People with visibility = everyone will show up to non-friends by fbid. I'd like to store name and profile picture for them.
This does raise the question of whether name should be customizable or forced to be the same as the Facebook name. Some considerations:
Should check if Facebook profile links (with app-scoped IDs) work for people who aren't friends with each other. If they do, then you can always see someone's Facebook name, and it seems harmless for their reciprocity name to be different.
If I don't expose arbitrary name editing, it seems potentially bad to have the capability still exist on the backend, which would naturally lead to having the auth-server fetch profiles and put the name in the jwt.
How much of an issue is impersonation? Seems like not much of an issue except where it leads to information disclosure to an unintended person, which it might do once we start sending e-mails. (The other case is where you match with someone, but it's an impersonator instead of the real person. That's embarrassing, but probably not so bad.)
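A sketch of the "auth-server puts the name in the jwt" option, so the backend has no name-editing capability left to abuse. This is an added example, not the project's code; the HS256 shared key, the function names, and the sample values are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: key shared by auth-server and backend

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(fbid: str, fb_name: str, ttl: int = 3600) -> str:
    """Auth-server side: the name comes from the fetched profile, never from the client."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64(json.dumps({"sub": fbid, "name": fb_name,
                             "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64(sig)}"

def verify_token(token: str) -> dict:
    """Backend side: check signature, pinned algorithm and expiry before trusting claims."""
    try:
        header, claims, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            raise ValueError("bad signature")
        if json.loads(unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        payload = json.loads(unb64(claims))
    except (ValueError, TypeError) as exc:
        raise PermissionError(f"invalid token: {exc}") from None
    if payload.get("exp", 0) < time.time():
        raise PermissionError("expired token")
    return payload

def upsert_profile(store: dict, token: str, body: dict) -> dict:
    """Hypothetical backend handler: identity fields are taken from the token only."""
    claims = verify_token(token)
    rejected = sorted(set(body) & {"name", "fbid"})
    if rejected:
        raise PermissionError(f"client may not set {rejected}")
    store[claims["sub"]] = {"name": claims["name"],
                            "visibility": body.get("visibility", "friends")}
    return store[claims["sub"]]
```

A request that supplies its own `name` or `fbid` is rejected outright rather than silently ignored, which makes direct API calls that bypass the UI visible in error logs.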