm(name: string, email: string, password: string): Promise<void> {
+    await this.page.getByLabel('Name').fill(name);
+    await this.page.getByLabel('Email').fill(email);
+    await this.page.getByLabel('Password').fill(password);
+  }
+
+  async submit(): Promise<void> {
+    await this.page.getByRole('button', {name: 'Register'}).click();
+  }
+}

From f35f8d015334155ad78ef88ca32ccd2fd2db286a Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Fri, 17 May 2024 11:59:00 +0700
Subject: [PATCH 26/42] Another change for optional proj ID in bulk add GQL

---
 frontend/src/lib/gql/gql-client.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/frontend/src/lib/gql/gql-client.ts b/frontend/src/lib/gql/gql-client.ts
index 1ac423236..124743f60 100644
--- a/frontend/src/lib/gql/gql-client.ts
+++ b/frontend/src/lib/gql/gql-client.ts
@@ -62,7 +62,9 @@ function createGqlClient(_gqlEndpoint?: string): Client {
               cache.invalidate({__typename: 'User', id: args.input.userId});
             },
             bulkAddProjectMembers: (result, args: BulkAddProjectMembersMutationVariables, cache, _info) => {
-              cache.invalidate({__typename: 'Project', id: args.input.projectId});
+              if (args.input.projectId) {
+                cache.invalidate({__typename: 'Project', id: args.input.projectId});
+              }
             },
             leaveProject: (result, args: LeaveProjectMutationVariables, cache, _info) => {
               cache.invalidate({__typename: 'Project', id: args.input.projectId});

From 5cd69c2b5d0bc9f4d8b3ea3d45f9a224e31b77dd Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Fri, 17 May 2024 15:19:01 +0700
Subject: [PATCH 27/42] Remove autoLogin from backend API

Keep it in the frontend CreateUser component, because we don't want
admins to get logged out when they create a guest user with the modal.
---
 backend/LexBoxApi/Models/RegisterAccountInput.cs    |  3 +--
 frontend/src/lib/components/Users/CreateUser.svelte |  2 +-
 frontend/src/lib/user.ts                            | 13 ++++++-------
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/backend/LexBoxApi/Models/RegisterAccountInput.cs b/backend/LexBoxApi/Models/RegisterAccountInput.cs
index ddf3b1576..b29304da7 100644
--- a/backend/LexBoxApi/Models/RegisterAccountInput.cs
+++ b/backend/LexBoxApi/Models/RegisterAccountInput.cs
@@ -7,5 +7,4 @@ public record RegisterAccountInput([Required(AllowEmptyStrings = false)] string
     [Required(AllowEmptyStrings = false)] string Locale,
     [Required(AllowEmptyStrings = false)] string PasswordHash,
     int? PasswordStrength,
-    string TurnstileToken,
-    bool AutoLogin = true);
+    string TurnstileToken);
diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 070a6e270..294c0f772 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -35,7 +35,7 @@
       : endpoint === 'register' ? register
       : endpoint === 'createGuestUserByAdmin' ? createGuestUserByAdmin
       : () => { throw new Error(`CreateUser doesn't know how to handle endpoint type ${endpoint}`) };
-    const { user, error } = await endpointHandler($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken, autoLogin);
+    const { user, error } = await endpointHandler($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken);
     if (error) {
       if (error.turnstile) {
         $message = $t('turnstile.invalid');
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index 84a227f7e..b6d0a83ec 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -84,7 +84,7 @@ export async function login(userId: string, password: string): Promise<LoginResu
 }
 
 type RegisterResponse = { error?: { turnstile: boolean, accountExists: boolean, invalidInput: boolean }, user?: LexAuthUser };
-export async function createUser(endpoint: string, password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
+export async function createUser(endpoint: string, password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string): Promise<RegisterResponse> {
   const response = await fetch(endpoint, {
     method: 'post',
     headers: {
@@ -96,7 +96,6 @@ export async function createUser(endpoint: string, password: string, passwordStr
       locale,
       turnstileToken,
       passwordStrength,
-      autoLogin,
       passwordHash: await hash(password),
     })
   });
@@ -111,13 +110,13 @@ export async function createUser(endpoint: string, password: string, passwordStr
   const userJson: LexAuthUser = jwtToUser(responseJson);
   return { user: userJson };
 }
-export function register(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
-  return createUser('/api/User/registerAccount', password, passwordStrength, name, email, locale, turnstileToken, autoLogin);
+export function register(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string): Promise<RegisterResponse> {
+  return createUser('/api/User/registerAccount', password, passwordStrength, name, email, locale, turnstileToken);
 }
-export function acceptInvitation(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string, autoLogin: boolean): Promise<RegisterResponse> {
-  return createUser('/api/User/acceptInvitation', password, passwordStrength, name, email, locale, turnstileToken, autoLogin);
+export function acceptInvitation(password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string): Promise<RegisterResponse> {
+  return createUser('/api/User/acceptInvitation', password, passwordStrength, name, email, locale, turnstileToken);
 }
-export async function createGuestUserByAdmin(password: string, passwordStrength: number, name: string, email: string, locale: string, _turnstileToken: string, _autoLogin: boolean): Promise<RegisterResponse> {
+export async function createGuestUserByAdmin(password: string, passwordStrength: number, name: string, email: string, locale: string, _turnstileToken: string): Promise<RegisterResponse> {
   const passwordHash = await hash(password);
   const gqlInput: CreateGuestUserByAdminInput = {
     passwordHash,

From 6b19e6c27782607305b086c35de2117480161381 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Fri, 17 May 2024 15:37:53 +0700
Subject: [PATCH 28/42] CreateUser UI now optionally allows usernames

