Handle user delete (#1113)

Implement user deletion across all IDP-ss. Expires all user peers when the user is deleted. Users are permanently removed from a local store, but in IDP, we remove Netbird attributes for the user untilUserDeleteFromIDPEnabled setting is not enabled. To test, an admin user should remove any additional users. Until the UI incorporates this feature, use a curl DELETE request targeting the /users/<USER_ID> management endpoint. Note that this request only removes user attributes and doesn't trigger a delete from the IDP. To enable user removal from the IdP, set UserDeleteFromIDPEnabled to true in account settings. Until we have a UI for this, make this change directly in the store file. Store the deleted email addresses in encrypted in activity store.
2026-04-16 07:16:38 +00:00 · 2023-09-19 20:08:40 +04:00
parent 8febab4076
commit d4b6d7646c
35 changed files with 744 additions and 112 deletions
--- a/management/server/idp/zitadel.go
+++ b/management/server/idp/zitadel.go
@@ -428,7 +428,7 @@ func (zm *ZitadelManager) UpdateUserAppMetadata(userID string, appMetadata AppMe
 		return err
 	}

-	resource := fmt.Sprintf("users/%s/metadata/_bulk", userID)
+	resource := fmt.Sprintf("users/%s", userID)
 	_, err = zm.post(resource, string(payload))
 	if err != nil {
 		return err
@@ -447,6 +447,21 @@ func (zm *ZitadelManager) InviteUserByID(_ string) error {
 	return fmt.Errorf("method InviteUserByID not implemented")
 }

+// DeleteUser from Zitadel
+func (zm *ZitadelManager) DeleteUser(userID string) error {
+	resource := fmt.Sprintf("users/%s", userID)
+	if err := zm.delete(resource); err != nil {
+		return err
+	}
+
+	if zm.appMetrics != nil {
+		zm.appMetrics.IDPMetrics().CountDeleteUser()
+	}
+
+	return nil
+
+}
+
 // getUserMetadata requests user metadata from zitadel via ID.
 func (zm *ZitadelManager) getUserMetadata(userID string) ([]zitadelMetadata, error) {
 	resource := fmt.Sprintf("users/%s/metadata/_search", userID)
@@ -500,6 +515,42 @@ func (zm *ZitadelManager) post(resource string, body string) ([]byte, error) {
 	return io.ReadAll(resp.Body)
 }

+// delete perform Delete requests.
+func (zm *ZitadelManager) delete(resource string) error {
+	jwtToken, err := zm.credentials.Authenticate()
+	if err != nil {
+		return err
+	}
+
+	reqURL := fmt.Sprintf("%s/%s", zm.managementEndpoint, resource)
+	req, err := http.NewRequest(http.MethodDelete, reqURL, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Add("authorization", "Bearer "+jwtToken.AccessToken)
+	req.Header.Add("content-type", "application/json")
+
+	resp, err := zm.httpClient.Do(req)
+	if err != nil {
+		if zm.appMetrics != nil {
+			zm.appMetrics.IDPMetrics().CountRequestError()
+		}
+
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		if zm.appMetrics != nil {
+			zm.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+
+		return fmt.Errorf("unable to delete %s, statusCode %d", reqURL, resp.StatusCode)
+	}
+
+	return nil
+}
+
 // get perform Get requests.
 func (zm *ZitadelManager) get(resource string, q url.Values) ([]byte, error) {
 	jwtToken, err := zm.credentials.Authenticate()