fix(Identities): Sanitize identifiers

[emyller]

Contributes to #5490.

Rewrites how the endpoint /api/v1/identities/ handles input, properly validating data, and ultimately rejecting invalid identifiers.

This includes a state-only migration (safe to apply without database changes).

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Ignored	Preview		Sep 11, 2025 4:48pm
flagsmith-frontend-preview	Ignored	Preview		Sep 11, 2025 4:48pm
flagsmith-frontend-staging	Ignored	Preview		Sep 11, 2025 4:48pm

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.00%. Comparing base (a809f7c) to head (fa5b39e).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6024   +/-   ##
=======================================
  Coverage   97.99%   98.00%           
=======================================
  Files        1275     1277    +2     
  Lines       44892    44981   +89     
=======================================
+ Hits        43993    44083   +90     
+ Misses        899      898    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Docker builds report

Image	Build Status	Security report
ghcr.io/flagsmith/flagsmith-api-test:pr-6024	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-e2e:pr-6024	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-frontend:pr-6024	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-api:pr-6024	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith:pr-6024	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-private-cloud:pr-6024	Finished ✅	Results ✅

[gagantrivedi]

Looks good, but we also need to update: https://github.com/Flagsmith/flagsmith/blob/main/api/edge_api/identities/serializers.py#L55 and add tests for https://github.com/Flagsmith/flagsmith/blob/main/api/environments/identities/views.py#L41 and https://github.com/Flagsmith/flagsmith/blob/main/api/environments/identities/views.py#L99 and https://github.com/Flagsmith/flagsmith/blob/main/api/environments/identities/traits/views.py#L112

[emyller]

Looks good, but we also need to update: (...) and add tests for (...)

@gagantrivedi Thanks! Unpacking the multiple changes:

1. Identifier validation is now also implemented in the edge-identifiers endpoint (e49a57d).
2. Tests were improved in 8f8167f.
3. Regarding a couple of the references, I prefer not to make changes because:
   • They are deprecated endpoints.
   • Their associated URLs (ref) already use a subset of the regular expression introduced to validate identifiers — let's not expand it.

[emyller]

Fair enough, but I guess we missed another SDK endpoint (that is no deprecated and should get some tests) https://github.com/Flagsmith/flagsmith/blob/main/api/environments/identities/traits/views.py#L182

You're right, added tests here: 1ba40b9. I also did a search through the API and it looks like these were all views affected by the model change. Thanks for pointing them out so far!