Currently it disallows usernames by default, and they're only allowed in
the admin dashboard's CreateUserModal.
---
 frontend/src/lib/components/Users/CreateUser.svelte   | 11 +++++++----
 .../src/lib/components/Users/CreateUserModal.svelte   |  2 +-
 frontend/src/lib/i18n/locales/en.json                 |  1 +
 frontend/src/lib/user.ts                              |  6 +++++-
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 294c0f772..48d57b63f 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
   import { goto } from '$app/navigation';
   import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
-  import { SubmitButton, FormError, Input, ProtectedForm, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
+  import { SubmitButton, FormError, Input, ProtectedForm, isEmail, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
   import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
   import { register, acceptInvitation, createGuestUserByAdmin } from '$lib/user';
   import { getSearchParamValues } from '$lib/util/query-params';
@@ -9,6 +9,7 @@
   import { z } from 'zod';
 
   export let autoLogin = true;
+  export let allowUsernames = false;
   export let onSubmit: (() => void) | undefined = undefined;
   export let submitButtonText = $t('register.button_register');
   export let endpoint: 'register' | 'acceptInvitation' | 'createGuestUserByAdmin';
@@ -23,7 +24,9 @@
   const userLocale = getLanguageCodeFromNavigator() ?? $locale;
   const formSchema = z.object({
     name: z.string().trim().min(1, $t('register.name_missing')),
-    email: z.string().email($t('form.invalid_email')),
+    email: z.string().trim()
+      .min(1, $t('project_page.add_user.empty_user_field'))
+      .refine((value) => (allowUsernames && !value.includes('@')) || isEmail(value), { message: $t('form.invalid_email') }),
     password: passwordFormRules($t),
     score: z.number(),
     locale: z.string().trim().min(2).default(userLocale),
@@ -71,9 +74,9 @@
   <div class="contents email">
     <Input
       id="email"
-      label={$t('register.label_email')}
+      label={$t(allowUsernames ? 'register.label_email_or_username' : 'register.label_email')}
       description={$t('register.description_email')}
-      type="email"
+      type={allowUsernames ? 'text' : 'email'}
       bind:value={$form.email}
       error={$errors.email}
     />
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index ec1992879..dbadd1d3d 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -33,7 +33,7 @@
     </div>
   </div>
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser {endpoint} autoLogin={false}
+  <CreateUser {endpoint} autoLogin={false} allowUsernames={true}
     onSubmit={() => createUserModal.submitModal()}
     submitButtonText={$t('admin_dashboard.create_user_modal.create_user')}
   />
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 0a91d071c..22d3fea60 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -392,6 +392,7 @@ If you don't see a dialog or already closed it, click the button below:",
     "invalid_input": "Please specify an email address",
     "button_register": "Register",
     "label_email": "Email",
+    "label_email_or_username": "Email or login/username",
     "description_email": "This will be your **Send/Receive login**",
     "label_name": "Name",
     "label_password": "Password",
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index b6d0a83ec..be61ed45d 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -122,9 +122,13 @@ export async function createGuestUserByAdmin(password: string, passwordStrength:
     passwordHash,
     passwordStrength,
     name,
-    email,
     locale,
   };
+  if (email.includes('@')) {
+    gqlInput.email = email;
+  } else {
+    gqlInput.username = email;
+  }
   const gqlResponse = await _createGuestUserByAdmin(gqlInput);
   // const registerResponse = { error?: { turnstile: boolean, accountExists: boolean }, user?: LexAuthUser };
   if (gqlResponse.error?.byType('UniqueValueError')) {

From 8c5d0b07eb47a5cdf6991c3cb54d7e942a0be8de Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:21:36 +0700
Subject: [PATCH 29/42] Validate usernames in CreateUser form

---
 frontend/src/lib/components/Users/CreateUser.svelte            | 3 ++-
 frontend/src/lib/i18n/locales/en.json                          | 2 +-
 frontend/src/lib/user.ts                                       | 2 ++
 .../project/[project_code]/BulkAddProjectMembers.svelte        | 3 +--
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 48d57b63f..1f47a5711 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -6,6 +6,7 @@
   import { register, acceptInvitation, createGuestUserByAdmin } from '$lib/user';
   import { getSearchParamValues } from '$lib/util/query-params';
   import { onMount } from 'svelte';
+  import { usernameRe } from '$lib/user';
   import { z } from 'zod';
 
   export let autoLogin = true;
@@ -26,7 +27,7 @@
     name: z.string().trim().min(1, $t('register.name_missing')),
     email: z.string().trim()
       .min(1, $t('project_page.add_user.empty_user_field'))
-      .refine((value) => (allowUsernames && !value.includes('@')) || isEmail(value), { message: $t('form.invalid_email') }),
+      .refine((value) => (allowUsernames && !value.includes('@') && usernameRe.test(value)) || isEmail(value), { message: $t('register.invalid_input') }),
     password: passwordFormRules($t),
     score: z.number(),
     locale: z.string().trim().min(2).default(userLocale),
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 22d3fea60..aa08db832 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -389,7 +389,7 @@ If you don't see a dialog or already closed it, click the button below:",
   "register": {
     "title": "Register",
     "account_exists": "An account with this email already exists",
-    "invalid_input": "Please specify an email address",
+    "invalid_input": "Please specify an email address or a valid username",
     "button_register": "Register",
     "label_email": "Email",
     "label_email_or_username": "Email or login/username",
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index be61ed45d..94eb603b5 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -57,6 +57,8 @@ export type LexAuthUser = {
 export const USER_LOAD_KEY = 'user:current';
 export const AUTH_COOKIE_NAME = '.LexBoxAuth';
 
