DFE-Digital
diff --git a/‎src/DfE.ExternalApplications.Api/Controllers/UsersController.cs‎
Lines changed: 26 additions & 0 deletions b/‎src/DfE.ExternalApplications.Api/Controllers/UsersController.cs‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎src/DfE.ExternalApplications.Api/DfE.ExternalApplications.Api.csproj‎
Lines changed: 1 addition & 1 deletion b/‎src/DfE.ExternalApplications.Api/DfE.ExternalApplications.Api.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/DfE.ExternalApplications.Application/DfE.ExternalApplications.Application.csproj‎
Lines changed: 1 addition & 1 deletion b/‎src/DfE.ExternalApplications.Application/DfE.ExternalApplications.Application.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/DfE.ExternalApplications.Application/Users/Commands/RegisterUserCommandHandler.cs‎
Lines changed: 132 additions & 0 deletions b/‎src/DfE.ExternalApplications.Application/Users/Commands/RegisterUserCommandHandler.cs‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎src/DfE.ExternalApplications.Application/Users/Commands/RegisterUserCommandValidator.cs‎
Lines changed: 21 additions & 0 deletions b/‎src/DfE.ExternalApplications.Application/Users/Commands/RegisterUserCommandValidator.cs‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎src/DfE.ExternalApplications.Application/Users/EventHandlers/UserCreatedEventHandler.cs‎
Lines changed: 22 additions & 0 deletions b/‎src/DfE.ExternalApplications.Application/Users/EventHandlers/UserCreatedEventHandler.cs‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/DfE.ExternalApplications.Domain/DfE.ExternalApplications.Domain.csproj‎
Lines changed: 1 addition & 1 deletion b/‎src/DfE.ExternalApplications.Domain/DfE.ExternalApplications.Domain.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/DfE.ExternalApplications.Domain/Events/UserCreatedEvent.cs‎
Lines changed: 13 additions & 0 deletions b/‎src/DfE.ExternalApplications.Domain/Events/UserCreatedEvent.cs‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎src/DfE.ExternalApplications.Domain/Factories/IUserFactory.cs‎
Lines changed: 7 additions & 0 deletions b/‎src/DfE.ExternalApplications.Domain/Factories/IUserFactory.cs‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/DfE.ExternalApplications.Domain/Factories/UserFactory.cs‎
Lines changed: 77 additions & 0 deletions b/‎src/DfE.ExternalApplications.Domain/Factories/UserFactory.cs‎
Lines changed: 77 additions & 0 deletions
@@ -1,11 +1,14 @@
 using Asp.Versioning;
+using DfE.ExternalApplications.Application.Users.Commands;
 using GovUK.Dfe.CoreLibs.Contracts.ExternalApplications.Models.Response;
 using DfE.ExternalApplications.Application.Users.Queries;
 using MediatR;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Swashbuckle.AspNetCore.Annotations;
 using GovUK.Dfe.CoreLibs.Http.Models;
+using DfE.ExternalApplications.Infrastructure.Security;
+using GovUK.Dfe.CoreLibs.Contracts.ExternalApplications.Models.Request;
 
 namespace DfE.ExternalApplications.Api.Controllers;
 
