Create User response code 400 (bad request), but still created with "invalid" data #8

@petomka

I was playing around with the REST API to see if it could be used for another project of mine, not related to Minecraft, but that is not the focus here.

When making a POST request to /user to create a new user, the username provided is silently required to be a "semi-valid" Minecraft username, but this is not specified in the API documentation. I call it "semi-valid" because single letter names are considered valid (I understand this is necessary because of legacy account names), but names containing characters not allowed in Minecraft, such as dot (.) or at (@), are not.

When trying to create a user with an invalid character, the server returns a 400 (bad request), but when the request is repeated, the server returns a 409 (conflict) because the user already exists. Attempting to look up the user using the unique id provided previously confirms that the user was created with Minecraft-illegal characters.

The expected behaviour would be either error 400 (bad request) and the record not created, or response 201 (created). The documentation also states that error 400 is only returned if there is missing information, which in this case isn't missing, it's reported as bad data, but accepted anyway.

Can this check for Minecraft-illegal characters be turned off?
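A minimal model of the 400-then-409 sequence reported above, as an added example that is not part of the original post and is not the project's code. It contrasts a handler that writes the record before validating with one that validates first. Assumptions: the handler names, the in-memory `UserStore`, the username pattern, and conflicts being detected on the unique id are all hypothetical.

```python
import re
import uuid

# Assumed rule (not from the project): Minecraft-style characters, 1-16 long,
# since the report says single-letter names are accepted.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,16}")


class UserStore:
    """In-memory stand-in for the server's user table (hypothetical)."""

    def __init__(self):
        self.by_id = {}

    def insert(self, user_id, username):
        if user_id in self.by_id:
            return False
        self.by_id[user_id] = username
        return True


def create_user_persist_first(store, user_id, username):
    """Models the reported behaviour: the record is written, then rejected."""
    if not store.insert(user_id, username):
        return 409
    if not USERNAME_RE.fullmatch(username):
        return 400  # too late: the row already exists
    return 201


def create_user_validate_first(store, user_id, username):
    """Validation happens before any write, so a 400 leaves no state behind."""
    if not USERNAME_RE.fullmatch(username):
        return 400
    if not store.insert(user_id, username):
        return 409
    return 201


def replay(handler, username):
    """Send the same create request twice; return both statuses and stored flag."""
    store = UserStore()
    user_id = str(uuid.UUID(int=1))  # constructed sample id
    first = handler(store, user_id, username)
    second = handler(store, user_id, username)
    return first, second, user_id in store.by_id
```

Replaying an identical request and then looking the id up, as `replay` does, is a cheap regression check for any endpoint whose error responses are supposed to leave no record behind.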
