Trailing _ or - not allowed in usernames although the docs and error message say it should work
Summary
Logging in via OIDC or creating a user with the username foobar_ fails.
Steps to reproduce
- have an OIDC account with the username foobar_ conforming to the GitLab docs regarding usernames
- try to log in to GitLab CE
- "Sign-in using XXX auth failed. Username can only include non-accented letters, digits, '_', '-' and '.'. It must not start with '-', end in '.', '.git', or '.atom'."
What is the current bug behavior?
It is not possible to create an account with a username that is valid according to the docs.
What is the expected correct behavior?
It is possible to create an account with a username that is valid according to the docs, OR the docs are updated to reflect the more restrictive requirements for usernames.
Output of checks
This bug happens on GitLab.com.
Results of GitLab environment info
Our GitLab CE is v17.0.1-ee
Possible fixes
The regex in https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/regex.rb#L23 does not encode what the docs say. The regex requires '.', '-' or '_' characters to always be followed by one or more letters or digits. Usernames not excluded by the description of the validation error/docs but that do not match:
foobar_
foo__bar
foo_-bar
foobar_-
See also (please note: the string anchors are changed to line anchors in the rubular pad to demonstrate the issue on multiple usernames): https://rubular.com/r/KHOHp5Wk1xxlg0
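
The mismatch described above, as an added Ruby example that is not part of the original issue and not GitLab's code: `valid_per_message?` encodes the rules as the error message words them, and `STRICT_STAND_IN` is a hypothetical pattern built only from the issue's description (separators must be followed by letters or digits), not the regex in lib/gitlab/regex.rb. All function and constant names are assumptions made for this example.

```ruby
# Added example, not GitLab's code. Both checks below are constructed from the
# wording in this issue; neither is copied from lib/gitlab/regex.rb.

# Rules as the error message states them: only non-accented letters, digits,
# '_', '-' and '.'; must not start with '-'; must not end in '.', '.git', '.atom'.
ALLOWED_CHARS = /\A[a-zA-Z0-9_.-]+\z/ # \A and \z are string anchors, not line anchors
FORBIDDEN_SUFFIXES = ['.', '.git', '.atom'].freeze

def valid_per_message?(username)
  return false unless ALLOWED_CHARS.match?(username)
  return false if username.start_with?('-')

  FORBIDDEN_SUFFIXES.none? { |suffix| username.end_with?(suffix) }
end

# Hypothetical stand-in for the stricter behaviour the issue describes:
# every '.', '-' or '_' must be followed by one or more letters or digits.
STRICT_STAND_IN = /\A[a-zA-Z0-9]+(?:[._-][a-zA-Z0-9]+)*\z/

def valid_per_strict?(username)
  STRICT_STAND_IN.match?(username)
end

# Usernames the message permits but the stricter pattern rejects.
def mismatches(usernames)
  usernames.select { |u| valid_per_message?(u) && !valid_per_strict?(u) }
end

# The four usernames from the issue, followed by constructed controls.
SAMPLES = %w[foobar_ foo__bar foo_-bar foobar_- foo_bar foo.bar -foobar foobar.git].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |u|
    puts format('%-12s message=%-5s strict=%s', u, valid_per_message?(u), valid_per_strict?(u))
  end
  puts "mismatches: #{mismatches(SAMPLES).inspect}"
end
```

A table-driven comparison like this can run as a regression test so that the user-facing message and the validation pattern cannot drift apart unnoticed.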