feat: add delete-account Cloud Function for permanent user auth deletion

Closes #758. The client-side Appwrite SDK has no hard-delete endpoint for
auth accounts. This server-side Cloud Function calls the Appwrite Users API
(users.deleteUser) to permanently remove the auth record after the Flutter
app has already cleaned up the profile doc, username doc, and profile picture.
Appwrite cascade relationships handle followers/friends automatically.

The function is secured by reading x-appwrite-user-id from the request header,
which Appwrite sets automatically when an authenticated user invokes a function,
ensuring users can only delete their own account.

Related Flutter PR: AOSSIE-Org/Resonate#786

Author: Muneerali199

appwrite.json

@@ -515,6 +515,31 @@
             "entrypoint": "src/main.js",
             "commands": "npm install",
             "path": "functions/sync-all-documents-with-meilisearch"
+        },
+        {
+            "$id": "delete-account",
+            "name": "Delete Account",
+            "runtime": "node-16.0",
+            "path": "functions/delete-account",
+            "entrypoint": "src/main.js",
+            "ignore": [
+                "node_modules",
+                ".npm"
+            ],
+            "vars": [],
+            "execute": [
+                "users"
+            ],
+            "events": [],
+            "schedule": "",
+            "timeout": 15,
+            "commands": "npm install",
+            "enabled": true,
+            "logging": true,
+            "scopes": [
+                "users.read",
+                "users.write"
+            ]
         }
     ],
     "buckets": [

functions/delete-account/package.json

@@ -0,0 +1,17 @@
+{
+    "name": "delete-account",
+    "version": "1.0.0",
+    "description": "",
+    "main": "src/main.js",
+    "type": "module",
+    "scripts": {
+        "start": "node src/main.js",
+        "format": "prettier --write ."
+    },
+    "dependencies": {
+        "node-appwrite": "^17.0.0"
+    },
+    "devDependencies": {
+        "prettier": "^3.0.0"
+    }
+}

functions/delete-account/src/main.js

@@ -0,0 +1,38 @@
+import { Client, Users } from 'node-appwrite';
+import { throwIfMissing } from './utils.js';
+
+export default async ({ req, res, log, error }) => {
+    throwIfMissing(process.env, ['APPWRITE_API_KEY']);
+
+    // Appwrite automatically sets x-appwrite-user-id when an authenticated
+    // user invokes a function — use this to ensure users can only delete
+    // their own account.
+    const userId = req.headers['x-appwrite-user-id'];
+    if (!userId) {
+        return res.json({ message: 'Unauthorized: no user session found' }, 401);
+    }
+
+    const client = new Client()
+        .setEndpoint(
+            process.env.APPWRITE_ENDPOINT ?? 'https://cloud.appwrite.io/v1'
+        )
+        .setProject(process.env.APPWRITE_FUNCTION_PROJECT_ID)
+        .setKey(process.env.APPWRITE_API_KEY);
+
+    try {
+        log(`Deleting auth account for user: ${userId}`);
+
+        // Hard-delete the Appwrite auth account. This is only possible
+        // server-side via the Users API — the client SDK has no equivalent.
+        // The client-side already handles: profile picture, user doc,
+        // username doc. Appwrite cascade relationships handle: followers, friends.
+        await new Users(client).deleteUser(userId);
+
+        log(`Auth account deleted successfully for user: ${userId}`);
+    } catch (e) {
+        error(String(e));
+        return res.json({ message: String(e) }, 500);
+    }
+
+    return res.json({ message: 'Account permanently deleted' });
+};

functions/delete-account/src/utils.js

@@ -0,0 +1,11 @@
+export const throwIfMissing = (obj, keys) => {
+    const missing = [];
+    for (let key of keys) {
+        if (!(key in obj) || !obj[key]) {
+            missing.push(key);
+        }
+    }
+    if (missing.length > 0) {
+        throw new Error(`Missing required fields: ${missing.join(', ')}`);
+    }
+};