If a user navigates to the edu team sign up link (https://replit.com/teams/join/xxx), they are redirected to https://replit.com/signup?goto=%2Fteam%2Fxxx&invite=xxx&randomUsername=userXXX. If they type in a new username and password in the sign up boxes, and click “Create Account”, they are logged into an account with the username from the “randomUsername” URL param, not the username they entered into the username box.
I thought maybe, with the new enhanced security changes, that the username submitted into the sign up box would redirect to the randomly generated username on login, but attempting to log in with this username yields “invalid email/password”.
I’ve tried this with one other team, and tried again after regenerating the signup link and it returned the same result. Would appreciate others seeing if they could replicate the issue!
Potentially this is by design with the security changes…? I suggest the username box should be disabled then, as it’s misleading to be able to enter a new username.
Expected vs Current Behavior:
Current: Username in URL param overrides submitted username.
Expected: Submitted username should override the username in URL param.
Steps to reproduce:
- Navigate to Teams → Specific Team → Manage team members → Copy invite link.
- Use invite link to sign up a new member.
- Check new member username/attempt to sign in with submitted username.
Bug appears at this link: https://replit.com/teams/join/xxx, where xxx is the team’s randomly generated ID.
(I have regenerated the team invite link, so the link in this video is now invalid)
Browser/OS/Device: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/188.8.131.52 Safari/537.36
Have also replicated the issue on Firefox.
Replit Profile: https://replit.com/@RHAdvanced