Support self-service account deactivation/deletion for users

[hughns]

The self-service account UI should expose a UI to allow a user to delete their own account.

An admin should be able to disable this function if they choose. e.g. if deactivation is handled via an upstream IdP or some other means.

Open questions:

• how do we protect that flow? Send a confirmation by email? How does that work if there is no email attached to the account?
• do we set a grace period to prevent accidental deletions?
• do we send an account deletion notification? -> yes
• what about GDPR erasure?

Relevant design screens:

• Account deletion modal
• Account deletion button

[hughns]

@pmaier1 we need some product input on this, please.

Should the user be required to complete any additional verification step ahead of being able to delete their account? e.g. OTP via email and/or re-authenticate?

Do you want the re-auth requirements to be configurable by the server admin?

[hughns]

@jaywink please can you confirm if this is needed or not for the Element One migration? If not I will change the phase on the issue in the project board.

[jaywink]

@jaywink please can you confirm if this is needed or not for the Element One migration? If not I will change the phase on the issue in the project board.

@hughns This is not a blocker for EO, in fact we would actually want "An admin should be able to disable this function" to exist once MAS supports self-serve account deactivation.

[americanrefugee]

Here is the final design in Figma.

[matrixbot]

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: https://github.com/element-hq/matrix-authentication-service/issues/1876