CS-64 Add a way to remove the device from the org (#1902)

* feat(app): create alert for removing device

* feat(api): create endpoint for unlinking device

* feat(app): integrate unlink-device endpoint on click of 'Remove Device' menu

* fix(app): hide Remove Device menu if the current user is not an owner

* feat(app): integrate fleet endpoint to delete the hosts

* fix(app): refresh after unlinking device

* fix(app): remove unused variable

---------

Co-authored-by: chasprowebdev <[email protected]>
Co-authored-by: Mariano Fuentes <[email protected]>

Author: 3 people

apps/api/src/lib/fleet.service.ts

@@ -77,4 +77,61 @@ export class FleetService {
       throw new Error('Failed to fetch multiple hosts');
     }
   }
+
+  /**
+   * Remove all hosts from FleetDM that belong to a specific label
+   * @param fleetDmLabelId - The FleetDM label ID
+   * @returns Promise with deletion results
+   */
+  async removeHostsByLabel(fleetDmLabelId: number): Promise<{
+    deletedCount: number;
+    failedCount: number;
+    hostIds: number[];
+  }> {
+    try {
+      // Get all hosts for this label
+      const labelHosts = await this.getHostsByLabel(fleetDmLabelId);
+
+      if (!labelHosts.hosts || labelHosts.hosts.length === 0) {
+        this.logger.log(`No hosts found for label ${fleetDmLabelId}`);
+        return {
+          deletedCount: 0,
+          failedCount: 0,
+          hostIds: [],
+        };
+      }
+
+      // Extract host IDs
+      const hostIds = labelHosts.hosts.map((host: { id: number }) => host.id);
+
+      // Delete each host
+      const deletePromises = hostIds.map(async (hostId: number) => {
+        try {
+          await this.fleetInstance.delete(`/hosts/${hostId}`);
+          this.logger.debug(`Deleted host ${hostId} from FleetDM`);
+          return { success: true, hostId };
+        } catch (error) {
+          this.logger.error(`Failed to delete host ${hostId}:`, error);
+          return { success: false, hostId };
+        }
+      });
+
+      const results = await Promise.all(deletePromises);
+      const deletedCount = results.filter((r) => r.success).length;
+      const failedCount = results.filter((r) => !r.success).length;
+
+      this.logger.log(
+        `Removed hosts from FleetDM for label ${fleetDmLabelId}: ${deletedCount} deleted, ${failedCount} failed`,
+      );
+
+      return {
+        deletedCount,
+        failedCount,
+        hostIds,
+      };
+    } catch (error) {
+      this.logger.error(`Failed to remove hosts for label ${fleetDmLabelId}:`, error);
+      throw new Error(`Failed to remove hosts for label ${fleetDmLabelId}: ${error.message}`);
+    }
+  }
 }

apps/api/src/people/people.controller.ts

@@ -7,6 +7,8 @@ import {
   Body,
   Param,
   UseGuards,
+  HttpCode,
+  HttpStatus,
 } from '@nestjs/common';
 import {
   ApiBody,
@@ -226,4 +228,36 @@ export class PeopleController {
         }),
     };
   }
+
+  @Patch(':id/unlink-device')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation(PEOPLE_OPERATIONS.unlinkDevice)
+  @ApiParam(PEOPLE_PARAMS.memberId)
+  @ApiResponse(UPDATE_MEMBER_RESPONSES[200])
+  @ApiResponse(UPDATE_MEMBER_RESPONSES[400])
+  @ApiResponse(UPDATE_MEMBER_RESPONSES[401])
+  @ApiResponse(UPDATE_MEMBER_RESPONSES[404])
+  @ApiResponse(UPDATE_MEMBER_RESPONSES[500])
+  async unlinkDevice(
+    @Param('id') memberId: string,
+    @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    const updatedMember = await this.peopleService.unlinkDevice(
+      memberId,
+      organizationId,
+    );
+
+    return {
+      ...updatedMember,
+      authType: authContext.authType,
+      ...(authContext.userId &&
+        authContext.userEmail && {
+          authenticatedUser: {
+            id: authContext.userId,
+            email: authContext.userEmail,
+          },
+        }),
+    };
+  }
 }

apps/api/src/people/people.module.ts

@@ -1,12 +1,13 @@
 import { Module } from '@nestjs/common';
 import { AuthModule } from '../auth/auth.module';
+import { FleetService } from '../lib/fleet.service';
 import { PeopleController } from './people.controller';
 import { PeopleService } from './people.service';
 