@@ -35,4 +38,27 @@ public async Task<IActionResult> GetMyPermissionsAsync(
             StatusCode = StatusCodes.Status200OK
         };
     }
+
+    /// <summary>
+    /// Create and registers a new user using the data in the provided External-IDP token.
+    /// </summary>
+    [HttpPost("register")]
+    [SwaggerResponse(200, "User registered successfully.", typeof(UserDto))]
+    [SwaggerResponse(400, "Invalid request data.", typeof(ExceptionResponse))]
+    [SwaggerResponse(401, "Unauthorized - no valid user token", typeof(ExceptionResponse))]
+    [SwaggerResponse(500, "Internal server error.", typeof(ExceptionResponse))]
+    [SwaggerResponse(429, "Too Many Requests.", typeof(ExceptionResponse))]
+    [Authorize(AuthenticationSchemes = AuthConstants.AzureAdScheme, Policy = "SvcCanReadWrite")]
+    public async Task<ActionResult<UserDto>> RegisterUserAsync(
+        [FromBody] RegisterUserRequest request,
+        CancellationToken ct)
+    {
+        var result = await sender.Send(
+            new RegisterUserCommand(request.AccessToken, request.TemplateId), ct);
+        
+        if (!result.IsSuccess)
+            return BadRequest(new ExceptionResponse { Message = result.Error });
+        
+        return Ok(result.Value);
+    }
 }
@@ -10,7 +10,7 @@
 	<ItemGroup>
 		<PackageReference Include="Asp.Versioning.Mvc" Version="8.1.0" />
 		<PackageReference Include="Asp.Versioning.Mvc.ApiExplorer" Version="8.1.0" />
-		<PackageReference Include="GovUK.Dfe.CoreLibs.Contracts" Version="1.0.45" />
+		<PackageReference Include="GovUK.Dfe.CoreLibs.Contracts" Version="1.0.46" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Http" Version="1.0.10" />
 		<PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.23.0" />
 		<PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="8.0.18" />
 
@@ -17,7 +17,7 @@
 		<PackageReference Include="AutoMapper" Version="14.0.0" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.AsyncProcessing" Version="1.0.12" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Caching" Version="1.0.10" />
-		<PackageReference Include="GovUK.Dfe.CoreLibs.Contracts" Version="1.0.45" />
+		<PackageReference Include="GovUK.Dfe.CoreLibs.Contracts" Version="1.0.46" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Email" Version="0.1.0-prerelease-146" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.FileStorage" Version="0.1.3" />
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Notifications" Version="0.1.5" />
 
