feat: Add team deletion flow for cloud-hosted (#5717)

server/routes/api/events/events.test.ts

@@ -1,9 +1,14 @@
+import env from "@server/env";
 import { buildEvent, buildUser } from "@server/test/factories";
 import { seed, getTestServer } from "@server/test/support";
 
 const server = getTestServer();
 
 describe("#events.list", () => {
+  beforeEach(() => {
+    env.DEPLOYMENT = "hosted";
+  });
+
   it("should only return activity events", async () => {
     const { user, admin, document, collection } = await seed();
     // audit event

server/routes/api/events/events.ts

@@ -42,7 +42,7 @@ router.post(
     }
 
     if (auditLog) {
-      authorize(user, "manage", user.team);
+      authorize(user, "audit", user.team);
       where.name = Event.AUDIT_EVENTS;
     }
 

server/routes/api/fileOperations/fileOperations.ts

@@ -48,7 +48,7 @@ router.post(
       type,
     };
     const team = await Team.findByPk(user.teamId);
-    authorize(user, "manage", team);
+    authorize(user, "update", team);
 
     const [exports, total] = await Promise.all([
       FileOperation.findAll({

server/routes/api/teams/schema.ts

@@ -53,3 +53,11 @@ export const TeamsUpdateSchema = BaseSchema.extend({
 });
 
 export type TeamsUpdateSchemaReq = z.infer<typeof TeamsUpdateSchema>;
+
+export const TeamsDeleteSchema = BaseSchema.extend({
+  body: z.object({
+    code: z.string(),
+  }),
+});
+
+export type TeamsDeleteSchemaReq = z.infer<typeof TeamsDeleteSchema>;

server/routes/api/teams/teams.ts

@@ -1,7 +1,11 @@
 import invariant from "invariant";
 import Router from "koa-router";
 import teamCreator from "@server/commands/teamCreator";
+import teamDestroyer from "@server/commands/teamDestroyer";
 import teamUpdater from "@server/commands/teamUpdater";
+import ConfirmTeamDeleteEmail from "@server/emails/templates/ConfirmTeamDeleteEmail";
+import env from "@server/env";
+import { ValidationError } from "@server/errors";
 import auth from "@server/middlewares/authentication";
 import { rateLimiter } from "@server/middlewares/rateLimiter";
 import { transaction } from "@server/middlewares/transaction";
@@ -11,9 +15,11 @@ import { authorize } from "@server/policies";
 import { presentTeam, presentPolicies } from "@server/presenters";
 import { APIContext } from "@server/types";
 import { RateLimiterStrategy } from "@server/utils/RateLimiter";
+import { safeEqual } from "@server/utils/crypto";
 import * as T from "./schema";
 
 const router = new Router();
+const emailEnabled = !!(env.SMTP_HOST || env.ENVIRONMENT === "development");
 
 router.post(
   "team.update",
@@ -44,6 +50,63 @@ router.post(
   }
 );
 
+router.post(
+  "teams.requestDelete",
+  rateLimiter(RateLimiterStrategy.FivePerHour),
+  auth(),
+  async (ctx: APIContext) => {
+    const { user } = ctx.state.auth;
+    const { team } = user;
+    authorize(user, "delete", team);
+
+    if (emailEnabled) {
+      await new ConfirmTeamDeleteEmail({
+        to: user.email,
+        deleteConfirmationCode: team.getDeleteConfirmationCode(user),
+      }).schedule();
+    }
+
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
+router.post(
+  "teams.delete",
+  rateLimiter(RateLimiterStrategy.TenPerHour),
+  auth(),
+  validate(T.TeamsDeleteSchema),
+  transaction(),
+  async (ctx: APIContext<T.TeamsDeleteSchemaReq>) => {
+    const { auth, transaction } = ctx.state;
+    const { code } = ctx.input.body;
+    const { user } = auth;
+    const { team } = user;
+
+    authorize(user, "delete", team);
+
+    if (emailEnabled) {
+      const deleteConfirmationCode = team.getDeleteConfirmationCode(user);
+
+      if (!safeEqual(code, deleteConfirmationCode)) {
+        throw ValidationError("The confirmation code was incorrect");
+      }
+    }
+
+    await teamDestroyer({
+      team,
+      user,
+      transaction,
+      ip: ctx.request.ip,
+    });
+
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
 router.post(
   "teams.create",
   rateLimiter(RateLimiterStrategy.FivePerHour),

server/routes/api/users/schema.ts

@@ -33,3 +33,12 @@ export const UsersUpdateSchema = BaseSchema.extend({
 });
 
 export type UsersUpdateReq = z.infer<typeof UsersUpdateSchema>;
+
+export const UsersDeleteSchema = BaseSchema.extend({
+  body: z.object({
+    code: z.string().optional(),
+    id: z.string().uuid().optional(),
+  }),
+});
+
+export type UsersDeleteSchemaReq = z.infer<typeof UsersDeleteSchema>;

server/routes/api/users/users.ts

@@ -28,7 +28,6 @@ import {
   assertSort,
   assertPresent,
   assertArray,
-  assertUuid,
 } from "@server/validation";
 import pagination from "../middlewares/pagination";
 import * as T from "./schema";
@@ -449,13 +448,15 @@ router.post(
   "users.delete",
   rateLimiter(RateLimiterStrategy.TenPerHour),
   auth(),
-  async (ctx: APIContext) => {
-    const { id, code = "" } = ctx.request.body;
+  validate(T.UsersDeleteSchema),
+  transaction(),
+  async (ctx: APIContext<T.UsersDeleteSchemaReq>) => {
+    const { transaction } = ctx.state;
+    const { id, code } = ctx.request.body;
     const actor = ctx.state.auth.user;
     let user: User;
 
     if (id) {
-      assertUuid(id, "id must be a UUID");
       user = await User.findByPk(id, {
         rejectOnEmpty: true,
       });
@@ -478,6 +479,7 @@ router.post(
       user,
       actor,
       ip: ctx.request.ip,
+      transaction,
     });
 
     ctx.body = {