'Delete user' - BACK #152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

hyunnbunt wants to merge 10 commits into plasmicapp:master from hyunnbunt:delete-user-back

Contributor

hyunnbunt commented Jul 24, 2025

Connect '/auth/self/deactivate-user' API request to a new module 'deactivateSelfUser'

hyunnbunt added 2 commits

July 24, 2025 12:29


          Add deactivateSelfUser

d5e9bb4


          Delete front code

16e906f

vercel bot commented Jul 24, 2025 •

edited

Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
examples-plasmic-cms-i18n	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 25, 2025 7:48am
examples-react-email	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 25, 2025 7:48am

github-actions bot commented Jul 24, 2025 •

edited

Loading

Thank you for your submission, we really appreciate it! ❤️

Like many open-source projects, we ask that you sign our Individual Contributor License Agreement before we can accept your contribution. If you are contributing on behalf of a company, please contact us at [email protected] to sign a Corporate Contributor License Agreement.

You can sign the individual CLA by posting a comment with the below text.

I have read, agree to, and hereby sign Plasmic's Individual Contributor License Agreement

_{You can retrigger this bot by commenting recheck in this Pull Request.}_{Posted by the CLA Assistant Lite bot.}

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 24, 2025 04:27

View deployment

vercel bot deployed to Preview – examples-react-email

July 24, 2025 04:28

View deployment


          Clear cookie after deleting user

dc6fb6e

vercel bot deployed to Preview – examples-react-email

July 24, 2025 05:38

View deployment

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 24, 2025 05:39

View deployment

jaslong requested changes

View reviewed changes

Member

jaslong left a comment

Please also add a test for delete in routes.spec.ts

platform/wab/src/wab/server/AppServer.ts Outdated

    
                  sensitiveRateLimiter,

                  withNext(authRoutes.updateSelfPassword)

                );

                app.post(

Member

jaslong Jul 24, 2025

Use app.delete("/api/v1/auth/self") as the route

platform/wab/src/wab/server/auth/routes.ts Outdated

    
              }

              export async function deactivateSelfUser(req: Request, res: Response) {

                const mgr = superDbMgr(req);

Member

jaslong Jul 24, 2025

This would allow anyone to delete anyone in the database. Only the currently logged in user should be able to delete themselves. You need to use checkUserIdIsSelf to get the user ID.

platform/wab/src/wab/server/auth/routes.ts Outdated

    
              export async function deactivateSelfUser(req: Request, res: Response) {

                const mgr = superDbMgr(req);

                const email = req.body.email;

Member

jaslong Jul 24, 2025

There should not be a user identifier passed to the server, since the server already has access to the cookie that identifies the user.

platform/wab/src/wab/server/auth/routes.ts Outdated

Comment on lines 348 to 353

    
                res.clearCookie("plasmic-observer");

                // Must reset the session to prevent session fixation attacks, reset the CSRF

                // token, etc.

                if (req.session) {

                  await util.promisify(req.session.destroy.bind(req.session))();

                }

Member

jaslong Jul 24, 2025

I think we should just call doLogout instead. Can you also move the highlighted lines into the doLogout function?

platform/wab/src/wab/server/auth/routes.ts Outdated

    
                );

              }

              export async function deactivateSelfUser(req: Request, res: Response) {

Member

jaslong Jul 24, 2025

Rename to deleteSelf


          Change route POST -> DELETE

deb40b1

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 25, 2025 05:10

View deployment

vercel bot deployed to Preview – examples-react-email

July 25, 2025 05:11

View deployment

hyunnbunt added 6 commits

July 25, 2025 14:13


          Call doLogout inside deleteUser

1c49a38


          Move some codes of ending session to doLogout

eca6aec


          Switch the order of session ending and logout request

941f464


          Change doLogout to take Response and clear cookie inside

07575d2


          Add selfUser verification

f1c55c9


          Change code lines

80bbfdb

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 25, 2025 07:48

View deployment

vercel bot deployed to Preview – examples-react-email

July 25, 2025 07:48

View deployment

jaslong approved these changes

View reviewed changes

Member

jaslong left a comment

LGTM, I will merge this, no need to make the change in the comment

platform/wab/src/wab/server/auth/routes.ts

    
              export async function deleteSelf(req: Request, res: Response) {

                const mgr = userDbMgr(req);

                const id = getUser(req, { allowUnverifiedEmail: true }).id;

Member

jaslong Jul 25, 2025

I believe you can call checkUserIdIsSelf() without an argument, it will return the current user ID of the DbMgr. So getUser should be unnecessary.

plasmicops pushed a commit that referenced this pull request


          feat: allow users to delete their account (#1521)

316a33c

* Squash #152

Clear cookie after deleting user

Change route POST -> DELETE

Call doLogout inside deleteUser

Switch the order of session ending and logout request

Change doLogout to take Response and clear cookie inside

Add selfUser verification

Change code lines

* Squash #154

Add menu, confirm

(cherry picked from commit 06e291b)

Add deactivateSelfUser

(cherry picked from commit d5e9bb4)

Delete front code

(cherry picked from commit 16e906f)

Redirect to login page

(cherry picked from commit 785a527)

Clear cookie after deleting user

(cherry picked from commit dc6fb6e)

Change route POST -> DELETE

(cherry picked from commit deb40b1)

Call doLogout inside deleteUser

(cherry picked from commit 1c49a38)

Change doLogout to take Response and clear cookie inside

(cherry picked from commit 07575d2)

Add selfUser verification

(cherry picked from commit f1c55c9)

Move deactivateUser after sendEmailVerification

(cherry picked from commit 70edba0)

Update Modal messages

(cherry picked from commit eacedcd)

Change code lines

(cherry picked from commit 80bbfdb)

Check if user has ownership

(cherry picked from commit 6f83dee)

Throw ForbiddenError

(cherry picked from commit 180c3c4)

Delete account request catch ForbiddenError

(cherry picked from commit 60a1f89)

New Error type: UserHasTeamOwnershipError

(cherry picked from commit 323c85f)

Removed wrong import

(cherry picked from commit c72a251)

Check isUserHasTeamOwnershipError

(cherry picked from commit ce9c110)

Simplified some code lines

(cherry picked from commit 0b33561)

* sync [email protected]

* delete self fixes

* add tests

---------

Co-authored-by: hyunnbunt <[email protected]>
GitOrigin-RevId: 9d897acc0bed4a7a008982429b9411a1c83f546f

Member

jaslong commented Aug 26, 2025

Merged in 316a33c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet