tenseleyflow/shithub / bf19c81

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"net/http"

+	"strings"

+	"time"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/password"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// deletionGraceWindow is the period during which a soft-deleted account

+// can be restored simply by signing in. Beyond this point the row stays

+// soft-deleted and the login path treats the user as nonexistent.

+const deletionGraceWindow = 14 * 24 * time.Hour

+

+// settingsDangerForm renders GET /settings/danger.

+func (h *Handlers) settingsDangerForm(w http.ResponseWriter, r *http.Request) {

+	h.renderDangerForm(w, r, "")

+}

+

+// settingsDangerDelete handles POST /settings/danger.

+//

+// Requires the user to retype their username and current password so a

+// stolen session can't trigger this. On success: SoftDeleteUser, audit,

+// bump session_epoch (kicks every other live session), clear THIS

+// session cookie, redirect to a goodbye page.

+func (h *Handlers) settingsDangerDelete(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	confirmName := strings.ToLower(strings.TrimSpace(r.PostFormValue("confirm_username")))

+	pw := r.PostFormValue("password")

+

+	if confirmName != user.Username {

+		h.renderDangerForm(w, r, "Type your username exactly to confirm.")

+		return

+	}

+	row, err := h.q.GetUserByID(r.Context(), h.d.Pool, user.ID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "danger: load user", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	ok, err := password.Verify(pw, row.PasswordHash)

+	if err != nil || !ok {

+		h.renderDangerForm(w, r, "Password is incorrect.")

+		return

+	}

+

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "danger: begin", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+

+	if err := h.q.SoftDeleteUser(r.Context(), tx, user.ID); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "danger: soft delete", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := h.q.BumpUserSessionEpoch(r.Context(), tx, user.ID); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "danger: bump epoch", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "danger: commit", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	if err := h.d.Audit.Record(r.Context(), h.d.Pool, user.ID,

+		audit.ActionAccountDeleted, audit.TargetUser, user.ID, map[string]any{

+			"grace_days": int(deletionGraceWindow / (24 * time.Hour)),

+		}); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "danger: audit", "error", err)

+	}

+

+	// Sign out THIS browser. Even if the cookie weren't cleared, the

+	// epoch bump above would invalidate it on the next request.

+	h.d.SessionStore.Clear(w)

+

+	http.Redirect(w, r, "/?notice=account-deleted", http.StatusSeeOther)

+}

+

+// renderDangerForm is the shared render path.

+func (h *Handlers) renderDangerForm(w http.ResponseWriter, r *http.Request, errMsg string) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	h.renderPage(w, r, "settings/danger", map[string]any{

+		"Title":           "Delete account",

+		"CSRFToken":       middleware.CSRFTokenForRequest(r),

+		"SettingsActive":  "danger",

+		"Username":        user.Username,

+		"GraceWindowDays": int(deletionGraceWindow / (24 * time.Hour)),

+		"Error":           errMsg,

+	})

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth_test

+

+import (

+	"context"

+	"io"

+	"net/http"

+	"net/url"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgxpool"

+)

+

+func loginDangerUser(t *testing.T, name string) (cli *client, pool *pgxpool.Pool, captor *captureSender) {

+	t.Helper()

+	httpsrv, pool, captor := newTestServerWithPool(t, false)

+	cli = newClient(t, httpsrv)

+	mustSignup(t, cli, name, name+"@example.com", "correct horse battery staple")

+	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	csrf := cli.extractCSRF(t, "/login")

+	resp := cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {name},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("login: %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+	return cli, pool, captor

+}

+

+func TestDanger_DeleteRoundtripAndRestore(t *testing.T) {

+	t.Parallel()

+	cli, _, _ := loginDangerUser(t, "danga")

+

+	// Wrong username should be rejected.

+	csrf := cli.extractCSRF(t, "/settings/danger")

+	resp := cli.post(t, "/settings/danger", url.Values{

+		"csrf_token":       {csrf},

+		"confirm_username": {"not-me"},

+		"password":         {"correct horse battery staple"},

+	})

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "Type your username") {

+		t.Fatalf("expected confirm-username error, got: %s", body)

+	}

+

+	// Wrong password should be rejected.

+	csrf = cli.extractCSRF(t, "/settings/danger")

+	resp = cli.post(t, "/settings/danger", url.Values{

+		"csrf_token":       {csrf},

+		"confirm_username": {"danga"},

+		"password":         {"definitely-not-the-password"},

+	})

+	body, _ = io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "Password is incorrect") {

+		t.Fatalf("expected password error, got: %s", body)

+	}

+

+	// Correct credentials -> 303 to "/?notice=account-deleted".

