parse-server

Email confirmation on account deletion

Open jaysonng opened this issue 3 years ago • 7 comments

New Feature / Enhancement Checklist

Current Limitation

Currently, when we delete an account from the Parse.User class, there is no email confirmation option.

Feature / Enhancement Description

See: https://community.parseplatform.org/t/docs/2698/16

With Apple requiring automated account deletion on apps by July 2022, it would be good to have a secondary line of defense when we delete User objects from the data before actually going through the deletion process.

Upon calling the account deletion method, much like the built-in resending of verificationEmail or forgot password methods, account deletion too should have a confirmation email.

Example Use Case

  1. User requests his account deletion via app.
  2. Parse-server receives the request.
  3. Parse-server sends out confirmation email to said account.
  4. User checks his email and clicks on confirmation link.
  5. Parse-server deletes the said account.
  6. Developer can have other functions in afterDelete cloudcode to remove other objects that need to be deleted.

Alternatives / Workarounds

none.

3rd Party References

no.

jaysonng avatar Jun 03 '22 09:06 jaysonng

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

It is currently possible to write this feature yourself in Cloud Code. However, it would surely be nice to have such a feature built in. Do you want to open a PR?

mtrezza avatar Jun 03 '22 10:06 mtrezza

It is currently possible to write this feature yourself in Cloud Code. However, it would surely be nice to have such a feature built in. Do you want to open a PR?

I don't know where to start to have this built-in so I can't do a PR right now. If you point me in the right direction on which files to look at I could have a look at it.

Would it be a matter of just modifying the verificationEmail method?

jaysonng avatar Jun 03 '22 15:06 jaysonng

That method would be a good source of inspiration. It has everything you will also need for the new route.

mtrezza avatar Jun 03 '22 16:06 mtrezza

Hi @jaysonng, I quickly went into the code and here is what I found:

Based on the "reset password process", we have 4 main parts to edit:

  • needs to create the delete request handler inside src/Routers/UsersRouter.js with a new specific POST route (like /requestAccountDeletion) and also the sendAccountDeletionEmail function
  • needs to create a simple public page inside /public that shows a confirm and cancel button within a form. The form's action will go to a specific (new) route
  • the confirm deletion route should be inside src/Routers/PagesRouter with POST/GET and the functions. The GET will show the new public pages created, the POST will call the deletion function
  • the deletion function should be inside /src/Controllers/UserController.js where all the user config and actions are accessible

All the new functions can be based on all the similar functions and routes created for passwordReset.

!! This is the first part (parse-server). The next part is parse-sdk: needs to go through the SDK and implement the new Parse.requestAccountDeletion('email') function and handle the responses.

And then here come the specs .... :smile:

Maybe I forgot something......

okobsamoht avatar Aug 08 '22 18:08 okobsamoht

I think we also need an internal token (like with password reset), because:

  • a) The deletion email link needs to expire for security reasons
  • b) The endpoint to confirm the deletion needs to be secured, so that only the specific account can be deleted

mtrezza avatar Aug 08 '22 19:08 mtrezza
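
The token handling described in the comment above (a link that expires, and a confirmation that only works for the account it was issued to), as an added example that is not part of this thread or of parse-server. The `pending` Map, the function names and the one-hour lifetime are assumptions; the actual account deletion is left to the caller.

```javascript
// Added example: not parse-server code. The in-memory Map stands in for
// fields that would be stored with the user record (assumption).
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 60 * 60 * 1000; // constructed value: link valid for 1 hour

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Step 3 of the use case: create the token that goes into the email link.
// Only its hash is stored, so a leaked database does not yield usable links.
function issueDeletionToken(pending, userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("hex");
  pending.set(userId, { hash: sha256(token), expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Step 5: returns true only if the token was issued for this user, has not
// expired, and has not been used. The caller deletes the account on true.
function confirmDeletion(pending, userId, token, now = Date.now()) {
  const entry = pending.get(userId);
  if (!entry || typeof token !== "string") return false;
  if (now > entry.expiresAt) {
    pending.delete(userId); // expired links are discarded
    return false;
  }
  // Both buffers are 32 bytes, so timingSafeEqual never throws here.
  if (!crypto.timingSafeEqual(entry.hash, sha256(token))) return false;
  pending.delete(userId); // single use
  return true;
}

// Constructed walk-through with two hypothetical user ids.
function demo() {
  const pending = new Map();
  const t0 = 1_700_000_000_000;
  const alice = issueDeletionToken(pending, "alice", t0);
  const bob = issueDeletionToken(pending, "bob", t0);
  return {
    wrongAccount: confirmDeletion(pending, "bob", alice, t0 + 1000),
    valid: confirmDeletion(pending, "alice", alice, t0 + 1000),
    replay: confirmDeletion(pending, "alice", alice, t0 + 2000),
    expired: confirmDeletion(pending, "bob", bob, t0 + TOKEN_TTL_MS + 1),
  };
}
console.log(demo());
```
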

Awesome. Thanks for looking into it. I couldn't myself as I'm not versed well in how parse-server works internally. It would take me a lot of time and learning to get this actually working if I were to tackle this myself.

jaysonng avatar Aug 10 '22 09:08 jaysonng