feat: allow users to delete their account (Closes #410)#444
Conversation
Welcome to OSSfolio, @SakethSumanBathini! 🎉Thank you for opening this pull request and contributing to the open-source community! 🚀 To ensure a smooth review process, please make sure you have:
We will review your PR as soon as possible. Happy coding! 💻✨ |
|
Warning Review limit reached
Next review available in: 59 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
🎉 Your PR just got merged, @SakethSumanBathini — thank you for contributing to OSSfolio! Your work is now part of the project. Here's what to do next:
We really appreciate you taking the time. See you in the next PR! 🚀 |
Summary
Adds a
DELETE /api/settingsendpoint and a Danger zone in/settings, so a user can remove theirOSSfolio account.
Related Issue
Closes #410
Type of Change
Changes Made
src/app/api/settings/route.ts— aDELETEhandlersrc/app/settings/client.tsx— a Danger zone with a typed confirmationIt deletes the auth user, not the profile row — deliberately
This is the design decision worth reviewing, so I'll spell out the reasoning.
1. The cascade already does it.
profiles.idisreferences auth.users(id) on delete cascade, soremoving the auth user removes the profile with it, in the same transaction. Deleting the row
separately would be redundant, and would open a window where the profile is gone but the account
still exists.
2. Deleting from the client is revoked, and should stay revoked. Migration
20260713000000does
revoke insert, update, delete on public.profiles from anon, authenticated, on the grounds thatnothing in the app deletes a profile from the client. That's still the right call — re-granting DELETE
to
authenticatedjust to support this one endpoint would permanently widen the client's writesurface to serve a single server-side operation. Going through the auth admin API leaves that
hardening intact.
3.
auth.admin.deleteUserrequires the service-role key by design. The anon key can't call it,which is exactly why account deletion belongs on the server rather than in the browser.
Security
The user id comes from
auth.getUser()on a client scoped to the caller's bearer token — neverfrom the request body. If it came from the body, anyone holding any valid token could delete anyone
else's account simply by naming them. This follows the same auth pattern the existing
GETandPUThandlers in this file already use.
If
SUPABASE_SERVICE_ROLE_KEYisn't configured, it returns 503 rather than letting the admin callfail as an opaque 500 — "this deployment can't do that" is the truth, and it's a much easier thing to
debug than a generic server error.
UI
A Danger zone, visually and structurally separated from the settings above, because every control up
there is reversible and this one isn't.
The confirmation is a typed word rather than a second "are you sure?" dialog — a dialog gets
dismissed by reflex, typing doesn't. It asks for
DELETErather than the username because thiscomponent has no username prop; it would have to be dug out of
user_metadata, whose shape depends onthe OAuth provider, and a confirmation that silently fails to match is worse than one that's slightly
less personal. Happy to change it if you'd rather it echoed the username.
On success it signs out and does a hard navigation rather than a router push, because every cached
server component on the origin was rendered for a user who has just ceased to exist.
Both touch
api/settings/route.tsandsettings/client.tsx. Different regions — this appends aDELETEhandler and a Danger zone; #441 edits thevisibilityallow-list and the dropdown — so theyshould merge cleanly, but whichever lands second may want a quick rebase. Happy to rebase this one
onto #441 if you'd rather merge that first.
AI Usage
including which functions I changed, why I changed them, and what side effects they could create
Used Claude for coding.
Checklist
mainconsole.logleft insrc/schema.sqland a new migration file are includedDESIGN.mdand followed the design system(No schema change — the cascade already exists.)
How I tested it, and what I couldn't test
tsc,lintandbuildare clean.I ran the actual
DELETEhandler against a stubbed Supabase and checked the properties that matter:AuthorizationheadergetUser()rejects the tokengetUser()returned — not one from the bodySUPABASE_SERVICE_ROLE_KEYmissingWhat I could not test: the real
auth.admin.deleteUsercall, and the cascade actually firing. Idon't have a Supabase project, so the admin API was stubbed. The auth logic and every failure branch
are verified; "the row really disappears" rests on the
on delete cascadein the schema rather thanon something I've watched happen. Worth one manual check on a throwaway account before merging, and
I'd rather flag that than imply I've done it.