TheCacophonyProject/cacophony-api

Username and password are not validated on PATCH

Closed this issue · 0 comments

Username and password constraints are not checked in PATCH, so users can set their username or password to a single digit.

Luckily the username is enforced unique at the DB level so you can't overwrite users or do anything too silly.
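One way to close this kind of gap is to route create and PATCH through a single rule table, so a field that is present on PATCH must pass the same check as on create. This is an added example, not code from cacophony-api; `RULES`, `validateUserBody`, the minimum lengths and the username pattern are all assumptions made for illustration.

```javascript
// Constructed rules: the lengths and pattern are assumptions for
// illustration, not the constraints cacophony-api actually enforces.
const RULES = {
  username: (v) =>
    typeof v === "string" && v.length >= 3 && /^[A-Za-z0-9_-]+$/.test(v)
      ? null
      : "username must be 3+ characters of letters, digits, _ or -",
  password: (v) =>
    typeof v === "string" && v.length >= 8
      ? null
      : "password must be at least 8 characters",
};

// Validate a request body against RULES and return a list of error strings.
// mode "create": every field in RULES is required.
// mode "patch":  fields are optional, but any field that is present
//                must satisfy the same rule as on create.
function validateUserBody(body, mode) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body must be a JSON object"];
  }
  const errors = [];
  let seen = 0;
  for (const [field, check] of Object.entries(RULES)) {
    // hasOwnProperty avoids treating inherited properties as supplied fields.
    if (!Object.prototype.hasOwnProperty.call(body, field)) {
      if (mode === "create") errors.push(`${field} is required`);
      continue;
    }
    seen += 1;
    const problem = check(body[field]);
    if (problem) errors.push(problem);
  }
  // A PATCH that touches none of the validated fields is rejected outright.
  if (mode === "patch" && seen === 0) errors.push("no updatable field supplied");
  return errors;
}

// Constructed sample requests: the single-digit values from the issue are
// rejected on PATCH, while a value meeting the rule passes.
console.log(validateUserBody({ username: "1" }, "patch"));
console.log(validateUserBody({ password: "1" }, "patch"));
console.log(validateUserBody({ password: "correct horse battery" }, "patch"));
```

The uniqueness constraint in the database stays in place as a second layer; this check only covers format and length before the update is attempted.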