Add form for users to delete their own accounts

[seanh]

Add a new /account/delete form that allows a user to delete their own account by calling the new user deletion backend (UserDeleteService.delete_user(), https://github.com/hypothesis/h/pull/8700).

This completes the delivery of the "self-service user deletion" feature (PRD, DD).

UI Design Changes

I made some small changes to the design of h's account settings forms in order to accommodate the desired design for the user deletion UI.

Current design of account settings forms

Here's what the https://hypothes.is/account/settings form looks like currently:

If you navigate to the form from your user profile page it gets a Back to your profile page in the bottom-left of the footer:

This link instead reads Back to group overview page if navigated from a group page.

In fact all four account settings pages (Account details, Edit profile, Notifications and Developer) have two versions depending on how you navigate to them--with or without the Back... link in the footer:

The current design is inconsistent

Note that the Back link is sometimes shown below a grey horizontal line (marking the start of the form footer), but sometimes this line is not present:

New design

The design for the user deletion feature (https://github.com/hypothesis/h/issues/8504) calls for a Delete your account button in the bottom-right, beneath the horizontal grey line:

The design failed to account for the Back link that is sometimes present, but it's fairly obvious how this should be accommodated:

I've decided to change the base template shared by all the account settings form so that the Back... link will always be shown beneath a horizontal grey line. This is more consistent and it more clearly separates the Back... link from the form elements:

When there's no back link, and no other footer content to show, then the grey horizontal line marking the start of the footer will not be shown at all (this is the same as on main currently):

Testing

1. Log in as devdata_user: http://localhost:5000/login

2. Click on the gear icon in the top right and select Account details

3. Click on Delete your account in the bottom-right

4. You'll see this form:

   

5. Go to http://localhost:5000/docs/help and create one annotation then reload http://localhost:5000/account/delete and you should see this version of the form:

   

6. Create some more annotations then reload http://localhost:5000/account/delete and you should see this version of the form:

   

7. Finally, there's a version of the form when the oldest and newest annotations were created on different days. To get this, hack the created date of one of your annotations:

   $ make sql
   postgres=# update annotation set created = '1970-01-01' where id = 'a5d...d83';

   Now load http://localhost:5000/account/delete again and you'll see this version of the form:

   

8. Delete some of your annotations then reload http://localhost:5000/account/delete and test that your deleted annotations aren't counted, even if they haven't been purged from the DB yet.

9. If you try to submit the form without entering a password you'll get this error:

   

10. If you try to submit the form with the wrong password you'll get this error:

    

11. If you click the Back to safety link it'll take you back to http://localhost:5000/account/settings

12. Finally, if you enter the correct password and click Delete your account you'll be redirected to this page:

    

    You'll be logged out, including in any other tabs or clients etc that you had open.

    A "purge_user" job will have been added to the job table, and a row will have been added to the user_deletions table.

[marcospri]

Should make devdata mark everything it upserts as deleted=False?

[robertknight]

It looks like a login screen and you only discover that you can click on the fields, clicking the email gives you a "confirm password" field but clicking the password gives you "current, new and confirm password fields. The way it also takes focus until you save/cancel seem very unorthodox, I can see many places I'd like to click that for me should be an implicit "cancel".

I agree. The original design called for something that acted like a modal dialog but didn't have the visual "weight" of one. This was modeled after some other popular web property (I can't remember which) but I would prefer to make this a much more ordinary form. Something like:

Email: {current email} [Change email]
[Change password]

Where [...] indicates a button, and clicking the button would open a modal form.

Aside from behaving unconventionally, this has also been prone to problematic interactions with browser autocomplete and other features.

[seanh]

Should make devdata mark everything it upserts as deleted=False?

I think unfortunately this could produce confusing situations, if devdata changes a user from deleted=True to deleted=False but there's still a "purge_user" for for that user on the job queue. Maybe we could change the job queue to just delete the job is user.deleted is False