I have a user registration razor page and corresponding action that uses UserManager and SignInManager to create user accounts. It works just fine.
However, I only want a few people to be able to register so I have disabled all links to /Accounts/Register. But it's easy enough for someone or some bot to guess at the registration route, register and then log in. I am not sure what the best way to "hide" the registration might be. Here are possibilities I came up with:
- Create a hard-to-guess route and corresponding action such as /Accounts/xpflqj7t99y. Only those who are sent the route can register.
- Let anyone register but make the default roles as restrictive as possible
- Add a field to the view model called something like "Secret" (which is sent to select people only) and decorate it with a data annotation such as

```csharp
[RegularExpression("^Th1s1sAnUnl1kelyS3cr3t$", ErrorMessage = "Incorrect Secret")]
public string Secret { get; set; }
```
The last one seems to be the easiest but I don't know if Data Annotations are secure. Is there some accepted convention of doing this that I'm missing?
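An added example, not code from the question, showing the "secret" option with the check done server-side in the page handler instead of in a RegularExpression annotation: with client-side validation enabled (the scaffolded Identity pages enable it), annotation rules are also emitted as data-val-* attributes, so a pattern placed there is rendered to every visitor's browser. It assumes .NET 6 or later, the default IdentityUser, and a hypothetical configuration key Registration:InviteCodeSha256 holding the hex SHA-256 of the invite code.

```csharp
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;
// Hypothetical Register page model (names assumed; .NET 6+ with implicit usings).
// The invite code is checked in the POST handler against a SHA-256 hash from
// configuration (e.g. user secrets): no plaintext code in source or in the page.
public class RegisterModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly byte[] _expectedHash; // assumed key "Registration:InviteCodeSha256" (hex)
    public RegisterModel(UserManager<IdentityUser> userManager,
                         SignInManager<IdentityUser> signInManager, IConfiguration config)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _expectedHash = Convert.FromHexString(config["Registration:InviteCodeSha256"] ?? "");
    }
    [BindProperty] public string Email { get; set; } = "";
    [BindProperty] public string Password { get; set; } = "";
    [BindProperty] public string InviteCode { get; set; } = "";
    // Constant-time comparison of SHA-256(candidate) with the stored hash.
    public static bool InviteCodeMatches(string candidate, byte[] expectedHash)
    {
        byte[] actual = SHA256.HashData(Encoding.UTF8.GetBytes(candidate ?? ""));
        return CryptographicOperations.FixedTimeEquals(actual, expectedHash);
    }
    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid) return Page();
        // An unconfigured hash and a wrong code both fail with the same generic message.
        if (_expectedHash.Length == 0 || !InviteCodeMatches(InviteCode, _expectedHash))
        {
            ModelState.AddModelError(string.Empty, "Registration is by invitation only.");
            return Page();
        }
        var user = new IdentityUser { UserName = Email, Email = Email };
        var result = await _userManager.CreateAsync(user, Password);
        if (!result.Succeeded)
        {
            foreach (var e in result.Errors) ModelState.AddModelError(string.Empty, e.Description);
            return Page();
        }
        await _signInManager.SignInAsync(user, isPersistent: false);
        return RedirectToPage("/Index");
    }
}
```

Because the hash lives in configuration, the invite code can be rotated without a redeploy, and leaving the key unset closes registration entirely.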