It would be nice to avoid yet another knob...

Username reuse is a larger security risk for Coder than these other products because many will name user-scoped infrastructure with usernames. This infrastructure could be secrets or personal volumes.

Perhaps we could prevent username reuse, except when the reuser originally held the username? With this approach we get redirects and secure default behavior.

Sure, we could do that instead.

I'll take a stab at this.

As I was testing this behavior, I changed my username which then accidently deleted my dogfood development environment, including about an hour of unpushed work.

I'm convinced until we do a better job of preventing persistent resource deletion, we shouldn't allow changing usernames at all.

@ammario does it apply to admins as well?

@ammario does it apply to admins as well?

I go back on my statement that we should prevent username edits. I wrote this doc on Resource Persistence that should help people keep their data.

This issue is becoming stale. In order to keep the tracker readable and actionable, I'm going close to this issue in 7 days if there isn't more activity.

We should turn off username edits even for admins for SSO/OIDC/GitHub accounts.

I believe support we this already

Admins can still edit their own usernames for OAuth accounts.