by maniacwhat 1242 days ago
The whole product seems to hinge around easy links to book meetings, but usernames appear to be case sensitive. I signed up with a capitalised name, but trying out the non capitalized link, I'm told this username is still available and you can register it.

Maybe I'm overly cautious, but this feels like this is a feature waiting to be abused.

5 comments

Unique links like this work well over trusted comms channels, like email or Slack. I don’t think typo attacks are particularly fruitful, but sometimes you need to type manually, in which case you’ll break the link. They should probably canonicalize identifiers.

What I would worry about though, is tracking. If you can see calendar status via a link you received (or even guessed), you can follow that person forever. That’d be fine for public use-cases, like therapists, but I would never share my calendar publicly, even if the details are masked.

A great compromise, imo, is to generate temporary links that are hard enough to guess. That lets you avoid rolling your own permission system, while providing excellent privacy by default.

If you want to do a rigorous job preventing these issues, you can try the skeleton algorithm from TR39. It provides a normal form where confusable characters are considered equivalent, which lets you easily find confusable identifiers in a database.
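
As an added example that is not part of any comment in this thread (and not cal.com's code): a registration-time check in Python that canonicalizes usernames with NFKC + casefold, so "ElijahLynn" and "elijahlynn" resolve to one account, and then compares a TR39-style skeleton so confusable spellings are refused. The confusable table here is a small constructed subset standing in for the real UTS #39 confusables.txt, and the registry class is a hypothetical in-memory stand-in for the database.

```python
import unicodedata

# Constructed illustrative subset of confusable -> prototype mappings.
# A real deployment loads the full UTS #39 confusables.txt instead.
CONFUSABLE_PROTOTYPES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0455": "s",  # Cyrillic small dze
    "1": "l",       # digit one vs letter ell
    "0": "o",       # digit zero vs letter o
    "|": "l",       # vertical bar vs letter ell
}


def canonical_username(raw: str) -> str:
    """Case-insensitive canonical form: NFKC (folds fullwidth/compatibility
    forms) followed by Unicode casefold (stronger than lower())."""
    return unicodedata.normalize("NFKC", raw).casefold()


def skeleton(raw: str) -> str:
    """Simplified TR39 skeleton: NFD, map each char to its confusable
    prototype, NFD again. Two identifiers with equal skeletons are confusable."""
    text = unicodedata.normalize("NFD", canonical_username(raw))
    mapped = "".join(CONFUSABLE_PROTOTYPES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFD", mapped)


class UsernameRegistry:
    """Hypothetical in-memory stand-in for the username table."""

    def __init__(self):
        self._by_canonical = {}  # canonical form -> display name as registered
        self._by_skeleton = {}   # skeleton -> display name as registered

    def register(self, raw: str):
        canon = canonical_username(raw)
        if canon in self._by_canonical:
            return (False, "taken")
        sk = skeleton(canon)
        if sk in self._by_skeleton:
            return (False, f"confusable with {self._by_skeleton[sk]}")
        self._by_canonical[canon] = raw
        self._by_skeleton[sk] = raw
        return (True, canon)

    def lookup(self, raw: str):
        """Resolve any casing/compatibility variant to the registered owner."""
        return self._by_canonical.get(canonical_username(raw))
```

The lookup path uses only the canonical form; the skeleton is consulted at registration time, where refusing a near-duplicate costs nothing.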
Going off of your comment, I just signed up with /ElijahLynn (CamelCase) and it looks like I have both https://cal.com/ElijahLynn and https://cal.com/elijahlynn available, redirecting to my profile. The UI displays https://cal.com/elijahlynn, fwiw.

I used the link it gave me which seems fine: https://cal.com/patrick-breitenbach-6randomchars

I tried my name with a capital letter and got:

This is a premium username, get yours for $29/mo