Let user remove their account by themselves

[teolemon]

What

• Thanks to @john-gom (see https://github.com/openfoodfacts/openfoodfacts-server/issues/6435), it is now possible to remove the account from the website.
• We have to disable the account deletion forms and help users do it natively.
• It should be instrumented using matomo
• Optional: Small user survey on the causes of deletion (could trigger a custom Matomo event instead of having a survey backend)
• Blocked on https://github.com/openfoodfacts/openfoodfacts-dart/issues/746

Part of

• 1382

[teolemon]

@M123-dev @monsieurtanuki @g123k this one is really useful, since answering manually to deletion requests is a lot of recurring work

[monsieurtanuki]

@teolemon The thing is that I don't think we have such thing as "check that the user is logged in" in off-dart. That would mean anybody could delete any account. In short, I don't have clear thoughts on that issue, and I'm afraid there are tons of potential blunders here.

[teolemon]

What we could do is change the url of the webview to the deletion page on the website @monsieurtanuki This will make the process truly self service, and going native can be done later

[monsieurtanuki]

@teolemon Currently we go to this page:

    final Uri uri = Uri(
        scheme: 'https',
        host: 'blog.openfoodfacts.org',
        pathSegments: <String>[
          'en',
          'account-deletion',
        ],
        queryParameters: <String, String>{
          'your-subject': subject,
          if (userId != null && userId.isEmail)
            'your-mail': userId
          else if (userId != null)
            'your-name': userId
        });

What should the URL be instead?

[teolemon]

https://world.openfoodfacts.org/cgi/user.pl?type=edit&userid=teolemon (replace teolemon by user-id)

[monsieurtanuki]

I land on an "edit your profile" page, in English, and cannot see a "delete" button.

[teolemon]

@alexgarel @stephanegigandet will deploy that soon I believe. It should be live on .net, but I don't see it with my regular account, as opposed to my superadmin one

[monsieurtanuki]

Ping when it's available on .org.

[teolemon]

@monsieurtanuki it is live

[monsieurtanuki]

@teolemon It's not that easy.

If you're not connected before on the website, you land on an obscure "Error" page https://world.openfoodfacts.org/cgi/user.pl?type=edit&userid=teolemon

If I remove the "type=edit" parameter, I land on a "Register" page (with an improbable pessimistic "Delete account" button) https://world.openfoodfacts.org/cgi/user.pl?userid=monsieurtanuki

Is there a URL to the sign in page?

[teolemon]

https://world.openfoodfacts.org/cgi/session.pl

[monsieurtanuki]

@john-gom Just checking: anybody can call /cgi/user.pl and delete anybody, right?

• userid=xxx
• type=delete
• action=process
• delete=on

It would be much safer if you also asked for the password. I mean, in the context you developed (website) it's not very important (already connected), but it is for an API. Correct me if I'm wrong.

[teolemon]

• nope, you can't delete other people @monsieurtanuki :-)
• only admins can potentially do that kind of things (which is somewhat dangerous, since admins are also logged into the app)

[monsieurtanuki]

• nope, you can't delete other people @monsieurtanuki :-)

@teolemon I didn't mean that it was a desired feature: my limited knowledge of perl made me ask that while trying to reverse engineer /cgi/user.pl. As I have also a limited experience of curl there's probably something wrong in my syntax, but if I run the following statement I get a localized html page answer like "Permission denied". Perl/curl help needed!

curl
  -X POST https://fr.openfoodfacts.org/cgi/user.pl -H "Content-Type: application/x-www-form-urlencoded"
  -d "userid=test-del-20230703-1&type=edit&action=process&delete=on&password=test-del-20230703-1"

[john-gom]

You won't be able to call the API directly like that. You would need a session cookie for the user before it would work.

[monsieurtanuki]

Then is that possible only for the website or also for flutter? I don't know how it would work.

[alexgarel]

Sorry, it seems we may have to add an API point !

[monsieurtanuki]

@alexgarel It definitely looks so. We need a "password" parameter, in order to prevent someone to delete accidentally - or on purpose - other accounts.

Maybe it's not even enough, as someone could erase all users in bruteforce attack. I don't know how deleting a user works here:

1. do you send an email and a link to confirm?
2. do you remove the user or just flag it as "deleted", with a possibility to reactivate?

[stephanegigandet]

Users can only delete their own user account. To work, the request needs to be authenticated: either with a session cookie, or with userid + password.

[monsieurtanuki]

@stephanegigandet That's what I tried unsuccessfully with the code I mentioned earlier:

curl
  -X POST https://fr.openfoodfacts.org/cgi/user.pl -H "Content-Type: application/x-www-form-urlencoded"
  -d "userid=test-del-20230703-1&type=edit&action=process&delete=on&password=test-del-20230703-1"

Is there some typo in my request?

[teolemon]

A test is currently being written

https://github.com/openfoodfacts/openfoodfacts-server/pull/8723/files

[teolemon]

my %delete_form = ( name => 'Test', email => 'bob@test.com', password => '', confirm_password => '', delete => 'on', action => 'process', type => 'edit', userid => 'tests' );

[teolemon]

@monsieurtanuki I've successfully deleted the account in two steps from my browser, login in, and then deleting using the url you tried. It seems you can't do both at the same time. Curious how we do other user management operations

[monsieurtanuki]

@monsieurtanuki I've successfully deleted the account in two steps from my browser, login in, and then deleting using the url you tried. It seems you can't do both at the same time. Curious how we do other user management operations

@teolemon Actually we don't have that much methods in off-dart regarding users:

• login / login2, which is a "check password + get email, name and id" method
• register
• resetPassword, that doesn't use the password (sends a "reset password" email from the email or userId)

That said, there's nothing for the moment on the server side that would delete a user in just one command if you're not already connected to the website. Smoothie issue is stalled then.

[monsieurtanuki]

I believe we had this issue specifically for iOS, and we'll soon have the same issue for android:

December 7th, 2023 • User Data policy – Account Deletion requirement ◦ Watch RePlay episode 2 to learn more about the new data deletion policies

[M123-dev]

I've just created https://github.com/openfoodfacts/openfoodfacts-server/issues/8940. Please add any corrections if I am wrong @monsieurtanuki