Add account deletion feature

Author: codicocodes

package.json

@@ -80,10 +80,15 @@
     "preset": "ts-jest",
     "testEnvironment": "node",
     "transform": {
-      "node_modules/variables/.+\\.(j|t)sx?$": "ts-jest"
+      "node_modules/variables/.+\\.(j|t)sx?$": ["ts-jest", {}],
+      "^.+\\.ts$": ["ts-jest", { "tsconfig": { "module": "commonjs", "preserveValueImports": false } }]
     },
     "transformIgnorePatterns": [
       "node_modules/(?!variables/.*)"
-    ]
+    ],
+    "moduleNameMapper": {
+      "^\\$lib/(.*)$": "<rootDir>/src/lib/$1",
+      "^\\$env/static/public$": "<rootDir>/src/__mocks__/env-public.ts"
+    }
   }
 }

src/__mocks__/env-public.ts

@@ -0,0 +1,2 @@
+export const PUBLIC_ADMIN_USER_GITHUB_ID = '999999';
+export const PUBLIC_MAINTENANCE_ENABLED = 'false';

src/lib/components/DeleteAccountModal.svelte

@@ -0,0 +1,76 @@
+<script lang="ts">
+	export let showModal: boolean;
+	export let username: string;
+	export let onClose: () => void;
+	export let onConfirm: () => Promise<void>;
+
+	let inputValue = '';
+	let loading = false;
+
+	$: canConfirm = inputValue === username && !loading;
+	$: confirmButtonClass = canConfirm
+		? 'border-red-500/60 hover:border-red-400 text-red-400'
+		: 'border-base-700 text-base-600 cursor-not-allowed';
+
+	async function handleConfirm() {
+		loading = true;
+		try {
+			await onConfirm();
+		} finally {
+			loading = false;
+		}
+	}
+
+	function handleClose() {
+		inputValue = '';
+		onClose();
+	}
+</script>
+
+{#if showModal}
+	<div
+		class="fixed inset-0 z-50 flex items-center justify-center bg-black/60"
+		on:click|self={handleClose}
+		on:keydown={(e) => e.key === 'Escape' && handleClose()}
+		role="dialog"
+		aria-modal="true"
+		aria-labelledby="delete-modal-title"
+		tabindex="-1"
+	>
+		<div class="bg-base-900 border border-base-700 rounded-xl p-6 w-full max-w-md flex flex-col gap-4 mx-4">
+			<h2 id="delete-modal-title" class="text-xl font-semibold">Delete your account</h2>
+			<p class="text-base-400 text-sm">
+				This action is <span class="text-white font-semibold">permanent and irreversible</span>.
+				Your profile, configurations, and all associated data will be deleted.
+			</p>
+			<div class="flex flex-col gap-2">
+				<label for="confirm-username" class="text-sm text-base-400">
+					Type <span class="font-mono text-white">{username}</span> to confirm
+				</label>
+				<input
+					id="confirm-username"
+					type="text"
+					bind:value={inputValue}
+					placeholder={username}
+					class="bg-black/30 border border-base-700 rounded-lg px-3 py-2 text-sm font-mono focus:outline-none focus:border-base-400 w-full"
+				/>
+			</div>
+			<div class="flex gap-2 justify-end">
+				<button
+					class="px-4 py-2 rounded-lg border border-base-700 hover:border-base-400 text-sm transition-all"
+					on:click={handleClose}
+					disabled={loading}
+				>
+					Cancel
+				</button>
+				<button
+					class="px-4 py-2 rounded-lg border text-sm transition-all {confirmButtonClass}"
+					on:click={handleConfirm}
+					disabled={!canConfirm}
+				>
+					{loading ? 'Deleting…' : 'Delete account'}
+				</button>
+			</div>
+		</div>
+	</div>
+{/if}

src/lib/server/prisma/users/service.ts

@@ -50,3 +50,7 @@ export async function getUserByUsername(username: string): Promise<User> {
   });
   return user;
 }
+
+export async function deleteUser(userId: number): Promise<void> {
+  await prismaClient.user.delete({ where: { id: userId } });
+}

