Prevent registered e-mail address enumeration via user registration form

tldr

Add 2 options to prevent information disclosure. The patch is a proof of concept with several todos.

a) email verification disabled

Dont show information that name or mail address are in use, just got to the front page and send an information mail to the account holder.

b) email verification enabled

Introducing a two-step registration.

- In 1st step only ask for mail address and consent to policy privacy. If mail address is in use you get a passwort reset link.
- In 2nd step after getting mail create your account.

Long version

I am not sure if this can be fixed without fundamental changes. The register-form is rudimentary. You have information disclosures, you have no consent for processing privacy data per default, you have no automatic routines for deletion unconfirmed users.

We can mitigate each single point - but everytime many custom solutions or contrib modules may break. And I think almost every page has a custom solution because the register form provides only basic functionality.

In an ideal world you have a two-step register process:

1) In the 1st step the user enter their mail address and consent to the privacy policy of the site. They get on the screen in any case: "Thank you for registration. We send you a mail to the given address." Then a mail with register-token or password-reset will be send. (In a real ideal world this double-opt-in would be a service in core and the data would be saved encrypted). Yes, we need a flood-protection. No user user entity will be created at this point (so we have no problem with no-deletion of orphaned users (privacy violation!).).

2) In the 2nd step the user can create their profile. If the site is working with user names (better use only mail address) you have to inform all users that they will be visible to other registered users (and they may use an anonymous nick name).

But this would break many (most?) existing solutions.

My proposal is to add a info-text and add 2 new options to the account settings formular.

The patch is a proof of concept to show the possible process.

Open todos:

- Account-Settings-Form: The states are not working correct - please click on and off to disable correctly.
- two-step: Encrypt / Decrypt data in keystore.
- two-step: No mail is sent after 1st step, you will be instead redirected to the generated URL to register
- two-step: Remove data form keystore.
- Send mail if registration fails in process without email verification.

The patch should apply to D10.1

Please take this as an offer for discussion.

Sorry, wrong -p-level in #26