Regarding the new @pixelfed Recovery service, @thisismissem pointed out that this could be a possible vector for abuse.

We're working on an even more advanced and abuse-resistant implementation!

That being said, I implemented some safeguards for the time being:

- Limited to accounts pixelfed.social knows
- Partial fuzzy matching
- Rate limited (5 reqs/min)
- Only pixelfed account results
- Access is limited to requests with a valid API key (which only our app has)

https://github.com/pixelfed/recovery/blob/main/app/Http/Controllers/ApiController.php