src/lib/trpc/deleteAccount.spec.ts

@@ -0,0 +1,59 @@
+jest.mock('$lib/server/prisma/users/service', () => ({ deleteUser: jest.fn() }));
+jest.mock('$lib/server/auth/services', () => ({ logout: jest.fn() }));
+jest.mock('$lib/utils', () => ({ isAdmin: jest.fn(() => false) }));
+
+import { t } from './t';
+import { deleteAccount } from './procedures/deleteAccount';
+import { deleteUser } from '$lib/server/prisma/users/service';
+import { logout } from '$lib/server/auth/services';
+import { isAdmin } from '$lib/utils';
+import { makeCaller, mockUser, mockCookies } from './test-utils';
+
+const mockDeleteUser = jest.mocked(deleteUser);
+const mockLogout = jest.mocked(logout);
+const mockIsAdmin = jest.mocked(isAdmin);
+
+const router = t.router({ deleteAccount });
+const createCaller = t.createCallerFactory(router);
+
+beforeEach(() => jest.clearAllMocks());
+
+describe('deleteAccount', () => {
+  it('deletes the authenticated user and clears the session', async () => {
+    await makeCaller(createCaller, mockUser).deleteAccount();
+
+    expect(mockDeleteUser).toHaveBeenCalledTimes(1);
+    expect(mockDeleteUser).toHaveBeenCalledWith(mockUser.id);
+    expect(mockLogout).toHaveBeenCalledWith(mockCookies);
+  });
+
+  it('can only delete the authenticated user — no input means no other target is possible', async () => {
+    const anotherUser = { ...mockUser, id: 999, username: 'anotheruser' };
+
+    await makeCaller(createCaller, anotherUser).deleteAccount();
+
+    expect(mockDeleteUser).toHaveBeenCalledWith(anotherUser.id);
+    expect(mockDeleteUser).not.toHaveBeenCalledWith(mockUser.id);
+    expect(mockLogout).toHaveBeenCalledWith(mockCookies);
+  });
+
+  it('throws UNAUTHORIZED and skips deletion when not authenticated', async () => {
+    await expect(makeCaller(createCaller, null).deleteAccount()).rejects.toMatchObject({
+      code: 'UNAUTHORIZED',
+    });
+
+    expect(mockDeleteUser).not.toHaveBeenCalled();
+    expect(mockLogout).not.toHaveBeenCalled();
+  });
+
+  it('throws FORBIDDEN and skips deletion for admin accounts', async () => {
+    mockIsAdmin.mockReturnValue(true);
+
+    await expect(makeCaller(createCaller, mockUser).deleteAccount()).rejects.toMatchObject({
+      code: 'FORBIDDEN',
+    });
+
+    expect(mockDeleteUser).not.toHaveBeenCalled();
+    expect(mockLogout).not.toHaveBeenCalled();
+  });
+});

src/lib/trpc/procedures/deleteAccount.ts

@@ -0,0 +1,17 @@
+import { TRPCError } from '@trpc/server';
+import { logout } from '$lib/server/auth/services';
+import { deleteUser } from '$lib/server/prisma/users/service';
+import { isAdmin } from '$lib/utils';
+import * as middlewares from '../middlewares/auth';
+import { t } from '../t';
+
+export const deleteAccount = t.procedure
+  .use(middlewares.isAuthenticated)
+  .mutation(async ({ ctx }) => {
+    const user = ctx.getAuthenticatedUser();
+    if (isAdmin(user)) {
+      throw new TRPCError({ code: 'FORBIDDEN', message: 'Admin account cannot be deleted' });
+    }
+    await deleteUser(user.id);
+    logout(ctx.event.cookies);
+  });

src/lib/trpc/router.ts

@@ -1,4 +1,5 @@
 import * as middlewares from './middlewares/auth';
+import { deleteAccount } from './procedures/deleteAccount';
 import { t } from './t';
 import { z } from 'zod';
 import {
@@ -596,6 +597,7 @@ export const router = t.router({
       });
     }),
 
+  deleteAccount,
   getDotfyleStatisitics: t.procedure.query(async () => {
     const installsP = prismaClient.neovimConfigPlugins.count();
     const usersP = prismaClient.user.count();

src/lib/trpc/test-utils.ts

@@ -0,0 +1,29 @@
+import { TRPCError } from '@trpc/server';
+import type { Context } from './context';
+
+type User = Context['user'];
+
+export const mockCookies = {};
+
+export const mockUser = {
+  id: 1,
+  githubId: 12345,
+  username: 'testuser',
+  avatarUrl: 'https://example.com/avatar.png',
+  createdAt: new Date(),
+};
+
+export function makeContext(user: User): Context {
+  return {
+    user,
+    event: { cookies: mockCookies } as Context['event'],
+    getAuthenticatedUser() {
+      if (!user) throw new TRPCError({ code: 'UNAUTHORIZED' });
+      return user;
+    },
+  };
+}
+
+export function makeCaller<T>(createCaller: (ctx: Context) => T, user: User) {
+  return createCaller(makeContext(user));
+}

src/routes/+layout.svelte

@@ -13,6 +13,7 @@
 	import { faDiscord, faGithub, faTwitch } from '@fortawesome/free-brands-svg-icons';
 	import {
 		faBars,
+		faGear,
 		faKeyboard,
 		faPlus,
 		faRss,
@@ -231,6 +232,18 @@
 							Profile</a
 						>
 					</CoolTextOnHover>
+					<CoolTextOnHover>
+						<a
+							on:click={close}
+							href="/settings"
+							class="px-4 py-2 flex gap-2 items-center"
+						>
+							<div class="force-white-text">
+								<Fa icon={faGear} class="text-base-100" />
+							</div>
+							Settings
+						</a>
+					</CoolTextOnHover>
 					<CoolTextOnHover>
 						<button class="px-4 py-2 flex gap-2 items-center" on:click={logout}>
 							<div class="force-white-text">

src/routes/settings/+page.server.ts

@@ -0,0 +1,11 @@
+import { verifyToken } from '$lib/server/auth/services';
+import { redirect } from '@sveltejs/kit';
+import type { PageServerLoad, PageServerLoadEvent } from './$types';
+
+export const load: PageServerLoad = async (event: PageServerLoadEvent) => {
+  const user = verifyToken(event.cookies);
+  if (!user) {
+    throw redirect(302, '/');
+  }
+  return { user };
+};