Disallow @ symbol in usernames

[Copilot]

Usernames containing @ could be confused with email addresses or @-mentions. This adds validation to reject them at both registration and username-change. Existing users with @ in their usernames are unaffected.

Changes

• auctions/validators.py (new) — validate_username_no_at_symbol validator and a USERNAME_VALIDATORS list combining Django's default username validators with the new one
• settings.py — ACCOUNT_USERNAME_VALIDATORS set to "auctions.validators.USERNAME_VALIDATORS", so allauth's adapter enforces the restriction across all signup flows natively
• ChangeUsernameForm.clean_username — delegates to the shared validate_username_no_at_symbol validator (this form is a plain Django ModelForm, not part of allauth)
• Tests — ChangeUsernameFormTest (form-level) and CustomSignupFormTest (verifies allauth adapter rejects @ usernames via the configured validators)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>disallow @ symbol in usernames</issue_title>
<issue_description>For new users and for name changes of existing users, don't allow the @ symbol in the username field.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes disallow @ symbol in usernames #716

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[iragm]

@copilot is there a built in way that django-allauth handles this and would that be cleaner? We have many users with @ in their ueranmes already

[Copilot]

@copilot is there a built in way that django-allauth handles this and would that be cleaner? We have many users with @ in their ueranmes already

Yes — allauth provides ACCOUNT_USERNAME_VALIDATORS exactly for this. Switched to that approach in 8dab91a.

The change creates auctions/validators.py with a validate_username_no_at_symbol function and a USERNAME_VALIDATORS list (Django's default validators + the new one), then sets ACCOUNT_USERNAME_VALIDATORS = "auctions.validators.USERNAME_VALIDATORS" in settings. Allauth's adapter calls this list on every signup/username flow automatically, so CustomSignupForm no longer needs its own clean_username. The ChangeUsernameForm (which is a plain Django ModelForm, not an allauth form) still has its own clean_username but now delegates to the shared validator.

Existing users with @ in their usernames are unaffected — this only validates new usernames on signup and on the username-change form.

[Copilot]

Pull request overview

Adds a consistent username validation rule across django-allauth signup and the site’s username change form by disallowing @ in usernames, avoiding confusion with email-based login.

Changes:

• Configure django-allauth to use a shared username validator list via ACCOUNT_USERNAME_VALIDATORS.
• Introduce a reusable validate_username_no_at_symbol validator (and a USERNAME_VALIDATORS bundle).
• Add form-level validation + tests covering both the change-username flow and allauth adapter behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
fishauctions/settings.py	Wires allauth username validation to the project’s validator list.
auctions/validators.py	Adds the @-blocking username validator and exported USERNAME_VALIDATORS.
auctions/forms.py	Enforces the same rule in ChangeUsernameForm.clean_username().
auctions/tests.py	Adds regression tests for both form validation and allauth adapter validation.