Delete own account from the profile page or from admin API with own credentials? #445
-
Not sure if this is on here in some other form, but is it possible for a user who has created a profile to "delete" his own account? I was expecting some sort of function on the profile page. I also tried to call the admin user delete API with a token from the admin credentials, as well as the user's own credentials. This is the self-hosted version of Fief (0.28.8), by the way. Is this possible at all? Thanks in advance and keep up the good work! Shrike71
-
OK... I think I might have figured this one out. I was using the wrong credentials to access the admin API. I created an API token as an admin, and then used that in the bearer to delete the non-admin user. However, what this means is that I have to write an endpoint in my OWN API that references the Fief admin API with the admin token, and then invoke the endpoint with the admin token in the authorization to delete the required user. It seems like an awful lot of power to delegate to a client application. It would end up having admin access to the entire Fief implementation, would it not? Might this not be open to an impersonation attack unless some pretty specific CORS rules were put in place?
-
Indeed, there is currently no self-service endpoint for a user to delete their own account. The main difficulty when removing a user is all the implications that might happen to your own app: what do you do with all the data related to that user? The answer highly depends on your app. My advice would be to, like you suggest, implement an endpoint in your app for this purpose. The logic is up to you but it can be something like:
Regarding calling the Fief Admin API from your backend, there is nothing wrong with that. What you need is to keep the Admin API token safe in your backend (e.g. as environment variable) and have well-defined logic and input validation to make sure the end-user can't abuse it.
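The core of such an app-side endpoint, as an added example (not Fief's code and not part of this thread): the Admin API token comes only from the backend environment, the user id is validated, and the only id ever forwarded to Fief is the caller's own `sub`, so the endpoint cannot be turned into a "delete any user" primitive. It assumes the Admin API deletes a user via `DELETE /admin/api/users/{id}` (check against your Fief version) and that the caller's own access token was already validated by your Fief integration; the function names are mine.

```python
import os
import urllib.request
from uuid import UUID

# Assumed base URL of your self-hosted Fief instance (placeholder, set via env).
FIEF_BASE_URL = os.environ.get("FIEF_BASE_URL", "https://fief.example.com")


class Forbidden(Exception):
    """The caller asked to delete an account that is not their own."""


def own_account_delete_request(authenticated_sub: str, requested_user_id: str,
                               admin_token: str, base_url: str = FIEF_BASE_URL):
    """Build the Admin API call for a self-service deletion.

    `authenticated_sub` is the `sub` claim of the caller's own validated access
    token; `requested_user_id` is whatever the client sent. Both are parsed as
    UUIDs (rejecting path tricks or garbage) and canonicalised before comparing,
    and the request is only built when they refer to the same user.
    """
    try:
        user_id = str(UUID(requested_user_id))
        own_id = str(UUID(authenticated_sub))
    except ValueError:
        raise ValueError("malformed user id")
    if user_id != own_id:
        raise Forbidden("users may only delete their own account")
    # Assumed Admin API route; the admin token never leaves the backend.
    req = urllib.request.Request(f"{base_url}/admin/api/users/{user_id}",
                                 method="DELETE")
    req.add_header("Authorization", f"Bearer {admin_token}")
    return req


def delete_own_account(authenticated_sub: str, requested_user_id: str,
                       send=urllib.request.urlopen) -> int:
    """Endpoint body: read the token from the environment and call Fief.

    `send` is injectable so the call can be exercised without a live server.
    Run your own app-side cleanup of the user's data before calling this.
    """
    token = os.environ.get("FIEF_ADMIN_TOKEN")
    if not token:
        raise RuntimeError("FIEF_ADMIN_TOKEN is not set in the backend environment")
    req = own_account_delete_request(authenticated_sub, requested_user_id, token)
    with send(req) as resp:
        return resp.status
```

A FastAPI route would obtain `authenticated_sub` from the Fief user dependency and pass the client-supplied id as `requested_user_id`; the client never sees the admin token.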