From 8672ad6b00e1bba59cd6e4f0a09fd26bc6ba6bd6 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Mon, 13 Dec 2021 16:15:33 -0500 Subject: [PATCH] TwitterAPI: allow deleting one's own account with request body --- .../operations/twitter_util_operation.ex | 19 ++++++++++++ .../controllers/util_controller.ex | 6 ++-- .../web/twitter_api/util_controller_test.exs | 29 +++++++++++++++++-- 3 files changed, 49 insertions(+), 5 deletions(-) diff --git a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex index 879b2227e..be45720b1 100644 --- a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex +++ b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex @@ -188,6 +188,7 @@ def delete_account_operation do parameters: [ Operation.parameter(:password, :query, :string, "Password") ], + requestBody: request_body("Parameters", delete_account_request(), required: false), responses: %{ 200 => Operation.response("Success", "application/json", %Schema{ @@ -234,4 +235,22 @@ def remote_subscribe_operation do responses: %{200 => Operation.response("Web Page", "test/html", %Schema{type: :string})} } end + + defp delete_account_request do + %Schema{ + title: "AccountDeleteRequest", + description: "POST body for deleting one's own account", + type: :object, + properties: %{ + password: %Schema{ + type: :string, + description: "The user's own password for confirmation.", + format: :password + } + }, + example: %{ + "password" => "prettyp0ony1313" + } + } + end end diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index ef43f7682..a4e44efdd 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -123,8 +123,10 @@ def change_email(%{assigns: %{user: user}, body_params: body_params} = conn, %{} end end - def delete_account(%{assigns: %{user: user}} = conn, params) do - password = params[:password] || "" + def delete_account(%{assigns: %{user: user}, body_params: body_params} = conn, params) do + # This endpoint can accept a query param or JSON body for backwards-compatibility. + # Submitting a JSON body is recommended, so passwords don't end up in server logs. + password = body_params[:password] || params[:password] || "" case CommonAPI.Utils.confirm_current_password(user, password) do {:ok, user} -> diff --git a/test/pleroma/web/twitter_api/util_controller_test.exs b/test/pleroma/web/twitter_api/util_controller_test.exs index f030483d8..e944228cc 100644 --- a/test/pleroma/web/twitter_api/util_controller_test.exs +++ b/test/pleroma/web/twitter_api/util_controller_test.exs @@ -444,7 +444,10 @@ test "without permissions", %{conn: conn} do test "with proper permissions and wrong or missing password", %{conn: conn} do for params <- [%{"password" => "hi"}, %{}] do - ret_conn = post(conn, "/api/pleroma/delete_account", params) + ret_conn = + conn + |> put_req_header("content-type", "application/json") + |> post("/api/pleroma/delete_account", params) assert json_response_and_validate_schema(ret_conn, 200) == %{ "error" => "Invalid password." @@ -452,8 +455,28 @@ test "with proper permissions and wrong or missing password", %{conn: conn} do end end - test "with proper permissions and valid password", %{conn: conn, user: user} do - conn = post(conn, "/api/pleroma/delete_account?password=test") + test "with proper permissions and valid password (URL query)", %{conn: conn, user: user} do + conn = + conn + |> put_req_header("content-type", "application/json") + |> post("/api/pleroma/delete_account?password=test") + + ObanHelpers.perform_all() + assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"} + + user = User.get_by_id(user.id) + refute user.is_active + assert user.name == nil + assert user.bio == "" + assert user.password_hash == nil + end + + test "with proper permissions and valid password (JSON body)", %{conn: conn, user: user} do + conn = + conn + |> put_req_header("content-type", "application/json") + |> post("/api/pleroma/delete_account", %{password: "test"}) + ObanHelpers.perform_all() assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}