The basics for client and API

TODO: Change tokens a bit

Author: megoth

default-templates/new-account/index.html

@@ -64,6 +64,16 @@ <h1>Apps</h1>
       </div>
     </div>
   </section>
+  <section class="row">
+    <div class="col-md-12">
+      <h1>Settings</h1>
+      <div class="list-group">
+        <a href="/account/delete/" class="list-group-item">
+          <span class="lead">Delete account</span>
+        </a>
+      </div>
+    </div>
+  </section>
 </div>
 <script src="/common/js/solid-auth-client.bundle.js"></script>
 <script type="text/javascript">

default-views/account/account-deleted.hbs

@@ -0,0 +1,17 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Account Deleted</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <h4>Account Deleted</h4>
+</div>
+<div class="container">
+  <p>Your account has been deleted.</p>
+</div>
+</body>
+</html>

default-views/account/delete-confirm.hbs

@@ -0,0 +1,51 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Delete Account</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <h4>Delete Account</h4>
+</div>
+<div class="container">
+  <form method="post" action="/account/delete/confirm">
+    {{#if error}}
+      <div class="form-group">
+        <div class="row">
+          <div class="col-md-12">
+            <p class="text-danger"><strong>{{error}}</strong></p>
+          </div>
+        </div>
+      </div>
+    {{/if}}
+
+    {{#if validToken}}
+      <p>Beware that this is an irreversible action. All your data that is stored in the POD will be deleted.</p>
+
+      <div class="form-group">
+        <div class="row">
+          <div class="col-md-2">
+            <button type="submit" class="btn btn-danger">Delete account</button>
+          </div>
+        </div>
+
+        <input type="hidden" name="token" value="{{token}}" />
+      </div>
+    {{else}}
+      <div class="form-group">
+        <div class="row">
+          <div class="col-md-12">
+            <div>
+              <strong>Token not valid</strong>
+            </div>
+          </div>
+        </div>
+      </div>
+    {{/if}}
+  </form>
+</div>
+</body>
+</html>

default-views/account/delete.hbs

@@ -0,0 +1,51 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Delete Account</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+  <script></script>
+</head>
+<body>
+<div class="container">
+  <h4>Delete Account</h4>
+</div>
+<div class="container">
+  <form method="post" action="/account/delete">
+    <div class="form-group">
+      {{#if error}}
+        <div class="row">
+          <div class="col-md-12">
+            <p class="text-danger"><strong>{{error}}</strong></p>
+          </div>
+        </div>
+      {{/if}}
+      <div class="row">
+        <div class="col-md-12">
+          {{#if multiuser}}
+            <p>Please enter your account name. A delete account link will be
+              emailed to the address you provided during account registration.</p>
+
+            <label for="username">Account Name:</label>
+            <input type="text" class="form-control" name="username" id="username"
+                   placeholder="alice" />
+          {{else}}
+            <p>A delete account link will be
+              emailed to the address you provided during account registration.</p>
+          {{/if}}
+        </div>
+      </div>
+    </div>
+
+    <div class="form-group">
+      <div class="row">
+        <div class="col-md-2">
+          <button type="submit" class="btn btn-primary">Send Delete Account Link</button>
+        </div>
+      </div>
+    </div>
+  </form>
+</div>
+</body>
+</html>

lib/api/authn/webid-oidc.js

@@ -11,6 +11,8 @@ const { LoginRequest } = require('../../requests/login-request')
 
 const PasswordResetEmailRequest = require('../../requests/password-reset-email-request')
 const PasswordChangeRequest = require('../../requests/password-change-request')
+const DeleteAccountRequest = require('../../requests/delete-account-request')
+const DeleteAccountConfirmRequest = require('../../requests/delete-account-confirm-request')
 
 const {
   AuthCallbackRequest,
@@ -80,6 +82,12 @@ function middleware (oidc) {
   router.get('/account/password/change', PasswordChangeRequest.get)
   router.post('/account/password/change', bodyParser, PasswordChangeRequest.post)
 
+  router.get('/account/delete', DeleteAccountRequest.get)
+  router.post('/account/delete', bodyParser, DeleteAccountRequest.post)
+
+  router.get('/account/delete/confirm', DeleteAccountConfirmRequest.get)
+  router.post('/account/delete/confirm', bodyParser, DeleteAccountConfirmRequest.post)
+
   router.get('/logout', LogoutRequest.handle)
   router.post('/logout', LogoutRequest.handle)
 

lib/models/account-manager.js

@@ -461,6 +461,18 @@ class AccountManager {
     return resetUrl
   }
 
+  /**
+   * Returns a password reset URL (to be emailed to the user upon request)
+   *
+   * @param token {string} One-time-use expiring token, via the TokenService
+   * @param returnToUrl {string}
+   *
+   * @return {string}
+   */
+  getAccountDeleteUrl (token) {
+    return url.resolve(this.host.serverUri, `/account/delete/confirm?token=${token}`)
+  }
+
   /**
    * Parses and returns an account recovery email stored in a user's root .acl
    *
@@ -490,19 +502,37 @@ class AccountManager {
       })
   }
 
-  sendPasswordResetEmail (userAccount, returnToUrl) {
+  verifyEmailDependencies (userAccount) {
+    if (!this.emailService) {
+      throw new Error('Email service is not set up')
+    }
+
+    if (!userAccount.email) {
+      throw new Error('Account recovery email has not been provided')
+    }
+  }
+
+  sendDeleteAccountEmail (userAccount) {
     return Promise.resolve()
-      .then(() => {
-        if (!this.emailService) {
-          throw new Error('Email service is not set up')
-        }
+      .then(() => this.verifyEmailDependencies(userAccount))
+      .then(() => this.generateResetToken(userAccount))
+      .then(resetToken => {
+        const deleteUrl = this.getAccountDeleteUrl(resetToken)
 
