Add soft delete for users with deleted users tab and E2E tests (#815)

### Summary & Motivation

Add soft delete functionality for users, allowing Tenant Owners and
Admins to delete users with the ability to restore them or permanently
purge them. Previously, user deletion was immediate and irreversible.
This feature provides a safety net for accidental deletions and
compliance with data retention requirements.

- Implement soft delete for User aggregate using the `ISoftDeletable`
interface from the shared kernel
- Add API endpoints for managing deleted users:
  - `GET /api/users/deleted` - list deleted users with pagination
  - `POST /api/users/{id}/restore` - restore a soft-deleted user
  - `DELETE /api/users/{id}/purge` - permanently delete a single user
- `POST /api/users/deleted/bulk-purge` - permanently delete multiple
users
- `POST /api/users/deleted/empty-recycle-bin` - purge all deleted users
- Create "Recycle bin" tab on the Users page with restore and purge
functionality, accessible only to Owners and Admins
- Add `SmartDate` component and `useSmartDate` hook for auto-updating
relative time display ("Just now", "5 minutes ago", "2 hours ago"), used
in the Users table for Created and Modified columns
- Simplify `formatDate` utility to use fixed English month names for
consistent formatting across browsers
- Add comprehensive backend tests for soft delete, restore, single
purge, bulk purge, and empty recycle bin operations
- Add test verifying soft-deleted users cannot log in (returns fake
login ID and sends unknown user email)
- Add E2E tests covering the complete soft delete workflow including tab
navigation, restore, and permanent deletion
- Rename `ForceHardDelete` to `ForcePurge` and `MarkForHardDelete` to
`MarkForPurge` in the `ISoftDeletable` interface for consistency
- Improve E2E test reliability and fix back-office tests by dynamically
reading internal email domain from platform-settings.jsonc

### Checklist

- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary

Author: tjementum

application/account-management/Api/Endpoints/UserEndpoints.cs

@@ -46,6 +46,26 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
             => await mediator.Send(command)
         );
 
+        group.MapGet("/deleted", async Task<ApiResult<DeletedUsersResponse>> ([AsParameters] GetDeletedUsersQuery query, IMediator mediator)
+            => await mediator.Send(query)
+        ).Produces<DeletedUsersResponse>();
+
+        group.MapPost("/{id}/restore", async Task<ApiResult> (UserId id, IMediator mediator)
+            => await mediator.Send(new RestoreUserCommand(id))
+        );
+
+        group.MapDelete("/{id}/purge", async Task<ApiResult> (UserId id, IMediator mediator)
+            => await mediator.Send(new PurgeUserCommand(id))
+        );
+
+        group.MapPost("/deleted/bulk-purge", async Task<ApiResult> (BulkPurgeUsersCommand command, IMediator mediator)
+            => await mediator.Send(command)
+        );
+
+        group.MapPost("/deleted/empty-recycle-bin", async Task<ApiResult<int>> (IMediator mediator)
+            => await mediator.Send(new EmptyRecycleBinCommand())
+        ).Produces<int>();
+
         // The following endpoints are for the current user only
         group.MapGet("/me", async Task<ApiResult<CurrentUserResponse>> ([AsParameters] GetUserQuery query, IMediator mediator)
             => await mediator.Send(query)

application/account-management/Core/Database/Migrations/20260103000000_AddUserSoftDeleteAndEmailConstraint.cs

@@ -0,0 +1,25 @@
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+namespace PlatformPlatform.AccountManagement.Database.Migrations;
+
+[DbContext(typeof(AccountManagementDbContext))]
+[Migration("20260103000000_AddUserSoftDeleteAndEmailConstraint")]
+public sealed class AddUserSoftDeleteAndEmailConstraint : Migration
+{
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<DateTimeOffset>(
+            name: "DeletedAt",
+            table: "Users",
+            type: "datetimeoffset",
+            nullable: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Users_TenantId_Email",
+            table: "Users",
+            columns: ["TenantId", "Email"],
+            unique: true,
+            filter: "[DeletedAt] IS NULL");
+    }
+}

application/account-management/Core/Features/TelemetryEvents.cs

@@ -93,6 +93,12 @@ public sealed class UserInvited(UserId userId)
 public sealed class UserLocaleChanged(string fromLocale, string toLocale)
     : TelemetryEvent(("from_locale", fromLocale), ("to_locale", toLocale));
 
+public sealed class UserPurged(UserId userId, UserPurgeReason reason)
+    : TelemetryEvent(("user_id", userId), ("reason", reason));
+
+public sealed class UserRestored(UserId userId)
+    : TelemetryEvent(("user_id", userId));
+
 public sealed class UserRoleChanged(UserId userId, UserRole fromRole, UserRole toRole)
     : TelemetryEvent(("user_id", userId), ("from_role", fromRole), ("to_role", toRole));
 

application/account-management/Core/Features/Users/Commands/BulkDeleteUsers.cs

@@ -49,11 +49,25 @@ public async Task<Result> Handle(BulkDeleteUsersCommand command, CancellationTok
             return Result.NotFound($"Users with ids '{string.Join(", ", missingUserIds.Select(id => id.ToString()))}' not found.");
         }
 
