fix(accounts): enforce blocked usernames containing special characters

[sahillllllllll-bit]

Closes #39182 1st part

Summary

This PR fixes an issue where usernames containing regex special characters (e.g., ., +, *) were not properly enforced when added to Blocked UsernameList.

Previously, the username was escaped both when constructing the blacklist regex and again when testing it. This double escaping caused blocked usernames such as john.doe to bypass validation.

Changes

• Removed the unnecessary escapeRegExp call when testing usernames against the blocked list.
• Ensured usernames containing special characters are correctly matched and blocked.

Result

Usernames explicitly added to BlockedUsernameList are now consistently enforced, regardless of whether they contain special characters.

Summary by CodeRabbit

• Bug Fixes
  • Improved username validation to accurately check blacklisted patterns, ensuring special characters are properly handled during availability checks.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9ad4ce1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c30636 and 9ad4ce1.

📒 Files selected for processing (1)

• apps/meteor/app/lib/server/functions/checkUsernameAvailability.ts

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/lib/server/functions/checkUsernameAvailability.ts

🧠 Learnings (2)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/lib/server/functions/checkUsernameAvailability.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/lib/server/functions/checkUsernameAvailability.ts

🔇 Additional comments (1)

apps/meteor/app/lib/server/functions/checkUsernameAvailability.ts (1)

18-19: LGTM! Correctly removes the double-escaping bug.

The fix is sound: toRegExp (line 12) already escapes regex metacharacters when building the blacklist patterns (e.g., john.doe → /^john\.doe$/i). Testing the raw username.trim() directly against these pre-escaped patterns ensures proper matching. The previous approach of escaping again during the test caused the literal backslash to be matched against the pattern, causing blocked usernames with special characters to slip through.

---

Walkthrough

Updated username blacklist check to test the raw trimmed username directly against RegExp patterns without escaping special characters first. This allows blocked usernames containing regex metacharacters (such as ., +, *) to be properly matched and enforced during validation.

Changes

Cohort / File(s)	Summary
Username Blacklist Validation apps/meteor/app/lib/server/functions/checkUsernameAvailability.ts	Removed character escaping before regex testing against blacklist patterns. Enables proper matching of blocked usernames containing special characters.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

type: bug, area: authentication

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: removing double-escaping to enforce blocked usernames containing special characters.
Linked Issues check	✅ Passed	The PR successfully addresses the backend portion of issue #39182 by removing unnecessary escapeRegExp during blacklist testing to enforce special-character usernames.
Out of Scope Changes check	✅ Passed	The change is narrowly focused on the backend username blacklist validation and does not include frontend UI changes, which are appropriately deferred to a separate PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1 file

[sahillllllllll-bit]

@ggazzo please have a look at this issue ?