Removing own profile #273

Closed
simison opened this issue May 29, 2015 · 8 comments

simison commented May 29, 2015

A feature for users to remove their own profile.

UI at the account page is already there, just backend missing.

Before removal:

  • Generate a token with our secret, user ID and timestamp, that we can decrypt (think JWT).
  • Send confirmation mail with token-URL in it
  • To access this URL you have to be logged in?
  • Token expires in 1h
  • Record two points to stats: 1) user removal initiated, 2) user removed. See how statService e.g. at auth controller.
  • Ask for feedback why user is leaving. Checkboxes. See the current form — questions could be different in the future. Send checkbox data to Stats servers.

Stuff to remove:

  • Profile
  • Profile photo if it's uploaded (it's always modules/users/img/profile/uploads/USER_ID/avatar/*.jpg) so just removing that folder will do.
  • Hosting offer
  • Mark all messages sent to that user as notified:true (so that unread-messages doesn't pick them up anymore). Leave messages from that user as is.
  • Contacts
  • -1 count for tribes user has joined
  • Sessions (not sure how easy/possible/important) Edit: old sessions get cleaned out anyway over time, but maybe remove logic could "hit" logout logic? Or maybe it doesn't matter.

Future development:

  • Send out an email to user after the profile removal.
  • Collect freetext feedback, could be sent to our support mail.
  • Prevent any user from signing up with that username afterwards? Leaving user object there would work for this, or some special reserved usernames table.
  • Security: https://github.com/expressjs/csurf — would be great to have this, but JWT style tokens should be secure enough.

All this said, feel free to implement this in some other quicker/better/easier way! This is just what we brainstormed so far.
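
The confirmation token outlined in this post (secret, user ID, timestamp, 1h expiry, usable only while logged in), as an added example that is not Trustroots code or part of the original issue. It uses an HMAC signature rather than encryption or a JWT library; `SECRET`, the payload layout and the function names are assumptions made for illustration.

```javascript
// Added example, not Trustroots code. SECRET, the token layout and the
// function names are assumptions made for illustration.
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: loaded from server config
const TTL_MS = 60 * 60 * 1000;            // "Token expires in 1h"

function sign(payload) {
  return createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Token = base64url(JSON payload) + "." + HMAC-SHA256 over that encoded payload.
function createRemovalToken(userId, now = Date.now()) {
  const body = JSON.stringify({ purpose: 'remove-profile', userId: String(userId), issuedAt: now });
  const payload = Buffer.from(body).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Returns { ok: true } or { ok: false, reason } for the confirmation route.
function verifyRemovalToken(token, sessionUserId, now = Date.now()) {
  const [payload, mac, ...rest] = String(token).split('.');
  if (!payload || !mac || rest.length) return { ok: false, reason: 'malformed' };

  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // Parse only after the signature check, so unauthenticated input is never parsed.
  const { purpose, userId, issuedAt } = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (purpose !== 'remove-profile') return { ok: false, reason: 'wrong-purpose' };
  const age = now - Number(issuedAt);
  if (!(age >= 0 && age <= TTL_MS)) return { ok: false, reason: 'expired' };
  // The link only works for the logged-in user it was issued to.
  if (userId !== String(sessionUserId)) return { ok: false, reason: 'wrong-user' };
  return { ok: true };
}
```

The `purpose` field keeps a token issued for another flow from being accepted here, and the session check means a leaked link alone does not remove someone else's profile.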

@simison simison added this to the soonish milestone May 29, 2015
@simison simison removed the easy label May 29, 2015
@guaka guaka added the 1 - ready label Aug 7, 2015

guaka commented Aug 7, 2015

@guaka guaka closed this as completed Aug 7, 2015
@guaka guaka removed the 1 - ready label Aug 7, 2015

guaka commented Aug 7, 2015

#288 "profile deletion: find out why"


mrkvon commented Jul 16, 2017

Thoughts:

  • Why email confirmation? Isn't it enough to be logged in, send DELETE request to API, perhaps with a password provided?
  • Currently if I know someone's username & email and I post it to the https://ideas.trustroots.org/account-removal/, will you distinguish between me and the real user?


simison commented Jul 16, 2017

> Why email confirmation? Isn't it enough to be logged in, send DELETE request to API, perhaps with a password provided?

You're right. I'm just protecting my back security-wise especially because we don't have CSRF implemented. :-)


simison commented Jul 16, 2017

@mrkvon Feel free to change it tho! 👍


mrkvon commented Jul 16, 2017

Well, that's a very valid point. Especially with the sensitive action of that kind.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet


simison commented Jul 16, 2017

Might be copying CSRF implementation from meanjs would've been faster than doing that email thingy tho! :-D But I mostly just copypasted it from forgot-password controller so not a biggie.

https://github.com/meanjs/mean/search?utf8=%E2%9C%93&q=CSRF&type=


simison commented Jul 16, 2017

> Currently if I know someone's username & email and I post it to the https://ideas.trustroots.org/account-removal/, will you distinguish between me and the real user?

Yep, we ask for an email reply to confirm. Still not extremely secure but better than nothing.
