这是indexloc提供的服务，不要输入任何密码

'Delete user' - BACK #152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

hyunnbunt wants to merge 10 commits into plasmicapp:master from hyunnbunt:delete-user-back

Contributor

hyunnbunt commented Jul 24, 2025

Connect '/auth/self/deactivate-user' API request to a new module 'deactivateSelfUser'

hyunnbunt added 2 commits

July 24, 2025 12:29


          Add deactivateSelfUser

d5e9bb4


          Delete front code

16e906f

vercel bot commented Jul 24, 2025 •

edited

Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
examples-plasmic-cms-i18n	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 25, 2025 7:48am
examples-react-email	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 25, 2025 7:48am

github-actions bot commented Jul 24, 2025 •

edited

Loading

Thank you for your submission, we really appreciate it! ❤️

Like many open-source projects, we ask that you sign our Individual Contributor License Agreement before we can accept your contribution. If you are contributing on behalf of a company, please contact us at help@plasmic.app to sign a Corporate Contributor License Agreement.

You can sign the individual CLA by posting a comment with the below text.

I have read, agree to, and hereby sign Plasmic's Individual Contributor License Agreement

_{You can retrigger this bot by commenting recheck in this Pull Request.}_{Posted by the CLA Assistant Lite bot.}

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 24, 2025 04:27

View deployment

vercel bot deployed to Preview – examples-react-email

July 24, 2025 04:28

View deployment


          Clear cookie after deleting user

dc6fb6e

vercel bot deployed to Preview – examples-react-email

July 24, 2025 05:38

View deployment

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 24, 2025 05:39

View deployment

jaslong requested changes

View reviewed changes

Member

jaslong left a comment

Please also add a test for delete in routes.spec.ts

platform/wab/src/wab/server/AppServer.ts Outdated

@@ @@ -1318,6 +1318,10 @@ export function addMainAppServerRoutes( @@
                   sensitiveRateLimiter,
                   withNext(authRoutes.updateSelfPassword)
                 );
+                app.post(

Member

jaslong Jul 24, 2025

Use app.delete("/api/v1/auth/self") as the route

platform/wab/src/wab/server/auth/routes.ts Outdated

                 );
               }
+              export async function deactivateSelfUser(req: Request, res: Response) {
+                const mgr = superDbMgr(req);

Member

jaslong Jul 24, 2025

This would allow anyone to delete anyone in the database. Only the currently logged in user should be able to delete themselves. You need to use checkUserIdIsSelf to get the user ID.

platform/wab/src/wab/server/auth/routes.ts Outdated

                 );
               }
+              export async function deactivateSelfUser(req: Request, res: Response) {
+                const mgr = superDbMgr(req);
+                const email = req.body.email;

Member

jaslong Jul 24, 2025

There should not be a user identifier passed to the server, since the server already has access to the cookie that identifies the user.

platform/wab/src/wab/server/auth/routes.ts Outdated

Comment on lines 348 to 353

+                res.clearCookie("plasmic-observer");
+                // Must reset the session to prevent session fixation attacks, reset the CSRF
+                // token, etc.
+                if (req.session) {
+                  await util.promisify(req.session.destroy.bind(req.session))();
+                }

Member

jaslong Jul 24, 2025

I think we should just call doLogout instead. Can you also move the highlighted lines into the doLogout function?

platform/wab/src/wab/server/auth/routes.ts Outdated

                 );
               }
+              export async function deactivateSelfUser(req: Request, res: Response) {

Member

jaslong Jul 24, 2025

Rename to deleteSelf


          Change route POST -> DELETE

deb40b1

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 25, 2025 05:10

View deployment

vercel bot deployed to Preview – examples-react-email

July 25, 2025 05:11

View deployment

hyunnbunt added 6 commits

July 25, 2025 14:13


          Call doLogout inside deleteUser

1c49a38


          Move some codes of ending session to doLogout

eca6aec


          Switch the order of session ending and logout request

941f464


          Change doLogout to take Response and clear cookie inside

07575d2


          Add selfUser verification

f1c55c9


          Change code lines

80bbfdb

vercel bot deployed to Preview – examples-plasmic-cms-i18n

July 25, 2025 07:48

View deployment

vercel bot deployed to Preview – examples-react-email

July 25, 2025 07:48

View deployment

jaslong approved these changes

View reviewed changes

Member

jaslong left a comment

LGTM, I will merge this, no need to make the change in the comment

platform/wab/src/wab/server/auth/routes.ts

+              export async function deleteSelf(req: Request, res: Response) {
+                const mgr = userDbMgr(req);
+                const id = getUser(req, { allowUnverifiedEmail: true }).id;

Member

jaslong Jul 25, 2025

I believe you can call checkUserIdIsSelf() without an argument, it will return the current user ID of the DbMgr. So getUser should be unnecessary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet