Add admin delete-account flow with yes/no confirmation

2026-02-28 20:06:43 -05:00
parent b0fa040d33
commit 906c320e51
12 changed files with 239 additions and 6 deletions
--- a/client/public/version.js
+++ b/client/public/version.js
@@ -1,5 +1,5 @@
 // Maintainer-controlled web client version.
 // Format: YYYY.MM.DD Rn (example: 2026.02.20 R2)
-window.CHGRID_WEB_VERSION = "2026.02.28 R318";
+window.CHGRID_WEB_VERSION = "2026.02.28 R319";
 // Optional display timezone for timestamps. Falls back to America/Detroit if unset/invalid.
 window.CHGRID_TIME_ZONE = "America/Detroit";
--- a/client/src/main.ts
+++ b/client/src/main.ts
@@ -210,7 +210,8 @@ type AdminUserSummary = {
 type AdminPendingUserMutation =
  | { action: 'set_role'; username: string; role: string }
  | { action: 'ban'; username: string }
-  | { action: 'unban'; username: string };
+  | { action: 'unban'; username: string }
+  | { action: 'delete_account'; username: string };

 type ItemManagementAction = 'delete' | 'transfer';

@@ -332,10 +333,11 @@ let adminRolePermissionIndex = 0;
 let adminRoleDeleteReplacementIndex = 0;
 let adminUsers: AdminUserSummary[] = [];
 let adminUserIndex = 0;
-let adminPendingUserAction: 'set_role' | 'ban' | 'unban' | null = null;
+let adminPendingUserAction: 'set_role' | 'ban' | 'unban' | 'delete_account' | null = null;
 let adminSelectedRoleName = '';
 let adminSelectedUsername = '';
 let adminPendingUserMutation: AdminPendingUserMutation | null = null;
+let adminDeleteConfirmIndex = 0;
 let itemManagementSelectedItemId: string | null = null;
 let itemManagementOptions: ItemManagementOption[] = [];
 let itemManagementOptionIndex = 0;
@@ -1830,6 +1832,16 @@ function handleAdminActionResult(message: Extract<IncomingMessage, { type: 'admi
          adminPendingUserAction = null;
        }
      }
+    } else if (adminPendingUserMutation.action === 'delete_account') {
+      adminUsers = adminUsers.filter((entry) => entry.username !== adminPendingUserMutation.username);
+      if (state.mode === 'adminUserList' && adminPendingUserAction === 'delete_account') {
+        if (adminUsers.length > 0) {
+          adminUserIndex = Math.max(0, Math.min(adminUserIndex, adminUsers.length - 1));
+        } else {
+          state.mode = 'adminMenu';
+          adminPendingUserAction = null;
+        }
+      }
    }
    adminPendingUserMutation = null;
  }
@@ -3029,6 +3041,12 @@ function handleAdminMenuModeInput(code: string, key: string): void {
      adminPendingUserAction = 'unban';
      signaling.send({ type: 'admin_users_list', action: 'unban' });
      updateStatus('Loading users...');
+      return;
+    }
+    if (selected.id === 'delete_account') {
+      adminPendingUserAction = 'delete_account';
+      signaling.send({ type: 'admin_users_list', action: 'delete_account' });
+      updateStatus('Loading users...');
    }
    return;
  }
@@ -3217,6 +3235,13 @@ function handleAdminUserListModeInput(code: string, key: string): void {
      adminPendingUserAction = 'unban';
      return;
    }
+    if (adminPendingUserAction === 'delete_account') {
+      adminDeleteConfirmIndex = 0;
+      state.mode = 'adminUserDeleteConfirm';
+      updateStatus(`Delete account ${selected.username}? ${YES_NO_OPTIONS[adminDeleteConfirmIndex].label}.`);
+      audio.sfxUiBlip();
+      return;
+    }
    return;
  }
  if (control.type === 'cancel') {
@@ -3254,6 +3279,48 @@ function handleAdminUserRoleSelectModeInput(code: string, key: string): void {
  }
 }

