[feature] New user sign-up via web page (#2796)

* [feature] User sign-up form and admin notifs

* add chosen + filtered languages to migration

* remove stray comment

* chosen languages schmosen schmanguages

* proper error on local account missing

4 files changed, 210 insertions, 1 deletions

diff --git a/internal/web/confirmemail.go b/internal/web/confirmemail.go
index f15252bf7..e512761f4 100644
--- a/internal/web/confirmemail.go
+++ b/internal/web/confirmemail.go
@@ -56,18 +56,84 @@ func (m *Module) confirmEmailGETHandler(c *gin.Context) {
 		return
 	}
 
+	// Get user but don't confirm yet.
+	user, errWithCode := m.processor.User().EmailGetUserForConfirmToken(c.Request.Context(), token)
+	if errWithCode != nil {
+		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
+		return
+	}
+
+	// They may have already confirmed before
+	// and are visiting the link again for
+	// whatever reason. This is fine, just make
+	// sure we have an email address to show them.
+	email := user.UnconfirmedEmail
+	if email == "" {
+		// Already confirmed, take
+		// that address instead.
+		email = user.Email
+	}
+
+	// Serve page where user can click button
+	// to POST confirmation to same endpoint.
+	page := apiutil.WebPage{
+		Template: "confirm_email.tmpl",
+		Instance: instance,
+		Extra: map[string]any{
+			"email":    email,
+			"username": user.Account.Username,
+			"token":    token,
+		},
+	}
+
+	apiutil.TemplateWebPage(c, page)
+}
+
+func (m *Module) confirmEmailPOSTHandler(c *gin.Context) {
+	instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context())
+	if errWithCode != nil {
+		apiutil.WebErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	// Return instance we already got from the db,
+	// don't try to fetch it again when erroring.
+	instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) {
+		return instance, nil
+	}
+
+	// We only serve text/html at this endpoint.
+	if _, err := apiutil.NegotiateAccept(c, apiutil.TextHTML); err != nil {
+		apiutil.WebErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), instanceGet)
+		return
+	}
+
+	// If there's no token in the query,
+	// just serve the 404 web handler.
+	token := c.Query("token")
+	if token == "" {
+		errWithCode := gtserror.NewErrorNotFound(errors.New(http.StatusText(http.StatusNotFound)))
+		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
+		return
+	}
+
+	// Confirm email address for real this time.
 	user, errWithCode := m.processor.User().EmailConfirm(c.Request.Context(), token)
 	if errWithCode != nil {
 		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
 		return
 	}
 
+	// Serve page informing user that their
+	// email address is now confirmed.
 	page := apiutil.WebPage{
-		Template: "confirmed.tmpl",
+		Template: "confirmed_email.tmpl",
 		Instance: instance,
 		Extra: map[string]any{
 			"email":    user.Email,
 			"username": user.Account.Username,
+			"token":    token,
+			"approved": *user.Approved,
 		},
 	}
 
diff --git a/internal/web/robots.go b/internal/web/robots.go
index cfd1758a4..2511ee1d3 100644
--- a/internal/web/robots.go
+++ b/internal/web/robots.go
@@ -82,6 +82,7 @@ Disallow: /oauth/
 Disallow: /check_your_email
 Disallow: /wait_for_approval
 Disallow: /account_disabled
+Disallow: /signup
 
