add length and character limitations for login name (username) (#9895)

* update API comments to for `username` restrictions and to use Login Name terminology

We use "login name" rather than "username" in user-visible text
on the website and (usually) when communicating with users because
"username" could be confused with "profile name".
Using it in the docs allows you to search for that term.

* add alphanumeric and length validation for creating new login name (username)

The 'en-US' locale is specified explicitly to ensure we never use
another locale. The point of this change is to limit the character
set to prevent login names being used to send spam in the Welcome
emails, such as Chinese language spam we've had trouble with.

* add error messages for bad login names

* allow login name to also contain hyphens

This is because our automated tests generate user accounts using:
  let username = generateUUID();

* allow login names to be up to 36 characters long because we use UUIDs as login names in our tests

* revert back to using max 20 characters and only a-z, 0-9 for login name.

It's been decided to change the username generation in the tests instead.

* disable test that is failing because it's redundant

Spaces are now prohibited by other code.

We can probably delete this test later. I don't want to delete it
now, but instead give us time to think about that.

* fix typos

* revert to login name restrictions that allow us to keep using our existing test code

I'm really not comfortable changing our test suite in ways that
aren't essential, especially since we're working in a hurry with
a larger chance than normal of breaking things.
The 36 character length is larger than we initially decided but
not so much larger that it's a huge problem.
We can reduce it to 20 when we have more time.

* limit username length to 20 chars

* fix tests

website/server/controllers/api-v3/auth.js

@@ -25,6 +25,8 @@ import { validatePasswordResetCodeAndFindUser, convertToBcrypt} from '../../libs
 const BASE_URL = nconf.get('BASE_URL');
 const TECH_ASSISTANCE_EMAIL = nconf.get('EMAILS:TECH_ASSISTANCE_EMAIL');
 const COMMUNITY_MANAGER_EMAIL = nconf.get('EMAILS:COMMUNITY_MANAGER_EMAIL');
+const USERNAME_LENGTH_MIN = 1;
+const USERNAME_LENGTH_MAX = 20;
 
 let api = {};
 
@@ -78,11 +80,11 @@ function hasBackupAuth (user, networkToRemove) {
 
 /**
  * @api {post} /api/v3/user/auth/local/register Register
- * @apiDescription Register a new user with email, username and password or attach local auth to a social user
+ * @apiDescription Register a new user with email, login name, and password or attach local auth to a social user
  * @apiName UserRegisterLocal
  * @apiGroup User
  *
- * @apiParam (Body) {String} username Username of the new user
+ * @apiParam (Body) {String} username Login name of the new user. Must be 1-36 characters, containing only a-z, 0-9, hyphens (-), or underscores (_).
  * @apiParam (Body) {String} email Email address of the new user
  * @apiParam (Body) {String} password Password for the new user
  * @apiParam (Body) {String} confirmPassword Password confirmation
@@ -101,7 +103,12 @@ api.registerLocal = {
         notEmpty: {errorMessage: res.t('missingEmail')},
         isEmail: {errorMessage: res.t('notAnEmail')},
       },
-      username: {notEmpty: {errorMessage: res.t('missingUsername')}},
+      username: {
+        notEmpty: {errorMessage: res.t('missingUsername')},
+        isLength: {options: {min: USERNAME_LENGTH_MIN, max: USERNAME_LENGTH_MAX}, errorMessage: res.t('usernameWrongLength')},
+        // TODO use the constants in the error message above
+        matches: {options: /^[-_a-zA-Z0-9]+$/, errorMessage: res.t('usernameBadCharacters')},
+      },
       password: {
         notEmpty: {errorMessage: res.t('missingPassword')},
         equals: {options: [req.body.confirmPassword], errorMessage: res.t('passwordConfirmationMatch')},