Hmm, I think this can be handled alternatively by putting the ID (DQL’s UID field) in the JWT. Then it is secure and non-reusable, and it also does not reveal a valid username, for even more security best practices. This would then allow the user to log in with a username but use the id in auth rules.
And just for others' information, it is possible to have a username and id in the same type and work with both of them as needed.
```graphql
type {
  id: ID
  username: String! @id
  email: String! @id
  name: String!
  isActive: Boolean @search
  # etc.
}
```
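The token flow suggested in this post, as an added example that is not part of the original post or any project's code: the user logs in by username, but the signed JWT carries only the internal ID, which is what an auth rule would then compare against. The secret, the claims namespace, the claim name `UID`, the user table and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"           # assumption: HS256 shared key
NAMESPACE = "https://example.com/jwt/claims"  # assumption: custom-claims namespace
USERS = {"alice": "0x2a", "bob": "0x2b"}      # constructed: username -> internal ID

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(username: str, now=None, ttl: int = 900) -> str:
    """Call after credentials are verified; only the ID goes into the token."""
    now = int(time.time()) if now is None else now
    uid = USERS[username]                     # username is used for lookup only
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps({"iat": now, "exp": now + ttl,
                           NAMESPACE: {"UID": uid}}).encode())
    return f"{head}.{body}.{sign(head + '.' + body)}"

def verify_token(token: str, now=None) -> str:
    """Return the UID claim, or raise ValueError if the token is not acceptable."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Check the MAC before trusting anything inside the token.
    if not hmac.compare_digest(sig.encode(), sign(head + "." + body).encode()):
        raise ValueError("bad signature")
    header, claims = json.loads(unb64(head)), json.loads(unb64(body))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims[NAMESPACE]["UID"]

if __name__ == "__main__":
    tok = issue_token("alice")
    print(tok)
    print("UID for auth rules:", verify_token(tok))
```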