3 files changed, 24 insertions, 0 deletions

diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index 57f8be894..e774743a2 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -1,7 +1,9 @@
 defmodule Pleroma.Web.CommonAPI.Utils do
   alias Pleroma.{Repo, Object, Formatter, Activity}
   alias Pleroma.Web.ActivityPub.Utils
+  alias Pleroma.User
   alias Calendar.Strftime
+  alias Comeonin.Pbkdf2
 
   # This is a hack for twidere.
   def get_by_id_or_ap_id(id) do
@@ -184,4 +186,13 @@ defmodule Pleroma.Web.CommonAPI.Utils do
       String.slice(name, 0..30) <> "…"
     end
   end
+
+  def confirm_current_password(user, params) do
+    with %User{local: true} = db_user <- Repo.get(User, user.id),
+         true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do
+      {:ok, db_user}
+    else
+      _ -> {:error, "Invalid password."}
+    end
+  end
 end
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index c202cb810..2b5209b75 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -73,6 +73,7 @@ defmodule Pleroma.Web.Router do
   scope "/api/pleroma", Pleroma.Web.TwitterAPI do
     pipe_through(:authenticated_api)
     post("/follow_import", UtilController, :follow_import)
+    post("/delete_account", UtilController, :delete_account)
   end
 
   scope "/oauth", Pleroma.Web.OAuth do
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index ea540b34c..23e7408a0 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -4,6 +4,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
   alias Pleroma.Web
   alias Pleroma.Web.OStatus
   alias Pleroma.Web.WebFinger
+  alias Pleroma.Web.CommonAPI
   alias Comeonin.Pbkdf2
   alias Pleroma.Formatter
   alias Pleroma.Web.ActivityPub.ActivityPub
@@ -195,4 +196,15 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
 
     json(conn, "job started")
   end
+
+  def delete_account(%{assigns: %{user: user}} = conn, params) do
+    case CommonAPI.Utils.confirm_current_password(user, params) do
+      {:ok, user} ->
+        Task.start(fn -> User.delete(user) end)
+        json(conn, %{status: "success"})
+
+      {:error, msg} ->
+        json(conn, %{error: msg})
+    end
+  end
 end