Add user delete API endpoint

The deleted user username will be changed to 'deleted_' plus the 13 initial characters of the standard format user_id. Email, hashed password and API key are all cleared for the user. The endpoint is currently only available through /api/users/me and only allows a logged-in user to delete their own account.
2019-08-15 16:12:01 +01:00 · 2019-08-15 16:12:01 +01:00 · 90da2a1522
commit 90da2a1522
parent 1901ebad42
2 changed files with 61 additions and 20 deletions
--- a/app/src/api/api.ts
+++ b/app/src/api/api.ts
@ -1,7 +1,7 @@
 import express from 'express';
 import bodyParser from 'body-parser';
-import { authUser, createUser, getUserById, getNewUserAPIKey } from './services/user';
+import { authUser, createUser, getUserById, getNewUserAPIKey, deleteUser } from './services/user';
 import { queryLocation } from './services/search';
 import buildingsRouter from './routes/buildingsRouter';
@ -45,6 +45,35 @@ server.post('/users', function (req, res) {
    });
 });
 // GET own user info
 server.route('/users/me')
    .get(function (req, res) {
        if (!req.session.user_id) {
            res.send({ error: 'Must be logged in' });
            return
        }
        getUserById(req.session.user_id).then(function (user) {
            res.send(user);
        }).catch(function (error) {
            res.send(error);
        });
    })
    .delete((req, res) => {
        if (!req.session.user_id) {
            return res.send({ error: 'Must be logged in' });
        }
        console.log(`Deleting user ${req.session.user_id}`);
        deleteUser(req.session.user_id).then(
            () => logout(req.session)
        ).then(() => {
            res.send({ success: true });
        }).catch(err => {
            res.send({ error: err });
        });
    })
 // POST user auth
 server.post('/login', function (req, res) {
    authUser(req.body.username, req.body.password).then(function (user: any) { // TODO: remove any
@ -61,29 +90,23 @@ server.post('/login', function (req, res) {
 // POST user logout
 server.post('/logout', function (req, res) {
-    req.session.user_id = undefined;
+    logout(req.session).then(() => {
    req.session.destroy(function (err) {
        if (err) {
            console.error(err);
            res.send({ error: 'Failed to end session' })
        }
        res.send({ success: true });
    }).catch(err => {
        console.error(err);
        res.send({ error: 'Failed to end session'});
    });
 });
-// GET own user info
+function logout(session) {
-server.get('/users/me', function (req, res) {
+    return new Promise((resolve, reject) => {
-    if (!req.session.user_id) {
+        session.user_id = undefined;
-        res.send({ error: 'Must be logged in' });
+        session.destroy(err => {
-        return
+            if (err) return reject(err);
-    }
+            return resolve();
-
+        });
    getUserById(req.session.user_id).then(function (user) {
        res.send(user);
    }).catch(function (error) {
        res.send(error);
    });
-});
+}
 // POST generate API key
 server.post('/api/key', function (req, res) {
--- a/app/src/api/services/user.ts
+++ b/app/src/api/services/user.ts
@ -122,4 +122,22 @@ function authAPIUser(key) {
    });
 }
-export { getUserById, createUser, authUser, getNewUserAPIKey, authAPIUser }
+function deleteUser(id) {
    return db.none(
        `UPDATE users
        SET
            email = null,
            pass = null,
            api_key = null,
            username = concat('deleted_', cast(user_id as char(13))),
            is_deleted = true,
            deleted_on = now() at time zone 'utc'
        WHERE user_id = $1
        `, [id]
    ).catch((error) => {
        console.error('Error:', error);
        return {error: 'Database error'};
    });
 }
 export { getUserById, createUser, authUser, getNewUserAPIKey, authAPIUser, deleteUser }