@@ -0,0 +1,132 @@
+using System.Net;
+using System.Security.Claims;
+using DfE.ExternalApplications.Application.Common.Attributes;
+using DfE.ExternalApplications.Application.Common.Behaviours;
+using DfE.ExternalApplications.Application.Users.QueryObjects;
+using DfE.ExternalApplications.Domain.Common;
+using DfE.ExternalApplications.Domain.Entities;
+using DfE.ExternalApplications.Domain.Factories;
+using DfE.ExternalApplications.Domain.Interfaces;
+using DfE.ExternalApplications.Domain.Interfaces.Repositories;
+using DfE.ExternalApplications.Domain.Services;
+using DfE.ExternalApplications.Domain.ValueObjects;
+using GovUK.Dfe.CoreLibs.Contracts.ExternalApplications.Models.Response;
+using GovUK.Dfe.CoreLibs.Security.Interfaces;
+using MediatR;
+using Microsoft.AspNetCore.Http;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DfE.ExternalApplications.Application.Users.Commands;
+
+[RateLimit(5, 30)]
+public sealed record RegisterUserCommand(string SubjectToken, Guid? TemplateId = null) : IRequest<Result<UserDto>>, IRateLimitedRequest;
+
+public sealed class RegisterUserCommandHandler(
+    IEaRepository<User> userRepo,
+    IExternalIdentityValidator externalValidator,
+    IHttpContextAccessor httpContextAccessor,
+    IUserFactory userFactory,
+    IUnitOfWork unitOfWork) : IRequestHandler<RegisterUserCommand, Result<UserDto>>
+{
+    public async Task<Result<UserDto>> Handle(
+        RegisterUserCommand request,
+        CancellationToken cancellationToken)
+    {
+        try
+        {
+            // Validate external token and extract claims
+            var externalUser = await externalValidator
+                .ValidateIdTokenAsync(request.SubjectToken, cancellationToken);
+
+            var email = externalUser.FindFirst(ClaimTypes.Email)?.Value
+                        ?? throw new SecurityTokenException("RegisterUserCommandHandler > Missing email");
+
+            var name = externalUser.FindFirst(ClaimTypes.Name)?.Value 
+                       ?? externalUser.FindFirst("name")?.Value
+                       ?? externalUser.FindFirst("given_name")?.Value
+                       ?? email; // Fallback to email if name not available
+
+            // Check if user already exists
+            var dbUser = await (new GetUserByEmailQueryObject(email))
+                .Apply(userRepo.Query().AsNoTracking())
+                .FirstOrDefaultAsync(cancellationToken: cancellationToken);
+
+            if (dbUser is not null)
+            {
+                // User already exists, return their information
+                return Result<UserDto>.Success(new UserDto
+                {
+                    UserId = dbUser.Id!.Value,
+                    Name = dbUser.Name,
+                    Email = dbUser.Email,
+                    RoleId = dbUser.RoleId.Value,
+                    Authorization = CreateAuthorizationFromUser(dbUser)
+                });
+            }
+
+            // Create new user with User role
+            var userId = new UserId(Guid.NewGuid());
+            var now = DateTime.UtcNow;
+
+            // TemplateId is required for user registration
+            if (!request.TemplateId.HasValue)
+            {
+                return Result<UserDto>.Failure("Template ID is required for user registration");
+            }
+
+            var templateId = new TemplateId(request.TemplateId.Value);
+
+            var newUser = userFactory.CreateUser(
+                userId,
+                new RoleId(RoleConstants.UserRoleId),
+                name,
+                email,
+                templateId,
+                now);
+
+            await userRepo.AddAsync(newUser, cancellationToken);
+            await unitOfWork.CommitAsync(cancellationToken);
+
+            // Create authorization data directly from the new user
+            var authorization = CreateAuthorizationFromUser(newUser);
+
+            return Result<UserDto>.Success(new UserDto
+            {
+                UserId = newUser.Id!.Value,
+                Name = newUser.Name,
+                Email = newUser.Email,
+                RoleId = newUser.RoleId.Value,
+                Authorization = authorization
+            });
+        }
+        catch (SecurityTokenException ex)
+        {
+            return Result<UserDto>.Failure($"Invalid token: {ex.Message}");
+        }
+        catch (Exception ex)
+        {
+            return Result<UserDto>.Failure(ex.Message);
+        }
+    }
+
+    private UserAuthorizationDto? CreateAuthorizationFromUser(User user)
+    {
+        if (user.Permissions == null || !user.Permissions.Any())
+            return null;
+
+        return new UserAuthorizationDto
+        {
+            Permissions = user.Permissions
+                .Select(p => new UserPermissionDto
+                {
+                    ApplicationId = p.ApplicationId?.Value,
+                    ResourceType = p.ResourceType,
+                    ResourceKey = p.ResourceKey,
+                    AccessType = p.AccessType
+                })
+                .ToArray(),
+            Roles = new List<string> { user.Role?.Name ?? "User" }
+        };
+    }
+}
@@ -0,0 +1,21 @@
+using FluentValidation;
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("DfE.ExternalApplications.Application.Tests")]
+namespace DfE.ExternalApplications.Application.Users.Commands;
+
+internal class RegisterUserCommandValidator : AbstractValidator<RegisterUserCommand>
+{
+    public RegisterUserCommandValidator()
+    {
+        RuleFor(x => x.SubjectToken)
+            .NotEmpty()
+            .WithMessage("Subject token is required");
+        
+        RuleFor(x => x.TemplateId)
+            .NotNull()
+            .NotEmpty()
+            .WithMessage("Template ID is required");
+    }
+}
+
@@ -0,0 +1,22 @@
+using DfE.ExternalApplications.Application.Common.EventHandlers;
+using DfE.ExternalApplications.Domain.Events;
+using Microsoft.Extensions.Logging;
+
+namespace DfE.ExternalApplications.Application.Users.EventHandlers;
+
+public sealed class UserCreatedEventHandler(
+    ILogger<UserCreatedEventHandler> logger) : BaseEventHandler<UserCreatedEvent>(logger)
+{
+    protected override async Task HandleEvent(UserCreatedEvent notification, CancellationToken cancellationToken)
+    {
+        logger.LogInformation("User created: {UserId} - {Email} at {CreatedOn}",
+            notification.User.Id!.Value,
+            notification.User.Email,
+            notification.CreatedOn);
+
+        // Future: Add welcome email or other side effects here
+        
+        await Task.CompletedTask;
+    }
+}
+
@@ -6,7 +6,7 @@
 
