Merge pull request #336 from TaloDev/delete-auth

Allow players to delete their Talo auth accounts

Author: tudddorrr

src/docs/player-auth-api.docs.ts

@@ -276,6 +276,27 @@ const PlayerAuthAPIDocs: APIDocs<PlayerAuthAPIService> = {
         }
       }
     ]
+  },
+  delete: {
+    description: 'Delete a player account',
+    params: {
+      headers: {
+        'x-talo-player': 'The ID of the player',
+        'x-talo-alias': 'The ID of the player\'s alias',
+        'x-talo-session': 'The session token'
+      },
+      body: {
+        currentPassword: 'The current password of the player'
+      }
+    },
+    samples: [
+      {
+        title: 'Sample request',
+        sample: {
+          currentPassword: 'password'
+        }
+      }
+    ]
   }
 }
 

src/entities/player-alias.ts

@@ -1,4 +1,4 @@
-import { Cascade, Entity, ManyToOne, PrimaryKey, Property } from '@mikro-orm/mysql'
+import { Cascade, Entity, Filter, ManyToOne, PrimaryKey, Property } from '@mikro-orm/mysql'
 import Player from './player'
 
 export enum PlayerAliasService {
@@ -11,6 +11,7 @@ export enum PlayerAliasService {
 }
 
 @Entity()
+@Filter({ name: 'notAnonymised', cond: { anonymised: false }, default: true })
 export default class PlayerAlias {
   @PrimaryKey()
   id: number
@@ -24,6 +25,9 @@ export default class PlayerAlias {
   @ManyToOne(() => Player, { cascade: [Cascade.REMOVE], eager: true })
   player: Player
 
+  @Property({ default: false })
+  anonymised: boolean
+
   @Property()
   createdAt: Date = new Date()
 

src/entities/player-auth-activity.ts

@@ -15,7 +15,9 @@ export enum PlayerAuthActivityType {
   VERFICIATION_TOGGLED,
   CHANGE_PASSWORD_FAILED,
   CHANGE_EMAIL_FAILED,
-  TOGGLE_VERIFICATION_FAILED
+  TOGGLE_VERIFICATION_FAILED,
+  DELETED_AUTH,
+  DELETE_AUTH_FAILED
 }
 
 @Entity()
@@ -76,6 +78,10 @@ export default class PlayerAuthActivity {
         return `${authAlias.identifier} failed to change their email`
       case PlayerAuthActivityType.TOGGLE_VERIFICATION_FAILED:
         return `${authAlias.identifier} failed to toggle verification`
+      case PlayerAuthActivityType.DELETED_AUTH:
+        return `${authAlias.identifier} deleted their account`
+      case PlayerAuthActivityType.DELETE_AUTH_FAILED:
+        return `${authAlias.identifier} failed to delete their account`
       default:
         return ''
     }

src/migrations/.snapshot-gs_dev.json

@@ -1230,6 +1230,17 @@
           "length": 255,
           "mappedType": "string"
         },
+        "anonymised": {
+          "name": "anonymised",
+          "type": "tinyint(1)",
+          "unsigned": false,
+          "autoincrement": false,
+          "primary": false,
+          "nullable": false,
+          "length": 1,
+          "default": "false",
+          "mappedType": "boolean"
+        },
         "created_at": {
           "name": "created_at",
           "type": "datetime",

src/migrations/20240920121232AddPlayerAliasAnonymisedColumn.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@mikro-orm/migrations'
+
+export class AddPlayerAliasAnonymisedColumn extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql('alter table `player_alias` add `anonymised` tinyint(1) not null default false;')
+  }
+
+  override async down(): Promise<void> {
+    this.addSql('alter table `player_alias` drop column `anonymised`;')
+  }
+
+}

src/migrations/index.ts

@@ -27,6 +27,7 @@ import { AddAPIKeyUpdatedAtColumn } from './20240614122547AddAPIKeyUpdatedAtColu
 import { CreatePlayerAuthTable } from './20240628155142CreatePlayerAuthTable'
 import { CreatePlayerAuthActivityTable } from './20240725183402CreatePlayerAuthActivityTable'
 import { UpdatePlayerAliasServiceColumn } from './20240916213402UpdatePlayerAliasServiceColumn'
+import { AddPlayerAliasAnonymisedColumn } from './20240920121232AddPlayerAliasAnonymisedColumn'
 
