Replace regex with string of legal username chars

src/Microsoft.AspNet.Identity/UserOptions.cs

@@ -11,37 +11,12 @@ namespace Microsoft.AspNet.Identity
     public class UserOptions
     {
         /// <summary>
-        /// Initializes a new instance of the <see cref="UserOptions"/> class.
-        /// </summary>
-        public UserOptions()
-        {
-            //User.RequireUniqueEmail = true; // TODO: app decision?
-        }
-
-        /// <summary>
-        /// Gets or sets the regular expression used to validate user names.
+        /// Gets or sets the list of allowed characters in the username used to validate user names.
         /// </summary>
         /// <value>
-        /// The regular expression used to validate user names.
+        /// The list of allowed characters in the username used to validate user names.
         /// </value>
-        /// <remarks>
-        /// As regular expressions can be subject to Denial of Service attacks, depending on their complexity and user input,
-        /// validation via regular expressions will timeout and fail after the value set in the <see cref="UserNameValidationRegexTimeout"/>
-        /// property.
-        /// </remarks>
-        public string UserNameValidationRegex { get; set; } = "^[a-zA-Z0-9@_\\.]+$";
-
-        /// <summary>
-        /// Gets or sets the timeout value used after which user name validation via the <see cref="UserNameValidationRegex"/> will fail if it has
-        /// not completed.
-        /// </summary>
-        /// <value>
-        /// The timeout value used after which user name validation via the <see cref="UserNameValidationRegex"/> will fail if it has not completed.
-        /// </value>
-        /// <remarks>
-        /// The default value is 20 milliseconds.
-        /// </remarks>
-        public TimeSpan UserNameValidationRegexTimeout { get; set; } = new TimeSpan(0,0,0,0,20);
+        public string AllowedUserNameCharacters { get; set; } = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@";
 
         /// <summary>
         /// Gets or sets a flag indicating whether the application requires unique emails for its users.

src/Microsoft.AspNet.Identity/UserValidator.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Linq;
 #if DNX451
 using System.Net.Mail;
 #endif
@@ -65,8 +66,8 @@ namespace Microsoft.AspNet.Identity
             {
                 errors.Add(Describer.InvalidUserName(userName));
             }
-            else if (manager.Options.User.UserNameValidationRegex != null && 
-                !Regex.IsMatch(userName, manager.Options.User.UserNameValidationRegex, RegexOptions.CultureInvariant, manager.Options.User.UserNameValidationRegexTimeout))
+            else if (!string.IsNullOrEmpty(manager.Options.User.AllowedUserNameCharacters) &&
+                userName.Any(c => !manager.Options.User.AllowedUserNameCharacters.Contains(c)))
             {
                 errors.Add(Describer.InvalidUserName(userName));
             }

test/Microsoft.AspNet.Identity.Test/IdentityOptionsTest.cs

@@ -28,7 +28,7 @@ namespace Microsoft.AspNet.Identity.Test
             Assert.True(options.Password.RequireUppercase);
             Assert.Equal(6, options.Password.RequiredLength);
 
-            Assert.Equal("^[a-zA-Z0-9@_\\.]+$", options.User.UserNameValidationRegex);
+            Assert.Equal("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@", options.User.AllowedUserNameCharacters);
             Assert.False(options.User.RequireUniqueEmail);
 
             Assert.Equal(ClaimTypes.Role, options.ClaimsIdentity.RoleClaimType);
@@ -75,7 +75,7 @@ namespace Microsoft.AspNet.Identity.Test
             Assert.Equal(usernameClaimType, options.ClaimsIdentity.UserNameClaimType);
             Assert.Equal(securityStampClaimType, options.ClaimsIdentity.SecurityStampClaimType);
             Assert.True(options.User.RequireUniqueEmail);
-            Assert.Equal("^[a-zA-Z0-9@_\\.]+$", options.User.UserNameValidationRegex);
+            Assert.Equal("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@", options.User.AllowedUserNameCharacters);
             Assert.False(options.Password.RequireDigit);
             Assert.False(options.Password.RequireLowercase);
             Assert.False(options.Password.RequireNonLetterOrDigit);

test/Microsoft.AspNet.Identity.Test/UserValidatorTest.cs

@@ -43,6 +43,7 @@ namespace Microsoft.AspNet.Identity.Test
         [InlineData("test_email@foo.com", true)]
         [InlineData("hao", true)]
         [InlineData("test123", true)]
+        [InlineData("hyphen-yes@foo-bar.com", true)]
         [InlineData("!noway", false)]
         [InlineData("foo@boz#.com", false)]
         public async Task DefaultAlphaNumericOnlyUserNameValidation(string userName, bool expectSuccess)
@@ -76,7 +77,7 @@ namespace Microsoft.AspNet.Identity.Test
         {
             // Setup
             var manager = MockHelpers.TestUserManager(new NoopUserStore());
-            manager.Options.User.UserNameValidationRegex = null;
+            manager.Options.User.AllowedUserNameCharacters = null;
             var validator = new UserValidator<TestUser>();
             var user = new TestUser {UserName = userName};
 

test/Shared/UserManagerTestBase.cs

@@ -43,7 +43,7 @@ namespace Microsoft.AspNet.Identity.Test
                 options.Password.RequireLowercase = false;
                 options.Password.RequireNonLetterOrDigit = false;
                 options.Password.RequireUppercase = false;
-                options.User.UserNameValidationRegex = null;
+                options.User.AllowedUserNameCharacters = null;
             });
         }