Username announcement (#10729)

* Change update username API call

The call no longer requires a password and also validates the username.

* Implement API call to verify username without setting it

* Improve coding style

* Apply username verification to registration

* Update error messages

* Validate display names.

* Fix API early Stat Point allocation (#10680)

* Refactor hasClass check to common so it can be used in shared & server-side code

* Check that user has selected class before allocating stat points

* chore(event): end Ember Hatching Potions

* chore(analytics): reenable navigation tracking

* update bcrypt

* Point achievement modal links to main site (#10709)

* Animal ears after death (#10691)

* Animal Ears purchasable with Gold if lost in Death

* remove ears from pinned items when set is bought

* standardise css and error handling for gems and coins

* revert accidental new line

* fix client tests

* Reduce margin-bottom of checklist-item from 10px to -3px. (#10684)

* chore(i18n): update locales

* 4.61.1

* feat(content): Subscriber Items and Magic Potions

* chore(sprites): compile

* chore(i18n): update locales

* 4.62.0

* Display notification for users to confirm their username

* fix typo

* WIP(usernames): Changes to address #10694

* WIP(usernames): Further changes for #10694

* fix(usernames): don't show spurious headings

* Change verify username notification to new version

* Improve feedback for invalid usernames

* Allow user to set their username again to confirm it

* Improve validation display for usernames

* Temporarily move display name validation outside of schema

* Improve rendering banner about sleeping in the inn

See #10695

* Display settings in one column

* Position inn banner when window is resized

* Update inn banner handling

* Fix banner offset on initial load

* Fix minor issues.

* Issue: 10660 - Fixed. Changed default to Please Enter A Value (#10718)

* Issue: 10660 - Fixed. Changed default to Please Enter A Value

* Issue: 10660 - Fixed/revision 2 Changed default to Enter A Value

* chore(news): Bailey announcements

* chore(i18n): update locales

* 4.62.1

* adjust wiki link for usernameInfo string

https://github.com/HabitRPG/habitica-private/issues/7#issuecomment-425405425

* raise coverage for tasks api calls (#10029)

* - updates a group task - approval is required
- updates a group task with checklist

* add expect to test the new checklist length

* - moves tasks to a specified position out of length

* remove unused line

* website getter tasks tests

* re-add sanitizeUserChallengeTask

* change config.json.example variable to be a string not a boolean

* fix tests - pick the text / up/down props too

* fix test - remove changes on text/up/down - revert sanitize condition - revert sanitization props

* Change update username API call

The call no longer requires a password and also validates the username.

* feat(content): Subscriber Items and Magic Potions

* Re-add register call

* Fix merge issue

* Fix issue with setting username

* Implement new alert style

* Display username confirmation status in settings

* Add disclaimer to change username field

* validate username in settings

* Allow specific fields to be focused when opening site settings

* Implement requested changes.

* Fix merge issue

* Fix failing tests

* verify username when users register with username and password

* Set ID for change username notification

* Disable submit button if username is invalid

* Improve username confirmation handling

* refactor(settings): address remaining code comments on auth form

* Revert "refactor(settings): address remaining code comments on auth form"

This reverts commit 9b6609ad64.

* Social user username (#10620)

* Refactored private functions to library

* Refactored social login code

* Added username to social registration

* Changed id library

* Added new local auth check

* Fixed export error. Fixed password check error

* fix(settings): password not available on client

* refactor(settings): more sensible placement of methods

* chore(migration): script to hand out procgen usernames

* fix(migration): don't give EVERYONE new names you doofus

* fix(migration): limit data retrieved, be extra careful about updates

* fix(migration): use missing field, not migration tag, for query

* fix(migration): unused var

* fix(usernames): only generate 20 characters

* fix(migration): set lowerCaseUsername

website/server/controllers/api-v4/auth.js

@@ -1,8 +1,100 @@
-import { authWithHeaders } from '../../middlewares/auth';
+import {
+  authWithHeaders,
+} from '../../middlewares/auth';
 import * as authLib from '../../libs/auth';
+import {
+  NotAuthorized,
+  BadRequest,
+} from '../../libs/errors';
+import * as passwordUtils from '../../libs/password';
+import { model as User } from '../../models/user';
+import {verifyUsername} from '../../libs/user/validation';
 
 const api = {};
 
+/**
+ * @api {put} /api/v4/user/auth/update-username Update username
+ * @apiDescription Update the username of a local user
+ * @apiName UpdateUsername
+ * @apiGroup User
+ *
+ * @apiParam (Body) {String} username The new username
+
+ * @apiSuccess {String} data.username The new username
+ **/
+api.updateUsername = {
+  method: 'PUT',
+  middlewares: [authWithHeaders()],
+  url: '/user/auth/update-username',
+  async handler (req, res) {
+    const user = res.locals.user;
+
+    req.checkBody({
+      username: {
+        notEmpty: {errorMessage: res.t('missingUsername')},
+      },
+    });
+
+    const validationErrors = req.validationErrors();
+    if (validationErrors) throw validationErrors;
+
+    const newUsername = req.body.username;
+
+    const issues = verifyUsername(newUsername, res);
+    if (issues.length > 0) throw new BadRequest(issues.join(' '));
+
+    const password = req.body.password;
+    if (password !== undefined) {
+      let isValidPassword = await passwordUtils.compare(user, password);
+      if (!isValidPassword) throw new NotAuthorized(res.t('wrongPassword'));
+    }
+
+    const existingUser = await User.findOne({ 'auth.local.lowerCaseUsername': newUsername.toLowerCase() }, {auth: 1}).exec();
+    if (existingUser !== undefined && existingUser !== null && existingUser._id !== user._id) {
+      throw new BadRequest(res.t('usernameTaken'));
+    }
+
+    // if password is using old sha1 encryption, change it
+    if (user.auth.local.passwordHashMethod === 'sha1' && password !== undefined) {
+      await passwordUtils.convertToBcrypt(user, password); // user is saved a few lines below
+    }
+
+    // save username
+    user.auth.local.lowerCaseUsername = newUsername.toLowerCase();
+    user.auth.local.username = newUsername;
+    user.flags.verifiedUsername = true;
+    await user.save();
+
+    res.respond(200, { username: req.body.username });
+  },
+};
+
+api.verifyUsername = {
+  method: 'POST',
+  url: '/user/auth/verify-username',
+  async handler (req, res) {
+    req.checkBody({
+      username: {
+        notEmpty: {errorMessage: res.t('missingUsername')},
+      },
+    });
+
+    const validationErrors = req.validationErrors();
+    if (validationErrors) throw validationErrors;
+
+    const issues = verifyUsername(req.body.username, res);
+
+    const count = await User.count({ 'auth.local.lowerCaseUsername': req.body.username.toLowerCase() });
+    if (count > 0)  issues.push(res.t('usernameTaken'));
+
+    if (issues.length > 0) {
+      res.respond(200, { isUsable: false, issues });
+    } else {
+      res.respond(200, { isUsable: true });
+    }
+  },
+};
+
 /*
 * NOTE most user routes are still in the v3 controller
 * here there are only routes that had to be split from the v3 version because of
@@ -35,4 +127,4 @@ api.registerLocal = {
   },
 };
 
-module.exports = api;
+module.exports = api;