+/** Handles yes/no confirmation for delete-account admin flow. */
+function handleAdminUserDeleteConfirmModeInput(code: string, key: string): void {
+  if (!adminSelectedUsername || adminPendingUserAction !== 'delete_account') {
+    state.mode = 'adminUserList';
+    return;
+  }
+  const control = handleYesNoMenuInput(code, key, adminDeleteConfirmIndex);
+  if (control.type === 'move') {
+    adminDeleteConfirmIndex = control.index;
+    updateStatus(`Delete account ${adminSelectedUsername}? ${YES_NO_OPTIONS[adminDeleteConfirmIndex].label}.`);
+    audio.sfxUiBlip();
+    return;
+  }
+  if (control.type === 'cancel') {
+    state.mode = 'adminUserList';
+    const selected = adminUsers[adminUserIndex];
+    if (selected) {
+      updateStatus(`${selected.username}, ${selected.role}, ${selected.status}.`);
+    } else {
+      updateStatus('Select user.');
+    }
+    audio.sfxUiCancel();
+    return;
+  }
+  if (control.type === 'select') {
+    const choice = YES_NO_OPTIONS[adminDeleteConfirmIndex];
+    if (choice.id === 'no') {
+      state.mode = 'adminUserList';
+      const selected = adminUsers[adminUserIndex];
+      if (selected) {
+        updateStatus(`${selected.username}, ${selected.role}, ${selected.status}.`);
+      } else {
+        updateStatus('Select user.');
+      }
+      audio.sfxUiCancel();
+      return;
+    }
+    adminPendingUserMutation = { action: 'delete_account', username: adminSelectedUsername };
+    signaling.send({ type: 'admin_user_delete', username: adminSelectedUsername });
+  }
+}
+
 /** Handles text edit for new-role creation from admin role list. */
 function handleAdminRoleNameEditModeInput(code: string, key: string, ctrlKey: boolean): void {
  const editAction = getEditSessionAction(code);
@@ -3475,6 +3542,7 @@ function setupInputHandlers(): void {
        adminRoleDeleteReplacement: (currentCode, currentKey) => handleAdminRoleDeleteReplacementModeInput(currentCode, currentKey),
        adminUserList: (currentCode, currentKey) => handleAdminUserListModeInput(currentCode, currentKey),
        adminUserRoleSelect: (currentCode, currentKey) => handleAdminUserRoleSelectModeInput(currentCode, currentKey),
+        adminUserDeleteConfirm: (currentCode, currentKey) => handleAdminUserDeleteConfirmModeInput(currentCode, currentKey),
        adminRoleNameEdit: (currentCode, currentKey, currentCtrlKey) =>
          handleAdminRoleNameEditModeInput(currentCode, currentKey, currentCtrlKey),
        itemProperties: (currentCode, currentKey) => itemPropertyEditor.handleItemPropertiesModeInput(currentCode, currentKey),
--- a/client/src/network/protocol.ts
+++ b/client/src/network/protocol.ts
@@ -315,6 +315,7 @@ export const adminActionResultSchema = z.object({
    'user_set_role',
    'user_ban',
    'user_unban',
+    'user_delete',
  ]),
  message: z.string(),
 });
@@ -355,10 +356,11 @@ export type OutgoingMessage =
  | { type: 'admin_role_create'; name: string }
  | { type: 'admin_role_update_permissions'; role: string; permissions: string[] }
  | { type: 'admin_role_delete'; role: string; replacementRole: string }
-  | { type: 'admin_users_list'; action?: 'set_role' | 'ban' | 'unban' }
+  | { type: 'admin_users_list'; action?: 'set_role' | 'ban' | 'unban' | 'delete_account' }
  | { type: 'admin_user_set_role'; username: string; role: string }
  | { type: 'admin_user_ban'; username: string }
  | { type: 'admin_user_unban'; username: string }
+  | { type: 'admin_user_delete'; username: string }
  | { type: 'signal'; targetId: string; sdp?: RTCSessionDescriptionInit; ice?: RTCIceCandidateInit }
  | { type: 'update_position'; x: number; y: number }
  | { type: 'teleport_complete'; x: number; y: number }
--- a/client/src/state/gameState.ts
+++ b/client/src/state/gameState.ts
@@ -48,6 +48,7 @@ export type GameMode =
  | 'adminRoleDeleteReplacement'
  | 'adminUserList'
  | 'adminUserRoleSelect'
+  | 'adminUserDeleteConfirm'
  | 'adminRoleNameEdit'
  | 'pianoUse';

