fix: make username sanitization case-insensitive (#284)

[hydrandt]

Description

Fixes #284, makes username sanitization case-insensitive to avoid potential conflicts when creating account using oauth providers.

Performance impact

Should be minimal (using lower() 3x in sanitization loop, potentially could be optimized by only running it once and assigning to a variable, is it worth it?

Security impact

None.

Checklist

• My code matches the project's code style and yarn lint:fix passes.
• I've added tests for the new feature, and yarn test passes.
• I have detailed the new feature in the relevant documentation.
• I have added this feature to 'Pending' in the RELEASE_NOTES.md file (if one exists).
• If this is a breaking change I've explained why.

[benjie]

Is this actually required? Username is citext so it should already be compared case insensitively…

[benjie]

Ah the comparison is text due to concat; we should case the result of concat back to citext.

[benjie]

Could you try a different approach:

where users.username = (
  case
  when i = 0 then v_username
  else (v_username || i::text)::citext
  end
)

this should solve the issue but also means we can continue to use the username unique index.