
Add stricter client-side mobile number validation in self-registration #10125

Open
Sithumli wants to merge 3 commits into wso2:master from Sithumli:fix/self-registration-client-side-validation

@Sithumli

Purpose

Add stricter client-side mobile number validation in the self-registration flow to prevent invalid phone numbers from being submitted and causing backend validation failures with generic error pages.

Changes:

| Item | Before | After |
| --- | --- | --- |
| mobilePattern regex | `/^\s*(?:\+?(\d{1,3}))?[-. (]*(\d{3})?[-. )]*(\d{3})?[-. ]*(\d{4,6})(?: *x(\d+))?\s*$/` | `/^\+[1-9]\d{9,14}$/` |
| Format enforced | Loose pattern with optional groups | E.164 international format (10-15 digits) |

Validation behavior:

| Input | Before | After |
| --- | --- | --- |
| +94712345678 (valid Sri Lanka) | ✅ Pass | ✅ Pass |
| +12025551234 (valid USA) | ✅ Pass | ✅ Pass |
| +942560025 (too short) | ✅ Pass (fails server-side) | ❌ Rejected client-side |
| 1234abcd (invalid) | ❌ Rejected | ❌ Rejected |

Related Issues

Related PRs

  • N/A

Checklist

  • e2e cypress tests locally verified. (for internal contributors)
  • Manual test round performed and verified.
  • UX/UI review done on the final implementation.
  • Documentation provided.
  • Relevant backend changes deployed and verified
  • Unit tests provided.
  • Integration tests provided.

Security checks

Developer Checklist (Mandatory)

  • Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

…n" -m "Update mobile number validation regex to enforce E.164 international format requiring 10-15 digits. This prevents invalid phone numbers from being submitted and failing silently on the backend." -m "Fixes: wso2/product-is#27211
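
The before/after table in the PR description can be reproduced directly. The following is an added example, not code from the PR or the WSO2 repository: the two patterns are copied from the description, while `normalizeMobile`, `compare`, `newlyRejected` and the extra sample inputs are constructed for illustration. It goes beyond the table's four inputs to show formatted and short numbers the old pattern accepted.

```javascript
// Patterns copied from the "Before" / "After" row of the PR description.
const LEGACY_PATTERN = /^\s*(?:\+?(\d{1,3}))?[-. (]*(\d{3})?[-. )]*(\d{3})?[-. ]*(\d{4,6})(?: *x(\d+))?\s*$/;
const E164_PATTERN = /^\+[1-9]\d{9,14}$/;

// Hypothetical helper (not in the PR): strip the separators the legacy pattern
// tolerated so a formatted number can still be checked against the strict one.
// It never adds a "+", because the country code cannot be guessed.
function normalizeMobile(raw) {
    return String(raw).trim().replace(/[-. ()]/g, "");
}

// Verdict for one input under each pattern, raw and after normalization.
function compare(raw) {
    return {
        legacy: LEGACY_PATTERN.test(raw),
        strict: E164_PATTERN.test(raw),
        strictNormalized: E164_PATTERN.test(normalizeMobile(raw))
    };
}

// Constructed samples: the four inputs from the PR table plus extra edge cases.
const SAMPLES = [
    "+94712345678", "+12025551234", "+942560025", "1234abcd",
    "+1 (202) 555-1234", "94712345678", "1234", "+0123456789012"
];

// Inputs the old pattern accepted and the new one rejects, i.e. what users
// will newly see flagged in the browser.
function newlyRejected(samples) {
    return samples.filter((s) => {
        const verdict = compare(s);
        return verdict.legacy && !verdict.strict;
    });
}

for (const sample of SAMPLES) {
    console.log(sample.padEnd(20), JSON.stringify(compare(sample)));
}
console.log("newly rejected:", newlyRejected(SAMPLES));
```

A request sent without the browser never runs this check, so the same rule still has to hold on the server.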
Copilot AI review requested due to automatic review settings April 12, 2026 08:27

coderabbitai Bot commented Apr 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: d3d8002b-7ac1-4ac7-b63d-b5d6873f6463

📥 Commits

Reviewing files that changed from the base of the PR and between f345bba and fdb7716.

📒 Files selected for processing (1)
  • identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp
🚧 Files skipped from review as they are similar to previous changes (1)
  • identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp

📝 Walkthrough

Updated self-registration form to add client-side validation for username and mobile number fields with E.164 format enforcement. Modified field DOM IDs and event handlers, and added a changesets entry documenting the patch release.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Form Validation Enhancement (identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp) | Added blur/input event handlers for alphanumeric and email-based username validation. Modified mobile claim field rendering to use dedicated DOM IDs (mobile_field, mobile_error, mobile_error_text). Updated mobile input binding to handlers showMobileNumberValidationStatus() / hideMobileNumberValidationStatus() with explicit id="mobileNumber". Replaced mobile validation regex with E.164-only pattern (`^\+[1-9]\d{9,14}$`) and adjusted pattern attribute logic to exclude mobile claims. |
| Release Documentation (.changeset/bright-turtles-sell.md) | Added changesets entry marking a patch release for @wso2is/identity-apps-core package documenting stricter client-side mobile number validation using E.164 format. |

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Out of Scope Changes check | ❓ Inconclusive | The PR introduces client-side blur/input event handlers and DOM id modifications (mobile_field, mobile_error, mobile_error_text) that appear related to a broader validation refactoring beyond the stated mobile number regex change. | Clarify whether DOM restructuring and blur/input event handler additions are directly required by issue #27211 or represent additional enhancements beyond the E.164 validation scope. |
| Changeset Required | ❓ Inconclusive | Changeset file verification requires actual repository access to determine if .changeset/bright-turtles-sell.md exists in the PR's changed files. | Execute the provided shell scripts in the repository context to verify changeset file presence and contents. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Add stricter client-side mobile number validation in self-registration' is clear, specific, and directly describes the main change in the PR. |
| Description check | ✅ Passed | The description includes detailed purpose, before/after comparison table, validation behavior examples, linked issue reference, partial checklist completion, and security checks—providing sufficient context for code review. |
| Linked Issues check | ✅ Passed | The PR addresses the core requirement from issue #27211 by implementing stricter client-side mobile number validation using E.164 format, preventing invalid phone numbers from reaching backend validation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp (1)

1179-1181: Consider avoiding repeated mobile-claim URI literals here.

This condition now carries behavior-critical branching; extracting the mobile claim URI into a single local constant in this JSP would reduce drift risk across the other http://wso2.org/claims/mobile checks in the same file.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp`
around lines 1179 - 1181, Extract the hard-coded mobile claim URI literal
"http://wso2.org/claims/mobile" into a single local constant and use it wherever
the literal appears; for example, declare a final String MOBILE_CLAIM_URI =
"http://wso2.org/claims/mobile" near the top of the JSP and replace occurrences
in the conditional that uses claim.getValidationRegex() and claim.getUri() (and
any other checks against the mobile claim) to compare against MOBILE_CLAIM_URI
instead of the string literal.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 911a5390-7b9a-4a97-abad-d364788406a0

📥 Commits

Reviewing files that changed from the base of the PR and between 6601bbb and f0e2d59.

📒 Files selected for processing (9)
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources.properties
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_de_DE.properties
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_es_ES.properties
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_fr_FR.properties
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_ja_JP.properties
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_pt_BR.properties
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_pt_PT.properties
  • identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_zh_CN.properties
  • identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp


Copilot AI left a comment

Pull request overview

This PR tightens client-side validation for the self-registration mobile number field to better align with backend expectations and avoid backend-side validation failures.

Changes:

  • Skip applying server-provided pattern validation regex for the mobile claim field in the self-registration form.
  • Replace the existing permissive mobilePattern with a strict E.164 regex (^\+[1-9]\d{9,14}$).
  • Add new i18n keys for email/username format errors across multiple locales.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp | Avoids applying claim regex pattern to the mobile field and enforces E.164 format via JS validation. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources.properties | Adds new email/username format error strings; existing mobile format message remains. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_zh_CN.properties | Adds localized email/username format error strings. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_pt_PT.properties | Adds localized email/username format error strings. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_pt_BR.properties | Adds localized email/username format error strings. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_ja_JP.properties | Adds localized email/username format error strings. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_fr_FR.properties | Adds localized email/username format error strings. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_es_ES.properties | Adds localized email/username format error strings. |
| identity-apps-core/apps/recovery-portal/src/main/resources/org/wso2/carbon/identity/mgt/recovery/endpoint/i18n/Resources_de_DE.properties | Adds localized email/username format error strings. |
Comments suppressed due to low confidence (1)

identity-apps-core/apps/recovery-portal/src/main/webapp/self-registration-username-request.jsp:1186

  • This adds another hard-coded mobile claim URI string. Since this JSP already uses IdentityManagementEndpointConstants.ClaimURIs.* for other claims, consider using the existing MOBILE_CLAIM constant here as well to avoid typos and keep claim URI handling centralized.
                                                onblur="showFieldValidationStatus(this)"
                                                oninput="hideFieldValidationStatus(this)"
                                                <% if (claim.getValidationRegex() != null && !StringUtils.equals(claim.getUri(), "http://wso2.org/claims/mobile")) { %>
                                                pattern="<%= Encode.forHtmlContent(claim.getValidationRegex()) %>"
                                                <% } %>
                                                <% if (claim.getRequired()) { %>
                                                    required
                                                <% } %>
                                                <% if (StringUtils.equals(claim.getUri(), "http://wso2.org/claims/mobile")) { %>
                                                    id="mobileNumber"
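
Review bot: the condition `!StringUtils.equals(claim.getUri(), "http://wso2.org/claims/mobile")` removes the claim's configured `getValidationRegex()` from the mobile field's `pattern` attribute, so the browser check for this field no longer follows whatever regex is configured for the claim and can disagree with what the server accepts. Consider deriving the client-side check from `claim.getValidationRegex()` when it is set and falling back to the E.164 pattern only when it is null, and treat the server-side check as the authoritative one either way. Separately, the `pattern` value is written into a quoted attribute through `Encode.forHtmlContent`; if `Encode` is the OWASP Java Encoder, `forHtmlAttribute` is the method intended for attribute values, since `forHtmlContent` does not escape quotation marks.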


…g email and username format error messages and adding mobile number validation with E.164 format support across multiple language resources.

Development

Successfully merging this pull request may close these issues.

Self-registration flow lacks client-side validation for username, email, and phone etc. causing backend validation failures and generic error page