 	<ItemGroup>
 		<PackageReference Include="GovUK.Dfe.CoreLibs.Caching" Version="1.0.10" />
-		<PackageReference Include="GovUK.Dfe.CoreLibs.Contracts" Version="1.0.45" />
+		<PackageReference Include="GovUK.Dfe.CoreLibs.Contracts" Version="1.0.46" />
 		<PackageReference Include="FluentValidation" Version="12.0.0" />
 		<PackageReference Include="MediatR" Version="12.5.0" />
 	</ItemGroup>
 
@@ -0,0 +1,13 @@
+using DfE.ExternalApplications.Domain.Common;
+using DfE.ExternalApplications.Domain.Entities;
+using DfE.ExternalApplications.Domain.ValueObjects;
+
+namespace DfE.ExternalApplications.Domain.Events;
+
+public sealed record UserCreatedEvent(
+    User User,
+    DateTime CreatedOn) : IDomainEvent
+{
+    public DateTime OccurredOn => CreatedOn;
+}
+
@@ -18,6 +18,13 @@ User CreateContributor(
         TemplateId templateId,
         DateTime? createdOn = null);
 
+    User CreateUser(
+        UserId id,
+        RoleId roleId,
+        string name,
+        string email,
+        TemplateId templateId,
+        DateTime? createdOn = null);
 
     void AddPermissionToUser(
         User user,
 
@@ -108,6 +108,83 @@ public User CreateContributor(
         return contributor;
     }
 
+    public User CreateUser(
+        UserId id,
+        RoleId roleId,
+        string name,
+        string email,
+        TemplateId templateId ,
+        DateTime? createdOn = null)
+    {
+        if (id == null)
+            throw new ArgumentException("Id cannot be null", nameof(id));
+        
+        if (roleId == null)
+            throw new ArgumentException("RoleId cannot be null", nameof(roleId));
+        
+        if (string.IsNullOrWhiteSpace(name))
+            throw new ArgumentException("Name cannot be null or empty", nameof(name));
+        
+        if (string.IsNullOrWhiteSpace(email))
+            throw new ArgumentException("Email cannot be null or empty", nameof(email));
+
+        var when = createdOn ?? DateTime.UtcNow;
+        
+        var user = new User(
+            id,
+            roleId,
+            name,
+            email,
+            when,
+            null, // CreatedBy is null for self-registered users
+            null,
+            null);
+
+        // Add self permission to the user to read their own user record
+        AddPermissionToUser(
+            user,
+            email,
+            ResourceType.User,
+            new[] { AccessType.Read },
+            id, // User grants permission to themselves
+            null, // No application context
+            when);
+
+        // Add notification permissions for the user's own email
+        AddPermissionToUser(
+            user,
+            email,
+            ResourceType.Notifications,
+            new[] { AccessType.Read, AccessType.Write, AccessType.Delete },
+            id, // User grants permission to themselves
+            null, // No application context
+            when);
+
+        // Add template permissions if TemplateId is provided
+        AddTemplatePermissionToUser(
+            user,
+            templateId.Value.ToString(),
+            new[] { AccessType.Read, AccessType.Write },
+            id, // User grants permission to themselves
+            when);
+
+        // Add application permissions for "Any" application
+        AddPermissionToUser(
+            user,
+            "Any",
+            ResourceType.Application,
+            new[] { AccessType.Read, AccessType.Write },
+            id,
+            null,
+            when);
+
+        // Raise domain event for user creation (side effects like email)
+        user.AddDomainEvent(new UserCreatedEvent(
+            user,
+            when));
+
+        return user;
+    }
 
     public void AddPermissionToUser(
         User user,