DEV Community

137Foundry
137Foundry

Posted on

Why the Async Username Check Is the Worst Part of Most Signup Forms

#a11y #ux #webdev

I have looked at a lot of signup forms in the last year. Most of them have one specific bug that the team probably knows about but has not prioritized: the async username check.

The pattern shows up in slightly different shapes. Sometimes the field reports "available" for half a second before the server responds with "taken." Sometimes the spinner runs for two seconds and the user has already moved to the next field. Sometimes the submit button does not block while the check is pending, so a user who mashes submit can get past the validation entirely. Sometimes the check fails on a network timeout and the user sees a red error that says "username is required" when actually their network is just slow.

Each of these is the same underlying problem: the synchronous validation patterns are well-trodden, but the way forms handle a server roundtrip in the middle of inline feedback is where users get most confused. This is a writeup of how to get it right.

Close-up of a smartphone screen with a signup form
Photo by Sanket Mishra on Pexels

What the user experience is supposed to be

Strip out the engineering. From the user's perspective:

  1. User types a desired username.
  2. User pauses (or tabs away) and the form does a quick server check.
  3. The form tells the user either "this username is available" or "this is taken, here is what is wrong" within a second or so.
  4. The user fixes the username if needed and the field updates the moment they have a working one.
  5. The user submits and the username is reserved atomically with the rest of the form.

That is the spec. Now look at what most signup forms actually do and you will see at least one step where the implementation drifts.

Where the implementations actually fail

Fail mode 1: no debounce, one request per keystroke. The user types "j-o-h-n-s-m-i-t-h" and the form fires nine requests. Eight of them return results that no longer match the current input. The form has to track which request was the latest and ignore the older ones, which it usually does not, so the user sometimes sees "available" flash because an earlier in-flight request resolved last.

The fix is debouncing. Wait 300 to 500 ms after the user stops typing before firing the request. The user perception is "the form checks when I am done with the field," not "the form checks every letter."

Fail mode 2: no pending state. The form fires the request, the spinner is missing or hidden, and the user tabs away expecting that the field is now valid. Half a second later the server returns "taken" and the field flips to red while the user is already in the next field.

The fix is a visible pending state. A small spinner inside or next to the field, plus disabling the submit button. The user understands "this is still being checked" and waits, or at least is not surprised when the result comes in.

Fail mode 3: submit not blocked during pending check. The user types a username, mashes submit before the check completes, and the form sends with username_valid: true based on the assumption that the field looked fine at submit time. The server then either accepts the submission (creating a duplicate username state) or rejects it with a generic 400 that does not surface in the inline UI.

The fix is to disable submit while the check is pending. The button is gray, with a tooltip explaining why ("Verifying username...") until the check completes. The user sees the friction and waits a beat instead of submitting blind.

Fail mode 4: network errors masquerading as validation errors. The server timeout returns nothing or returns a 500. The form's error handler is wired to treat any non-success response as "username is invalid" and shows a red error. The user thinks they did something wrong; the actual problem is the network or the server.

The fix is to distinguish the two cases. A successful server response that says "taken" is a validation error and should show as one. A network timeout or a 5xx is an infrastructure error and should show as one ("we could not verify this right now, please try again"). The two messages are different because the user actions to fix them are different.

The pattern that handles all four

A small piece of pseudocode that captures the right shape:

let activeRequest = null;
let debounceTimer = null;

input.addEventListener('input', () => {
  // Clear any pending debounce and previous error
  clearTimeout(debounceTimer);
  clearError(input, errorElement);

  // Start a new debounce window
  debounceTimer = setTimeout(() => {
    runCheck(input.value);
  }, 400);
});

async function runCheck(value) {
  // Mark request as in flight and disable submit
  setPendingState(input, true);
  submitButton.disabled = true;

  const requestId = ++latestRequestId;
  try {
    const result = await fetch(`/api/usernames/check?value=${encodeURIComponent(value)}`);

    // If a newer request has started, ignore this one
    if (requestId !== latestRequestId) return;

    if (result.ok) {
      const data = await result.json();
      if (data.available) {
        clearError(input, errorElement);
      } else {
        showError(input, errorElement, `${value} is taken. Try another.`);
      }
    } else {
      showInfrastructureMessage(input, errorElement, 'We could not verify this right now. Please try again.');
    }
  } catch (e) {
    showInfrastructureMessage(input, errorElement, 'We could not verify this right now. Please try again.');
  } finally {
    setPendingState(input, false);
    submitButton.disabled = false;
  }
}
Enter fullscreen mode Exit fullscreen mode

The four fail modes map to four patterns in this code: debounce, in-flight tracking with a request id, distinguishing OK from network failure, and disabling submit.

The accessibility piece nobody hand-codes

Once the validation logic is correct, the announcement needs to be wired so screen readers convey the right state. The minimum:

  • aria-describedby="username-error" on the input pointing to the error element.
  • aria-invalid="true" set when the error is showing, cleared when it clears.
  • aria-live="polite" on the error element so the message is announced when it changes.
  • A separate live region or aria-busy="true" on the input while the check is pending, so the screen reader user knows the field is still being evaluated.

The W3C Web Content Accessibility Guidelines cover the formal requirements; the WAI-ARIA Authoring Practices Guide has worked examples of accessible form validation patterns. The pattern is stable across screen readers; the work is making sure your code actually emits the ARIA states consistently.

A small whiteboard with handwritten input flow sketches
Photo by Campaign Creators on Unsplash

The atomic uniqueness check on submit

Even with a perfect inline check, the server still needs to be authoritative on uniqueness. Two users picking the same username at the same time will both pass the inline check; only one will pass the server transaction.

The server-side pattern: the actual username reservation happens in a database transaction with a unique constraint. If the insert fails because of a conflict, the server returns a structured error that the form maps back to a friendly message ("That username was just taken. Try another."). The inline check is a UX optimization; the server is the source of truth.

This is the pattern that makes the form survive the rare race condition without confusing the user. The form respects the inline result for the common case and trusts the server for the conflict case.

How to test it

Three tests that catch most of the failure modes:

  1. Throttle the network. Use the browser dev tools to add 1 to 2 seconds of latency on the username-check endpoint. Confirm the pending state is visible, submit is disabled, and the eventual result lands correctly.
  2. Type fast and stop. Type a username quickly and stop. Confirm only one request fires (debounce working). Confirm the result is the result for the final input, not an earlier intermediate value.
  3. Test a network failure. Use the dev tools to block the username-check endpoint. Confirm the form shows the infrastructure message, not a validation error.

Add an automated test for the in-flight tracking specifically: fire two checks with a small delay, return the first response after the second response, and confirm the form ignores the stale result. The bug where the wrong result wins because requests resolve out of order is one of the most common in real signup flows and is invisible without a test for it.

For a broader accessibility audit, the WAVE browser extension catches missing ARIA attributes; running it on the form during testing surfaces wiring gaps that manual testing misses.

The longer read on the full validation design

This piece focuses on the async username check because it is the part most teams ship wrong. The full design of inline validation (when to trigger sync checks, what the error message should say, how to handle paste and autofill, when success states earn their place) sits in a longer guide on designing inline form validation that actually helps users on 137Foundry's web development service.

The async case is where validation systems leak. Getting the four patterns above right (debounce, pending state, submit blocked, distinguish network from validation) is the difference between a form that feels smooth and one that feels broken.

Top comments (0)