If you try to create a username that has a hash in, we've got three totally different behaviours on four platforms:
- Desktop: Refuses to create username because it has a hash in it.
- iOS App: Lets you create the username, but silently truncates everything including and after the hash, then fails to log you in saying that you provided an illegal username because it tried to log you in to the username that has a hash in.
- Android App and Mobile Web: Lets you create the username, but silently truncates everything including and after the hash, then logs you in successfully to the truncated username.
If desktop doesn't let you create these usernames then neither should any of our mobile platforms.
I'm unclear what the correct engineering solution is though. Do we change the API used to create accounts to error if you try to include hashes (instead of silently truncating and creating), or do we just include client-side validation to disallow hashes?
Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=64409
https://bugzilla.wikimedia.org/show_bug.cgi?id=64960
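
The two options raised in the report, sketched as an added example (not MediaWiki code and not part of the original report): it contrasts truncate-then-create with an API that rejects the name, and reuses one validator for the client-side check. All function names, error codes and the in-memory account store are hypothetical.

```javascript
// Added example. Every name here is an assumption, not MediaWiki's API.

// Single rule shared by client and server: a username must not contain "#".
function validateUsername(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return { ok: false, error: 'empty-username' };
  }
  if (name.includes('#')) {
    return { ok: false, error: 'illegal-username' };
  }
  return { ok: true };
}

function makeRegistry() {
  const accounts = new Set(); // in-memory stand-in for the account table

  return {
    // Behaviour described in the report: drop "#" and everything after it,
    // then create the account under the shortened name without telling the caller.
    createTruncating(requested) {
      const stored = requested.split('#')[0];
      accounts.add(stored);
      return { ok: true, stored };
    },

    // Alternative: the API refuses the request, so every client
    // (desktop, apps, mobile web) gets the same answer.
    createStrict(requested) {
      const check = validateUsername(requested);
      if (!check.ok) return check;
      accounts.add(requested);
      return { ok: true, stored: requested };
    },

    // Login using exactly the string the user typed at sign-up.
    login(name) {
      const check = validateUsername(name);
      if (!check.ok) return check;
      return accounts.has(name) ? { ok: true } : { ok: false, error: 'no-such-user' };
    },
  };
}

// Client-side use of the same rule: faster feedback only. The server-side
// check in createStrict remains the authoritative one, since a client can be bypassed.
function clientCanSubmit(name) {
  return validateUsername(name).ok;
}
```

With `createTruncating`, the requested name `Example#1` (constructed) is stored as `Example`, so a login with the typed name fails while a login as `Example` succeeds; with `createStrict` no account is created at all.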