We also need to implement things like account deletion and username changing. Username changing needs to reserve the previous name for a set period of time to avoid immediate name scraping, with the exception being the same user who changed their username, just in case they want to change it back. Account deletion needs to delete all user data from the database after a set number of days (maybe 7-14) of no activity (attestations or logging in). The username of the deleted account should also be reserved temporarily once deleted. Both should simply require you to re-enter your password for verification.
I had some work on this but lost my changes unfortunately.
We also want to migrate hashing passwords from SCrypt to Argon2, which honestly shouldn't be that difficult to implement.
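A sketch of the reservation and deletion rules described above, added here as an illustration and not taken from the project's code. The table and column names, the 30-day reservation period, and reading "deletion" as "requested, then completed after 14 days without activity" are all assumptions; password re-entry is left out.

```python
import sqlite3

RESERVE_SECS = 30 * 86400       # assumed; the post only says "a set period of time"
DELETE_AFTER_SECS = 14 * 86400  # upper end of the post's "maybe 7-14" days

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                               last_activity INTEGER NOT NULL, delete_requested INTEGER);
        CREATE TABLE reserved (username TEXT PRIMARY KEY, owner_id INTEGER,
                               expires INTEGER NOT NULL);
    """)
    return db

def name_available(db, name, user_id, now):
    if db.execute("SELECT 1 FROM accounts WHERE username = ?", (name,)).fetchone():
        return False
    row = db.execute("SELECT owner_id, expires FROM reserved WHERE username = ?",
                     (name,)).fetchone()
    # A live reservation blocks everyone except the account that gave the name up.
    return row is None or row[1] <= now or (user_id is not None and row[0] == user_id)

def change_username(db, user_id, new_name, now):
    with db:  # commit the reservation and the rename together, or neither
        if not name_available(db, new_name, user_id, now):
            return False
        (old,) = db.execute("SELECT username FROM accounts WHERE id = ?",
                            (user_id,)).fetchone()
        db.execute("DELETE FROM reserved WHERE username = ?", (new_name,))
        db.execute("INSERT OR REPLACE INTO reserved VALUES (?, ?, ?)",
                   (old, user_id, now + RESERVE_SECS))
        db.execute("UPDATE accounts SET username = ? WHERE id = ?", (new_name, user_id))
        return True

def purge_deleted(db, now):
    """Delete accounts flagged for deletion that have been inactive long enough."""
    with db:
        rows = db.execute(
            "SELECT id, username FROM accounts "
            "WHERE delete_requested IS NOT NULL AND last_activity <= ?",
            (now - DELETE_AFTER_SECS,)).fetchall()
        for uid, name in rows:
            # Drop the owner exemption on names this account renamed away from,
            # so a later account that reuses the row id cannot claim them early.
            db.execute("UPDATE reserved SET owner_id = NULL WHERE owner_id = ?", (uid,))
            # owner_id NULL: nobody is exempt from a deleted account's reservation.
            db.execute("INSERT OR REPLACE INTO reserved VALUES (?, NULL, ?)",
                       (name, now + RESERVE_SECS))
            db.execute("DELETE FROM accounts WHERE id = ?", (uid,))
        return [name for _, name in rows]
```

Any login or attestation would update `last_activity`, which pushes the purge back; a real schema would also need to remove the account's rows in every other table in the same transaction.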