+export const usernameRe = /^[a-zA-Z0-9_]+$/;
+
 export function getHomePath(user: LexAuthUser | null): string {
   return user?.isAdmin ? '/admin' : '/';
 }
diff --git a/frontend/src/routes/(authenticated)/project/[project_code]/BulkAddProjectMembers.svelte b/frontend/src/routes/(authenticated)/project/[project_code]/BulkAddProjectMembers.svelte
index 7507eb021..bc335a347 100644
--- a/frontend/src/routes/(authenticated)/project/[project_code]/BulkAddProjectMembers.svelte
+++ b/frontend/src/routes/(authenticated)/project/[project_code]/BulkAddProjectMembers.svelte
@@ -13,6 +13,7 @@
   import { distinct } from '$lib/util/array';
   import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
   import { SupHelp, helpLinks } from '$lib/components/help';
+  import { usernameRe } from '$lib/user';
 
   enum BulkAddSteps {
     Add,
@@ -35,8 +36,6 @@
   let existingMembers: BulkAddProjectMembersResult['existingMembers'] = [];
   $: addedCount = addedMembers.length + createdMembers.length;
 
-  const usernameRe = /^[a-zA-Z0-9_]+$/;
-
   function validateBulkAddInput(usernames: string[]): FormSubmitReturn<typeof schema> {
     if (usernames.length === 0) return { usernamesText: [$t('project_page.bulk_add_members.empty_user_field')] };
 

From 57b5ab3f05dd4b8ecbe49f649792ed1b2c83d026 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:22:39 +0700
Subject: [PATCH 30/42] Remove redundant username check in CreateUser

As long as we don't add @ to the usernameRe check, the check for
`value.contains('@')` is redundant, so let's get rid of it. We'll also
rearrange the check to have `isEmail` first as that's easier to read.
---
 frontend/src/lib/components/Users/CreateUser.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 1f47a5711..3e12592a8 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -27,7 +27,7 @@
     name: z.string().trim().min(1, $t('register.name_missing')),
     email: z.string().trim()
       .min(1, $t('project_page.add_user.empty_user_field'))
-      .refine((value) => (allowUsernames && !value.includes('@') && usernameRe.test(value)) || isEmail(value), { message: $t('register.invalid_input') }),
+      .refine((value) => isEmail(value) || (allowUsernames && usernameRe.test(value)), { message: $t('register.invalid_input') }),
     password: passwordFormRules($t),
     score: z.number(),
     locale: z.string().trim().min(2).default(userLocale),

From adebdc6052c5f62e3c47110f08194821aa0e17f9 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:24:11 +0700
Subject: [PATCH 31/42] Prettiness

---
 frontend/src/lib/components/Users/CreateUserModal.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index dbadd1d3d..60c35bd7d 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -33,7 +33,7 @@
     </div>
   </div>
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser {endpoint} autoLogin={false} allowUsernames={true}
+  <CreateUser {endpoint} autoLogin={false} allowUsernames
     onSubmit={() => createUserModal.submitModal()}
     submitButtonText={$t('admin_dashboard.create_user_modal.create_user')}
   />

From 1e3cb445b9a03101034c2cc33213013918442d66 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:25:58 +0700
Subject: [PATCH 32/42] Remove completed TODO

The comment mentions errors.username, but we decided not to have a
separate field called username. We kept the field called email since
that's its primary purpose, but the error message has been adjusted to
mention usernames *or* email addresses.
---
 frontend/src/lib/components/Users/CreateUser.svelte | 1 -
 1 file changed, 1 deletion(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 3e12592a8..b447dcacc 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -49,7 +49,6 @@
       }
       if (error.invalidInput) {
         $errors.email = [$t('register.invalid_input')];
-        // If we later allow username-only accounts to be created, add error message to $errors.username as well and change message to "specify email or username"
       }
       return;
     }

From b7f04bcf5954c23eb7766aa07d94f74a911ca4bf Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:31:38 +0700
Subject: [PATCH 33/42] Move onSubmit handler to CreateUser callers

This lets us get rid of the autoLogin prop as well, as if you don't want
autoLogin you just don't implement an on:submitted handler.
---
 frontend/src/lib/components/Users/CreateUser.svelte      | 9 ++++-----
 frontend/src/lib/components/Users/CreateUserModal.svelte | 4 ++--
 .../(unauthenticated)/acceptInvitation/+page.svelte      | 7 ++++++-
 .../src/routes/(unauthenticated)/register/+page.svelte   | 7 ++++++-
 4 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index b447dcacc..82e320dc9 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -5,16 +5,16 @@
   import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
   import { register, acceptInvitation, createGuestUserByAdmin } from '$lib/user';
   import { getSearchParamValues } from '$lib/util/query-params';
-  import { onMount } from 'svelte';
+  import { createEventDispatcher, onMount } from 'svelte';
   import { usernameRe } from '$lib/user';
   import { z } from 'zod';
 
-  export let autoLogin = true;
   export let allowUsernames = false;
-  export let onSubmit: (() => void) | undefined = undefined;
   export let submitButtonText = $t('register.button_register');
   export let endpoint: 'register' | 'acceptInvitation' | 'createGuestUserByAdmin';
 
