Improve username validation

dansup · dansup · commit 2f99e609d662 · 2025-12-15T06:25:47.000-07:00
diff --git a/app/Console/Commands/CreateAdminUser.php b/app/Console/Commands/CreateAdminUser.php
@@ -225,10 +225,10 @@ private function validateUsernameForPrompt(string $username): ?string
         if (strlen($username) < 3) {
             return 'Username must be at least 3 characters.';
         }
-        if (strlen($username) > 30) {
-            return 'Username must not exceed 30 characters.';
+        if (strlen($username) > 24) {
+            return 'Username must not exceed 24 characters.';
         }
-        if (! preg_match('/^[a-zA-Z0-9_-]+$/', $username)) {
+        if (! preg_match('/^[a-zA-Z0-9_.-]+$/', $username)) {
             return 'Username can only contain letters, numbers, underscores, and hyphens.';
         }
         if (User::where('username', $username)->exists()) {
diff --git a/app/Http/Controllers/Auth/RegisterController.php b/app/Http/Controllers/Auth/RegisterController.php
@@ -4,6 +4,7 @@
 
 use App\Http\Controllers\Controller;
 use App\Models\User;
+use App\Rules\ValidUsername;
 use App\Services\UsernameService;
 use Illuminate\Foundation\Auth\RegistersUsers;
 use Illuminate\Support\Facades\Hash;
@@ -52,10 +53,10 @@ protected function validator(array $data)
             'name' => ['required', 'string', 'max:255'],
             'username' => [
                 'required',
-                'alpha_dash',
                 'min:2',
-                'max:30',
+                'max:24',
                 'unique:users,username',
+                new ValidUsername,
                 function ($attribute, $value, $fail) {
                     if (app(UsernameService::class)->isReserved($value)) {
                         $fail('This username is reserved.');
diff --git a/app/Http/Requests/StoreRegisterUsernameRequest.php b/app/Http/Requests/StoreRegisterUsernameRequest.php
@@ -3,6 +3,7 @@
 namespace App\Http\Requests;
 
 use App\Models\AdminSetting;
+use App\Rules\ValidUsername;
 use App\Services\UsernameService;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Foundation\Http\FormRequest;
@@ -39,10 +40,10 @@ public function rules(): array
         return [
             'username' => [
                 'required',
-                'alpha_dash',
                 'min:2',
-                'max:30',
+                'max:24',
                 'unique:users,username',
+                new ValidUsername,
                 function ($attribute, $value, $fail) {
                     if (app(UsernameService::class)->isReserved($value)) {
                         $fail('This username is reserved.');
diff --git a/app/Rules/ValidUsername.php b/app/Rules/ValidUsername.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace App\Rules;
+
+use Closure;
+use Illuminate\Contracts\Validation\ValidationRule;
+
+class ValidUsername implements ValidationRule
+{
+    /**
+     * Run the validation rule.
+     *
+     * @param  \Closure(string, ?string=): \Illuminate\Translation\PotentiallyTranslatedString  $fail
+     */
+    public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+        if (! preg_match('/^[a-zA-Z0-9_.-]+$/', $value)) {
+            $fail('The :attribute can only contain letters, numbers, underscores, hyphens, and periods.');
+
+            return;
+        }
+
+        if (str_starts_with($value, '.')) {
+            $fail('The :attribute cannot start with a period.');
+
+            return;
+        }
+
+        if (str_starts_with($value, '_')) {
+            $fail('The :attribute cannot start with an underscore.');
+
+            return;
+        }
+
+        if (str_starts_with($value, '-')) {
+            $fail('The :attribute cannot start with a hyphen.');
+
+            return;
+        }
+
+        if (str_ends_with($value, '.')) {
+            $fail('The :attribute cannot end with a period.');
+
+            return;
+        }
+
+        if (str_ends_with($value, '-')) {
+            $fail('The :attribute cannot end with a hyphen.');
+
+            return;
+        }
+
+        if (str_contains($value, '--')) {
+            $fail('The :attribute cannot contain consecutive hyphens.');
+
+            return;
+        }
+
+        if (str_contains($value, '..')) {
+            $fail('The :attribute cannot contain consecutive periods.');
+
+            return;
+        }
+    }
+}
diff --git a/resources/js/components/AuthModal.vue b/resources/js/components/AuthModal.vue
@@ -452,6 +452,7 @@
                                             v-model="form.username"
                                             type="text"
                                             required
+                                            maxlength="24"
                                             class="w-full px-4 py-3 rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-800 text-gray-900 dark:text-white placeholder-gray-500 dark:placeholder-gray-400 focus:border-blue-500 dark:focus:border-blue-400 focus:ring-2 focus:ring-blue-500/20 dark:focus:ring-blue-400/20 transition-colors"
                                             :placeholder="t('common.chooseAUsername')"
                                         />

Original file line number	Diff line number	Diff line change
`@@ -225,10 +225,10 @@ private function validateUsernameForPrompt(string $username): ?string`
`225`	`225`	`if (strlen($username) < 3) {`
`226`	`226`	`return 'Username must be at least 3 characters.';`
`227`	`227`	`}`
`228`		`- if (strlen($username) > 30) {`
`229`		`- return 'Username must not exceed 30 characters.';`
	`228`	`+ if (strlen($username) > 24) {`
	`229`	`+ return 'Username must not exceed 24 characters.';`
`230`	`230`	`}`
`231`		`- if (! preg_match('/^[a-zA-Z0-9_-]+$/', $username)) {`
	`231`	`+ if (! preg_match('/^[a-zA-Z0-9_.-]+$/', $username)) {`
`232`	`232`	`return 'Username can only contain letters, numbers, underscores, and hyphens.';`
`233`	`233`	`}`
`234`	`234`	`if (User::where('username', $username)->exists()) {`