diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index 57f8be894..e774743a2 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -1,7 +1,9 @@
defmodule Pleroma.Web.CommonAPI.Utils do
alias Pleroma.{Repo, Object, Formatter, Activity}
alias Pleroma.Web.ActivityPub.Utils
+ alias Pleroma.User
alias Calendar.Strftime
+ alias Comeonin.Pbkdf2
# This is a hack for twidere.
def get_by_id_or_ap_id(id) do
@@ -184,4 +186,13 @@ defmodule Pleroma.Web.CommonAPI.Utils do
String.slice(name, 0..30) <> "…"
end
end
+
+ def confirm_current_password(user, params) do
+ with %User{local: true} = db_user <- Repo.get(User, user.id),
+ true <- Pbkdf2.checkpw(params["password"], db_user.password_hash) do
+ {:ok, db_user}
+ else
+ _ -> {:error, "Invalid password."}
+ end
+ end
end
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index c202cb810..2b5209b75 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -73,6 +73,7 @@ defmodule Pleroma.Web.Router do
scope "/api/pleroma", Pleroma.Web.TwitterAPI do
pipe_through(:authenticated_api)
post("/follow_import", UtilController, :follow_import)
+ post("/delete_account", UtilController, :delete_account)
end
scope "/oauth", Pleroma.Web.OAuth do
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index ea540b34c..23e7408a0 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -4,6 +4,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
alias Pleroma.Web
alias Pleroma.Web.OStatus
alias Pleroma.Web.WebFinger
+ alias Pleroma.Web.CommonAPI
alias Comeonin.Pbkdf2
alias Pleroma.Formatter
alias Pleroma.Web.ActivityPub.ActivityPub
@@ -195,4 +196,15 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
json(conn, "job started")
end
+
+ def delete_account(%{assigns: %{user: user}} = conn, params) do
+ case CommonAPI.Utils.confirm_current_password(user, params) do
+ {:ok, user} ->
+ Task.start(fn -> User.delete(user) end)
+ json(conn, %{status: "success"})
+
+ {:error, msg} ->
+ json(conn, %{error: msg})
+ end
+ end
end
diff --git a/test/web/common_api/common_api_utils_test.exs b/test/web/common_api/common_api_utils_test.exs
index 689bdd61e..23cce471f 100644
--- a/test/web/common_api/common_api_utils_test.exs
+++ b/test/web/common_api/common_api_utils_test.exs
@@ -1,5 +1,6 @@
defmodule Pleroma.Web.CommonAPI.UtilsTest do
alias Pleroma.Web.CommonAPI.Utils
+ alias Pleroma.Builders.{UserBuilder}
use Pleroma.DataCase
test "it adds attachment links to a given text and attachment set" do
@@ -15,4 +16,18 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
assert res ==
"
Sakura Mana – Turned on by a Se…"
end
+
+ describe "it confirms the password given is the current users password" do
+ test "incorrect password given" do
+ {:ok, user} = UserBuilder.insert()
+
+ assert Utils.confirm_current_password(user, %{"password" => ""}) ==
+ {:error, "Invalid password."}
+ end
+
+ test "correct password given" do
+ {:ok, user} = UserBuilder.insert()
+ assert Utils.confirm_current_password(user, %{"password" => "test"}) == {:ok, user}
+ end
+ end
end
diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index 896fe246d..02aba0bc8 100644
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -800,4 +800,31 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
user = Repo.get!(User, user.id)
assert user.bio == "Hello,
World! I
am a test."
end
+
+ describe "POST /api/pleroma/delete_account" do
+ setup [:valid_user]
+
+ test "without credentials", %{conn: conn} do
+ conn = post(conn, "/api/pleroma/delete_account")
+ assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
+ end
+
+ test "with credentials and invalid password", %{conn: conn, user: current_user} do
+ conn =
+ conn
+ |> with_credentials(current_user.nickname, "test")
+ |> post("/api/pleroma/delete_account", %{"password" => "hi"})
+
+ assert json_response(conn, 200) == %{"error" => "Invalid password."}
+ end
+
+ test "with credentials and valid password", %{conn: conn, user: current_user} do
+ conn =
+ conn
+ |> with_credentials(current_user.nickname, "test")
+ |> post("/api/pleroma/delete_account", %{"password" => "test"})
+
+ assert json_response(conn, 200) == %{"status" => "success"}
+ end
+ end
end