Pseudonymise username in urls

app/helpers/routing/pseudonymization_helper.rb

@@ -4,6 +4,7 @@ module Routing
   module PseudonymizationHelper
     PSEUDONOMIZED_NAMESPACE = "namespace"
     PSEUDONOMIZED_PROJECT = "project"
+    PSEUDONOMIZED_USERNAME = "username"
     PSEUDONOMIZED_GROUP = "group"
     PSEUDONOMIZED_ID = "id"
 
@@ -38,6 +39,8 @@ def mask_params
           case key
           when :project_id
             [key, "project#{@project&.id}"]
+          when :username
+            [key, PSEUDONOMIZED_USERNAME]
           when :namespace_id, :group_id
             namespace = @group || @project&.namespace
             [key, "namespace#{namespace&.id}"]
@@ -72,6 +75,7 @@ def has_maskable_params?
           request_params.key?(:group_id) ||
           request_params.key?(:project_id) ||
           request_params.key?(:id) ||
+          request_params.key?(:username) ||
           @request.query_string.present?
       end
 
@@ -118,6 +122,8 @@ def masked_referrer_url(url)
         params[:id] = PSEUDONOMIZED_NAMESPACE
       when 'projects'
         params[:id] = PSEUDONOMIZED_PROJECT
+      when 'users'
+        params[:username] = PSEUDONOMIZED_USERNAME
       else
         params[:id] = PSEUDONOMIZED_ID if params[:id]
       end

spec/helpers/routing/pseudonymization_helper_spec.rb

@@ -148,6 +148,29 @@
       it_behaves_like 'masked url'
     end
 
+    context 'with username in path parameters' do
+      let(:masked_url) { "http://localhost/username" }
+      let(:request) do
+        double(
+          :Request,
+          path_parameters: {
+            controller: 'users',
+            action: 'show',
+            username: 'someuser'
+          },
+          protocol: 'http',
+          host: 'localhost',
+          query_string: ''
+        )
+      end
+
+      before do
+        allow(helper).to receive(:request).and_return(request)
+      end
+
+      it_behaves_like 'masked url'
+    end
+
     context 'when assignee_username is present' do
       let(:masked_url) { "http://localhost/dashboard/issues?assignee_username=masked_assignee_username" }
       let(:request) do
@@ -366,6 +389,21 @@
         expect(helper.masked_referrer_url(original_url)).to eq(masked_url)
       end
     end
+
+    context 'with controller for users' do
+      let(:original_url) { "http://localhost/someuser" }
+      let(:masked_url) { 'http://localhost/username' }
+
+      it 'masks username in the URL for users controller' do
+        allow(Rails.application.routes).to receive(:recognize_path)
+          .with(original_url)
+          .and_return({ controller: 'users', action: 'show', username: 'someuser' })
+
+        stub_feature_flags(mask_page_urls: true)
+
+        expect(helper.masked_referrer_url(original_url)).to eq(masked_url)
+      end
+    end
   end
 
   describe 'masked_query_params' do