freeipa / freeipa-community-portal

[ABANDONED] FreeIPA Community Portal extension
GNU General Public License v3.0

User self registration doesn't validate email address #32

Open tiran opened 8 years ago

tiran commented 8 years ago

The self registration workflow doesn't validate the user's email address yet. It's common practice to validate the email address.

Suggested workflow

  1. User registers herself with username, temporary password and email address. The stage user is not created. Instead the information is stored in a local SQLite database.
  2. Portal sends user an email with a validation token and a temporary password
  3. User clicks on link and validates the token.
  4. Portal creates stage user in FreeIPA.

Security concern

The temporary password is sent in plain text. Since it's a temporary password (user has to set a new password in FreeIPA web UI anyway) it is not so bad.

In order to mitigate flooding and DoS attacks on FreeIPA and LDAP servers, the portal must create the staging user after the mail address has been validated.
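The deferred-creation workflow above, as an added example that is not code from the freeipa-community-portal project. It keeps pending registrations in a local SQLite table keyed by a hash of the mailed validation token, creates the stage user only when a valid, unexpired token is presented, and applies the flood mitigation the comment asks for: a per-source-address cap on pending registrations, one pending record per e-mail address, and expiry of stale records. The `create_stage_user` and `send_mail` callbacks stand in for the FreeIPA `stageuser` call and the mailer (both are assumptions, not the project's API), the validation URL is a placeholder, and the limits and TTL are illustrative values. No temporary password is stored or mailed; the pending record holds only username, e-mail and the token hash.

```python
import hashlib
import secrets
import sqlite3
import time

# Assumed policy values; tune for a real deployment.
TOKEN_TTL = 24 * 3600          # pending registrations expire after one day
RATE_WINDOW = 3600             # per-source-address window for the flood limit
MAX_PENDING_PER_IP = 5         # pending registrations allowed per source in the window
MAX_PENDING_PER_EMAIL = 1      # one outstanding registration per e-mail address
VALIDATE_URL = "https://portal.example/validate"   # placeholder, not the portal's real path


class RegistrationError(Exception):
    """Raised when a registration or validation attempt is refused."""


def _hash(token: str) -> str:
    # Store only a hash so a copy of the database cannot be used to validate accounts.
    return hashlib.sha256(token.encode()).hexdigest()


class PendingRegistrations:
    """Self-registration store: stage users are created only after e-mail validation."""

    def __init__(self, create_stage_user, send_mail, now=time.time, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            """CREATE TABLE IF NOT EXISTS pending (
                   username   TEXT PRIMARY KEY,
                   email      TEXT NOT NULL,
                   token_hash TEXT NOT NULL UNIQUE,
                   source_ip  TEXT NOT NULL,
                   created_at REAL NOT NULL)"""
        )
        self.create_stage_user = create_stage_user   # assumed callback (username, email)
        self.send_mail = send_mail                   # assumed callback (to_addr, link)
        self.now = now                               # injectable clock for expiry tests

    def _purge_expired(self):
        self.db.execute("DELETE FROM pending WHERE created_at < ?", (self.now() - TOKEN_TTL,))
        self.db.commit()

    def register(self, username: str, email: str, source_ip: str) -> None:
        """Step 1 and 2: record the request locally and mail a validation link."""
        self._purge_expired()
        window_start = self.now() - RATE_WINDOW
        (by_ip,) = self.db.execute(
            "SELECT COUNT(*) FROM pending WHERE source_ip = ? AND created_at > ?",
            (source_ip, window_start),
        ).fetchone()
        if by_ip >= MAX_PENDING_PER_IP:
            raise RegistrationError("too many pending registrations from this address")
        (by_email,) = self.db.execute(
            "SELECT COUNT(*) FROM pending WHERE email = ?", (email,)
        ).fetchone()
        if by_email >= MAX_PENDING_PER_EMAIL:
            raise RegistrationError("a registration for this e-mail address is already pending")

        token = secrets.token_urlsafe(32)   # unguessable, single-use validation token
        try:
            self.db.execute(
                "INSERT INTO pending VALUES (?, ?, ?, ?, ?)",
                (username, email, _hash(token), source_ip, self.now()),
            )
        except sqlite3.IntegrityError:
            raise RegistrationError("username already pending") from None
        self.db.commit()
        # The plaintext token leaves the system only inside the mail to the claimed address.
        self.send_mail(email, f"{VALIDATE_URL}?token={token}")

    def validate(self, token: str) -> str:
        """Step 3 and 4: consume the token and only now create the stage user."""
        self._purge_expired()
        row = self.db.execute(
            "SELECT username, email FROM pending WHERE token_hash = ?", (_hash(token),)
        ).fetchone()
        if row is None:
            raise RegistrationError("unknown or expired token")
        username, email = row
        # Delete before creating so a replayed token cannot trigger a second create.
        self.db.execute("DELETE FROM pending WHERE username = ?", (username,))
        self.db.commit()
        self.create_stage_user(username, email)
        return username
```

Because nothing touches FreeIPA or LDAP until `validate` succeeds, an attacker who submits registrations in bulk only fills the local table, and the per-address cap plus expiry bound how much of that table they can occupy. A production portal should additionally rate-limit the HTTP endpoint itself so the mailer cannot be used to spam arbitrary addresses.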

frasertweedale commented 8 years ago

I agree with deferring password prompt until it is needed (step 3).

tiran commented 8 years ago

@simo5 has pointed out that the portal could be abused to flood the database with users. The system should mitigate flooding attacks.