+	csrf = cli.extractCSRF(t, "/settings/danger")

+	resp = cli.post(t, "/settings/danger", url.Values{

+		"csrf_token":       {csrf},

+		"confirm_username": {"danga"},

+		"password":         {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("delete: status=%d body=%s", resp.StatusCode, body)

+	}

+	if loc := resp.Header.Get("Location"); !strings.Contains(loc, "account-deleted") {

+		t.Fatalf("Location=%q", loc)

+	}

+	_ = resp.Body.Close()

+

+	// /settings/profile is now unreachable for this client (epoch stale +

+	// cookie cleared). RequireUser bounces to /login.

+	resp = cli.get(t, "/settings/profile")

+	defer func() { _ = resp.Body.Close() }()

+	if resp.StatusCode != http.StatusSeeOther && resp.StatusCode != http.StatusFound {

+		t.Fatalf("post-delete /settings/profile expected redirect, got %d", resp.StatusCode)

+	}

+

+	// Restore-on-login: signing in again with the SAME credentials

+	// should clear deleted_at. The login attempt itself returns the

+	// usual 303 to /.

+	cli2 := newClient(t, cli.srv)

+	csrf = cli2.extractCSRF(t, "/login")

+	resp = cli2.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"danga"},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("restore-login: status=%d body=%s", resp.StatusCode, body)

+	}

+	_ = resp.Body.Close()

+

+	// Now /settings/profile is back.

+	resp = cli2.get(t, "/settings/profile")

+	defer func() { _ = resp.Body.Close() }()

+	if resp.StatusCode != http.StatusOK {

+		t.Fatalf("post-restore /settings/profile expected 200, got %d", resp.StatusCode)

+	}

+}

+

+func TestDanger_PostGracePermanent(t *testing.T) {

+	t.Parallel()

+	cli, pool, _ := loginDangerUser(t, "dangb")

+

+	// Delete normally.

+	csrf := cli.extractCSRF(t, "/settings/danger")

+	resp := cli.post(t, "/settings/danger", url.Values{

+		"csrf_token":       {csrf},

+		"confirm_username": {"dangb"},

+		"password":         {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("delete: %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+

+	// Backdate deleted_at past the grace window so the next login should

+	// be treated as nonexistent. Uses the SAME pool the test server is

+	// reading from — a fresh dbtest.NewTestDB call would clone a brand

+	// new database.

+	if _, err := pool.Exec(context.Background(),

+		"UPDATE users SET deleted_at = $1 WHERE username = 'dangb'",

+		time.Now().Add(-30*24*time.Hour),

+	); err != nil {

+		t.Fatalf("backdate: %v", err)

+	}

+

+	cli2 := newClient(t, cli.srv)

+	csrf = cli2.extractCSRF(t, "/login")

+	resp = cli2.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"dangb"},

+		"password":   {"correct horse battery staple"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Incorrect username or password") {

+		t.Fatalf("expected post-grace login to be treated as wrong, got: %s", body)

+	}

+}

+{{ define "page" -}}

+<div class="shithub-settings-page">

+  {{ template "settings-nav" . }}

+  <div class="shithub-settings-content">

+    <h1>Delete account</h1>

+

+    {{ with .Error }}<p class="shithub-flash shithub-flash-error" role="alert">{{ . }}</p>{{ end }}

+

+    <section class="shithub-settings-section shithub-settings-danger-zone">

+      <h2>Permanently delete <code>{{ .Username }}</code></h2>

+      <p>This soft-deletes your account immediately. Any session you have open is signed out.</p>

+      <p>You have <strong>{{ .GraceWindowDays }} days</strong> to change your mind: just sign in again with your existing username and password and we'll restore the account. After that, the row stays deleted and can no longer be recovered through the normal sign-in flow.</p>

+      <p>To confirm, retype your username and your current password.</p>

+

+      <form method="POST" action="/settings/danger" novalidate>

+        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+        <label>

+          <span>Type your username (<code>{{ .Username }}</code>)</span>

+          <input type="text" name="confirm_username" required autocomplete="off" spellcheck="false">

+        </label>

+        <label>

+          <span>Current password</span>

+          <input type="password" name="password" required autocomplete="current-password">

+        </label>

+        <button type="submit" class="shithub-button shithub-button-danger">Delete my account</button>

+      </form>

+    </section>

+  </div>

+</div>

+{{- end }}