+  const dispatch = createEventDispatcher();
+
   type RegisterPageQueryParams = {
     name: string;
     email: string;
@@ -53,8 +53,7 @@
       return;
     }
     if (user) {
-      if (onSubmit) onSubmit();
-      if (autoLogin) await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
+      dispatch('submitted');
       return;
     }
     throw new Error('Unknown error, no error from server, but also no user.');
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index 60c35bd7d..fe52bb07f 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -33,8 +33,8 @@
     </div>
   </div>
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser {endpoint} autoLogin={false} allowUsernames
-    onSubmit={() => createUserModal.submitModal()}
+  <CreateUser {endpoint} allowUsernames
+    on:submitted={() => createUserModal.submitModal()}
     submitButtonText={$t('admin_dashboard.create_user_modal.create_user')}
   />
 </Modal>
diff --git a/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte b/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
index 39a2cf97b..3b9805e08 100644
--- a/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
@@ -2,8 +2,13 @@
   import { TitlePage } from '$lib/layout';
   import t from '$lib/i18n';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
+  import { goto } from '$app/navigation';
+
+  async function onSubmit(): Promise<void> {
+    await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
+  }
 </script>
 
 <TitlePage title={$t('accept_invitation.title')}>
-  <CreateUser endpoint="acceptInvitation" />
+  <CreateUser endpoint="acceptInvitation" on:submitted={onSubmit} />
 </TitlePage>
diff --git a/frontend/src/routes/(unauthenticated)/register/+page.svelte b/frontend/src/routes/(unauthenticated)/register/+page.svelte
index 6ec88c33a..68db8298a 100644
--- a/frontend/src/routes/(unauthenticated)/register/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/register/+page.svelte
@@ -2,8 +2,13 @@
   import { TitlePage } from '$lib/layout';
   import t from '$lib/i18n';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
+  import { goto } from '$app/navigation';
+
+  async function onSubmit(): Promise<void> {
+    await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
+  }
 </script>
 
 <TitlePage title={$t('register.title')}>
-  <CreateUser endpoint="register" />
+  <CreateUser endpoint="register" on:submitted={onSubmit} />
 </TitlePage>

From 328c3bcb09023be3b34fa3f0e4c780fb3ebf1e11 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:36:16 +0700
Subject: [PATCH 34/42] Make name a required field for CreateUser GQL

---
 backend/LexBoxApi/GraphQL/UserMutations.cs | 4 ++--
 frontend/schema.graphql                    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/LexBoxApi/GraphQL/UserMutations.cs b/backend/LexBoxApi/GraphQL/UserMutations.cs
index 1d4698618..07ba70d55 100644
--- a/backend/LexBoxApi/GraphQL/UserMutations.cs
+++ b/backend/LexBoxApi/GraphQL/UserMutations.cs
@@ -29,7 +29,7 @@ public record ChangeUserAccountByAdminInput(Guid UserId, string? Email, string N
         : ChangeUserAccountDataInput(UserId, Email, Name);
     public record CreateGuestUserByAdminInput(
         string? Email,
-        string? Name,
+        string Name,
         string? Username,
         string Locale,
         string PasswordHash,
@@ -99,7 +99,7 @@ LexBoxDbContext dbContext
         var userEntity = new User
         {
             Id = Guid.NewGuid(),
-            Name = input.Name ?? input.Username ?? input.Email!,
+            Name = input.Name,
             Email = input.Email,
             Username = input.Username,
             LocalizationCode = input.Locale,
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
index 3d3d29438..03ecb72b0 100644
--- a/frontend/schema.graphql
+++ b/frontend/schema.graphql
@@ -431,7 +431,7 @@ input ChangeUserAccountBySelfInput {
 
 input CreateGuestUserByAdminInput {
   email: String
-  name: String
+  name: String!
   username: String
   locale: String!
   passwordHash: String!

From 0b9fd4883972a33d18fe9f2dd79e9bcf8a011d42 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:53:37 +0700
Subject: [PATCH 35/42] Skip turnstile token in admin dashboard

If you're logged in as an admin, we trust you and don't expect you to be
participating in DDOS attacks or anything else that would require a
turnstile token.
---
 frontend/src/lib/components/Users/CreateUser.svelte      | 7 ++++---
 frontend/src/lib/components/Users/CreateUserModal.svelte | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 82e320dc9..b3dd460a3 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
   import { goto } from '$app/navigation';
   import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
-  import { SubmitButton, FormError, Input, ProtectedForm, isEmail, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
+  import { SubmitButton, FormError, Input, Form, ProtectedForm, isEmail, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
   import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
   import { register, acceptInvitation, createGuestUserByAdmin } from '$lib/user';
   import { getSearchParamValues } from '$lib/util/query-params';
@@ -10,6 +10,7 @@
   import { z } from 'zod';
 
   export let allowUsernames = false;
+  export let skipTurnstile = false;
   export let submitButtonText = $t('register.button_register');
   export let endpoint: 'register' | 'acceptInvitation' | 'createGuestUserByAdmin';
 
@@ -68,7 +69,7 @@
   });
 </script>
 
-<ProtectedForm {enhance} bind:turnstileToken>
+<svelte:component this={skipTurnstile ? Form : ProtectedForm} {enhance} bind:turnstileToken>
   <Input autofocus id="name" label={$t('register.label_name')} bind:value={$form.name} error={$errors.name} />
   <div class="contents email">
     <Input
@@ -94,7 +95,7 @@
   />
   <FormError error={$message} />
   <SubmitButton loading={$submitting}>{submitButtonText}</SubmitButton>
-</ProtectedForm>
+</svelte:component>
 
 <style lang="postcss">
   .email :global(.description) {
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index fe52bb07f..ba19eadbf 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -33,7 +33,7 @@
     </div>
   </div>
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser {endpoint} allowUsernames
+  <CreateUser {endpoint} allowUsernames skipTurnstile
     on:submitted={() => createUserModal.submitModal()}
     submitButtonText={$t('admin_dashboard.create_user_modal.create_user')}
   />

