PostHog / posthog

🦔 PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host.
https://posthog.com

Extend the endpoint to delete user events #1569

Closed j-ochs closed 4 years ago

j-ochs commented 4 years ago

Is your feature request related to a problem? Please describe.

In order to comply with GDPR, I would like the ability to irreversibly delete all the data on an individual person 30 days after they have closed their account. I have a Rails server on the backend, and a React frontend which is connected to my PostHog instance.

Describe the solution you'd like

The easiest solution for my case would be an HTTP endpoint which can securely execute DELETE requests for an individual person. Alternatively, exposing this functionality from within the PostHog ruby integration could suffice.
Either way, the PostHog User's unique ID and the unique PostHog API key for this PostHog instance will easily be available from the Rails backend by being passed through in a request from the React frontend.

Describe alternatives you've considered

There already exists a JavaScript API which handles this use case: https://github.com/PostHog/posthog/blob/411648a371372d7118006f76a0e37f633f561556/frontend/src/lib/api.js#L77-L95 This is hooked into the "Delete all data on this person" button in the PostHog frontend: https://github.com/PostHog/posthog/blob/411648a371372d7118006f76a0e37f633f561556/frontend/src/lib/utils.js#L236-L242 However, this will not work for my use case since the request needs to be initiated from the Rails backend, and the backend will not have access to the valid CSRF token cookie necessary for the request to resolve. Thanks for reading! Please advise.

timgl commented 4 years ago

@j-ochs Hey, thanks for raising this! You can already do this using a personal API key: https://posthog.com/docs/api/api#authentication. You can then pass that token to the api/person endpoint.

It'd be good to have this more tightly integrated into the various libraries, but this solution should work for now!

j-ochs commented 4 years ago

@timgl thanks for the quick response! Glad to hear this is already possible. I've followed the directions in the docs for getting an API key, and based on the example from the docs I tried a simple curl request like so:

curl -X DELETE --header "Authorization: Bearer <API_KEY>" https://<posthog_base_url>/api/person/<unique_person_id>

However, with this request I get the following response: [screenshot]

Making the request with http instead of https will return a 301 Moved Permanently response.

I'm a bit unsure what I'm missing here - any advice is greatly appreciated!

timgl commented 4 years ago

You need the trailing slash / at the end of the URL I think!

Twixes commented 4 years ago

Yep, sorry for that, we just fixed this annoyance! (#1557)

j-ochs commented 4 years ago

Aha, thanks! Getting closer 🙂 With the trailing slash on that request, I'm now getting this response: {"detail":"Authentication credentials were not provided."} The Authorization header should be sufficient for authentication, yes?

timgl commented 4 years ago

Yes, are you using a personal API key or are you using the write-only key?

j-ochs commented 4 years ago

Ah, that's the issue, I've been using the write-only key. 🤦 Closing this out now - thanks for all the help! Much appreciated.