 @Module({
   imports: [AuthModule],
   controllers: [PeopleController],
-  providers: [PeopleService],
+  providers: [PeopleService, FleetService],
   exports: [PeopleService],
 })
 export class PeopleModule {}

apps/api/src/people/people.service.ts

@@ -4,6 +4,7 @@ import {
   Logger,
   BadRequestException,
 } from '@nestjs/common';
+import { FleetService } from '../lib/fleet.service';
 import type { PeopleResponseDto } from './dto/people-responses.dto';
 import type { CreatePeopleDto } from './dto/create-people.dto';
 import type { UpdatePeopleDto } from './dto/update-people.dto';
@@ -15,6 +16,8 @@ import { MemberQueries } from './utils/member-queries';
 export class PeopleService {
   private readonly logger = new Logger(PeopleService.name);
 
+  constructor(private readonly fleetService: FleetService) {}
+
   async findAllByOrganization(
     organizationId: string,
   ): Promise<PeopleResponseDto[]> {
@@ -273,4 +276,66 @@ export class PeopleService {
       throw new Error(`Failed to delete member: ${error.message}`);
     }
   }
+
+  async unlinkDevice(
+    memberId: string,
+    organizationId: string,
+  ): Promise<PeopleResponseDto> {
+    try {
+      await MemberValidator.validateOrganization(organizationId);
+      const existingMember = await MemberQueries.findByIdInOrganization(
+        memberId,
+        organizationId,
+      );
+
+      if (!existingMember) {
+        throw new NotFoundException(
+          `Member with ID ${memberId} not found in organization ${organizationId}`,
+        );
+      }
+
+      // Remove hosts from FleetDM before unlinking the device
+      if (existingMember.fleetDmLabelId) {
+        try {
+          const removalResult = await this.fleetService.removeHostsByLabel(
+            existingMember.fleetDmLabelId,
+          );
+          this.logger.log(
+            `Removed ${removalResult.deletedCount} host(s) from FleetDM for label ${existingMember.fleetDmLabelId}`,
+          );
+          if (removalResult.failedCount > 0) {
+            this.logger.warn(
+              `Failed to remove ${removalResult.failedCount} host(s) from FleetDM`,
+            );
+          }
+        } catch (fleetError) {
+          // Log FleetDM error but don't fail the entire operation
+          this.logger.error(
+            `Failed to remove hosts from FleetDM for label ${existingMember.fleetDmLabelId}:`,
+            fleetError,
+          );
+          // Continue with unlinking the device even if FleetDM removal fails
+        }
+      }
+
+      const updatedMember = await MemberQueries.unlinkDevice(memberId);
+
+      this.logger.log(
+        `Unlinked device for member: ${updatedMember.user.name} (${memberId})`,
+      );
+      return updatedMember;
+    } catch (error) {
+      if (
+        error instanceof NotFoundException ||
+        error instanceof BadRequestException
+      ) {
+        throw error;
+      }
+      this.logger.error(
+        `Failed to unlink device for member ${memberId} in organization ${organizationId}:`,
+        error,
+      );
+      throw new Error(`Failed to unlink device: ${error.message}`);
+    }
+  }
 }

apps/api/src/people/schemas/people-operations.ts

@@ -31,4 +31,9 @@ export const PEOPLE_OPERATIONS: Record<string, ApiOperationOptions> = {
     description:
       'Permanently removes a member from the organization. This action cannot be undone. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).',
   },
+  unlinkDevice: {
+    summary: 'Unlink device from member',
+    description:
+      'Resets the fleetDmLabelId for a member, effectively unlinking their device from FleetDM. This will disconnect the device from the organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).',
+  },
 };

apps/api/src/people/utils/member-queries.ts

@@ -144,6 +144,19 @@ export class MemberQueries {
     });
   }
 
+  /**
+   * Unlink device by resetting fleetDmLabelId to null
+   */
+  static async unlinkDevice(
+    memberId: string,
+  ): Promise<PeopleResponseDto> {
+    return db.member.update({
+      where: { id: memberId },
+      data: { fleetDmLabelId: null },
+      select: this.MEMBER_SELECT,
+    });
+  }
+
   /**
    * Bulk create members for an organization
    */