From e0db8a36203aa37daa38534d2ac8942fc0f73055 Mon Sep 17 00:00:00 2001
From: Tosh Koevoets
Date: Thu, 8 Oct 2020 17:00:34 +0200
Subject: [PATCH 1/2] WIP

---
 src/middleware/site.js | 2 +-
 src/routes/api/user.js | 49 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/src/middleware/site.js b/src/middleware/site.js
index 0ac983e55..1d38a8094 100755
--- a/src/middleware/site.js
+++ b/src/middleware/site.js
@@ -22,7 +22,7 @@ module.exports = function( req, res, next ) {
 const where = { id: siteId }
- db.Site
+ return db.Site
 .findOne({ where })
 .then(function( found ) {
 if (!found) return next(new createError('400', 'Site niet gevonden'));
diff --git a/src/routes/api/user.js b/src/routes/api/user.js
index fde637d7b..7d24e43d1 100644
--- a/src/routes/api/user.js
+++ b/src/routes/api/user.js
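Review bot: Returning the promise from this Express middleware does not change how a failed lookup is handled; Express ignores the return value, so the chain still needs a `.catch(next)` at its end (the rest of the chain is outside the hunk) or a rejected `findOne` leaves the request without a response. On the context line, `createError('400', 'Site niet gevonden')` passes the status as a string; if `createError` is `http-errors`, string arguments are taken as messages and the "not found" response would presumably go out as 500, so `createError(400, 'Site niet gevonden')` would keep the intended status. The enclosing function continues past the hunk.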
@@ -238,9 +238,52 @@ router.route('/:userId(\\d+)')
 // delete idea
 // ---------
- .delete(auth.can('user:delete'))
- .delete(function(req, res, next) {
- req.results
+ .delete(auth.can('User', 'delete'))
+ .delete(async function(req, res, next) {
+ const user = req.results;
+
+ /**
+ * An oauth user can have multiple users in the api, every site has it's own user and right
+ * In case for this oauth user there is only one site user in the API we also delete the oAuth user
+ * Otherwise we keep the oAuth user since it's still needed for the other website
+ */
+ const userForAllSites = await db.User.findAndCountAll({ where: { externalUserId: user.externalUserId } });
+
+ if (userForAllSites.length > 0) {
+ let siteOauthConfig = ( req.site && req.site.config && req.site.config.oauth && req.site.config.oauth['default'] ) || {};
+ let authServerUrl = siteOauthConfig['auth-server-url'] || config.authorization['auth-server-url'];
+ let authUserDeleteUrl = authServerUrl + '/api/admin/user/' + req.results.externalUserId + '/delete';
+ let authClientId = siteOauthConfig['auth-client-id'] || config.authorization['auth-client-id'];
+ let authClientSecret = siteOauthConfig['auth-client-secret'] || config.authorization['auth-client-secret'];
+
+ const apiCredentials = {
+ client_id: authClientId,
+ client_secret: authClientSecret,
+ }
+
+ const options = {
+ method: 'post',
+ hseaders: {
+ 'Content-Type': 'application/json',
+ },
+ mode: 'cors',
+ body: JSON.stringify(Object.assign(apiCredentials, data))
+ }
+
+ await fetch(authUserDeleteUrl, options);
+ }
+
+ /**
+ * Delete all connected arguments, votes and ideas created by the user
+ */
+ await db.Idea.where({ userId: req.results.id }).destroy();
+ await db.Argument.where({ userId: req.results.id }).destroy();
+ await db.Vote.where({ userId: req.results.id }).destroy();
+
+ /**
+ * Make anonymous? Delete posts
+ */
+ return req.results
 .destroy()
 .then(() => {
 res.json({ "user": "deleted" });
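Review bot: Nothing in the new `async` handler turns a rejection into `next(err)`: if `db.User.findAndCountAll`, `fetch` or any of the `destroy` calls throws, the rejection escapes the handler (Express 4 does not catch async rejections) and the request never gets a response, while the trailing `.catch(next)` only covers the final `req.results.destroy()`. The auth-server response is also never inspected, so a refused or failed remote delete still goes on to remove the local user and content and leaves the two systems out of step; `const result = await fetch(...)` in the second patch (`@@ -267,23 +272,25 @@`) has the same gap. Wrapping the body in `try`/`catch` and aborting on `!response.ok` before the local deletes fixes both, and if the project exposes a Sequelize transaction the local deletes would ideally run inside one so a partial failure does not leave ideas and votes gone with the user still present. Using `user` consistently instead of alternating with `req.results` would also read better. The handler chain closes outside the hunk.
```javascript
.delete(async function(req, res, next) {
  const user = req.results;
  try {
    // … unchanged: site-user lookup, oauth config, apiCredentials and options …
    if (userForAllSites.length > 0) {
      const response = await fetch(authUserDeleteUrl, options);
      if (!response.ok) {
        throw new Error(`auth server rejected user delete (status ${response.status})`);
      }
    }
    // … unchanged: Idea/Argument/Vote deletes …
    await user.destroy();
    res.json({ "user": "deleted" });
  } catch (err) {
    next(err);
  }
```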
From 8c5799ecd54a43dfaae9ad2f89c354f775ddd244 Mon Sep 17 00:00:00 2001
From: Tosh Koevoets
Date: Fri, 9 Oct 2020 14:00:41 +0200
Subject: [PATCH 2/2] delete cascade users on api

---
 src/routes/api/user.js | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/routes/api/user.js b/src/routes/api/user.js
index d6ede8a08..4b4312f25 100644
--- a/src/routes/api/user.js
+++ b/src/routes/api/user.js
@@ -9,6 +9,7 @@ const auth = require('../../middleware/sequelize-authorization-middleware');
 const mail = require('../../lib/mail');
 const pagination = require('../../middleware/pagination');
 const {Op} = require('sequelize');
+const fetch = require('node-fetch');
 const router = express.Router({ mergeParams: true });
@@ -252,9 +253,13 @@ router.route('/:userId(\\d+)')
 * In case for this oauth user there is only one site user in the API we also delete the oAuth user
 * Otherwise we keep the oAuth user since it's still needed for the other website
 */
- const userForAllSites = await db.User.findAndCountAll({ where: { externalUserId: user.externalUserId } });
+ const userForAllSites = await db.User.findAll({ where: { externalUserId: user.externalUserId } });
- if (userForAllSites.length > 0) {
+
+ if (userForAllSites.length <= 1) {
+ /*
+ @todo move this calls to oauth to own apiClient
+ */
 let siteOauthConfig = ( req.site && req.site.config && req.site.config.oauth && req.site.config.oauth['default'] ) || {};
 let authServerUrl = siteOauthConfig['auth-server-url'] || config.authorization['auth-server-url'];
 let authUserDeleteUrl = authServerUrl + '/api/admin/user/' + req.results.externalUserId + '/delete';
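Review bot: `const fetch = require('node-fetch');` is added while the commit touches only `src/routes/api/user.js` (diffstat: 1 file changed), so unless `node-fetch` is already a declared dependency the module load fails at startup rather than at request time. Add it to the project's `package.json` dependencies instead of relying on it being present transitively; if it is to be loaded with `require`, the CommonJS 2.x line is the one that supports that.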
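Review bot: `userForAllSites.length <= 1` also holds when `user.externalUserId` is null or undefined: a non-OAuth user then presumably matches every other local-only account (`IS NULL`) or, depending on the Sequelize version, makes `findAll` throw on an undefined `where` value, and when no row matches the code still posts to `/api/admin/user/undefined/delete`. Guard the remote call on the id being present and count rather than loading every matching row: `const siteUserCount = await db.User.count({ where: { externalUserId: user.externalUserId } });` and `if (user.externalUserId && siteUserCount <= 1) {`. The `if` block and the enclosing handler continue past the hunk.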
@@ -267,23 +272,25 @@ router.route('/:userId(\\d+)')
 }
 const options = {
- method: 'post',
- hseaders: {
+ method: 'POST',
+ headers: {
 'Content-Type': 'application/json',
 },
 mode: 'cors',
- body: JSON.stringify(Object.assign(apiCredentials, data))
+ body: JSON.stringify(apiCredentials)
 }
- await fetch(authUserDeleteUrl, options);
+ authUserDeleteUrl = authUserDeleteUrl + '?client_id=' +authClientId +'&client_secret=' + authClientSecret;
+
+ const result = await fetch(authUserDeleteUrl, options);
 }
 /**
 * Delete all connected arguments, votes and ideas created by the user
 */
- await db.Idea.where({ userId: req.results.id }).destroy();
- await db.Argument.where({ userId: req.results.id }).destroy();
- await db.Vote.where({ userId: req.results.id }).destroy();
+ await db.Idea.destroy({where:{ userId: req.results.id }});
+ await db.Argument.destroy({where:{ userId: req.results.id }});
+ await db.Vote.destroy({where:{ userId: req.results.id }});
 /**
 * Make anonymous? Delete posts
@@ -291,7 +298,7 @@ router.route('/:userId(\\d+)')
 return req.results
 .destroy()
 .then(() => {
- res.json({ "user": "deleted" });
+ res.json({ "user": "deleted" });
 })
 .catch(next);
 })
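Review bot: The new line `authUserDeleteUrl = authUserDeleteUrl + '?client_id=' +authClientId +'&client_secret=' + authClientSecret;` puts the client secret into the request URL, which access logs, proxies and error messages record far more readily than a request body; the same credentials are already sent in the JSON body built on `body: JSON.stringify(apiCredentials)`, so the duplication adds exposure without adding function. Drop the query-string line, or if the auth server only reads credentials from the query, move them to an `Authorization` header and keep them out of the URL. `mode: 'cors'` is a browser-only fetch option and is presumably ignored by node-fetch, so it can go as well. The `if` block and the handler continue beyond this hunk.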