--- a/docs/controls.md
+++ b/docs/controls.md
@@ -96,6 +96,7 @@ Applies to effect select, user/item list modes, item selection, item property li
  - change user role
  - ban user
  - unban user
+  - delete account
 - In admin role management:
  - role list includes role user-counts
  - `Enter` on role opens permission toggles
--- a/docs/protocol-notes.md
+++ b/docs/protocol-notes.md
@@ -18,9 +18,10 @@ This is a behavior guide for packet semantics beyond raw schemas.
 - `admin_role_create`: create role.
 - `admin_role_update_permissions`: replace one role permission set.
 - `admin_role_delete`: delete role with replacement role reassignment.
- `admin_users_list`: request user list for admin actions (`action`: `set_role | ban | unban`).
+- `admin_users_list`: request user list for admin actions (`action`: `set_role | ban | unban | delete_account`).
 - `admin_user_set_role`: set target user role.
 - `admin_user_ban` / `admin_user_unban`: disable/enable user account.
+- `admin_user_delete`: permanently delete target account.
 - `update_position`: client movement intent; server enforces world bounds and movement rate policy.
 - `teleport_complete`: client signals teleport landing; server rebroadcasts spatial landing cue.
 - `update_nickname`: nickname change request (server enforces uniqueness).
@@ -40,6 +41,7 @@ This is a behavior guide for packet semantics beyond raw schemas.
 - `admin_roles_list`: role list response payload.
 - `admin_users_list`: user list response payload.
 - `admin_action_result`: structured result for admin actions.
+  - admin mutations include `user_delete` for account deletion.
 - `welcome`: initial snapshot with users/items plus server UI/world metadata.
 - `signal`: forwarded WebRTC offer/answer/ICE.
 - `update_position`, `update_nickname`, `user_left`: presence updates.
--- a/server/app/auth_service.py
+++ b/server/app/auth_service.py
@@ -438,6 +438,35 @@ class AuthService:
        self._db_commit()
        return normalized_username

+    def delete_user(self, target_username: str, *, actor_user_id: str | None = None) -> str:
+        """Delete one account and related session/state rows."""
+
+        normalized_username = self._normalize_username(target_username)
+        user_row = self._db_fetchone(
+            """
+            SELECT u.id, u.status, r.name AS role_name
+            FROM users u
+            JOIN roles r ON r.id = u.role_id
+            WHERE u.username = ?
+            """,
+            (normalized_username,),
+        )
+        if user_row is None:
+            raise AuthError("User not found.")
+        user_id = int(user_row["id"])
+        current_status = str(user_row["status"])
+        current_role = str(user_row["role_name"])
+        if current_role == "admin" and current_status == "active" and self._active_admin_count() <= 1:
+            raise AuthError("Cannot delete the last active admin.")
+        if actor_user_id is not None and str(user_id) == str(actor_user_id):
+            if current_role == "admin" and current_status == "active" and self._active_admin_count() <= 1:
+                raise AuthError("Cannot delete your own account while you are the last active admin.")
+        self._db_execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
+        self._db_execute("DELETE FROM user_state WHERE user_id = ?", (user_id,))
+        self._db_execute("DELETE FROM users WHERE id = ?", (user_id,))
+        self._db_commit()
+        return normalized_username
+
    def get_user_by_id(self, user_id: str) -> AuthUser | None:
        """Return one user by id with current role and permissions."""

