AJAX validation of username for password reset
Open, Medium, Public

Description

The list of usernames is public, so it would be useful to do client-side validation of usernames on the password reset screen.

It is not public which emails are in use, so we should not reveal that in any way (the current password reset interface does not either).


Version: 1.22.0
Severity: normal
See Also:
T42040: Special:PasswordReset could use some design love
T19544: Client-side validation of the username availability (done) and that password meets requirements
T36447: "Check Availability" feature for usernames at registration interface
T49685: Add password and username checking JS to core login and signup forms

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 2:25 AM
bzimport set Reference to bz56025.

Change 124139 had a related patch set uploaded by Ganeshaditya1:
AJAX validation of username in password reset page

https://gerrit.wikimedia.org/r/124139

Can this be leveraged for Account creation as well?

ganeshaditya1 wrote:

I think it can be, by factoring out the validateUserName function into a common file and making it common to both the account creation, login and password reset pages. What could I name this file?

It might take me some time as I have exams so in the meantime I would even get feedback on my validateUserName function too.

(In reply to ganeshaditya1 from comment #4)
Matt can probably point you in the right direction here, this is on our roadmaps but isn't a prioritized thing for us right now, so we really appreciate you taking the time to work on this.

(In reply to Jared Zimmerman (WMF) from comment #3)

Can this be leveraged for Account creation as well?

Bartosz already implemented this in 74b22223 for account creation. It's been live for a little while. :)

As for generalizing it, login and password reset could be common pretty easily (does the username exist?). Signup is a little more difficult, since it's partly the opposite (username should *not* exist) and partly custom (must be valid username, which we don't have to worry about if it needs to exist anyway).
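
An added example, not the Gerrit patch or MediaWiki core code: one shared check that covers the existence test for login and password reset, the opposite test for signup, and the task description's rule that the email field never triggers a lookup. It assumes the list=users API response shape; the field names, mode names, sample responses and the injected fetchJson function are hypothetical.

```javascript
// Added example, not the Gerrit patch. Field and mode names are assumptions.
// Constructed list=users responses (formatversion=2 shape).
const SAMPLE_EXISTS = { query: { users: [{ userid: 1, name: 'Example' }] } };
const SAMPLE_MISSING = { query: { users: [{ name: 'Nobody', missing: true }] } };
const SAMPLE_INVALID = { query: { users: [{ name: 'Bad#Name', invalid: true }] } };

// Usernames are public; e-mail addresses are not, so that field never triggers a lookup.
function shouldLookup(field, value) {
  return field === 'username' && value.trim() !== '';
}

// Reduce an action=query&list=users response to one status word.
function classifyUser(response) {
  const users = response && response.query && response.query.users;
  const user = Array.isArray(users) ? users[0] : undefined;
  if (!user) return 'unknown';
  // `in` also covers formatversion=1, where the flags are empty strings.
  if ('invalid' in user) return 'invalid';
  if ('missing' in user) return 'missing';
  return typeof user.userid === 'number' ? 'exists' : 'unknown';
}

// Login and reset need an existing name; signup needs a valid, unused one.
function fieldState(mode, status) {
  if (status === 'unknown') return 'neutral';
  if (mode === 'mustExist') return status === 'exists' ? 'ok' : 'error';
  if (mode === 'mustNotExist') return status === 'missing' ? 'ok' : 'error';
  throw new Error('unknown mode: ' + mode);
}

// fetchJson is a hypothetical injected function: query string in, Promise of parsed JSON out.
async function checkField(field, value, mode, fetchJson) {
  if (!shouldLookup(field, value)) return 'neutral';
  const params = new URLSearchParams({
    action: 'query', list: 'users', ususers: value.trim(),
    format: 'json', formatversion: '2'
  });
  try {
    return fieldState(mode, classifyUser(await fetchJson(params.toString())));
  } catch (e) {
    return 'neutral'; // a failed lookup must not block form submission
  }
}
```
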

ganeshaditya1: Do you plan to extend your patch, based on comment 5 and comment 6?

Also, there are more issues with it that I pointed out in Gerrit.

This seems kind of useless. You are supposed to enter an existing username there; if you get it wrong, telling you whether it's valid or not is not particularly helpful.

Autocompleting usernames would make more sense.

In T58025#1591560, @Tgr wrote:

This seems kind of useless. You are supposed to enter an existing username there; if you get it wrong, telling you whether it's valid or not is not particularly helpful.

Autocompleting usernames would make more sense.

Why do you assume it has to be one or the other? Most auto-complete fields don't force you to use the drop-down, so validation is still useful.

Tgr set Security to None.

Change 124139 had a related patch set uploaded (by Aklapper; author: Ganeshaditya1):

[mediawiki/core@master] AJAX validation of username in password reset page

https://gerrit.wikimedia.org/r/124139

Change 124139 abandoned by Gergő Tisza:

[mediawiki/core@master] AJAX validation of username in password reset page

Reason:

The patch is almost a decade old; the form has been migrated to OOUI and global users have been integrated in the authentication system, so the logic would have to be completely different today.

https://gerrit.wikimedia.org/r/124139