From b62ec27fd3cdf113daea849c8138cc39f8fa3be3 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sat, 7 Aug 2021 15:32:53 +0200
Subject: [PATCH] Add routes to request and confirm a deletion
---
pkg/routes/api/v1/user_deletion.go | 106 +++++++++++++++++++++++++++++
pkg/routes/routes.go | 4 ++
2 files changed, 110 insertions(+)
create mode 100644 pkg/routes/api/v1/user_deletion.go
diff --git a/pkg/routes/api/v1/user_deletion.go b/pkg/routes/api/v1/user_deletion.go
new file mode 100644
index 000000000..6838065cf
--- /dev/null
+++ b/pkg/routes/api/v1/user_deletion.go
@@ -0,0 +1,106 @@
+// Copyright 2021 Vikunja and contriubtors. All rights reserved.
+//
+// This file is part of Vikunja.
+//
+// Vikunja is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Vikunja is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Vikunja. If not, see .
+
+package v1
+
+import (
+ "code.vikunja.io/api/pkg/db"
+ "code.vikunja.io/api/pkg/models"
+ "code.vikunja.io/api/pkg/user"
+ "code.vikunja.io/web/handler"
+ "github.com/labstack/echo/v4"
+ "net/http"
+)
+
+type UserDeletionRequest struct {
+ Password string `json:"password"`
+}
+
+type UserDeletionRequestConfirm struct {
+ Token string `json:"token"`
+}
+
+// UserRequestDeletion is the handler to request a user deletion process (sends a mail)
+// @Summary Request the deletion of the user
+// @Description Requests the deletion of the current user. It will trigger an email which has to be confirmed to start the deletion.
+// @tags user
+// @Accept json
+// @Produce json
+// @Param credentials body v1.UserDeletionRequest true "The user password."
+// @Success 200 {object} models.Message
+// @Failure 412 {object} web.HTTPError "Bad username provided."
+// @Failure 500 {object} models.Message "Internal error"
+// @Router /user/deletion/request [post]
+func UserRequestDeletion(c echo.Context) error {
+ var deletionRequest UserDeletionRequest
+ if err := c.Bind(&deletionRequest); err != nil {
+ return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
+ }
+
+ s := db.NewSession()
+ defer s.Close()
+
+ u, err := user.GetCurrentUser(c)
+ if err != nil {
+ return handler.HandleHTTPError(err, c)
+ }
+
+ err = user.CheckUserPassword(u, deletionRequest.Password)
+ if err != nil {
+ return handler.HandleHTTPError(err, c)
+ }
+
+ err = user.RequestDeletion(s, u)
+ if err != nil {
+ return handler.HandleHTTPError(err, c)
+ }
+
+ return c.JSON(http.StatusOK, models.Message{Message: "Successfully requested deletion."})
+}
+
+// UserConfirmDeletion is the handler to confirm a user deletion process and start it
+// @Summary Confirm a user deletion request
+// @Description Confirms the deletion request of a user sent via email.
+// @tags user
+// @Accept json
+// @Produce json
+// @Param credentials body v1.UserDeletionRequestConfirm true "The token."
+// @Success 200 {object} models.Message
+// @Failure 412 {object} web.HTTPError "Bad token provided."
+// @Failure 500 {object} models.Message "Internal error"
+// @Router /user/deletion/confirm [post]
+func UserConfirmDeletion(c echo.Context) error {
+ var deleteConfirmation UserDeletionRequestConfirm
+ if err := c.Bind(&deleteConfirmation); err != nil {
+ return echo.NewHTTPError(http.StatusBadRequest, "No token provided.")
+ }
+
+ s := db.NewSession()
+ defer s.Close()
+
+ u, err := user.GetCurrentUser(c)
+ if err != nil {
+ return handler.HandleHTTPError(err, c)
+ }
+
+ err = user.ConfirmDeletion(s, u, deleteConfirmation.Token)
+ if err != nil {
+ return handler.HandleHTTPError(err, c)
+ }
+
+ return c.JSON(http.StatusNoContent, models.Message{Message: "Successfully confirmed the deletion request."})
+}
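Review bot: `UserConfirmDeletion` ends with `c.JSON(http.StatusNoContent, models.Message{...})`, but a 204 response cannot carry a body, so net/http refuses the write (`http.ErrBodyNotAllowed`) and the handler returns an error after the status has been sent; the annotation above it also promises `@Success 200`. Changing the last line to `return c.JSON(http.StatusOK, models.Message{Message: "Successfully confirmed the deletion request."})` makes the code and the docs agree. In both handlers `c.Bind` succeeds on an empty JSON object, so the "No password provided." and "No token provided." branches fire only on malformed bodies and an empty `Token` is passed to `user.ConfirmDeletion`; that function is not visible here, so an explicit `if deleteConfirmation.Token == "" { return echo.NewHTTPError(http.StatusBadRequest, "No token provided.") }` guard (and the same for `Password`) would keep the confirmation step from depending on how it treats empty values. The `@Failure 412` text "Bad username provided." on the request route looks copied from another handler and should describe a wrong password, and neither route documents the 400 it can return.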
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index a9b464c28..e972b8d5b 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -312,6 +312,10 @@ func registerAPIRoutes(a *echo.Group) { u.GET("/settings/totp/qrcode", apiv1.UserTOTPQrCode) } + // User deletion + u.POST("/deletion/request", apiv1.UserRequestDeletion) + u.POST("/deletion/confirm", apiv1.UserConfirmDeletion) + listHandler := &handler.WebHandler{ EmptyStruct: func() handler.CObject { return &models.List{}