Hey Ben, what you actually want to do is the inverse. You want a regex that has only allowed characters and then you want to reject anything else. In other words, you have "I accept everything except ..." which leads to you playing constant catch-up. What you really want is "I reject everything, except ..." or "I accept only X and reject everything else."
I would start with something like this:
if username =~ /\A[a-zA-Z0-9]*\z/  # \A and \z anchor the whole string; in Ruby ^ and $ only anchor each line
Another thing is to strip the username of spaces and then freeze it so that it doesn't get double interpreted or accidentally modified later in your program.
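
An added example, not part of the original post, of the allowlist check followed by strip and freeze as described above. The method and constant names and the 32-character limit are assumptions; the allowlist uses `\A` and `\z` because Ruby's `^` and `$` match at every line boundary, which the comparison pattern shows.

```ruby
# Added example; names and the length limit are assumptions, not from the post.
USERNAME_ALLOWED = /\A[a-zA-Z0-9]+\z/  # allowlist, anchored to the whole string
LINE_ANCHORED    = /^[a-zA-Z0-9]*$/    # for comparison: ^ and $ anchor each line
USERNAME_MAX_LEN = 32                  # assumed limit

# Returns a stripped, frozen username, or nil when the input is rejected.
def normalize_username(raw)
  return nil unless raw.is_a?(String)
  name = raw.strip                     # drop leading/trailing whitespace first
  return nil if name.length > USERNAME_MAX_LEN
  return nil unless USERNAME_ALLOWED.match?(name)  # reject everything else
  name.freeze                          # later code cannot mutate it in place
end

# True when the line-anchored pattern would let the input through.
def line_anchored_accepts?(raw)
  LINE_ANCHORED.match?(raw)
end

# Constructed sample inputs.
samples = ["ben42", "  ben42  ", "ben 42", "", "ben\n<script>"]
samples.each do |s|
  result = normalize_username(s)
  puts format("%-18s allowlist=%-8s line_anchored=%s",
              s.inspect, result.inspect, line_anchored_accepts?(s))
end
```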