fix(usernames): don't supply username in public fields if unverified

website/server/controllers/api-v3/members.js

@@ -109,6 +109,8 @@ api.getMember = {
 
     if (!member) throw new NotFound(res.t('userWithIDNotFound', {userId: memberId}));
 
+    if (!member.flags.verifiedUsername) delete member.auth.local.username;
+
     // manually call toJSON with minimize: true so empty paths aren't returned
     let memberToJSON = member.toJSON({minimize: true});
     User.addComputedStatsToJSONObj(memberToJSON.stats, member);

website/server/models/user/index.js

@@ -8,7 +8,8 @@ require('./methods');
 // A list of publicly accessible fields (not everything from preferences because there are also a lot of settings tha should remain private)
 export let publicFields = `preferences.size preferences.hair preferences.skin preferences.shirt
   preferences.chair preferences.costume preferences.sleep preferences.background preferences.tasks preferences.disableClasses profile stats
-  achievements party backer contributor auth.timestamps items inbox.optOut loginIncentives flags.classSelected auth.local.username`;
+  achievements party backer contributor auth.timestamps items inbox.optOut loginIncentives flags.classSelected
+  flags.verifiedUsername auth.local.username`;
 
 // The minimum amount of data needed when populating multiple users
 export let nameFields = 'profile.name';

website/server/models/user/methods.js

@@ -219,6 +219,9 @@ schema.statics.transformJSONUser = function transformJSONUser (jsonUser, addComp
   // Add id property
   jsonUser.id = jsonUser._id;
 
+  // Remove username if not verified
+  if (!jsonUser.flags.verifiedUsername) delete jsonUser.auth.local.username;
+
   if (addComputedStats) this.addComputedStatsToJSONObj(jsonUser.stats, jsonUser);
 };