A user can register with a FlakeID username to mirror another account
Similar to !2857 (merged) except this one is a bit harder to fix I think. It's because /api/v1/accounts/:nickname
is a thing.
Eg Lain's user ID is 9qrWmR0cKniB0YU0TA
. If I register on lain.com with my username as that FlakeID, visiting /users/9qrWmR0cKniB0YU0TA
will show Lain's profile instead of mine.
Seems like we should be able to do a simple validation in User.register_changeset to ensure the ID isn't a FlakeID, but FlakeId.flake_id?/1
has too many false positives. Eg:
iex(1)> FlakeId.flake_id?("lain")
true
It could maybe check that the username doesn't match the ID of any existing user instead.