/**
 * Looks up the external identity stored for {@code userName} under the
 * {@code SCHEME_USERNAME} scheme and passes the lookup result to {@code auth}.
 *
 * <p>A database error is logged through the servlet context and reported to
 * the caller as {@code null}.
 *
 * <p>NOTE(review): the call sites are not visible here. They must treat a
 * {@code null} result as "not authenticated", so that a database failure can
 * never be read as a successful login - confirm.
 *
 * @param rsp the servlet response; not used by this method
 * @param userName the user name to look up
 * @return the value produced by {@code auth} for the lookup result, or
 *     {@code null} if the database could not be queried
 */
private AuthResult byUserName(final HttpServletResponse rsp, final String userName) {
  try {
    final ReviewDb reviewDb = schema.open();
    try {
      final AccountExternalId.Key lookupKey =
          new AccountExternalId.Key(SCHEME_USERNAME, userName);
      final AccountExternalId match = reviewDb.accountExternalIds().get(lookupKey);
      // auth() runs while the connection is still open; it is closed in finally.
      return auth(match);
    } finally {
      reviewDb.close();
    }
  } catch (OrmException err) {
    // Only the servlet log sees the cause; the caller just gets null.
    getServletContext().log("cannot query database", err);
    return null;
  }
}
   /**
    * Loads every external identity of the current user's account and marks
    * each one with two flags: whether it is trusted and whether it may be
    * deleted.
    *
    * <p>An identity is marked deletable only when all of these hold: it is not
    * a {@code SCHEME_USERNAME} identity, the session recorded the identity that
    * was used to log in, and that recorded identity is a different one.
    *
    * <p>NOTE(review): the flags are only set on the returned objects. Whether
    * the code that performs the delete re-checks the same rule on the server
    * is not visible here - confirm, since a flag sent to a client is not an
    * access control by itself.
    *
    * @return the account's external identities with both flags populated
    * @throws OrmException declared by this method; presumably raised by the
    *     database query
    */
   @Override
   public List<AccountExternalId> call() throws OrmException {
     final AccountExternalId.Key sessionKey = session.getLastLoginExternalId();
     final List<AccountExternalId> identities =
         db.accountExternalIds().byAccount(user.getAccountId()).toList();

     for (final AccountExternalId identity : identities) {
       // Trust is evaluated per identity, each one on its own.
       identity.setTrusted(authConfig.isIdentityTrustable(Collections.singleton(identity)));

       // Username identities are never deletable. Any other identity is
       // deletable only if the session knows which identity established it
       // and this is not that identity.
       final boolean deletable =
           !identity.isScheme(SCHEME_USERNAME)
               && sessionKey != null
               && !sessionKey.equals(identity.getKey());
       identity.setCanDelete(deletable);
     }
     return identities;
   }