From b385c690a6f32e13d4d14c7331658222cd2b1ee9 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 09:54:18 +0700
Subject: [PATCH 36/42] Fix lint error

---
 frontend/src/lib/components/Users/CreateUser.svelte | 1 -
 1 file changed, 1 deletion(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index b3dd460a3..32351362c 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-  import { goto } from '$app/navigation';
   import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
   import { SubmitButton, FormError, Input, Form, ProtectedForm, isEmail, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
   import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';

From 50fe0ce2faa14f15dbb118aa7b34b4dcb4e8040c Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 10:01:36 +0700
Subject: [PATCH 37/42] Switch endpoint prop in CreateUser for function

Instaed of passing the name of the endpoint to handle into CreateUser,
we will now pass in the function responsible for submitting the data to
the endpoint. This will make it easier to expand the list of endpoints
in the future should we decide to.
---
 frontend/src/lib/components/Users/CreateUser.svelte   | 11 +++--------
 .../src/lib/components/Users/CreateUserModal.svelte   |  5 +++--
 frontend/src/lib/user.ts                              |  2 +-
 .../src/routes/(authenticated)/admin/+page.svelte     |  3 ++-
 .../(unauthenticated)/acceptInvitation/+page.svelte   |  3 ++-
 .../routes/(unauthenticated)/register/+page.svelte    |  3 ++-
 6 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 32351362c..0d372c64f 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -2,7 +2,7 @@
   import PasswordStrengthMeter from '$lib/components/PasswordStrengthMeter.svelte';
   import { SubmitButton, FormError, Input, Form, ProtectedForm, isEmail, lexSuperForm, passwordFormRules, DisplayLanguageSelect } from '$lib/forms';
   import t, { getLanguageCodeFromNavigator, locale } from '$lib/i18n';
-  import { register, acceptInvitation, createGuestUserByAdmin } from '$lib/user';
+  import { type RegisterResponse } from '$lib/user';
   import { getSearchParamValues } from '$lib/util/query-params';
   import { createEventDispatcher, onMount } from 'svelte';
   import { usernameRe } from '$lib/user';
@@ -11,7 +11,7 @@
   export let allowUsernames = false;
   export let skipTurnstile = false;
   export let submitButtonText = $t('register.button_register');
-  export let endpoint: 'register' | 'acceptInvitation' | 'createGuestUserByAdmin';
+  export let handleSubmit: (password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string) => Promise<RegisterResponse>;
 
   const dispatch = createEventDispatcher();
 
@@ -34,12 +34,7 @@
   });
 
   let { form, errors, message, enhance, submitting } = lexSuperForm(formSchema, async () => {
-    const endpointHandler =
-        endpoint === 'acceptInvitation' ? acceptInvitation
-      : endpoint === 'register' ? register
-      : endpoint === 'createGuestUserByAdmin' ? createGuestUserByAdmin
-      : () => { throw new Error(`CreateUser doesn't know how to handle endpoint type ${endpoint}`) };
-    const { user, error } = await endpointHandler($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken);
+    const { user, error } = await handleSubmit($form.password, $form.score, $form.name, $form.email, $form.locale, turnstileToken);
     if (error) {
       if (error.turnstile) {
         $message = $t('turnstile.invalid');
diff --git a/frontend/src/lib/components/Users/CreateUserModal.svelte b/frontend/src/lib/components/Users/CreateUserModal.svelte
index ba19eadbf..6c8e5fde4 100644
--- a/frontend/src/lib/components/Users/CreateUserModal.svelte
+++ b/frontend/src/lib/components/Users/CreateUserModal.svelte
@@ -2,13 +2,14 @@
   import { Modal } from '$lib/components/modals';
   import t from '$lib/i18n';
   import { helpLinks } from '$lib/components/help';
+  import { type RegisterResponse } from '$lib/user';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
   import Markdown from 'svelte-exmarkdown';
   import { NewTabLinkRenderer } from '$lib/components/Markdown';
   import Icon from '$lib/icons/Icon.svelte';
 
   let createUserModal: Modal;
-  export let endpoint: 'register' | 'acceptInvitation' | 'createGuestUserByAdmin';
+  export let handleSubmit: (password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string) => Promise<RegisterResponse>;
 
   export async function open(): Promise<void> {
     await createUserModal.openModal(true, true);
@@ -33,7 +34,7 @@
     </div>
   </div>
   <h1 class="text-center text-xl">{$t('admin_dashboard.create_user_modal.create_user')}</h1>
-  <CreateUser {endpoint} allowUsernames skipTurnstile
+  <CreateUser {handleSubmit} allowUsernames skipTurnstile
     on:submitted={() => createUserModal.submitModal()}
     submitButtonText={$t('admin_dashboard.create_user_modal.create_user')}
   />
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index 94eb603b5..ff0e7bf50 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -85,7 +85,7 @@ export async function login(userId: string, password: string): Promise<LoginResu
     : { success: false, error: await response.text() as LoginError };
 }
 
-type RegisterResponse = { error?: { turnstile: boolean, accountExists: boolean, invalidInput: boolean }, user?: LexAuthUser };
+export type RegisterResponse = { error?: { turnstile: boolean, accountExists: boolean, invalidInput: boolean }, user?: LexAuthUser };
 export async function createUser(endpoint: string, password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string): Promise<RegisterResponse> {
   const response = await fetch(endpoint, {
     method: 'post',
diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index 4688ffec0..6badf8cb8 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -21,6 +21,7 @@
   import { Button } from '$lib/forms';
   import { PageBreadcrumb } from '$lib/layout';
   import AdminTabs, { type AdminTabId } from './AdminTabs.svelte';
+  import { createGuestUserByAdmin } from '$lib/user';
   import CreateUserModal from '$lib/components/Users/CreateUserModal.svelte';
   import type { Confidentiality } from '$lib/components/Projects';
 
