authorSyldexia <syldexia@ofthewi.red>2018-05-11 12:32:59 +0100
committerSyldexia <syldexia@ofthewi.red>2018-05-13 14:35:48 +0100
commita16117225f9a4da9da08013ae256d8ac02ee3ec5 (patch)
tree0af9b43be704de22460921d8622f080225706a28 /lib
parent89954a2ce7a5003c539650112c974d1d05908e27 (diff)
downloadpleroma-a16117225f9a4da9da08013ae256d8ac02ee3ec5.tar.gz
Added endpoint for user account deletion
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/web/common_api/utils.ex17
-rw-r--r--lib/pleroma/web/router.ex2
-rw-r--r--lib/pleroma/web/twitter_api/twitter_api_controller.ex13
3 files changed, 32 insertions, 0 deletions
diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index 57f8be894..5c2123f2d 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -1,7 +1,9 @@
defmodule Pleroma.Web.CommonAPI.Utils do
alias Pleroma.{Repo, Object, Formatter, Activity}
alias Pleroma.Web.ActivityPub.Utils
+ alias Pleroma.User
alias Calendar.Strftime
+ alias Comeonin.Pbkdf2
# This is a hack for twidere.
def get_by_id_or_ap_id(id) do
@@ -184,4 +186,19 @@ defmodule Pleroma.Web.CommonAPI.Utils do
String.slice(name, 0..30) <> "…"
end
end
+
+ def confirm_current_password(user, params) do
+ case user do
+ nil ->
+ {:error, "Invalid credentials."}
+
+ _ ->
+ with %User{local: true} = db_user <- Repo.get(User, user.id),
+ true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do
+ {:ok, db_user}
+ else
+ _ -> {:error, "Invalid password."}
+ end
+ end
+ end
end
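Review bot: A request that omits `password` reaches `Pbkdf2.checkpw(params["password"], db_user.password_hash)` with `nil`, and as far as I know Comeonin's `checkpw` raises on non-binary arguments instead of returning false, so the `else` branch never sees it and the client gets a 500 rather than the "Invalid password." reply. Bind and type-check the value in the `with` before the hash check, `password when is_binary(password) <- params["password"],`, and pass `password` to `checkpw`. The same failure would occur if `db_user.password_hash` is nil for a local account, which nothing in this hunk rules out. As a style point, the outer `case user do nil -> …` would read more idiomatically as two function clauses, `def confirm_current_password(nil, _params)` and `def confirm_current_password(%User{} = user, params)`.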
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index c202cb810..829d9fc7b 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -211,6 +211,8 @@ defmodule Pleroma.Web.Router do
post("/account/update_profile_banner", TwitterAPI.Controller, :update_banner)
post("/qvitter/update_background_image", TwitterAPI.Controller, :update_background)
+ post("/account/delete_account", TwitterAPI.Controller, :delete_account)
+
post(
"/account/most_recent_notification",
TwitterAPI.Controller,
diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
index a99487738..a51cfa036 100644
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@@ -364,6 +364,19 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
end
end
+ def delete_account(%{assigns: %{user: user}} = conn, params) do
+ case CommonAPI.Utils.confirm_current_password(user, params) do
+ {:ok, user} ->
+ case User.delete(user) do
+ :ok -> json(conn, %{status: "success"})
+ :error -> error_json(conn, "Unable to delete user.")
+ end
+
+ {:error, msg} ->
+ forbidden_json_reply(conn, msg)
+ end
+ end
+
def search(%{assigns: %{user: user}} = conn, %{"q" => _query} = params) do
activities = TwitterAPI.search(user, params)
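Review bot: Neither outcome of `delete_account` leaves an audit trail: a failed password confirmation goes straight to `forbidden_json_reply(conn, msg)` and a successful, irreversible `User.delete(user)` replies with JSON and logs nothing. Because this endpoint checks the account password for whoever holds the session or token, repeated failures are a guessing signal worth recording, and no throttling is visible in this hunk (it may live in a plug outside it). I would log both branches, e.g. `Logger.info("account deleted: user_id=#{user.id}")` before the success reply and a warning carrying the user id on the `{:error, msg}` branch. Separately, the inner `case` matches only `:ok` and `:error`; if `User.delete/1` (not shown here) can return anything else, such as a tagged tuple, it raises `CaseClauseError`, so a catch-all clause that returns the error reply would be safer.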