 # Well-known endpoints.
 Disallow: /.well-known/
diff --git a/internal/web/signup.go b/internal/web/signup.go
new file mode 100644
index 000000000..691469dff
--- /dev/null
+++ b/internal/web/signup.go
@@ -0,0 +1,138 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package web
+
+import (
+	"context"
+	"errors"
+	"net"
+
+	"github.com/gin-gonic/gin"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/validate"
+)
+
+func (m *Module) signupGETHandler(c *gin.Context) {
+	ctx := c.Request.Context()
+
+	// We'll need the instance later, and we can also use it
+	// before then to make it easier to return a web error.
+	instance, errWithCode := m.processor.InstanceGetV1(ctx)
+	if errWithCode != nil {
+		apiutil.WebErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	// Return instance we already got from the db,
+	// don't try to fetch it again when erroring.
+	instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) {
+		return instance, nil
+	}
+
+	// We only serve text/html at this endpoint.
+	if _, err := apiutil.NegotiateAccept(c, apiutil.TextHTML); err != nil {
+		apiutil.WebErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), instanceGet)
+		return
+	}
+
+	page := apiutil.WebPage{
+		Template: "sign-up.tmpl",
+		Instance: instance,
+		OGMeta:   apiutil.OGBase(instance),
+		Extra: map[string]any{
+			"reasonRequired": config.GetAccountsReasonRequired(),
+		},
+	}
+
+	apiutil.TemplateWebPage(c, page)
+}
+
+func (m *Module) signupPOSTHandler(c *gin.Context) {
+	ctx := c.Request.Context()
+
+	// We'll need the instance later, and we can also use it
+	// before then to make it easier to return a web error.
+	instance, errWithCode := m.processor.InstanceGetV1(ctx)
+	if errWithCode != nil {
+		apiutil.WebErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	// Return instance we already got from the db,
+	// don't try to fetch it again when erroring.
+	instanceGet := func(ctx context.Context) (*apimodel.InstanceV1, gtserror.WithCode) {
+		return instance, nil
+	}
+
+	// We only serve text/html at this endpoint.
+	if _, err := apiutil.NegotiateAccept(c, apiutil.TextHTML); err != nil {
+		apiutil.WebErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), instanceGet)
+		return
+	}
+
+	form := &apimodel.AccountCreateRequest{}
+	if err := c.ShouldBind(form); err != nil {
+		apiutil.WebErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), instanceGet)
+		return
+	}
+
+	if err := validate.CreateAccount(form); err != nil {
+		apiutil.WebErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), instanceGet)
+		return
+	}
+
+	clientIP := c.ClientIP()
+	signUpIP := net.ParseIP(clientIP)
+	if signUpIP == nil {
+		err := errors.New("ip address could not be parsed from request")
+		apiutil.WebErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), instanceGet)
+		return
+	}
+	form.IP = signUpIP
+
+	// We have all the info we need, call account create
+	// (this will also trigger side effects like sending emails etc).
+	user, errWithCode := m.processor.Account().Create(
+		c.Request.Context(),
+		// nil to use
+		// instance app.
+		nil,
+		form,
+	)
+	if errWithCode != nil {
+		apiutil.WebErrorHandler(c, errWithCode, instanceGet)
+		return
+	}
+
+	// Serve a page informing the
+	// user that they've signed up.
+	page := apiutil.WebPage{
+		Template: "signed-up.tmpl",
+		Instance: instance,
+		OGMeta:   apiutil.OGBase(instance),
+		Extra: map[string]any{
+			"email":    user.UnconfirmedEmail,
+			"username": user.Account.Username,
+		},
+	}
+
+	apiutil.TemplateWebPage(c, page)
+}
diff --git a/internal/web/web.go b/internal/web/web.go
index 19df63332..185bf7120 100644
--- a/internal/web/web.go
+++ b/internal/web/web.go
@@ -49,6 +49,7 @@ const (
 	settingsPanelGlob  = settingsPathPrefix + "/*panel"
 	userPanelPath      = settingsPathPrefix + "/user"
 	adminPanelPath     = settingsPathPrefix + "/admin"
+	signupPath         = "/signup"
 
 	cacheControlHeader    = "Cache-Control"     // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
 	cacheControlNoCache   = "no-cache"          // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#response_directives
@@ -115,10 +116,13 @@ func (m *Module) Route(r *router.Router, mi ...gin.HandlerFunc) {
 	r.AttachHandler(http.MethodGet, customCSSPath, m.customCSSGETHandler)
 	r.AttachHandler(http.MethodGet, rssFeedPath, m.rssFeedGETHandler)
 	r.AttachHandler(http.MethodGet, confirmEmailPath, m.confirmEmailGETHandler)
+	r.AttachHandler(http.MethodPost, confirmEmailPath, m.confirmEmailPOSTHandler)
 	r.AttachHandler(http.MethodGet, robotsPath, m.robotsGETHandler)
 	r.AttachHandler(http.MethodGet, aboutPath, m.aboutGETHandler)
 	r.AttachHandler(http.MethodGet, domainBlockListPath, m.domainBlockListGETHandler)
 	r.AttachHandler(http.MethodGet, tagsPath, m.tagGETHandler)
+	r.AttachHandler(http.MethodGet, signupPath, m.signupGETHandler)
+	r.AttachHandler(http.MethodPost, signupPath, m.signupPOSTHandler)
 
 	// Attach redirects from old endpoints to current ones for backwards compatibility
 	r.AttachHandler(http.MethodGet, "/auth/edit", func(c *gin.Context) { c.Redirect(http.StatusMovedPermanently, userPanelPath) })