Usernames

From RestAuth
This should actually be part of the documentation at server.restauth.net.


The topic of usernames in RestAuth is rather complex, because different systems using RestAuth forbid different characters. Naturally, if a user registers in one service, you want him/her to be able to use the other services too. By default, RestAuth forbids usernames that are invalid in any of a range of systems such as content management systems, email and both Linux and Windows system accounts. This restricts valid usernames to ASCII letters and numbers. Additionally, underscores ("_") and dashes ("-") are also valid (the latter is not allowed at the start of a username).

This is very restrictive, but you can easily loosen those restrictions. RestAuth uses "validators" that check that a username is valid for a certain system. Use the SKIP_VALIDATORS setting to disable one or more validators.

RestAuth and case sensitivity

Usernames are case insensitive. Systems handle case in different ways, so treating usernames as case insensitive is a precaution that handles these differences safely.

RestAuth and non-ASCII usernames

Currently, only the "email" validator strictly enforces a string to be valid ASCII. Also, the "linux" validator enforces a username to be in ASCII if FILTER_LINUX_USERNAME_NOT_RECOMMENDED is not set to False.

Validators

Please always keep in mind that the general validator also filters certain special characters. You can configure RestAuth to skip any validator by setting the SKIP_VALIDATORS variable in localsettings.py. So if you know you will never want any Linux or Windows machines to authenticate against RestAuth nor ever want any email addresses based on RestAuth, set SKIP_VALIDATORS to:

SKIP_VALIDATORS = [ 'linux', 'windows', 'email' ]

general

This is a general filter that filters various dangerous characters. It is highly recommended that you do not disable this validator as other validators assume that this one is also called. This filters usernames:

  • containing a slash ("/"), a backslash ("\") or a colon (":")
  • beginning or ending with a dot (".")
  • containing characters from Table C.2 to C.9 as defined in RFC3454. These are just certain control characters etc. and should not affect any user.

xmpp

The xmpp validator filters the characters

"&'/<>@

as well as any space characters as defined in table C.1 in RFC3454.

email

The email validator enforces the username to be an ASCII string. It additionally filters these characters:

(),;<>@[]

... and the "space" character.

mediawiki

This validator enforces that a username is no longer than 255 bytes, accounting for multi-byte characters in Unicode. It filters the reserved names 'MediaWiki default', 'Conversion script', 'Maintenance script', 'msg:double-redirect-fixer', 'Template namespace initialisation script' as well as these special characters:

#<>]|[{}

linux

With this validator usernames must match the regular expression '[a-z_][a-z0-9_-]*[$]?' and be no longer than 32 characters. This means usernames must start with a letter or an underscore ("_"), contain only letters, digits, underscores and dashes ("-") and optionally can end with a dollar sign ("$"). You can heavily loosen these restrictions without disabling the validator altogether by setting FILTER_LINUX_USERNAME_NOT_RECOMMENDED to False. With this setting, usernames still cannot be longer than 32 characters, cannot start with a dash ("-") and cannot contain spaces.

windows

This validator filters the reserved usernames 'ANONYMOUS', 'AUTHENTICATED USER', 'BATCH', 'BUILTIN', 'CREATOR GROUP', 'CREATOR GROUP SERVER', 'CREATOR OWNER', 'CREATOR OWNER SERVER', 'DIALUP', 'DIGEST AUTH', 'INTERACTIVE', 'INTERNET', 'LOCAL', 'LOCAL SYSTEM', 'NETWORK', 'NETWORK SERVICE', 'NT AUTHORITY', 'NT DOMAIN', 'NTLM AUTH', 'NULL', 'PROXY', 'REMOTE INTERACTIVE', 'RESTRICTED', 'SCHANNEL AUTH', 'SELF', 'SERVER', 'SERVICE', 'SYSTEM', 'TERMINAL SERVER', 'THIS ORGANIZATION', 'USERS', 'WORLD' as well as these characters:

"[];|=+*?<>
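
The sketch below is an added example, not RestAuth's own code: it re-implements the general, xmpp, email, mediawiki and linux rules as described on this page so you can see which validators reject a given name and how a SKIP_VALIDATORS list changes the outcome. The function names, lowercasing names before checking, and counting MediaWiki's 255 bytes as UTF-8 are assumptions of the example.

```python
import re
import stringprep

# RFC 3454 tables C.2 to C.9, as exposed by Python's stringprep module.
_C2_TO_C9 = (stringprep.in_table_c21_c22, stringprep.in_table_c3,
             stringprep.in_table_c4, stringprep.in_table_c5,
             stringprep.in_table_c6, stringprep.in_table_c7,
             stringprep.in_table_c8, stringprep.in_table_c9)
# Reserved names from the mediawiki section, lowercased to match the
# lowercased input (assumption of this example).
_MEDIAWIKI_RESERVED = {'mediawiki default', 'conversion script',
                       'maintenance script', 'msg:double-redirect-fixer',
                       'template namespace initialisation script'}
_LINUX_RE = re.compile(r'[a-z_][a-z0-9_-]*[$]?')

def general(name):
    return not (any(c in '/\\:' for c in name)
                or name.startswith('.') or name.endswith('.')
                or any(f(c) for c in name for f in _C2_TO_C9))

def xmpp(name):
    # in_table_c11_c12 covers the space characters of RFC 3454 table C.1.
    return not any(c in '"&\'/<>@' or stringprep.in_table_c11_c12(c)
                   for c in name)

def email(name):
    return name.isascii() and not any(c in '(),;<>@[] ' for c in name)

def mediawiki(name):
    # Assumption: the 255-byte limit is measured on the UTF-8 encoding.
    return (len(name.encode('utf-8')) <= 255
            and name not in _MEDIAWIKI_RESERVED
            and not any(c in '#<>]|[{}' for c in name))

def linux(name):
    # Strict mode only (FILTER_LINUX_USERNAME_NOT_RECOMMENDED left enabled).
    return len(name) <= 32 and _LINUX_RE.fullmatch(name) is not None

VALIDATORS = {'general': general, 'xmpp': xmpp, 'email': email,
              'mediawiki': mediawiki, 'linux': linux}

def rejected_by(username, skip_validators=()):
    """Return the sorted names of the active validators that reject username."""
    name = username.lower()  # assumption: case-insensitive names compared lowercased
    return sorted(v for v, ok in VALIDATORS.items()
                  if v not in skip_validators and not ok(name))
```

For example, `rejected_by('müller')` names the email and linux validators, and passing the page's `['linux', 'windows', 'email']` skip list makes the same name acceptable.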
