Initial commit - SoundWave v1.0

- Full PWA support with offline capabilities - Comprehensive search across songs, playlists, and channels - Offline playlist manager with download tracking - Pre-built frontend for zero-build deployment - Docker-based deployment with docker compose - Material-UI dark theme interface - YouTube audio download and management - Multi-user authentication support
2025-12-16 23:43:07 +00:00 · 2025-12-16 23:43:07 +00:00 · 51679d1943
commit 51679d1943
254 changed files with 37281 additions and 0 deletions
--- a/backend/user/REGISTRATION_POLICY.md
+++ b/backend/user/REGISTRATION_POLICY.md
@ -0,0 +1,239 @@
+# User Registration Policy
+
+## Public Registration Status: DISABLED ❌
+
+Public user registration is **disabled** in SoundWave. This is a security feature for multi-tenant deployments.
+
+## User Creation
+
+### Admin-Only User Creation
+
+Only administrators can create new user accounts through:
+
+1. **Django Admin Panel**:
+   ```
+   http://localhost:8888/admin/user/account/add/
+   ```
+
+2. **REST API** (Admin only):
+   ```bash
+   POST /api/user/admin/users/
+   {
+     "username": "newuser",
+     "email": "user@example.com",
+     "password": "SecurePass123",
+     "password_confirm": "SecurePass123",
+     "storage_quota_gb": 50,
+     "max_channels": 50,
+     "max_playlists": 100,
+     "is_admin": false,
+     "is_active": true
+   }
+   ```
+
+3. **Frontend Admin Panel**:
+   - Navigate to Admin Users page
+   - Click "Create User" button
+   - Fill in user details and resource quotas
+
+### Django Management Command
+
+Admins can also use Django management commands:
+
+```bash
+# Create regular user
+python manage.py createsuperuser
+
+# Or use shell
+python manage.py shell
+>>> from user.models import Account
+>>> user = Account.objects.create_user(
+...     username='john_doe',
+...     email='john@example.com',
+...     password='SecurePass123'
+... )
+>>> user.storage_quota_gb = 100
+>>> user.max_channels = 75
+>>> user.save()
+```
+
+## Attempted Public Registration
+
+If someone attempts to access the registration endpoint:
+
+**Request**:
+```bash
+POST /api/user/register/
+{
+  "username": "newuser",
+  "email": "user@example.com",
+  "password": "password123"
+}
+```
+
+**Response** (403 Forbidden):
+```json
+{
+  "error": "Public registration is disabled",
+  "message": "New users can only be created by administrators. Please contact your system administrator for account creation."
+}
+```
+
+## Configuration
+
+Registration policy is controlled in `config/user_settings.py`:
+
+```python
+# Public registration disabled - only admins can create users
+ALLOW_PUBLIC_REGISTRATION = False
+```
+
+### To Enable Public Registration (Not Recommended)
+
+If you need to enable public registration for testing or specific use cases:
+
+1. Edit `config/user_settings.py`:
+   ```python
+   ALLOW_PUBLIC_REGISTRATION = True
+   ```
+
+2. Implement registration logic in `user/views.py` RegisterView
+3. Add frontend registration form (not included by default)
+
+**⚠️ Warning**: Enabling public registration bypasses the multi-tenant security model and allows anyone to create accounts.
+
+## Security Benefits
+
+### Why Registration is Disabled
+
+1. **Resource Control**: Admins control who gets accounts and resource quotas
+2. **Quality Control**: Prevents spam accounts and abuse
+3. **Multi-Tenancy**: Each user is a "tenant" with isolated data
+4. **Storage Management**: Admins allocate storage based on needs
+5. **Compliance**: Controlled user base for compliance requirements
+6. **Billing**: Users can be tied to billing/subscription models
+
+### Admin Capabilities
+
+Admins have full control over:
+- User creation and deletion
+- Resource quotas (storage, channels, playlists)
+- Account activation/deactivation
+- 2FA reset
+- Storage usage monitoring
+- User permissions (admin/regular)
+
+## User Onboarding Flow
+
+### Recommended Process
+
+1. **Request**: User requests account via email/form
+2. **Admin Review**: Admin reviews request
+3. **Account Creation**: Admin creates account with appropriate quotas
+4. **Credentials**: Admin sends credentials to user securely
+5. **First Login**: User logs in and changes password
+6. **2FA Setup**: User sets up 2FA (recommended)
+
+### Example Onboarding Email
+
+```
+Welcome to SoundWave!
+
+Your account has been created:
+- Username: john_doe
+- Temporary Password: [generated_password]
+
+Storage Quota: 50 GB
+Max Channels: 50
+Max Playlists: 100
+
+Please login and change your password immediately:
+http://soundwave.example.com/
+
+For security, we recommend enabling 2FA in Settings.
+
+Questions? Contact: admin@example.com
+```
+
+## API Endpoints
+
+### Public Endpoints (No Auth Required)
+- `POST /api/user/login/` - User login
+- `POST /api/user/register/` - Returns 403 (disabled)
+
+### Authenticated Endpoints
+- `GET /api/user/account/` - Get current user
+- `POST /api/user/logout/` - Logout
+- `GET /api/user/config/` - User settings
+
+### Admin-Only Endpoints
+- `GET /api/user/admin/users/` - List all users
+- `POST /api/user/admin/users/` - Create new user
+- `PATCH /api/user/admin/users/{id}/` - Update user
+- `POST /api/user/admin/users/{id}/reset_storage/` - Reset storage
+- `POST /api/user/admin/users/{id}/toggle_active/` - Activate/deactivate
+
+## Password Requirements
+
+When creating users, passwords must meet these requirements:
+
+```python
+PASSWORD_MIN_LENGTH = 8
+PASSWORD_REQUIRE_UPPERCASE = True
+PASSWORD_REQUIRE_LOWERCASE = True
+PASSWORD_REQUIRE_NUMBERS = True
+PASSWORD_REQUIRE_SPECIAL = False  # Optional
+```
+
+Example valid passwords:
+- `SecurePass123`
+- `MyPassword1`
+- `Admin2024Test`
+
+## Future Enhancements
+
+Potential features for user management:
+
+- [ ] Invitation system (admin sends invite links)
+- [ ] Approval workflow (users request, admin approves)
+- [ ] Self-service password reset
+- [ ] Email verification
+- [ ] Account expiration dates
+- [ ] Welcome email templates
+- [ ] User onboarding wizard
+- [ ] Bulk user import from CSV
+- [ ] SSO/LDAP integration
+- [ ] OAuth providers (Google, GitHub)
+
+## Troubleshooting
+
+### "Registration is disabled" error
+
+**Cause**: Public registration is intentionally disabled.
+
+**Solution**: Contact system administrator to create an account.
+
+### Cannot create users
+
+**Cause**: User is not an admin.
+
+**Solution**: Only admin users (`is_admin=True` or `is_superuser=True`) can create users.
+
+### How to create first admin?
+
+```bash
+python manage.py createsuperuser
+```
+
+This creates the first admin who can then create other users.
+
+## Best Practices
+
+1. **Strong Passwords**: Enforce strong password requirements
+2. **Enable 2FA**: Require 2FA for admin accounts
+3. **Audit Logs**: Track user creation and modifications
+4. **Resource Planning**: Allocate quotas based on user needs
+5. **Regular Review**: Periodically review active users
+6. **Offboarding**: Deactivate accounts for departed users
+7. **Backup**: Regular database backups including user data
+8. **Documentation**: Keep user list and quotas documented