--- a/server/app/models.py
+++ b/server/app/models.py
@@ -86,7 +86,7 @@ class AdminRoleDeletePacket(BasePacket):

 class AdminUsersListPacket(BasePacket):
    type: Literal["admin_users_list"]
-    action: Literal["set_role", "ban", "unban"] | None = None
+    action: Literal["set_role", "ban", "unban", "delete_account"] | None = None


 class AdminUserSetRolePacket(BasePacket):
@@ -105,6 +105,11 @@ class AdminUserUnbanPacket(BasePacket):
    username: str = Field(min_length=1, max_length=128)


+class AdminUserDeletePacket(BasePacket):
+    type: Literal["admin_user_delete"]
+    username: str = Field(min_length=1, max_length=128)
+
+
 class PingPacket(BasePacket):
    type: Literal["ping"]
    clientSentAt: int
@@ -187,6 +192,7 @@ ClientPacket = (
    | AdminUserSetRolePacket
    | AdminUserBanPacket
    | AdminUserUnbanPacket
+    | AdminUserDeletePacket
    | PingPacket
    | ItemAddPacket
    | ItemPickupPacket
@@ -449,5 +455,6 @@ class AdminActionResultPacket(BasePacket):
        "user_set_role",
        "user_ban",
        "user_unban",
+        "user_delete",
    ]
    message: str
--- a/server/app/server.py
+++ b/server/app/server.py
@@ -63,6 +63,7 @@ from .models import (
    AdminRolesListPacket,
    AdminRolesListResultPacket,
    AdminUserBanPacket,
+    AdminUserDeletePacket,
    AdminUserSetRolePacket,
    AdminUserUnbanPacket,
    AdminUsersListPacket,
@@ -133,6 +134,7 @@ ADMIN_MENU_ACTION_DEFINITIONS: tuple[dict[str, str], ...] = (
    {"id": "change_user_role", "label": "Change user role", "permission": "user.change_role"},
    {"id": "ban_user", "label": "Ban user", "permission": "user.ban_unban"},
    {"id": "unban_user", "label": "Unban user", "permission": "user.ban_unban"},
+    {"id": "delete_account", "label": "Delete account", "permission": "account.delete.any"},
 )


@@ -1671,6 +1673,7 @@ class SignalingServer:
            "user_set_role",
            "user_ban",
            "user_unban",
+            "user_delete",
        ],
        message: str,
    ) -> None:
@@ -1831,6 +1834,7 @@ class SignalingServer:
                AdminUserSetRolePacket,
                AdminUserBanPacket,
                AdminUserUnbanPacket,
+                AdminUserDeletePacket,
            ),
        ):
            return False
@@ -1861,6 +1865,7 @@ class SignalingServer:
            if not (
                self._client_has_permission(client, "user.change_role")
                or self._client_has_permission(client, "user.ban_unban")
+                or self._client_has_permission(client, "account.delete.any")
            ):
                await deny("user_set_role", "Not authorized.")
                return True
@@ -2012,6 +2017,34 @@ class SignalingServer:
            )
            return True

+        if isinstance(packet, AdminUserDeletePacket):
+            if not self._client_has_permission(client, "account.delete.any"):
+                await deny("user_delete", "Not authorized.")
+                return True
+            target_id = self.auth_service.get_user_id_by_username(packet.username)
+            try:
+                username = self.auth_service.delete_user(packet.username, actor_user_id=client.user_id)
+            except AuthError as exc:
+                await deny("user_delete", str(exc))
+                return True
+            if target_id:
+                for active in list(self.clients.values()):
+                    if active.user_id != target_id:
+                        continue
+                    await self._send(
+                        active.websocket,
+                        AuthResultPacket(type="auth_result", ok=False, message="Account deleted."),
+                    )
+                    await active.websocket.close()
+            LOGGER.info("user deleted actor=%s target=%s", client.user_id, username)
+            await self._send_admin_action_result(
+                client,
+                ok=True,
+                action="user_delete",
+                message=f"Deleted account {username}.",
+            )
+            return True
+
        return True