-        if (!userAccount.email) {
-          throw new Error('Account recovery email has not been provided')
+        const emailData = {
+          to: userAccount.email,
+          webId: userAccount.webId,
+          deleteUrl: deleteUrl
         }
 
-        return this.generateResetToken(userAccount)
+        return this.emailService.sendWithTemplate('delete-account', emailData)
       })
+  }
+
+  sendPasswordResetEmail (userAccount, returnToUrl) {
+    return Promise.resolve()
+      .then(() => this.verifyEmailDependencies(userAccount))
+      .then(() => this.generateResetToken(userAccount))
       .then(resetToken => {
         let resetUrl = this.passwordResetUrl(resetToken, returnToUrl)
 

lib/requests/delete-account-confirm-request.js

@@ -0,0 +1,171 @@
+'use strict'
+
+const AuthRequest = require('./auth-request')
+const debug = require('./../debug').accounts
+
+class DeleteAccountConfirmRequest extends AuthRequest {
+  /**
+   * @constructor
+   * @param options {Object}
+   * @param options.accountManager {AccountManager}
+   * @param options.userStore {UserStore}
+   * @param options.response {ServerResponse} express response object
+   * @param [options.token] {string} One-time reset password token (from email)
+   */
+  constructor (options) {
+    super(options)
+
+    this.token = options.token
+    this.validToken = false
+  }
+
+  /**
+   * Factory method, returns an initialized instance of DeleteAccountConfirmRequest
+   * from an incoming http request.
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   *
+   * @return {DeleteAccountConfirmRequest}
+   */
+  static fromParams (req, res) {
+    let locals = req.app.locals
+    let accountManager = locals.accountManager
+    let userStore = locals.oidc.users
+
+    let token = this.parseParameter(req, 'token')
+
+    let options = {
+      accountManager,
+      userStore,
+      token,
+      response: res
+    }
+
+    return new DeleteAccountConfirmRequest(options)
+  }
+
+  /**
+   * Handles a Change Password GET request on behalf of a middleware handler.
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   *
+   * @return {Promise}
+   */
+  static get (req, res) {
+    const request = DeleteAccountConfirmRequest.fromParams(req, res)
+
+    return Promise.resolve()
+      .then(() => request.validateToken())
+      .then(() => request.renderForm())
+      .catch(error => request.error(error))
+  }
+
+  /**
+   * Handles a Change Password POST request on behalf of a middleware handler.
+   *
+   * @param req {IncomingRequest}
+   * @param res {ServerResponse}
+   *
+   * @return {Promise}
+   */
+  static post (req, res) {
+    const request = DeleteAccountConfirmRequest.fromParams(req, res)
+
+    return DeleteAccountConfirmRequest.handlePost(request)
+  }
+
+  /**
+   * Performs the 'Change Password' operation, after the user submits the
+   * password change form. Validates the parameters (the one-time token,
+   * the new password), changes the password, and renders the success view.
+   *
+   * @param request {DeleteAccountConfirmRequest}
+   *
+   * @return {Promise}
+   */
+  static handlePost (request) {
+    return Promise.resolve()
+      .then(() => request.validateToken())
+      .then(tokenContents => request.deleteAccount(tokenContents))
+      .then(() => request.renderSuccess())
+      .catch(error => request.error(error))
+  }
+
+  /**
+   * Validates the one-time Password Reset token that was emailed to the user.
+   * If the token service has a valid token saved for the given key, it returns
+   * the token object value (which contains the user's WebID URI, etc).
+   * If no token is saved, returns `false`.
+   *
+   * @return {Promise<Object|false>}
+   */
+  validateToken () {
+    return Promise.resolve()
+      .then(() => {
+        if (!this.token) { return false }
+
+        return this.accountManager.validateResetToken(this.token)
+      })
+      .then(validToken => {
+        if (validToken) {
+          this.validToken = true
+        }
+
+        return validToken
+      })
+      .catch(error => {
+        this.token = null
+        throw error
+      })
+  }
+
+  /**
+   * Changes the password that's saved in the user store.
+   * If the user has no user store entry, it creates one.
+   *
+   * @param tokenContents {Object}
+   * @param tokenContents.webId {string}
+   *
+   * @return {Promise}
+   */
+  deleteAccount (tokenContents) {
+    let user = this.accountManager.userAccountFrom(tokenContents)
+
+    debug('Delete account for user:', user.webId)
+
+    return this.userStore.findUser(user.id)
+      .then(userStoreEntry => {
+        // TODO: @kjetilk delete the user here
+      })
+  }
+
+  /**
+   * Renders the 'change password' form.
+   *
+   * @param [error] {Error} Optional error to display
+   */
+  renderForm (error) {
+    let params = {
+      validToken: this.validToken,
+      token: this.token
+    }
+
+    if (error) {
+      params.error = error.message
+      this.response.status(error.statusCode)
+    }
+
+    this.response.render('account/delete-confirm', params)
+  }
+
+  /**
+   * Displays the 'password has been changed' success view.
+   */
+  renderSuccess () {
+    this.response.render('account/account-deleted')
+  }
+}
+
+module.exports = DeleteAccountConfirmRequest