Summary
No way to delete a user. Required for GDPR and for the cascading cleanup that places, devices, and collector will hook into. Contracts#13 lands the event; this issue produces it.
Changes
contracts/proto/auth.proto — add rpc DeleteUser(DeleteUserRequest) returns (google.protobuf.Empty).backend/auth/src/handlers/auth.py — new handler requiring a fresh access token (iat within last 5 min).- New service method that, in a single transaction, removes the
User row, all its RefreshToken rows, and all OtpRequest rows.
- After commit, publish
UserDeleted to auth.user.deleted. Direct publish for now; auth has a single producer path and we accept best-effort delivery until operational pain justifies an outbox.
backend/gateway/src/api/users/ — DELETE /api/users/me.
Blocked by
Blocks
Verification
DELETE /api/users/me with fresh token returns 204.SELECT * FROM users WHERE id = ? in auth_db returns empty; refresh tokens and OTP requests for the user are gone.- A Kafka consumer on
auth.user.deleted receives the message with user_id, email, deleted_at.
Summary
No way to delete a user. Required for GDPR and for the cascading cleanup that places, devices, and collector will hook into. Contracts#13 lands the event; this issue produces it.
Changes
contracts/proto/auth.proto— addrpc DeleteUser(DeleteUserRequest) returns (google.protobuf.Empty).backend/auth/src/handlers/auth.py— new handler requiring a fresh access token (iatwithin last 5 min).Userrow, all itsRefreshTokenrows, and allOtpRequestrows.UserDeletedtoauth.user.deleted. Direct publish for now; auth has a single producer path and we accept best-effort delivery until operational pain justifies an outbox.backend/gateway/src/api/users/—DELETE /api/users/me.Blocked by
Blocks
Verification
DELETE /api/users/mewith fresh token returns 204.SELECT * FROM users WHERE id = ?inauth_dbreturns empty; refresh tokens and OTP requests for the user are gone.auth.user.deletedreceives the message withuser_id,email,deleted_at.