    async def _handle_message(self, client: ClientConnection, raw_message: str) -> None:
--- a/server/tests/test_auth_service.py
+++ b/server/tests/test_auth_service.py
@@ -87,3 +87,15 @@ def test_update_role_permissions_rejects_admin(tmp_path: Path) -> None:
            service.update_role_permissions("admin", ["chat.send"])
    finally:
        service.close()
+
+
+def test_delete_user_removes_account(tmp_path: Path) -> None:
+    service = make_auth_service(tmp_path)
+    try:
+        service.register("alpha", "password99")
+        deleted = service.delete_user("alpha")
+        assert deleted == "alpha"
+        with pytest.raises(AuthError):
+            service.login("alpha", "password99")
+    finally:
+        service.close()
--- a/server/tests/test_models.py
+++ b/server/tests/test_models.py
@@ -36,3 +36,9 @@ def test_item_transfer_packet_validates() -> None:
    adapter = TypeAdapter(ClientPacket)
    packet = adapter.validate_python({"type": "item_transfer", "itemId": "i1", "targetId": "u2"})
    assert packet.type == "item_transfer"
+
+
+def test_admin_user_delete_packet_validates() -> None:
+    adapter = TypeAdapter(ClientPacket)
+    packet = adapter.validate_python({"type": "admin_user_delete", "username": "alpha"})
+    assert packet.type == "admin_user_delete"
--- a/server/tests/test_server_message_handling.py
+++ b/server/tests/test_server_message_handling.py
@@ -435,6 +435,78 @@ async def test_item_transfer_rejects_when_not_authorized(monkeypatch: pytest.Mon
    assert "not authorized" in result.message.lower()


+@pytest.mark.asyncio
+async def test_admin_user_delete_requires_permission(monkeypatch: pytest.MonkeyPatch) -> None:
+    server = SignalingServer("127.0.0.1", 8765, None, None)
+    ws = _fake_ws()
+    client = ClientConnection(
+        websocket=ws,
+        id="u1",
+        nickname="Tester",
+        authenticated=True,
+        user_id="1",
+        username="tester",
+        permissions={"user.ban_unban"},
+    )
+    server.clients[ws] = client
+
+    send_payloads: list[object] = []
+
+    async def fake_send(websocket: ServerConnection, packet: object) -> None:
+        send_payloads.append(packet)
+
+    monkeypatch.setattr(server, "_send", fake_send)
+
+    await server._handle_message(client, json.dumps({"type": "admin_user_delete", "username": "alpha"}))
+
+    assert send_payloads
+    packet = send_payloads[-1]
+    assert getattr(packet, "type", "") == "admin_action_result"
+    assert packet.ok is False
+    assert packet.action == "user_delete"
+    assert "not authorized" in packet.message.lower()
+
+
+@pytest.mark.asyncio
+async def test_admin_user_delete_calls_auth_service(monkeypatch: pytest.MonkeyPatch) -> None:
+    server = SignalingServer("127.0.0.1", 8765, None, None)
+    ws = _fake_ws()
+    client = ClientConnection(
+        websocket=ws,
+        id="u1",
+        nickname="Tester",
+        authenticated=True,
+        user_id="1",
+        username="tester",
+        permissions={"account.delete.any"},
+    )
+    server.clients[ws] = client
+
+    send_payloads: list[object] = []
+    calls: list[tuple[str, str | None]] = []
+
+    async def fake_send(websocket: ServerConnection, packet: object) -> None:
+        send_payloads.append(packet)
+
+    monkeypatch.setattr(server, "_send", fake_send)
+    monkeypatch.setattr(server.auth_service, "get_user_id_by_username", lambda _username: None)
+
+    def fake_delete_user(username: str, *, actor_user_id: str | None = None) -> str:
+        calls.append((username, actor_user_id))
+        return username
+
+    monkeypatch.setattr(server.auth_service, "delete_user", fake_delete_user)
+
+    await server._handle_message(client, json.dumps({"type": "admin_user_delete", "username": "alpha"}))
+
+    assert calls == [("alpha", "1")]
+    assert send_payloads
+    packet = send_payloads[-1]
+    assert getattr(packet, "type", "") == "admin_action_result"
+    assert packet.ok is True
+    assert packet.action == "user_delete"
+
+
@pytest.mark.asyncio
 async def test_broadcast_fanout_is_concurrent(monkeypatch: pytest.MonkeyPatch) -> None:
    server = SignalingServer("127.0.0.1", 8765, None, None)