[API] Delete Yourself

[6543]

the user should have an api to delete his own account

you just have to look at

gitea/routers/api/v1/admin/user.go

Lines 307 to 320 in a7f0ce6

	if err := user_service.DeleteUser(ctx.ContextUser); err != nil {
	if models.IsErrUserOwnRepos(err) ||
	models.IsErrUserHasOrgs(err) ||
	models.IsErrUserOwnPackages(err) {
	ctx.Error(http.StatusUnprocessableEntity, "", err)
	} else {
	ctx.Error(http.StatusInternalServerError, "DeleteUser", err)
	}
	return
	}
	log.Trace("Account deleted by admin(%s): %s", ctx.Doer.Name, ctx.ContextUser.Name)
	ctx.Status(http.StatusNoContent)
	}

[6543]

I would propose DELETE /user

and add some "save" mechansim like a option in body to say YES ... ?

[Gusted]

What's the point of a save mechanism?

The API then will need two requests from those who utilize it.
Those that use the API as a front-end wrapper, such as GitNex, could display a "Are you sure" screen for this action ahead of time and avoid having to deal with our save mechanism to show such a screen to the user.

Most use-cases for this API call, will just make the two requests unconditionally, which, if you ask me, is a waste of resources.

[6543]

also an opinion ...

[jolheiser]

I agree with @Gusted, a raw API has no need for a confirmation. That is a front-end job.

[6543]

ok so let it be one request to let them delete all ;)

[mscherer]

In fact, wouldn't it be better to have the API mark the user "to be deleted" and delete after X weeks ? This would make revert easier, in case someone account is compromised.

[6543]

good idea, will require extra work for ALL delete and GET fuctions from models, so i thin it's a own issue (and worth it's own pull)

[dhruvmanila]

This would also delete the admin user or should that be not allowed?

[6543]

why they need to do so

alternative frontends

[wxiaoguang]

why they need to do so

alternative frontends

For which case? Why? Is there anybody would delete their GitHub account by API?

[6543]

sorry I still dont understand why you are so frighten about such an api ?

[wxiaoguang]

sorry I still dont understand why you are so frighten about such an api ?

Sorry that I misunderstood some details, I see the latest reqBasicOrRevProxyAuth change.

[wxiaoguang]

After reading the code reqBasicOrRevProxyAuth, I have more questions now ....

In the reqBasicOrRevProxyAuth, if the AuthedMethod is ReverseProxy, then the IsBasicAuth and CheckForOTP will be skipped.

Imagine that some users deploy private Gitea instance with ReverseProxy auth mode, does it mean that with this PR, other users can use the token to purge their account?

When many options come together, the problem becomes more complex (back to my first feeling, could the existing web page for "Delete Acount" be enough for daily usage?)