
AJAX validation of username for password reset
Open, Normal, Public

Description

The list of usernames is public, so it would be useful to do client-side validation of usernames on the password reset screen.

It is not public which emails are in use, so we should not reveal that in any way (the current password reset interface does not either).


Version: 1.22.0
Severity: normal
See Also:
T42040: Special:PasswordReset could use some design love
T19544: Client-side validation of the username availability (done) and that password meets requirements
T36447: "Check Availability" feature for usernames at registration interface
T49685: Add password and username checking JS to core login and signup forms

Details

Reference
bz56025
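
The constraint in the description (usernames may be checked live because the list is public, while nothing may reveal which emails are in use) is sketched below as an added example; it is not MediaWiki code and not the patch in change 124139. The `USERS` sample data, the function names, the simplified username normalization and the reply text are all assumptions, and in a real form the username lookup would be a request to the server.

```javascript
// Added example; every name here is hypothetical, not MediaWiki code.
// Constructed sample accounts standing in for the wiki's user table.
const USERS = new Map([
  ['Alice', { email: 'alice@example.org' }],
  ['Bob', { email: null }],
]);
const GENERIC_REPLY = 'If that address belongs to an account, a reset email has been sent.';

// Assumption: simplified username normalization (trim, "_" -> " ", capitalize first letter).
function normalizeUsername(raw) {
  const s = String(raw).trim().replace(/_/g, ' ');
  return s.charAt(0).toUpperCase() + s.slice(1);
}

// Live validation for the reset form. Only the username field consults
// account data, because the list of usernames is public anyway.
function validateResetField(field, value) {
  const v = String(value).trim();
  if (v === '') return 'empty';
  if (field === 'username') {
    return USERS.has(normalizeUsername(v)) ? 'ok' : 'unknown-user';
  }
  if (field === 'email') {
    // Syntax check only: the result must not depend on whether the address is in use.
    return /^[^@\s]+@[^@\s]+$/.test(v) ? 'ok' : 'malformed';
  }
  throw new Error('unexpected field: ' + field);
}

// Submit handler for the email path: mail is sent only on a match, but the
// reply shown to the requester is identical either way.
function submitResetByEmail(email, sendMail) {
  const wanted = String(email).trim().toLowerCase();
  for (const [name, account] of USERS) {
    if (account.email !== null && account.email.toLowerCase() === wanted) {
      sendMail(name, account.email);
    }
  }
  return { status: 'accepted', message: GENERIC_REPLY };
}
```
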

Event Timeline

bzimport raised the priority of this task from to Normal. Nov 22 2014, 2:25 AM
bzimport set Reference to bz56025.

Change 124139 had a related patch set uploaded by Ganeshaditya1:
AJAX validation of username in password reset page

https://gerrit.wikimedia.org/r/124139

Can this be leveraged for Account creation as well?

ganeshaditya1 wrote:

I think it can be, by factoring out the validateUserName function into a common file and making it common to both the account creation, login and password reset pages. What could I name this file?

It might take me some time as I have exams so in the meantime I would even get feedback on my validateUserName function too.

(In reply to ganeshaditya1 from comment #4)
Matt can probably point you in the right direction here, this is on our roadmaps but isn't a prioritized thing for us right now, so we really appreciate you taking the time to work on this.

(In reply to Jared Zimmerman (WMF) from comment #3)

Can this be leveraged for Account creation as well?

Bartosz already implemented this in 74b22223 for account creation. It's been live for a little while. :)

As for generalizing it, login and password reset could be common pretty easily (does the username exist?). Signup is a little more difficult, since it's partly the opposite (username should *not* exist) and partly custom (must be valid username, which we don't have to worry about if it needs to exist anyway).

ganeshaditya1: Do you plan to extend your patch, based on comment 5 and comment 6?

Also, there are more issues with it that I pointed out in Gerrit.

Tgr added a subscriber: Tgr. Sep 1 2015, 4:08 AM

This seems kind of useless. You are supposed to enter an existing username there; if you get it wrong, telling you whether it's valid or not is not particularly helpful.

Autocompleting usernames would make more sense.

Restricted Application added a subscriber: Aklapper. Sep 1 2015, 4:08 AM
In T58025#1591560, @Tgr wrote:

This seems kind of useless. You are supposed to enter an existing username there; if you get it wrong, telling you whether it's valid or not is not particularly helpful.
Autocompleting usernames would make more sense.

Why do you assume it has to be one or the other? Most auto-complete fields don't force you to use the drop-down, so validation is still useful.

Tgr updated the task description. Sep 2 2015, 9:32 PM
Tgr set Security to None.
Tgr updated the task description. Dec 6 2016, 6:23 AM
Tgr added a comment. Dec 14 2018, 12:27 AM

Autocompletion was added, then removed shortly afterwards. See T209972: Remove auto-fill/suggest of usernames from password reset forms.