commit: 8672ad6b00e1bba59cd6e4f0a09fd26bc6ba6bd6
parent 0b2119d4a791b3623b304b0bab683609d23271d4
Author: Alex Gleason <alex@alexgleason.me>
Date: Mon, 13 Dec 2021 16:15:33 -0500
TwitterAPI: allow deleting one's own account with request body
Diffstat:
3 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
@@ -188,6 +188,7 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
parameters: [
Operation.parameter(:password, :query, :string, "Password")
],
+ requestBody: request_body("Parameters", delete_account_request(), required: false),
responses: %{
200 =>
Operation.response("Success", "application/json", %Schema{
@@ -234,4 +235,22 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
responses: %{200 => Operation.response("Web Page", "test/html", %Schema{type: :string})}
}
end
+
+ defp delete_account_request do
+ %Schema{
+ title: "AccountDeleteRequest",
+ description: "POST body for deleting one's own account",
+ type: :object,
+ properties: %{
+ password: %Schema{
+ type: :string,
+ description: "The user's own password for confirmation.",
+ format: :password
+ }
+ },
+ example: %{
+ "password" => "prettyp0ony1313"
+ }
+ }
+ end
end
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -123,8 +123,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
end
end
- def delete_account(%{assigns: %{user: user}} = conn, params) do
- password = params[:password] || ""
+ def delete_account(%{assigns: %{user: user}, body_params: body_params} = conn, params) do
+ # This endpoint can accept a query param or JSON body for backwards-compatibility.
+ # Submitting a JSON body is recommended, so passwords don't end up in server logs.
+ password = body_params[:password] || params[:password] || ""
case CommonAPI.Utils.confirm_current_password(user, password) do
{:ok, user} ->
diff --git a/test/pleroma/web/twitter_api/util_controller_test.exs b/test/pleroma/web/twitter_api/util_controller_test.exs
@@ -444,7 +444,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
test "with proper permissions and wrong or missing password", %{conn: conn} do
for params <- [%{"password" => "hi"}, %{}] do
- ret_conn = post(conn, "/api/pleroma/delete_account", params)
+ ret_conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> post("/api/pleroma/delete_account", params)
assert json_response_and_validate_schema(ret_conn, 200) == %{
"error" => "Invalid password."
@@ -452,8 +455,28 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
end
end
- test "with proper permissions and valid password", %{conn: conn, user: user} do
- conn = post(conn, "/api/pleroma/delete_account?password=test")
+ test "with proper permissions and valid password (URL query)", %{conn: conn, user: user} do
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> post("/api/pleroma/delete_account?password=test")
+
+ ObanHelpers.perform_all()
+ assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
+
+ user = User.get_by_id(user.id)
+ refute user.is_active
+ assert user.name == nil
+ assert user.bio == ""
+ assert user.password_hash == nil
+ end
+
+ test "with proper permissions and valid password (JSON body)", %{conn: conn, user: user} do
+ conn =
+ conn
+ |> put_req_header("content-type", "application/json")
+ |> post("/api/pleroma/delete_account", %{password: "test"})
+
ObanHelpers.perform_all()
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
