Skip to content

Reject email addresses as usernames on registration #24

Description

@krazyjakee

Problem

The registration endpoint accepts an email address as a username. Server-side validation in src/routes/auth.rs (register(), ~L419–425) only checks length (1–32 chars) — there is no character-set validation, so user@example.com is accepted as a username.

This is confusing because login looks users up by username (not email), and the username is a public identifier.

// src/routes/auth.rs (register)
let username = input.username.trim();
if username.is_empty() || username.len() > 32 {
    return Err(AppError::BadRequest(
        "username must be between 1 and 32 characters".to_string(),
    ));
}

Proposed change

Reject usernames that look like an email address (and ideally enforce a proper username charset). At minimum, reject any username containing @. Suggested: restrict to [a-z0-9_.] (or similar), lowercase, no leading/trailing ..

  • Add validation in register() in src/routes/auth.rs after the length check.
  • Return 400 BadRequest with a clear message, e.g. "username may not be an email address".
  • Consider applying the same rule to any username-update endpoint.

Related

Client-side counterpart: DaccordProject/daccord-app (the Flutter client field is labeled "Username or email" with no validation). Server is the source of truth — this issue tracks the authoritative fix.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions