User can be created with an invalid username, leading to server errors after login #7104

webknjaz opened this issue Feb 26, 2024 · 5 comments
webknjaz commented Feb 26, 2024

Describe the issue

I just registered @ datatracker.ietf.org. I tend to use sub-addressing when registering on different websites. This time, I registered with an address having a format of twochars+~accounts/[email protected]. I got a verification email, clicked on the link, filled out the form with the name and a password generated using Bitwarden (128 random chars with special symbols). This worked too.

I'm trying to log in, the browser sends my login creds to https://datatracker.ietf.org/accounts/login/?next=/ and gets a normal 302 Found in response, with Location: /. Following the redirect, it shows me this banner:

Internal Server Error


The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a script used to generate the requested page. In case this was an overload problem or other temporary error, you may want to try again in a little while.

A failure report with details about what happened has been sent to the server administrators. It would be helpful if you would create an issue providing additional information at GitHub, too.

I can click on various links in the top menu but none of them works — each of them shows this exact banner. When I clear the cookies, the content shows up on all the pages, but as soon as I log in again, it's broken the same way.

This makes me think there's some crash/traceback that is happening post-login in the web app, after retrieving the user session and doing something with the data. The HTTP session itself probably works on the Django framework level. Perhaps it doesn't like my e-mail format (the most likely reason!).

P.S. The only website pages that seem to work are direct RFC pages like https://datatracker.ietf.org/doc/html/rfc6874

@jennifer-richards (Member) commented

I believe you are correct that it is related to the format of your username. Will take some investigation to see whether we can fix this to accept the username you used or whether we need to adjust the rules on username format.

If it's acceptable to use a different username, changing it will probably be the fastest way to get online (this will probably require assistance; I'll contact you directly to discuss).

@webknjaz (Author) commented

I'm not in a rush, thanks! Just wanted to report :)

jennifer-richards changed the title from "Consistent HTTP 500 Internal Server Error on all pages right after logging in" to "User can be created with an invalid username, leading to server errors after login" on Feb 29, 2024

@jennifer-richards (Member) commented

The issue is caused by the "/" in the email address used for the Django username.

Django's User model allows only alphanumerics and the @.+-_ characters in usernames. The easiest thing to do here is to disallow characters other than those in email addresses, but that will disallow many valid emails.

A compromise would be to require an email that satisfies the username rules as the initial email address and restrict username changes to addresses that also satisfy it. This would avoid problems that might arise from having usernames that Django might not expect while also allowing users to add other emails.

(Note that they could still make any email their primary email, they just would not be able to choose it as their username)


jennifer-richards commented Feb 29, 2024

Character frequencies in all of the addresses in the datatracker:

>>> Counter(c for c in list("".join(addrs)))
Counter({'a': 75109, 'o': 71142, '.': 63757, 'm': 62223, 'i': 59199, 'c': 57918, 'e': 57763, 'n': 47469, 
'@': 42144, 'l': 41128, 'r': 39425, 's': 35328, 't': 33853, 'g': 27488, 'u': 25379, 'h': 22107, 
'd': 20777, 'k': 14598, 'b': 12528, 'p': 11937, 'y': 10319, 'f': 8634, 'j': 8363, 'w': 7934, 'v': 7225, 
'1': 4962, 'z': 4912, '0': 3818, '2': 3615, '3': 2949, 'x': 2931, '9': 2779, '-': 2693, '8': 2346,
'6': 2277, '7': 2160, '4': 1996, '5': 1973, 'q': 1650, '_': 980, 'S': 206, 'M': 201, 'C': 200, '+': 198, 
'A': 139, 'L': 138, 'P': 126, 'J': 125, 'D': 121, 'R': 117, 'B': 115, 'T': 112, 'N': 103, 'E': 92, 'K': 90, 
'H': 83, 'G': 83, 'O': 76, 'I': 72, 'F': 60, 'W': 44, ' ': 43, 'U': 40, 'V': 34, 'Y': 28, 'Z': 19, 'X': 16, 
'Q': 14, '(': 7, ')': 7, "'": 3, '/': 3, '~': 3, ',': 2, '%': 2, '=': 1, '!': 1, '"': 1, ':': 1, ';': 1})

or, counting addresses that contain non-Django-username characters,

>>> badcounts = {' ': 43, '(': 7, ')': 7, "'": 3, '/': 3, '~': 3, ',': 2, '%': 2, '=': 1, '!': 1, '"': 1, ':': 1, ';': 1}
>>> s = set()
>>> [s.update(Email.objects.filter(address__contains=c).values_list("pk", flat=True)) for c in badcounts]
[None, None, None, None, None, None, None, None, None, None, None, None, None]
>>> len(s)
37

(and of those 37, one is the address that prompted this issue and two are addresses I created while debugging)
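Added example (not datatracker code) that applies the username rule from the two comments above to email addresses: it reuses the regex Django's UnicodeUsernameValidator applies to User.username, audits a list of addresses the way the shell session does, and implements the proposed compromise of only accepting a username-safe address as the initial or changed username. The helper names and the sample address list are constructed here.

```python
import re
from collections import Counter

# Pattern Django's UnicodeUsernameValidator applies to User.username:
# word characters (letters, digits, underscore) plus . @ + -
USERNAME_RE = re.compile(r"^[\w.@+-]+\Z")


def username_safe(address: str) -> bool:
    """True if the address can be stored unchanged as a Django username."""
    return USERNAME_RE.match(address) is not None


def offending_chars(address: str) -> set:
    """Characters in the address that the username rule rejects."""
    return {c for c in address if not USERNAME_RE.match(c)}


def audit(addresses):
    """Like the shell session above: which addresses fail the rule, and
    how often each rejected character occurs among them."""
    bad = [a for a in addresses if not username_safe(a)]
    counts = Counter(c for a in bad for c in a if not USERNAME_RE.match(c))
    return bad, counts


def choose_username(initial_email: str, requested=None) -> str:
    """Compromise from the thread: the initial email becomes the username,
    and a later change is only allowed to an address that also passes the
    rule. Any address may still be used as a primary/contact email."""
    candidate = initial_email if requested is None else requested
    if not username_safe(candidate):
        raise ValueError(
            "address cannot be used as a username, rejected characters: "
            + " ".join(sorted(offending_chars(candidate)))
        )
    return candidate


# Constructed sample addresses (not real datatracker data).
SAMPLE_ADDRESSES = [
    "alice@example.org",
    "bob.smith+ietf@example.com",
    "carol_d-1@example.co.uk",
    "jürgen@example.de",              # \w also accepts non-ASCII letters
    "cd+~accounts/site@example.net",  # sub-address containing ~ and /
    "o'brien@example.com",
    "eve (work)@example.org",
]

if __name__ == "__main__":
    print(audit(SAMPLE_ADDRESSES))
```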

rjsparks (Member) commented Mar 1, 2024

It's worth also filtering to "is_active=True" while thinking this through (on User).
