Don't check authorization on static assets Do not require unique username on user table (uniqueness check is on the service and service id composite.)