Restrict login names.

There's no good reason to use an empty string as your login name, or to use one so long as to annoy others. Names beginning or ending with whitespace, or containing runs of whitespace, are also a technical problem, so they're also prohibited.

This change does not implement [UTS #39], as I haven't yet fully understood how to do so.

[UTS #39]: https://www.unicode.org/reports/tr39/

1 files changed, 13 insertions, 0 deletions

diff --git a/docs/api/invitations.md b/docs/api/invitations.md
index ddbef8a..83e5145 100644
--- a/docs/api/invitations.md
+++ b/docs/api/invitations.md
@@ -130,6 +130,15 @@ The request must have the following fields:
 | `name`     | string | The new login's name. |
 | `password` | string | The new login's password, in plain text. |
 
+<!-- Reproduced in initial-setup.md. Edit in both places. -->
+The proposed `name` must be valid. The precise definition of valid is still up in the air, but, at minimum:
+
+* It must be non-empty.
+* It must not be "too long." (Currently, 64 characters is too long.)
+* It must begin with an alphanumeric character.
+* It must end with an alphanumeric character.
+* It must not contain runs of multiple whitespace characters.
+
 ### Success
 
 <!-- This prose is duplicated from authentication.md, with small changes for context. If you edit it here, edit it there, too. -->
@@ -162,6 +171,10 @@ The cookie will expire if it is not used regularly.
 
 This endpoint will respond with a status of `404 Not Found` when the invitation ID either does not exist, or has already been accepted.
 
+### Name not valid
+
+This endpoint will respond with a status of `400 Bad Request` if the proposed `name` is not valid.
+
 ### Name in use
 
 This endpoint will respond with a status of `409 Conflict` if the requested login name has already been taken.