From a16117225f9a4da9da08013ae256d8ac02ee3ec5 Mon Sep 17 00:00:00 2001 From: Syldexia Date: Fri, 11 May 2018 12:32:59 +0100 Subject: [PATCH 1/4] Added endpoint for user account deletion --- lib/pleroma/web/common_api/utils.ex | 17 +++++++++ lib/pleroma/web/router.ex | 2 ++ .../web/twitter_api/twitter_api_controller.ex | 13 +++++++ test/web/common_api/common_api_utils_test.exs | 20 +++++++++++ .../twitter_api_controller_test.exs | 36 +++++++++++++++++++ 5 files changed, 88 insertions(+) diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex index 57f8be894..5c2123f2d 100644 --- a/lib/pleroma/web/common_api/utils.ex +++ b/lib/pleroma/web/common_api/utils.ex @@ -1,7 +1,9 @@ defmodule Pleroma.Web.CommonAPI.Utils do alias Pleroma.{Repo, Object, Formatter, Activity} alias Pleroma.Web.ActivityPub.Utils + alias Pleroma.User alias Calendar.Strftime + alias Comeonin.Pbkdf2 # This is a hack for twidere. def get_by_id_or_ap_id(id) do @@ -184,4 +186,19 @@ defp shortname(name) do String.slice(name, 0..30) <> "…" end end + + def confirm_current_password(user, params) do + case user do + nil -> + {:error, "Invalid credentials."} + + _ -> + with %User{local: true} = db_user <- Repo.get(User, user.id), + true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do + {:ok, db_user} + else + _ -> {:error, "Invalid password."} + end + end + end end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index c202cb810..829d9fc7b 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -211,6 +211,8 @@ def user_fetcher(username) do post("/account/update_profile_banner", TwitterAPI.Controller, :update_banner) post("/qvitter/update_background_image", TwitterAPI.Controller, :update_background) + post("/account/delete_account", TwitterAPI.Controller, :delete_account) + post( "/account/most_recent_notification", TwitterAPI.Controller, 
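Review bot: In `confirm_current_password`, a request without a `"password"` field passes `nil` to `Pbkdf2.checkpw/2`; in the Comeonin versions I know of that raises `ArgumentError` rather than returning `false`, so the caller gets a 500 instead of the `{:error, "Invalid password."}` the `else` branch is meant to produce. Bind and type-check the password as its own `with` step, `password when is_binary(password) <- params["password"],` followed by `true <- Pbkdf2.checkpw(password, db_user.password_hash) do`, so a missing or non-string value falls through to the error tuple. The same `checkpw` line survives the rewrites in patches 2 and 3 (the `utils.ex` hunks at `@@ -188,17 +188,11 @@` and `@@ -189,7 +189,7 @@`). A short `@doc` stating that the hash is compared against a freshly loaded `%User{local: true}` row, so remote accounts and stale assigns are both rejected, would help the next reader.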
diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index a99487738..a51cfa036 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -364,6 +364,19 @@ def update_profile(%{assigns: %{user: user}} = conn, params) do end end + def delete_account(%{assigns: %{user: user}} = conn, params) do + case CommonAPI.Utils.confirm_current_password(user, params) do + {:ok, user} -> + case User.delete(user) do + :ok -> json(conn, %{status: "success"}) + :error -> error_json(conn, "Unable to delete user.") + end + + {:error, msg} -> + forbidden_json_reply(conn, msg) + end + end + def search(%{assigns: %{user: user}} = conn, %{"q" => _query} = params) do activities = TwitterAPI.search(user, params) diff --git a/test/web/common_api/common_api_utils_test.exs b/test/web/common_api/common_api_utils_test.exs index 689bdd61e..d59864c43 100644 --- a/test/web/common_api/common_api_utils_test.exs +++ b/test/web/common_api/common_api_utils_test.exs @@ -1,5 +1,6 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do alias Pleroma.Web.CommonAPI.Utils + alias Pleroma.Builders.{UserBuilder} use Pleroma.DataCase test "it adds attachment links to a given text and attachment set" do @@ -15,4 +16,23 @@ test "it adds attachment links to a given text and attachment set" do assert res == "
Sakura Mana – Turned on by a Se…" end + + describe "it confirms the password given is the current users password" do + test "with no credentials" do + assert Utils.confirm_current_password(nil, %{"password" => "test"}) == + {:error, "Invalid credentials."} + end + + test "with incorrect password given" do + {:ok, user} = UserBuilder.insert() + + assert Utils.confirm_current_password(user, %{"password" => ""}) == + {:error, "Invalid password."} + end + + test "with correct password given" do + {:ok, user} = UserBuilder.insert() + assert Utils.confirm_current_password(user, %{"password" => "test"}) == {:ok, user} + end + end end diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs index 896fe246d..a9350d189 100644 --- a/test/web/twitter_api/twitter_api_controller_test.exs +++ b/test/web/twitter_api/twitter_api_controller_test.exs @@ -800,4 +800,40 @@ test "Convert newlines to
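Review bot: The new `describe` block covers an empty password but not a missing one, which is the input most likely to misbehave in `confirm_current_password` because `params["password"]` becomes `nil`. Add `test "with no password given" do {:ok, user} = UserBuilder.insert(); assert Utils.confirm_current_password(user, %{}) == {:error, "Invalid password."} end` so the contract for absent input is pinned rather than left to whatever `Pbkdf2.checkpw/2` does with `nil`. The controller test hunk that follows (`POST /api/account/delete_account`) has the same gap and could add a request posted without a `password` key.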
in bio", %{conn: conn} do user = Repo.get!(User, user.id) assert user.bio == "Hello,
World! I
am a test." end + + describe "POST /api/account/delete_account" do + setup [:valid_user] + + test "without credentials", %{conn: conn} do + conn = post(conn, "/api/account/delete_account") + assert json_response(conn, 403) == %{"error" => "Invalid credentials."} + end + + test "with credentials and invalid password", %{conn: conn, user: current_user} do + conn = + conn + |> with_credentials(current_user.nickname, "test") + |> post("/api/account/delete_account", %{ + "password" => "" + }) + + assert json_response(conn, 403) == %{ + "error" => "Invalid password.", + "request" => "/api/account/delete_account" + } + end + + test "with credentials and valid password", %{conn: conn, user: current_user} do + conn = + conn + |> with_credentials(current_user.nickname, "test") + |> post("/api/account/delete_account", %{ + "password" => "test" + }) + + assert json_response(conn, 200) == %{"status" => "success"} + fetched_user = Repo.get(User, current_user.id) + assert fetched_user.info == %{"deactivated" => true} + end + end end From 5bfb7b4ce6c23f84c27643e9871b78b867f86b7e Mon Sep 17 00:00:00 2001 From: Syldexia Date: Sun, 13 May 2018 14:24:15 +0100 Subject: [PATCH 2/4] Moved account deletion stuff to somewhere that hopefully makes more sense --- lib/pleroma/web/common_api/utils.ex | 16 +++++----------- lib/pleroma/web/router.ex | 3 +-- .../twitter_api/controllers/util_controller.ex | 14 ++++++++++++++ .../web/twitter_api/twitter_api_controller.ex | 13 ------------- .../twitter_api/twitter_api_controller_test.exs | 17 +++++------------ 5 files changed, 25 insertions(+), 38 deletions(-) diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex index 5c2123f2d..d9f80ee0f 100644 --- a/lib/pleroma/web/common_api/utils.ex +++ b/lib/pleroma/web/common_api/utils.ex 
@@ -188,17 +188,11 @@ defp shortname(name) do end def confirm_current_password(user, params) do - case user do - nil -> - {:error, "Invalid credentials."} - - _ -> - with %User{local: true} = db_user <- Repo.get(User, user.id), - true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do - {:ok, db_user} - else - _ -> {:error, "Invalid password."} - end + with %User{local: true} = db_user <- Repo.get(User, user.id), + true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do + {:ok, db_user} + else + _ -> {:error, "Invalid password."} end end end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index 829d9fc7b..2b5209b75 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -73,6 +73,7 @@ def user_fetcher(username) do scope "/api/pleroma", Pleroma.Web.TwitterAPI do pipe_through(:authenticated_api) post("/follow_import", UtilController, :follow_import) + post("/delete_account", UtilController, :delete_account) end scope "/oauth", Pleroma.Web.OAuth do @@ -211,8 +212,6 @@ def user_fetcher(username) do post("/account/update_profile_banner", TwitterAPI.Controller, :update_banner) post("/qvitter/update_background_image", TwitterAPI.Controller, :update_background) - post("/account/delete_account", TwitterAPI.Controller, :delete_account) - post( "/account/most_recent_notification", TwitterAPI.Controller, diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index ea540b34c..3f3ddb9e4 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -4,6 +4,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do alias Pleroma.Web alias Pleroma.Web.OStatus alias Pleroma.Web.WebFinger + alias Pleroma.Web.CommonAPI alias Comeonin.Pbkdf2 alias Pleroma.Formatter alias Pleroma.Web.ActivityPub.ActivityPub 
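Review bot: With the `nil` clause removed, `confirm_current_password` dereferences `user.id` unconditionally, so a `nil` user now raises instead of returning an error tuple; the function is only safe because the router hunk in this same patch places the route under `pipe_through(:authenticated_api)`, a dependency the function itself does not express. Make the contract explicit in the head, `def confirm_current_password(%User{id: id}, params) do` with `Repo.get(User, id)`, so any other caller fails on a clear `FunctionClauseError`, and add `@spec confirm_current_password(%User{}, map()) :: {:ok, %User{}} | {:error, String.t()}`. The `else _ ->` deliberately collapses not-found, non-local and wrong-password into one message so the response does not reveal which check failed; a one-line comment saying so would stop someone from later splitting it into distinguishable errors.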
@@ -195,4 +196,17 @@ def follow_import(%{assigns: %{user: user}} = conn, %{"list" => list}) do json(conn, "job started") end + + def delete_account(%{assigns: %{user: user}} = conn, params) do + case CommonAPI.Utils.confirm_current_password(user, params) do + {:ok, user} -> + case User.delete(user) do + :ok -> json(conn, %{status: "success"}) + :error -> json(conn, %{error: "Unable to delete user."}) + end + + {:error, msg} -> + json(conn, %{error: msg}) + end + end end diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index a51cfa036..a99487738 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -364,19 +364,6 @@ def update_profile(%{assigns: %{user: user}} = conn, params) do end end - def delete_account(%{assigns: %{user: user}} = conn, params) do - case CommonAPI.Utils.confirm_current_password(user, params) do - {:ok, user} -> - case User.delete(user) do - :ok -> json(conn, %{status: "success"}) - :error -> error_json(conn, "Unable to delete user.") - end - - {:error, msg} -> - forbidden_json_reply(conn, msg) - end - end - def search(%{assigns: %{user: user}} = conn, %{"q" => _query} = params) do activities = TwitterAPI.search(user, params) diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs index a9350d189..170dda145 100644 --- a/test/web/twitter_api/twitter_api_controller_test.exs +++ b/test/web/twitter_api/twitter_api_controller_test.exs @@ -801,11 +801,11 @@ test "Convert newlines to
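Review bot: `delete_account` in `UtilController` replies to a failed password check with `json(conn, %{error: msg})`, which is HTTP 200; the controller it replaces used `forbidden_json_reply/2`, and the test hunk in this patch (`@@ -813,23 +813,16 @@`) now pins the 200 rather than fixing it. A client cannot tell rejection from success without parsing the body, so set the status explicitly, `{:error, msg} -> conn |> put_status(:forbidden) |> json(%{error: msg})`, and give the `"Unable to delete user."` branch a non-200 status as well. Patch 4 keeps the same `{:error, msg}` clause. The `{:ok, user} ->` clause also rebinds the `user` taken from the assigns; `{:ok, db_user}` would make it clear that the freshly loaded record, not the assign, is what gets deleted.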
in bio", %{conn: conn} do assert user.bio == "Hello,
World! I
am a test." end - describe "POST /api/account/delete_account" do + describe "POST /api/pleroma/delete_account" do setup [:valid_user] test "without credentials", %{conn: conn} do - conn = post(conn, "/api/account/delete_account") + conn = post(conn, "/api/pleroma/delete_account") assert json_response(conn, 403) == %{"error" => "Invalid credentials."} end @@ -813,23 +813,16 @@ test "with credentials and invalid password", %{conn: conn, user: current_user} conn = conn |> with_credentials(current_user.nickname, "test") - |> post("/api/account/delete_account", %{ - "password" => "" - }) + |> post("/api/pleroma/delete_account", %{"password" => "hi"}) - assert json_response(conn, 403) == %{ - "error" => "Invalid password.", - "request" => "/api/account/delete_account" - } + assert json_response(conn, 200) == %{"error" => "Invalid password."} end test "with credentials and valid password", %{conn: conn, user: current_user} do conn = conn |> with_credentials(current_user.nickname, "test") - |> post("/api/account/delete_account", %{ - "password" => "test" - }) + |> post("/api/pleroma/delete_account", %{"password" => "test"}) assert json_response(conn, 200) == %{"status" => "success"} fetched_user = Repo.get(User, current_user.id) From 98b36d359a1a8c10ef9877902258d46b68331363 Mon Sep 17 00:00:00 2001 From: Syldexia Date: Sun, 13 May 2018 14:56:59 +0100 Subject: [PATCH 3/4] Fixed formatting and test --- lib/pleroma/web/common_api/utils.ex | 2 +- test/web/common_api/common_api_utils_test.exs | 9 ++------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex index d9f80ee0f..e774743a2 100644 --- a/lib/pleroma/web/common_api/utils.ex +++ b/lib/pleroma/web/common_api/utils.ex 
@@ -189,7 +189,7 @@ defp shortname(name) do def confirm_current_password(user, params) do with %User{local: true} = db_user <- Repo.get(User, user.id), - true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do + true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do {:ok, db_user} else _ -> {:error, "Invalid password."} diff --git a/test/web/common_api/common_api_utils_test.exs b/test/web/common_api/common_api_utils_test.exs index d59864c43..23cce471f 100644 --- a/test/web/common_api/common_api_utils_test.exs +++ b/test/web/common_api/common_api_utils_test.exs @@ -18,19 +18,14 @@ test "it adds attachment links to a given text and attachment set" do end describe "it confirms the password given is the current users password" do - test "with no credentials" do - assert Utils.confirm_current_password(nil, %{"password" => "test"}) == - {:error, "Invalid credentials."} - end - - test "with incorrect password given" do + test "incorrect password given" do {:ok, user} = UserBuilder.insert() assert Utils.confirm_current_password(user, %{"password" => ""}) == {:error, "Invalid password."} end - test "with correct password given" do + test "correct password given" do {:ok, user} = UserBuilder.insert() assert Utils.confirm_current_password(user, %{"password" => "test"}) == {:ok, user} end From d1366f8d46959229fdae398fe7920f6894d9d02a Mon Sep 17 00:00:00 2001 From: Syldexia Date: Sat, 19 May 2018 13:35:49 +0100 Subject: [PATCH 4/4] Modified deleting an account to run as a task --- lib/pleroma/web/twitter_api/controllers/util_controller.ex | 6 ++---- test/web/twitter_api/twitter_api_controller_test.exs | 2 -- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index 3f3ddb9e4..23e7408a0 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex 
@@ -200,10 +200,8 @@ def follow_import(%{assigns: %{user: user}} = conn, %{"list" => list}) do def delete_account(%{assigns: %{user: user}} = conn, params) do case CommonAPI.Utils.confirm_current_password(user, params) do {:ok, user} -> - case User.delete(user) do - :ok -> json(conn, %{status: "success"}) - :error -> json(conn, %{error: "Unable to delete user."}) - end + Task.start(fn -> User.delete(user) end) + json(conn, %{status: "success"}) {:error, msg} -> json(conn, %{error: msg}) diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs index 170dda145..02aba0bc8 100644 --- a/test/web/twitter_api/twitter_api_controller_test.exs +++ b/test/web/twitter_api/twitter_api_controller_test.exs @@ -825,8 +825,6 @@ test "with credentials and valid password", %{conn: conn, user: current_user} do |> post("/api/pleroma/delete_account", %{"password" => "test"}) assert json_response(conn, 200) == %{"status" => "success"} - fetched_user = Repo.get(User, current_user.id) - assert fetched_user.info == %{"deactivated" => true} end end end
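Review bot: After this change the handler returns `%{status: "success"}` before `User.delete/1` has run and regardless of its result, so a failed deletion is invisible to the client and only surfaces as a crashed, unlinked process that nothing supervises or retries. If the work must be asynchronous, start it under a `Task.Supervisor` in the application tree instead of bare `Task.start/1`, and document the weakened meaning of the reply: `# Deletion runs asynchronously; "success" means the request was accepted, not that the account is gone.` The second hunk drops the only assertion that the account was actually deactivated, so the feature is now untested end to end; a synchronous path for tests, or awaiting the task before asserting, would restore that coverage.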