Feature: Add delete account route for the api (#1132)

Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>

app/api/__init__.py

@@ -14,4 +14,5 @@ from .views import (
     export,
     phone,
     sudo,
+    user,
 )

app/api/views/user.py

@@ -0,0 +1,25 @@
+from flask import jsonify, g
+from sqlalchemy_utils.types.arrow import arrow
+
+from app.api.base import api_bp, require_api_sudo
+from app import config
+from app.log import LOG
+from app.models import Job
+
+
+@api_bp.route("/user", methods=["DELETE"])
+@require_api_sudo
+def delete_user():
+    """
+    Delete the user. Requires sudo mode.
+
+    """
+    # Schedule delete account job
+    LOG.w("schedule delete account job for %s", g.user)
+    Job.create(
+        name=config.JOB_DELETE_ACCOUNT,
+        payload={"user_id": g.user.id},
+        run_at=arrow.now(),
+        commit=True,
+    )
+    return jsonify(ok=True)

docs/api.md

@@ -11,6 +11,7 @@
 - [POST /api/auth/forgot_password](#post-apiauthforgot_password): Request reset password link.
 - [GET /api/user_info](#get-apiuser_info): Get user's information.
 - [PATCH /api/sudo](#patch-apisudo): Enable sudo mode.
+- [DELETE /api/user](#delete-apiuser): Delete the current user.
 - [PATCH /api/user_info](#patch-apiuser_info): Update user's information.
 - [POST /api/api_key](#post-apiapi_key): Create a new API key.
 - [GET /api/logout](#get-apilogout): Log out.
@@ -243,6 +244,21 @@ Output:
 - 200 with ```{"ok": true}``` if sudo mode has been enabled.
 - 403 with ```{"error": "Some error"}``` if there is an error.
 
+#### DELETE /api/user
+
+Delete the current user. It requires sudo mode.
+
+Input:
+
+- `Authentication` header that contains the api key
+
+Output:
+
+- 200 with ```{"ok": true}``` if account is scheduled to be deleted.
+- 440 with ```{"error": "Need sudo"}``` if sudo mode is not enabled.
+- 403 with ```{"error": "Some error"}``` if there is an error.
+
+
 #### POST /api/api_key
 
 Create a new API Key

tests/api/test_user.py

@@ -0,0 +1,52 @@
+from random import random
+
+from flask import url_for
+
+from app import config
+from app.db import Session
+from app.models import Job
+from tests.api.utils import get_new_user_and_api_key
+
+
+def test_delete_without_sudo(flask_client):
+    user, api_key = get_new_user_and_api_key()
+    for job in Job.all():
+        job.delete(job.id)
+    Session.commit()
+
+    r = flask_client.delete(
+        url_for("api.delete_user"),
+        headers={"Authentication": api_key.code},
+    )
+
+    assert r.status_code == 440
+    assert Job.count() == 0
+
+
+def test_delete_with_sudo(flask_client):
+    user, api_key = get_new_user_and_api_key()
+    password = f"passwd-{random()}"
+    user.set_password(password)
+    for job in Job.all():
+        job.delete(job.id)
+    Session.commit()
+
+    r = flask_client.patch(
+        url_for("api.enter_sudo"),
+        headers={"Authentication": api_key.code},
+        json={"password": password},
+    )
+
+    assert r.status_code == 200
+
+    r = flask_client.delete(
+        url_for("api.delete_user"),
+        headers={"Authentication": api_key.code},
+    )
+
+    assert r.status_code == 200
+    jobs = Job.all()
+    assert len(jobs) == 1
+    job = jobs[0]
+    assert job.name == config.JOB_DELETE_ACCOUNT
+    assert job.payload == {"user_id": user.id}