author | Alex Gleason <alex@alexgleason.me> | 2021-12-13 16:15:33 -0500 |
---|---|---|
committer | Alex Gleason <alex@alexgleason.me> | 2021-12-13 17:07:29 -0500 |
commit | 8672ad6b00e1bba59cd6e4f0a09fd26bc6ba6bd6 (patch) | |
tree | 890bd89aee5c21b1fe6106bf33fa2cdb89d2d826 /lib | |
parent | 0b2119d4a791b3623b304b0bab683609d23271d4 (diff) | |
download | pleroma-8672ad6b00e1bba59cd6e4f0a09fd26bc6ba6bd6.tar.gz pleroma-8672ad6b00e1bba59cd6e4f0a09fd26bc6ba6bd6.zip |
TwitterAPI: allow deleting one's own account with request body
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/web/api_spec/operations/twitter_util_operation.ex | 19 | ||||
-rw-r--r-- | lib/pleroma/web/twitter_api/controllers/util_controller.ex | 6 |
2 files changed, 23 insertions, 2 deletions
diff --git a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
index 879b2227e..be45720b1 100644
--- a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
@@ -188,6 +188,7 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
 parameters: [
 Operation.parameter(:password, :query, :string, "Password")
 ],
+ requestBody: request_body("Parameters", delete_account_request(), required: false),
 responses: %{
 200 =>
 Operation.response("Success", "application/json", %Schema{
@@ -234,4 +235,22 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
 responses: %{200 => Operation.response("Web Page", "test/html", %Schema{type: :string})}
 }
 end
+
+ defp delete_account_request do
+ %Schema{
+ title: "AccountDeleteRequest",
+ description: "POST body for deleting one's own account",
+ type: :object,
+ properties: %{
+ password: %Schema{
+ type: :string,
+ description: "The user's own password for confirmation.",
+ format: :password
+ }
+ },
+ example: %{
+ "password" => "prettyp0ony1313"
+ }
+ }
+ end
 end
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index ef43f7682..a4e44efdd 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
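Review bot: The spec still advertises `password` as an ordinary `:query` parameter next to the new `requestBody` in the first hunk, so generated clients and API docs give no hint that the query form is the legacy one. Because a password in the query string can be recorded by access logs and intermediaries, mark it deprecated and say so in its description, e.g. `Operation.parameter(:password, :query, :string, "Password (deprecated: send it in the request body)", deprecated: true)`; check that the OpenApiSpex version in use accepts that option. The `delete_account_request/0` schema added in the second hunk declares no `required` list, which is consistent with `required: false` but means the spec alone never rejects a request that carries no password at all; that check rests entirely on the controller.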
@@ -123,8 +123,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
 end
 end
- def delete_account(%{assigns: %{user: user}} = conn, params) do
- password = params[:password] || ""
+ def delete_account(%{assigns: %{user: user}, body_params: body_params} = conn, params) do
+ # This endpoint can accept a query param or JSON body for backwards-compatibility.
+ # Submitting a JSON body is recommended, so passwords don't end up in server logs.
+ password = body_params[:password] || params[:password] || ""
 case CommonAPI.Utils.confirm_current_password(user, password) do
 {:ok, user} -> |
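Review bot: `body_params[:password]` reads an atom key, which only matches if an earlier plug has cast the body to atom keys; that plug is not visible in this diff, and a plainly parsed JSON body would have string keys, in which case the body password is silently ignored and the lookup falls through to `params[:password]` or `""`. It is worth confirming this with a controller test that sends the password in the JSON body only. The query-string path stays accepted, so older clients keep putting the password where logs can capture it; consider stating the deprecation in the comment, e.g. `# Deprecated: the query param will be removed; send the password in the JSON body.` The body of `delete_account` continues past the end of the hunk.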