@@ -245,5 +246,5 @@
   <EditUserAccount bind:this={formModal} {deleteUser} currUser={data.user} />
   <DeleteUserModal bind:this={deleteUserModal} i18nScope="admin_dashboard.form_modal.delete_user" />
   <UserModal bind:this={userModal}/>
-  <CreateUserModal endpoint="createGuestUserByAdmin" bind:this={createUserModal}/>
+  <CreateUserModal handleSubmit={createGuestUserByAdmin} bind:this={createUserModal}/>
 </main>
diff --git a/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte b/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
index 3b9805e08..dd8af1c28 100644
--- a/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/acceptInvitation/+page.svelte
@@ -3,6 +3,7 @@
   import t from '$lib/i18n';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
   import { goto } from '$app/navigation';
+  import { acceptInvitation } from '$lib/user';
 
   async function onSubmit(): Promise<void> {
     await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
@@ -10,5 +11,5 @@
 </script>
 
 <TitlePage title={$t('accept_invitation.title')}>
-  <CreateUser endpoint="acceptInvitation" on:submitted={onSubmit} />
+  <CreateUser handleSubmit={acceptInvitation} on:submitted={onSubmit} />
 </TitlePage>
diff --git a/frontend/src/routes/(unauthenticated)/register/+page.svelte b/frontend/src/routes/(unauthenticated)/register/+page.svelte
index 68db8298a..8213ed750 100644
--- a/frontend/src/routes/(unauthenticated)/register/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/register/+page.svelte
@@ -3,6 +3,7 @@
   import t from '$lib/i18n';
   import CreateUser from '$lib/components/Users/CreateUser.svelte';
   import { goto } from '$app/navigation';
+  import { register } from '$lib/user';
 
   async function onSubmit(): Promise<void> {
     await goto('/home', { invalidateAll: true }); // invalidate so we get the user from the server
@@ -10,5 +11,5 @@
 </script>
 
 <TitlePage title={$t('register.title')}>
-  <CreateUser endpoint="register" on:submitted={onSubmit} />
+  <CreateUser handleSubmit={register} on:submitted={onSubmit} />
 </TitlePage>

From 57b45712ba0369029e30aac7f5a04805650de50d Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Mon, 20 May 2024 10:03:53 +0700
Subject: [PATCH 38/42] Passsword strength now required in CreateGuestUser GQL

---
 backend/LexBoxApi/GraphQL/UserMutations.cs | 2 +-
 frontend/schema.graphql                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/LexBoxApi/GraphQL/UserMutations.cs b/backend/LexBoxApi/GraphQL/UserMutations.cs
index 07ba70d55..3c99143e2 100644
--- a/backend/LexBoxApi/GraphQL/UserMutations.cs
+++ b/backend/LexBoxApi/GraphQL/UserMutations.cs
@@ -33,7 +33,7 @@ public record CreateGuestUserByAdminInput(
         string? Username,
         string Locale,
         string PasswordHash,
-        int? PasswordStrength);
+        int PasswordStrength);
 
     [Error<NotFoundException>]
     [Error<DbError>]
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
index 03ecb72b0..88fedd1ec 100644
--- a/frontend/schema.graphql
+++ b/frontend/schema.graphql
@@ -435,7 +435,7 @@ input CreateGuestUserByAdminInput {
   username: String
   locale: String!
   passwordHash: String!
-  passwordStrength: Int
+  passwordStrength: Int!
 }
 
 input CreateOrganizationInput {

From 024113c1168047817e9a7dc45924b077b8a8694b Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Wed, 22 May 2024 10:54:31 +0700
Subject: [PATCH 39/42] Address review comments

---
 backend/LexBoxApi/GraphQL/UserMutations.cs             | 7 ++++++-
 frontend/src/lib/user.ts                               | 3 +--
 frontend/src/routes/(authenticated)/admin/+page.svelte | 3 ++-
 frontend/tests/emailWorkflow.test.ts                   | 2 +-
 frontend/tests/pages/acceptInvitationPage.ts           | 4 ++--
 5 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/backend/LexBoxApi/GraphQL/UserMutations.cs b/backend/LexBoxApi/GraphQL/UserMutations.cs
index 3c99143e2..aff7f6108 100644
--- a/backend/LexBoxApi/GraphQL/UserMutations.cs
+++ b/backend/LexBoxApi/GraphQL/UserMutations.cs
@@ -82,7 +82,8 @@ EmailService emailService
     public async Task<LexAuthUser> CreateGuestUserByAdmin(
         LoggedInContext loggedInContext,
         CreateGuestUserByAdminInput input,
-        LexBoxDbContext dbContext
+        LexBoxDbContext dbContext,
+        EmailService emailService
     )
     {
         using var createGuestUserActivity = LexBoxActivitySource.Get().StartActivity("CreateGuestUser");
@@ -115,6 +116,10 @@ LexBoxDbContext dbContext
         createGuestUserActivity?.AddTag("app.user.id", userEntity.Id);
         dbContext.Users.Add(userEntity);
         await dbContext.SaveChangesAsync();
+        if (!string.IsNullOrEmpty(input.Email))
+        {
+            await emailService.SendVerifyAddressEmail(userEntity);
+        }
         return new LexAuthUser(userEntity);
     }
 
diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index ff0e7bf50..da05db064 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -19,7 +19,7 @@ type RegisterResponseErrors = {
     /* eslint-disable @typescript-eslint/naming-convention */
     TurnstileToken?: unknown,
     Email?: unknown,
-    Required?: unknown,
+    Required?: unknown, // RequiredException is thrown if GQL input is invalid, e.g. missing both email *and* username for CreateUser
     /* eslint-enable @typescript-eslint/naming-convention */
   }
 }
@@ -132,7 +132,6 @@ export async function createGuestUserByAdmin(password: string, passwordStrength:
     gqlInput.username = email;
   }
   const gqlResponse = await _createGuestUserByAdmin(gqlInput);
-  // const registerResponse = { error?: { turnstile: boolean, accountExists: boolean }, user?: LexAuthUser };
   if (gqlResponse.error?.byType('UniqueValueError')) {
     return { error: { invalidInput: false, turnstile: false, accountExists: true }};
   }
diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index 6badf8cb8..5227fdc2b 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -133,7 +133,8 @@
               {$t('admin_dashboard.create_user_modal.create_user')}
             </span>
             <span class="i-mdi-plus text-2xl" />
-          </button>        </div>
+          </button>
+        </div>
       </AdminTabs>
       <div class="mt-4">
         <FilterBar
diff --git a/frontend/tests/emailWorkflow.test.ts b/frontend/tests/emailWorkflow.test.ts
index 54082019a..1661db416 100644
--- a/frontend/tests/emailWorkflow.test.ts
+++ b/frontend/tests/emailWorkflow.test.ts
@@ -144,7 +144,7 @@ test('register via new-user invitation email', async ({ page }) => {
   const newPage = await pagePromise;
   const acceptPage = await new AcceptInvitationPage(newPage).waitFor();
   await expect(newPage.getByLabel('Email')).toHaveValue(newEmail);
-  await acceptPage.fillForm(`Test user ${uuid}`, newEmail, defaultPassword);
+  await acceptPage.fillForm(`Test user ${uuid}`, defaultPassword);
 
   await acceptPage.submit();
   const userDashboardPage = await new UserDashboardPage(newPage).waitFor();
diff --git a/frontend/tests/pages/acceptInvitationPage.ts b/frontend/tests/pages/acceptInvitationPage.ts
index a46531909..f28f300bd 100644
--- a/frontend/tests/pages/acceptInvitationPage.ts
+++ b/frontend/tests/pages/acceptInvitationPage.ts
@@ -6,10 +6,10 @@ export class AcceptInvitationPage extends BasePage {
     super(page, page.getByRole('heading', {name: 'Accept Invitation'}), `/acceptInvitation`);
   }
 
-  async fillForm(name: string, email: string, password: string): Promise<void> {
+  async fillForm(name: string, password: string, email?: string): Promise<void> {
     await this.page.getByLabel('Name').fill(name);
-    await this.page.getByLabel('Email').fill(email);
     await this.page.getByLabel('Password').fill(password);
+    if (email) await this.page.getByLabel('Email').fill(email);
   }
 
   async submit(): Promise<void> {

From e563e4a39d1f28343310f1ca8b96fdebd1d01112 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Wed, 22 May 2024 10:57:36 +0700
Subject: [PATCH 40/42] Make RegisterResponse error properties optional

---
 frontend/src/lib/user.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lib/user.ts b/frontend/src/lib/user.ts
index da05db064..c747938da 100644
--- a/frontend/src/lib/user.ts
+++ b/frontend/src/lib/user.ts
@@ -85,7 +85,7 @@ export async function login(userId: string, password: string): Promise<LoginResu
     : { success: false, error: await response.text() as LoginError };
 }
 
-export type RegisterResponse = { error?: { turnstile: boolean, accountExists: boolean, invalidInput: boolean }, user?: LexAuthUser };
+export type RegisterResponse = { error?: { turnstile?: boolean, accountExists?: boolean, invalidInput?: boolean }, user?: LexAuthUser };
 export async function createUser(endpoint: string, password: string, passwordStrength: number, name: string, email: string, locale: string, turnstileToken: string): Promise<RegisterResponse> {
   const response = await fetch(endpoint, {
     method: 'post',
@@ -133,13 +133,13 @@ export async function createGuestUserByAdmin(password: string, passwordStrength:
   }
   const gqlResponse = await _createGuestUserByAdmin(gqlInput);
   if (gqlResponse.error?.byType('UniqueValueError')) {
-    return { error: { invalidInput: false, turnstile: false, accountExists: true }};
+    return { error: { accountExists: true }};
   }
   if (gqlResponse.error?.byType('RequiredError')) {
-    return { error: { invalidInput: true, turnstile: false, accountExists: false }};
+    return { error: { invalidInput: true }};
   }
   if (!gqlResponse.data?.createGuestUserByAdmin.lexAuthUser ) {
-    return { error: { invalidInput: true, turnstile: false, accountExists: false }};
+    return { error: { invalidInput: true }};
   }
   const responseUser = gqlResponse.data?.createGuestUserByAdmin.lexAuthUser;
   const user: LexAuthUser = {

From f027c6bcaef0507724b2517df1bc9d657f389387 Mon Sep 17 00:00:00 2001
From: Robin Munn <rmunn@pobox.com>
Date: Thu, 23 May 2024 17:25:27 +0700
Subject: [PATCH 41/42] Address review comments about error message

