The following facts are true about Peertube’s account system, which I’m worried could together lead to spam username denial against a public instance:
-
Both channels and user accounts occupy the same set of usernames, and consequently cannot share a username.
-
When channels or accounts are deleted, regardless of how, they remain on the PostgreSQL database as “actors“ and their usernames cannot be reused.
-
If an instance administrator wishes to allow a deleted username to be reregistered, they must manually modify this database by deleting the actor for the username.
-
The limit on channels per user doesn’t count deleted channels.
If someone had an account on an instance and wanted to sabotage it, they could quickly create and delete channels with usernames that users may want to register in the future. They could very quickly eliminate a large pool of available usernames and fill the “actor” table with junk data. Additionally, it isn’t clear from the database which user created a given actor, which could hinder finding the responsible user (however, this can usually be found in logs).
Although preventing usernames from being reregistered has the benefit of preventing confusion or impersonation between new and deleted accounts, allowing username reregistration would likely be the best way to mitigate this issue. This could also be mitigated by including deleted channels in the channel limit, but doing so could cause other issues for user experience.