-        userRepository.RemoveRange(usersToDelete);
+        var usersToSoftDelete = usersToDelete.Where(u => u.EmailConfirmed).ToArray();
+        var usersToHardDelete = usersToDelete.Where(u => !u.EmailConfirmed).ToArray();
 
-        foreach (var userId in command.UserIds)
+        if (usersToSoftDelete.Length > 0)
         {
-            events.CollectEvent(new UserDeleted(userId, true));
+            userRepository.RemoveRange(usersToSoftDelete);
+            foreach (var user in usersToSoftDelete)
+            {
+                events.CollectEvent(new UserDeleted(user.Id, true));
+            }
+        }
+
+        if (usersToHardDelete.Length > 0)
+        {
+            userRepository.PermanentlyRemoveRange(usersToHardDelete);
+            foreach (var user in usersToHardDelete)
+            {
+                events.CollectEvent(new UserPurged(user.Id, UserPurgeReason.NeverActivated));
+            }
         }
 
         events.CollectEvent(new UsersBulkDeleted(command.UserIds.Length));

application/account-management/Core/Features/Users/Commands/BulkPurgeUsers.cs

@@ -0,0 +1,53 @@
+using FluentValidation;
+using JetBrains.Annotations;
+using PlatformPlatform.AccountManagement.Features.Users.Domain;
+using PlatformPlatform.SharedKernel.Cqrs;
+using PlatformPlatform.SharedKernel.Domain;
+using PlatformPlatform.SharedKernel.ExecutionContext;
+using PlatformPlatform.SharedKernel.Telemetry;
+
+namespace PlatformPlatform.AccountManagement.Features.Users.Commands;
+
+[PublicAPI]
+public sealed record BulkPurgeUsersCommand(UserId[] UserIds) : ICommand, IRequest<Result>;
+
+public sealed class BulkPurgeUsersValidator : AbstractValidator<BulkPurgeUsersCommand>
+{
+    public BulkPurgeUsersValidator()
+    {
+        RuleFor(x => x.UserIds)
+            .NotEmpty()
+            .WithMessage("At least one user must be selected for deletion.")
+            .Must(ids => ids.Length <= 100)
+            .WithMessage("Cannot delete more than 100 users at once.");
+    }
+}
+
+public sealed class BulkPurgeUsersHandler(IUserRepository userRepository, IExecutionContext executionContext, ITelemetryEventsCollector events)
+    : IRequestHandler<BulkPurgeUsersCommand, Result>
+{
+    public async Task<Result> Handle(BulkPurgeUsersCommand command, CancellationToken cancellationToken)
+    {
+        if (executionContext.UserInfo.Role != nameof(UserRole.Owner))
+        {
+            return Result.Forbidden("Only owners can permanently delete users from the recycle bin.");
+        }
+
+        var deletedUsers = await userRepository.GetDeletedByIdsAsync(command.UserIds, cancellationToken);
+
+        var missingUserIds = command.UserIds.Where(id => !deletedUsers.Select(u => u.Id).Contains(id)).ToArray();
+        if (missingUserIds.Length > 0)
+        {
+            return Result.NotFound($"Deleted users with ids '{string.Join(", ", missingUserIds.Select(id => id.ToString()))}' not found.");
+        }
+
+        userRepository.PermanentlyRemoveRange(deletedUsers);
+
+        foreach (var user in deletedUsers)
+        {
+            events.CollectEvent(new UserPurged(user.Id, UserPurgeReason.BulkUserPurge));
+        }
+
+        return Result.Success();
+    }
+}

application/account-management/Core/Features/Users/Commands/DeclineInvitation.cs

@@ -37,10 +37,10 @@ public async Task<Result> Handle(DeclineInvitationCommand command, CancellationT
         // Calculate how long the invitation existed
         var inviteExistedTimeInMinutes = (int)(timeProvider.GetUtcNow() - user.CreatedAt).TotalMinutes;
 
-        // Delete the user to decline the invitation
-        userRepository.Remove(user);
+        userRepository.PermanentlyRemove(user);
 
         events.CollectEvent(new UserInviteDeclined(user.Id, inviteExistedTimeInMinutes));
+        events.CollectEvent(new UserPurged(user.Id, UserPurgeReason.NeverActivated));
 
         return Result.Success();
     }

application/account-management/Core/Features/Users/Commands/DeleteUser.cs

@@ -25,9 +25,16 @@ public async Task<Result> Handle(DeleteUserCommand command, CancellationToken ca
         var user = await userRepository.GetByIdAsync(command.Id, cancellationToken);
         if (user is null) return Result.NotFound($"User with id '{command.Id}' not found.");
 
