As in it is possible to register as bob, bOb, bob@gmail.com, BoB@gmail.com etc. as separate accounts.

This is fixable by simply adding the following to Devise config:
config.case_insensitive_keys = [:username, :email]

The problem is that there are already accounts with duplicate usernames, so it needs some thought on how to handle these.

Initial proposal:

• For username duplicates: preserve the oldest user account as-is, and add some number to the duplicates to make them unique. Users could still authenticate via their email address.

• For email duplicates, "merge" the users by assigning all content to the oldest user and deleting duplicates. We can assume these are the same people as they would have had to confirm their email address.

• Make email/username case insensitive

• De-duplicate existing users with conflicting usernames/email addresses