A nice writeup on how canonical forms can cause problems when using extended Unicode alphabets.
Not so good since the function apparently was not idempotent, but at least it provided insight into why the attack worked. When you registered an account ‘ᴮᴵᴳᴮᴵᴿᴰ’, canonical_username got applied once, and an account with canonical username ‘BIGBIRD’ got registered, which was allowed since it did not collide with the existing account with canonical username ‘bigbird’. When resetting the password for ‘ᴮᴵᴳᴮᴵᴿᴰ’, canonical_username was applied once, so the password reset email got sent to the address associated with the newly created account with canonical username ‘BIGBIRD’. However, when the link was used, canonical_username was once again applied, yielding ‘bigbird’, so that the new password was instead set for the ‘bigbird’ account. We were relying on nodeprep.prepare being idempotent, and it wasn’t.
Also intriguing was the fact that ultimately the problem was traced to a Python library update.
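The register/reset flow described above, as an added example that is not code from the writeup: `weak_canonical` is a constructed stand-in that happens to be non-idempotent in the same way (it is not `nodeprep.prepare`), and `strict_canonical`, `Accounts` and `demo` are hypothetical names showing an idempotence guard at registration.

```python
import unicodedata

def weak_canonical(name):
    # Constructed stand-in, NOT nodeprep.prepare: lowercases before NFKC, so
    # characters that only become cased letters after NFKC keep their case.
    return unicodedata.normalize("NFKC", name.lower())

def strict_canonical(name):
    # Guard: accept a name only if its canonical form is a fixed point.
    once = weak_canonical(name)
    if weak_canonical(once) != once:
        raise ValueError("canonical form is not stable")
    return once

class Accounts:
    def __init__(self, canonical):
        self.canonical = canonical
        self.passwords = {}  # canonical username -> password

    def register(self, name, password):
        key = self.canonical(name)
        if key in self.passwords:
            raise KeyError("username taken")
        self.passwords[key] = password

    def reset_password(self, name, new_password):
        link_name = self.canonical(name)      # applied when the reset is requested
        target = self.canonical(link_name)    # applied again when the link is used
        self.passwords[target] = new_password

# The modifier-letter username from the writeup, written as escapes.
LOOKALIKE = "\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30"

def demo(canonical):
    accounts = Accounts(canonical)
    accounts.register("bigbird", "victim-pw")  # constructed sample passwords
    try:
        accounts.register(LOOKALIKE, "second-pw")
        accounts.reset_password(LOOKALIKE, "new-pw")
    except (KeyError, ValueError) as exc:
        return "rejected: %s" % exc, accounts.passwords["bigbird"]
    return "accepted", accounts.passwords["bigbird"]

if __name__ == "__main__":
    print(demo(weak_canonical))    # password of 'bigbird' is overwritten
    print(demo(strict_canonical))  # registration is refused, password intact
```

The same fixed-point check works as a regression test after a library upgrade: run it over the characters the service accepts and fail the build if any canonical form changes on a second pass.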