---
 frontend/src/lib/components/Users/CreateUser.svelte | 4 ++--
 frontend/src/lib/i18n/locales/en.json               | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index 0d372c64f..fd9c6e1ee 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -27,7 +27,7 @@
     name: z.string().trim().min(1, $t('register.name_missing')),
     email: z.string().trim()
       .min(1, $t('project_page.add_user.empty_user_field'))
-      .refine((value) => isEmail(value) || (allowUsernames && usernameRe.test(value)), { message: $t('register.invalid_input') }),
+      .refine((value) => isEmail(value) || (allowUsernames && usernameRe.test(value)), (value) => ({ message: isEmail(value) ? $t('register.invalid_email', { email: value }) : $t('register.invalid_username', {username: value}) })),
     password: passwordFormRules($t),
     score: z.number(),
     locale: z.string().trim().min(2).default(userLocale),
@@ -43,7 +43,7 @@
         $errors.email = [$t('register.account_exists')];
       }
       if (error.invalidInput) {
-        $errors.email = [$t('register.invalid_input')];
+        $errors.email = [$t('register.invalid_input', { username: $form.email })];
       }
       return;
     }
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index aa08db832..d42455c10 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -225,7 +225,7 @@ the [Linguistics Institute at Payap University](https://li.payap.ac.th/) in Chia
       "shared_password_description": "For new users",
       "usernames": "Logins or emails (one per line)",
       "usernames_description": "This will be the **Send/Receive login** for new users",
-      "invalid_username": "Invalid login/username: {username}. Can only use letters, numbers, and underscore (_) characters.",
+      "invalid_username": "Invalid login/username: {username}. Only letters, numbers, and underscore (_) characters are allowed.",
       "empty_user_field": "Please enter email addresses and/or logins",
       "creator_must_have_email": "You must have an email address in order to create a project.",
       "members_added": "{addedCount} new {addedCount, plural, one {member was} other {members were}} added to project.",
@@ -389,7 +389,9 @@ If you don't see a dialog or already closed it, click the button below:",
   "register": {
     "title": "Register",
     "account_exists": "An account with this email already exists",
-    "invalid_input": "Please specify an email address or a valid username",
+    "invalid_email": "Invalid email address: {email}",
+    "invalid_username": "Invalid login/username: {username}. Only letters, numbers, and underscore (_) characters are allowed.",
+    "invalid_input": "Invalid email address or login/username: {username}. Only letters, numbers, and underscore (_) characters are allowed.",
     "button_register": "Register",
     "label_email": "Email",
     "label_email_or_username": "Email or login/username",

From f2d011a30b27f1d918f3b7bbbd3d994727c6cde6 Mon Sep 17 00:00:00 2001
From: Tim Haasdyk <tim_haasdyk@sil.org>
Date: Thu, 23 May 2024 13:31:05 +0200
Subject: [PATCH 42/42] Fix and organize email/username validation messages

---
 frontend/src/lib/components/Users/CreateUser.svelte | 10 ++++++++--
 frontend/src/lib/i18n/locales/en.json               |  4 +---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/frontend/src/lib/components/Users/CreateUser.svelte b/frontend/src/lib/components/Users/CreateUser.svelte
index fd9c6e1ee..9009bc3e0 100644
--- a/frontend/src/lib/components/Users/CreateUser.svelte
+++ b/frontend/src/lib/components/Users/CreateUser.svelte
@@ -20,6 +20,11 @@
     email: string;
   };
   let turnstileToken = '';
+
+  function validateAsEmail(value: string): boolean {
+    return !allowUsernames || value.includes('@');
+  }
+
   // $locale is the locale that our i18n is using for them (i.e. the best available option we have for them)
   // getLanguageCodeFromNavigator() gives us the language/locale they probably actually want. Maybe we'll support it in the future.
   const userLocale = getLanguageCodeFromNavigator() ?? $locale;
@@ -27,7 +32,8 @@
     name: z.string().trim().min(1, $t('register.name_missing')),
     email: z.string().trim()
       .min(1, $t('project_page.add_user.empty_user_field'))
-      .refine((value) => isEmail(value) || (allowUsernames && usernameRe.test(value)), (value) => ({ message: isEmail(value) ? $t('register.invalid_email', { email: value }) : $t('register.invalid_username', {username: value}) })),
+      .refine((value) => !validateAsEmail(value) || isEmail(value), $t('form.invalid_email'))
+      .refine((value) => validateAsEmail(value) || usernameRe.test(value), $t('register.invalid_username')),
     password: passwordFormRules($t),
     score: z.number(),
     locale: z.string().trim().min(2).default(userLocale),
@@ -43,7 +49,7 @@
         $errors.email = [$t('register.account_exists')];
       }
       if (error.invalidInput) {
-        $errors.email = [$t('register.invalid_input', { username: $form.email })];
+        $errors.email = [validateAsEmail($form.email) ? $t('form.invalid_email') : $t('register.invalid_username')];
       }
       return;
     }
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 7cdb9e794..70a88d5a3 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -389,9 +389,7 @@ If you don't see a dialog or already closed it, click the button below:",
   "register": {
     "title": "Register",
     "account_exists": "An account with this email already exists",
-    "invalid_email": "Invalid email address: {email}",
-    "invalid_username": "Invalid login/username: {username}. Only letters, numbers, and underscore (_) characters are allowed.",
-    "invalid_input": "Invalid email address or login/username: {username}. Only letters, numbers, and underscore (_) characters are allowed.",
+    "invalid_username": "Invalid login/username. Only letters, numbers, and underscore (_) characters are allowed.",
     "button_register": "Register",
     "label_email": "Email",
     "label_email_or_username": "Email or login/username",