-        userRepository.Remove(user);
-
-        events.CollectEvent(new UserDeleted(user.Id));
+        if (user.EmailConfirmed)
+        {
+            userRepository.Remove(user);
+            events.CollectEvent(new UserDeleted(user.Id));
+        }
+        else
+        {
+            userRepository.PermanentlyRemove(user);
+            events.CollectEvent(new UserPurged(user.Id, UserPurgeReason.NeverActivated));
+        }
 
         return Result.Success();
     }

application/account-management/Core/Features/Users/Commands/EmptyRecycleBin.cs

@@ -0,0 +1,38 @@
+using JetBrains.Annotations;
+using PlatformPlatform.AccountManagement.Features.Users.Domain;
+using PlatformPlatform.SharedKernel.Cqrs;
+using PlatformPlatform.SharedKernel.ExecutionContext;
+using PlatformPlatform.SharedKernel.Telemetry;
+
+namespace PlatformPlatform.AccountManagement.Features.Users.Commands;
+
+[PublicAPI]
+public sealed record EmptyRecycleBinCommand : ICommand, IRequest<Result<int>>;
+
+public sealed class EmptyRecycleBinHandler(IUserRepository userRepository, IExecutionContext executionContext, ITelemetryEventsCollector events)
+    : IRequestHandler<EmptyRecycleBinCommand, Result<int>>
+{
+    public async Task<Result<int>> Handle(EmptyRecycleBinCommand command, CancellationToken cancellationToken)
+    {
+        if (executionContext.UserInfo.Role != nameof(UserRole.Owner))
+        {
+            return Result<int>.Forbidden("Only owners can empty the deleted users recycle bin.");
+        }
+
+        var deletedUsers = await userRepository.GetAllDeletedAsync(cancellationToken);
+
+        if (deletedUsers.Length == 0)
+        {
+            return 0;
+        }
+
+        userRepository.PermanentlyRemoveRange(deletedUsers);
+
+        foreach (var user in deletedUsers)
+        {
+            events.CollectEvent(new UserPurged(user.Id, UserPurgeReason.RecycleBinPurge));
+        }
+
+        return deletedUsers.Length;
+    }
+}

application/account-management/Core/Features/Users/Commands/InviteUser.cs

@@ -49,7 +49,13 @@ public async Task<Result> Handle(InviteUserCommand command, CancellationToken ca
 
         if (!await userRepository.IsEmailFreeAsync(command.Email, cancellationToken))
         {
-            return Result.BadRequest($"The user with '{command.Email}' already exists.");
+            var deletedUser = await userRepository.GetDeletedUserByEmailAsync(command.Email, cancellationToken);
+            if (deletedUser is not null)
+            {
+                return Result.BadRequest($"The user '{command.Email}' was previously deleted. Please restore or permanently delete the user before inviting again.");
+            }
+
+            return Result.BadRequest($"The user '{command.Email}' already exists.");
         }
 
         var result = await mediator.Send(

application/account-management/Core/Features/Users/Commands/PurgeUser.cs

@@ -0,0 +1,35 @@
+using JetBrains.Annotations;
+using PlatformPlatform.AccountManagement.Features.Users.Domain;
+using PlatformPlatform.SharedKernel.Cqrs;
+using PlatformPlatform.SharedKernel.Domain;
+using PlatformPlatform.SharedKernel.ExecutionContext;
+using PlatformPlatform.SharedKernel.Telemetry;
+
+namespace PlatformPlatform.AccountManagement.Features.Users.Commands;
+
+[PublicAPI]
+public sealed record PurgeUserCommand(UserId Id) : ICommand, IRequest<Result>;
+
+public sealed class PurgeUserHandler(IUserRepository userRepository, IExecutionContext executionContext, ITelemetryEventsCollector events)
+    : IRequestHandler<PurgeUserCommand, Result>
+{
+    public async Task<Result> Handle(PurgeUserCommand command, CancellationToken cancellationToken)
+    {
+        if (executionContext.UserInfo.Role is not (nameof(UserRole.Owner) or nameof(UserRole.Admin)))
+        {
+            return Result.Forbidden("Only owners and admins can permanently delete users.");
+        }
+
+        var user = await userRepository.GetDeletedByIdAsync(command.Id, cancellationToken);
+        if (user is null)
+        {
+            return Result.NotFound($"Deleted user with id '{command.Id}' not found.");
+        }
+
+        userRepository.PermanentlyRemove(user);
+
+        events.CollectEvent(new UserPurged(user.Id, UserPurgeReason.SingleUserPurge));
+
+        return Result.Success();
+    }
+}