added account deletion functionality, fixes #33

.gitignore

@@ -2,3 +2,4 @@ __pycache__
 config.json
 planning.txt
 *.pyc
+/debug

app/blacklist.json

@@ -13,5 +13,6 @@
 	"pl.765racing.com",
 	"yorishiro.space",
 	"pl.smuglo.li",
-	"albin.social"
+	"albin.social",
+	"social.sunshinegardens.org"
 ]

app/templates/close_account.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<title>FediBooks</title>
+	{% include 'imports.html' %}
+</head>
+
+<body>
+	<div class="container centred">
+		<h1 class="thin centred">Close your FediBooks account</h1>
+	</div>
+
+	{% include 'error.html' %}
+	
+	<div class="container centred">
+		<form method='POST'>
+			<h2>
+				<i class="fas fa-user-slash" style="font-size:3em;"></i>
+			</h2>
+			<div class="container centred">
+				<p>Are you sure you want to <strong>permanently</strong> delete your account?</p>
+				<p>All of your FediBooks bots will stop working, but their accounts will remain open. You can delete them manually or repurpose them for something else.</p>
+				<p>If you're sure you want to delete your account, enter your password below and click "Close my account".</p>
+				<p>
+					<input type="password" name="password" placeholder="Password">
+				</p>
+				<a class="button btn-secondary" href="/"><i class="fas fa-times"></i> Cancel</a>
+				<button class="button btn-dangerous"><i class="fas fa-trash"></i> Close my account</button>
+			</div>
+		</form>
+	</div>
+
+	{% include 'footer.html' %}
+</body>
+</html>

app/templates/settings.html

@@ -18,7 +18,7 @@
 		<form method="POST" class="full-width">
 			<div class="container light">
 				<h2 class="thin centred">Login settings</h2>
-				<p class="centred">Update your email and password here.</p>
+				<p class="centred">Update your email and password here, or close your account.</p>
 			</div>
 
 			<div class="row">
@@ -29,6 +29,10 @@
 				<label for="password" class="large">Password</label>
 				<input type="password" name="password"pattern=".{8,}" placeholder="Unchanged">
 			</div>
+			<div class="row">
+				<label for="delete" class="large">Delete account</label>
+				<a name="delete" class="button btn-dangerous" href="/delete"><i class="fas fa-trash"></i> Close account</a>
+			</div>
 
 			<div class="container light">
 				<h2 class="thin centred">Contact settings</h2>
@@ -73,10 +77,10 @@
 			</div>
 
 			<div class="container centred">
-					<button class="button btn-primary"><i class="fas fa-save"></i> Save</button>
+				<button class="button btn-primary"><i class="fas fa-save"></i> Save</button>
-					<a href="/" class="button btn-secondary"><i class="fas fa-times"></i> Cancel</a>
+				<a href="/" class="button btn-secondary"><i class="fas fa-times"></i> Cancel</a>
-					<a href="/help/settings" target="_blank" class="button btn-secondary"><i class="fas fa-question"></i> Help</a>
+				<a href="/help/settings" target="_blank" class="button btn-secondary"><i class="fas fa-question"></i> Help</a>
-				</div>
+			</div>
 		</form>
 	</div>
 

app/webui.py

@@ -61,6 +61,59 @@ def show_signup_page():
 def render_settings():
 	return settings(mysql)
 
+@app.route("/delete", methods=['GET', 'POST'])
+def render_delete():
+	if request.method == 'GET':
+		return render_template("close_account.html", error = session.pop('error', None))
+	else:
+		# deletion logic
+			pw_hashed = hashlib.sha256(request.form['password'].encode('utf-8')).digest().replace(b"\0", b"\1")
+			c = mysql.connection.cursor(MySQLdb.cursors.DictCursor)
+			c.execute("SELECT * FROM users WHERE id = %s", (session['user_id'],))
+			data = c.fetchone()
+			c.close()
+			if data == None:
+				# should never happen ;)
+				session['error'] = "An unknown error occurred."
+				return redirect(url_for("render_delete"), 303)
+			
+			if bcrypt.checkpw(pw_hashed, data['password']):
+				# passwords match, delete the account
+				session['error'] = "succ ess"
+				c = mysql.connection.cursor()
+				c.execute("SELECT credentials_id FROM bots WHERE user_id = %s", (session['user_id'],))
+				credentials_list = c.fetchall()
+				for credentials_id in credentials_list:
+					c.execute("SELECT client_id, client_secret, secret FROM credentials WHERE id = %s", (credentials_id,))
+					# TODO: maybe schedule the push deletions on a cron job or something, if the user has a lot of accounts (or they're on slow instances) this could take a while or even time out
+					credentials = c.fetchone()
+					try:
+						client = Mastodon(
+							credentials[0],
+							credentials[1],
+							credentials[2],
+							"https://{}".format(id.split("@")[2])
+						)
+						client.push_subscription_delete()
+					except:
+						# if it fails, don't prevent the user from deleting their account
+						# TODO: maybe notify that some accounts failed to unregister push
+						pass
+					c.execute("DELETE FROM `credentials` WHERE `id` = %s", (credentials_id,))
+
+				# the big boy step
+				c.execute("DELETE FROM users WHERE id = %s", (session['user_id'],))
+
+				c.close()
+				mysql.connection.commit()
+				
+				# TODO: show a "deletion successful" message or something
+				return redirect(url_for("do_signout"), 303)
+
+			else:
+				session['error'] = "Password incorrect."
+				return redirect(url_for("render_delete"), 303)
+
 @app.route("/bot/edit/<id>", methods = ['GET', 'POST'])
 def render_bot_edit(id):
 	return bot_edit(id, mysql)
@@ -287,7 +340,8 @@ def do_login():
 
 @app.route("/issue/bug")
 def report_bug():
-	return render_template("report_bug.html")
+	# return render_template("report_bug.html")
+	return render_template("coming_soon.html")
 
 @app.route("/help/settings")
 def help_settings():