Drop Email as User Id

[lautarodragan]

Since the email address of a user can change, and there is no other attribute of the user object that remains immutable, we need to introduce a new, immutable id attribute.

In the future, once we have decentralized ids and the API functions as a proper IDP, we'll need to research further into this topic and decide whether we can use the DID as the unique and only identifier or we'd rather keep the centralized ID of each user and associate it with a DID instead.

Right now, we need a more immediate solution.

A bit of research on centralized but collision resistant identifiers needs to be done. The ObjectId generated by MongoDB may do the job just fine, though.

Once we have the new ID in place, we should add it to the API Tokens and update the authorization middleware's validation not to verify the token's email but the immutable ID instead.

[wdavidturner]

Let's not rely on the database specific ObjectId here as that would lock us in to a vendor.

[lautarodragan]

You're right.

Maybe https://github.com/ericelliott/cuid
140k weekly downloads and up in npm

[lautarodragan]

14m for good old https://www.npmjs.com/package/uuid