feat(backend): add DELETE /users/@me endpoint

Sam 2023-03-08 10:32:18 +01:00
parent c4b8b26ec7
commit ff3d612b06
Signed by: sam
GPG key ID: B4EF20DDE721CAA1
9 changed files with 162 additions and 45 deletions


@ -18,6 +18,9 @@ type Claims struct {
TokenID xid.ID `json:"jti"`
UserIsAdmin bool `json:"adm"`
// APIToken specifies whether this token was generated for the API or for the website.
// API tokens cannot perform some destructive actions, such as DELETE /users/@me.
APIToken bool `json:"atn"`
// TokenWrite specifies whether this token can be used for write actions.
// If set to false, this token can only be used for read actions.
TokenWrite bool `json:"twr"`
@ -48,7 +51,7 @@ const ExpireDays = 30
// CreateToken creates a token for the given user ID.
// It expires after 30 days.
func (v *Verifier) CreateToken(userID, tokenID xid.ID, isAdmin bool, isWriteToken bool) (token string, err error) {
func (v *Verifier) CreateToken(userID, tokenID xid.ID, isAdmin bool, isAPIToken bool, isWriteToken bool) (token string, err error) {
now := time.Now()
expires := now.Add(ExpireDays * 24 * time.Hour)
@ -56,6 +59,7 @@ func (v *Verifier) CreateToken(userID, tokenID xid.ID, isAdmin bool, isWriteToke
UserID: userID,
TokenID: tokenID,
UserIsAdmin: isAdmin,
APIToken: isAPIToken,
TokenWrite: isWriteToken,
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "pronouns",
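Review bot: The new `APIToken` claim fails open, because a token that carries no `atn` key decodes to `APIToken == false` and is therefore treated as a website token. If API tokens were already being issued before this commit (not visible here, though the existing `TokenWrite` claim suggests scoped tokens existed), each of them would pass the "not an API token" check for DELETE /users/@me until it expires, up to `ExpireDays` later. A claim with the opposite sense, set only for website sessions, would make a missing key deny the destructive action; otherwise tokens issued before the deploy could be rejected on that endpoint. At minimum the field comment should state the default, for example `// Tokens issued before this claim existed decode as APIToken == false.` The Claims struct and the body of CreateToken both continue outside the hunks shown.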


@ -83,6 +83,7 @@ const (
ErrInvitesDisabled = 1008 // invites are disabled (unneeded)
ErrInviteLimitReached = 1009 // invite limit reached (when creating invites)
ErrInviteAlreadyUsed = 1010 // invite already used (when signing up)
ErrDeletionPending = 1011 // own user deletion pending, returned with undo code
// User-related error codes
ErrUserNotFound = 2001
@ -94,7 +95,8 @@ const (
ErrNotOwnMember = 3004
// General request error codes
ErrRequestTooBig = 4001
ErrRequestTooBig = 4001
ErrMissingPermissions = 4002
)
var errCodeMessages = map[int]string{
@ -115,6 +117,7 @@ var errCodeMessages = map[int]string{
ErrInvitesDisabled: "Invites are disabled",
ErrInviteLimitReached: "Your account has reached the invite limit",
ErrInviteAlreadyUsed: "That invite code has already been used",
ErrDeletionPending: "Your account is pending deletion",
ErrUserNotFound: "User not found",
@ -123,7 +126,8 @@ var errCodeMessages = map[int]string{
ErrMemberNameInUse: "Member name already in use",
ErrNotOwnMember: "Not your member",
ErrRequestTooBig: "Request too big (max 2 MB)",
ErrRequestTooBig: "Request too big (max 2 MB)",
ErrMissingPermissions: "Your account or current token is missing required permissions for this action",
}
var errCodeStatuses = map[int]int{
@ -144,6 +148,7 @@ var errCodeStatuses = map[int]int{
ErrInvitesDisabled: http.StatusForbidden,
ErrInviteLimitReached: http.StatusForbidden,
ErrInviteAlreadyUsed: http.StatusBadRequest,
ErrDeletionPending: http.StatusBadRequest,
ErrUserNotFound: http.StatusNotFound,
@ -152,5 +157,6 @@ var errCodeStatuses = map[int]int{
ErrMemberNameInUse: http.StatusBadRequest,
ErrNotOwnMember: http.StatusForbidden,
ErrRequestTooBig: http.StatusBadRequest,
ErrRequestTooBig: http.StatusBadRequest,
ErrMissingPermissions: http.StatusForbidden,
}
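Review bot: The comment on `ErrDeletionPending` says the error is "returned with undo code", but nothing in this section says which endpoint returns it or to whom. The handler is not visible here, so it is worth confirming that the undo code is only sent once the caller has fully authenticated as the account owner, since it presumably lets the holder cancel the deletion. If that holds, the comment could say so: `// own user deletion pending; returned after authentication, together with the undo code`. `ErrMissingPermissions` is also the only new constant without a trailing comment; something like `// account or token lacks permission for this action` would match the 1008–1011 entries.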