 export default [
   {
@@ -144,5 +145,9 @@ export default [
   {
     name: 'UpdatePlayerAliasServiceColumn',
     class: UpdatePlayerAliasServiceColumn
+  },
+  {
+    name: 'AddPlayerAliasAnonymisedColumn',
+    class: AddPlayerAliasAnonymisedColumn
   }
 ]

src/policies/api/player-auth-api.policy.ts

@@ -38,4 +38,8 @@ export default class PlayerAuthAPIPolicy extends Policy {
   async toggleVerification(): Promise<PolicyResponse> {
     return await this.hasScopes([APIKeyScope.READ_PLAYERS, APIKeyScope.WRITE_PLAYERS])
   }
+
+  async delete(): Promise<PolicyResponse> {
+    return await this.hasScopes([APIKeyScope.READ_PLAYERS, APIKeyScope.WRITE_PLAYERS])
+  }
 }

src/services/api/player-auth-api.service.ts

@@ -70,6 +70,12 @@ import { PlayerAuthActivityType } from '../../entities/player-auth-activity'
     path: '/toggle_verification',
     handler: 'toggleVerification',
     docs: PlayerAuthAPIDocs.toggleVerification
+  },
+  {
+    method: 'DELETE',
+    path: '/',
+    handler: 'delete',
+    docs: PlayerAuthAPIDocs.delete
   }
 ])
 export default class PlayerAuthAPIService extends APIService {
@@ -540,4 +546,53 @@ export default class PlayerAuthAPIService extends APIService {
       status: 204
     }
   }
+
+  @Validate({
+    headers: ['x-talo-player', 'x-talo-alias', 'x-talo-session'],
+    body: ['currentPassword']
+  })
+  @HasPermission(PlayerAuthAPIPolicy, 'delete')
+  async delete(req: Request): Promise<Response> {
+    const { currentPassword } = req.body
+    const em: EntityManager = req.ctx.em
+
+    const alias = await em.getRepository(PlayerAlias).findOne(req.ctx.state.currentAliasId, {
+      populate: ['player.auth']
+    })
+
+    const passwordMatches = await bcrypt.compare(currentPassword, alias.player.auth.password)
+    if (!passwordMatches) {
+      createPlayerAuthActivity(req, alias.player, {
+        type: PlayerAuthActivityType.DELETE_AUTH_FAILED,
+        extra: {
+          errorCode: PlayerAuthErrorCode.INVALID_CREDENTIALS
+        }
+      })
+      await em.flush()
+
+      req.ctx.throw(403, {
+        message: 'Current password is incorrect',
+        errorCode: PlayerAuthErrorCode.INVALID_CREDENTIALS
+      })
+    }
+
+    em.remove(alias.player.auth)
+
+    const prevIdentifier = alias.identifier
+    alias.identifier = `anonymised+${Date.now()}`
+    alias.anonymised = true
+
+    createPlayerAuthActivity(req, alias.player, {
+      type: PlayerAuthActivityType.DELETED_AUTH,
+      extra: {
+        identifier: prevIdentifier
+      }
+    })
+
+    await em.flush()
+
+    return {
+      status: 204
+    }
+  }
 }

tests/services/_api/player-auth-api/delete.test.ts

@@ -0,0 +1,123 @@
+import request from 'supertest'
+import { APIKeyScope } from '../../../../src/entities/api-key'
+import createAPIKeyAndToken from '../../../utils/createAPIKeyAndToken'
+import PlayerFactory from '../../../fixtures/PlayerFactory'
+import { EntityManager } from '@mikro-orm/mysql'
+import bcrypt from 'bcrypt'
+import PlayerAuthFactory from '../../../fixtures/PlayerAuthFactory'
+import PlayerAuthActivity, { PlayerAuthActivityType } from '../../../../src/entities/player-auth-activity'
+import PlayerAlias from '../../../../src/entities/player-alias'
+
+describe('Player auth API service - delete', () => {
+  it('should delete the account if the current password is correct', async () => {
+    const [apiKey, token] = await createAPIKeyAndToken([APIKeyScope.READ_PLAYERS, APIKeyScope.WRITE_PLAYERS])
+
+    const player = await new PlayerFactory([apiKey.game]).withTaloAlias().state(async () => ({
+      auth: await new PlayerAuthFactory().state(async () => ({
+        password: await bcrypt.hash('password', 10)
+      })).one()
+    })).one()
+    const alias = player.aliases[0]
+    await (<EntityManager>global.em).persistAndFlush(player)
+
+    const sessionToken = await player.auth.createSession(alias)
+    await (<EntityManager>global.em).flush()
+
+    const prevIdentifier = alias.identifier
+
+    await request(global.app)
+      .delete('/v1/players/auth/')
+      .send({ currentPassword: 'password' })
+      .auth(token, { type: 'bearer' })
+      .set('x-talo-player', player.id)
+      .set('x-talo-alias', String(alias.id))
+      .set('x-talo-session', sessionToken)
+      .expect(204)
+
+
+    expect(await (<EntityManager>global.em).refresh(player.auth)).toBeNull()
+
+    await (<EntityManager>global.em).refresh(player, { populate: ['aliases'] })
+    expect(player.aliases).toHaveLength(0) // anonymous filter
+
+    const anonymisedAlias = await (<EntityManager>global.em).getRepository(PlayerAlias).findOne(alias.id, {
+      filters: {
+        notAnonymised: false
+      },
+      refresh: true
+    })
+    expect(anonymisedAlias.identifier.startsWith('anonymised+')).toBe(true)
+    expect(anonymisedAlias.anonymised).toBe(true)
+
+    const activity = await (<EntityManager>global.em).getRepository(PlayerAuthActivity).findOne({
+      type: PlayerAuthActivityType.DELETED_AUTH,
+      player: player.id,
+      extra: {
+        identifier: prevIdentifier
+      }
+    })
+    expect(activity).not.toBeNull()
+  })
+
+  it('should not delete the account if the current password is incorrect', async () => {
+    const [apiKey, token] = await createAPIKeyAndToken([APIKeyScope.READ_PLAYERS, APIKeyScope.WRITE_PLAYERS])
+
+    const player = await new PlayerFactory([apiKey.game]).withTaloAlias().state(async () => ({
+      auth: await new PlayerAuthFactory().state(async () => ({
+        password: await bcrypt.hash('password', 10)
+      })).one()
+    })).one()
+    const alias = player.aliases[0]
+    await (<EntityManager>global.em).persistAndFlush(player)
+
+    const sessionToken = await player.auth.createSession(alias)
+    await (<EntityManager>global.em).flush()
+
+    const res = await request(global.app)
+      .delete('/v1/players/auth/')
+      .send({ currentPassword: 'wrongpassword' })
+      .auth(token, { type: 'bearer' })
+      .set('x-talo-player', player.id)
+      .set('x-talo-alias', String(alias.id))
+      .set('x-talo-session', sessionToken)
+      .expect(403)
+
+    expect(res.body).toStrictEqual({
+      message: 'Current password is incorrect',
+      errorCode: 'INVALID_CREDENTIALS'
+    })
+
+    await (<EntityManager>global.em).refresh(player.auth)
+    expect(player.auth).not.toBeUndefined()
+
+    const activity = await (<EntityManager>global.em).getRepository(PlayerAuthActivity).findOne({
+      type: PlayerAuthActivityType.DELETE_AUTH_FAILED,
+      player: player.id
+    })
+    expect(activity).not.toBeNull()
+  })
+
+  it('should not delete the account if the api key does not have the correct scopes', async () => {
+    const [apiKey, token] = await createAPIKeyAndToken([])
+
+    const player = await new PlayerFactory([apiKey.game]).withTaloAlias().state(async () => ({
+      auth: await new PlayerAuthFactory().state(async () => ({
+        password: await bcrypt.hash('password', 10)
+      })).one()
+    })).one()
+    const alias = player.aliases[0]
+    await (<EntityManager>global.em).persistAndFlush(player)
+
+    const sessionToken = await player.auth.createSession(alias)
+    await (<EntityManager>global.em).flush()
+
+    await request(global.app)
+      .delete('/v1/players/auth/')
+      .send({ currentPassword: 'password' })
+      .auth(token, { type: 'bearer' })
+      .set('x-talo-player', player.id)
+      .set('x-talo-alias', String(alias.id))
+      .set('x-talo-session', sessionToken)
+      .expect(403)
+  })
+})