Skip to content

feat: Implement API to GDPR delete users #3224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Janis4411 wants to merge 1 commit into
base: main
Choose a base branch
from
+83 −0
Draft

feat: Implement API to GDPR delete users #3224

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions app/controllers/api/internal/users/deletions_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# frozen_string_literal: true

module Api
module Internal
module Users
class DeletionsController < ApplicationController
protect_from_forgery with: :exception
before_action :authenticate_request!

def create
UserCleanupJob.perform_later(
params[:user_id]
)

head :ok
end

private

def authenticate_request!
verify_token!
verify_signature!
Comment on lines +21 to +22
Copy link
Copy Markdown

@sentry sentry bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Sequential calls to head :unauthorized in verify_token! and verify_signature! without a return can cause a DoubleRenderError if both checks fail.
Severity: MEDIUM

Suggested Fix

Add an explicit return statement after each head :unauthorized call in both the verify_token! and verify_signature! methods to ensure execution is halted after the response is rendered.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: app/controllers/api/internal/users/deletions_controller.rb#L21-L22

Potential issue: In the `deletions_controller`, the `authenticate_request!` method
sequentially calls `verify_token!` and `verify_signature!`. If a token is invalid,
`verify_token!` calls `head :unauthorized` but does not halt execution. Control then
proceeds to `verify_signature!`. If the signature is also invalid, it too calls `head
:unauthorized`. This second attempt to render a response in the same request cycle
triggers an `ActionController::DoubleRenderError`. This will occur for any API request
that has both an invalid token and an invalid signature.

Did we get this right? 👍 / 👎 to inform future reviews.

end

def verify_token!
token = request.headers['Authorization']&.remove('Bearer ')

unless ActiveSupport::SecurityUtils.secure_compare(
token.to_s,
ENV.fetch('OPENHPI_API_TOKEN')
)
head :unauthorized
return

Check warning on line 33 in app/controllers/api/internal/users/deletions_controller.rb

View workflow job for this annotation

GitHub Actions / lint 

[rubocop] reported by reviewdog 🐶
Redundant `return` detected.

Raw Output:
app/controllers/api/internal/users/deletions_controller.rb:33:13: C: Style/RedundantReturn: Redundant `return` detected.

Check warning on line 33 in app/controllers/api/internal/users/deletions_controller.rb

View workflow job for this annotation

GitHub Actions / lint 

[rubocop] reported by reviewdog 🐶
Redundant `return` detected.

Raw Output:
app/controllers/api/internal/users/deletions_controller.rb:33:13: C: Style/RedundantReturn: Redundant `return` detected.
end
end

def verify_signature!
expected = OpenSSL::HMAC.hexdigest(
'SHA256',
ENV.fetch('OPENHPI_WEBHOOK_SECRET'),
request.raw_post
)

provided = request.headers['X-Signature']

unless ActiveSupport::SecurityUtils.secure_compare(expected, provided.to_s)
head :unauthorized
return

Check warning on line 48 in app/controllers/api/internal/users/deletions_controller.rb

View workflow job for this annotation

GitHub Actions / lint 

[rubocop] reported by reviewdog 🐶
Redundant `return` detected.

Raw Output:
app/controllers/api/internal/users/deletions_controller.rb:48:13: C: Style/RedundantReturn: Redundant `return` detected.

Check warning on line 48 in app/controllers/api/internal/users/deletions_controller.rb

View workflow job for this annotation

GitHub Actions / lint 

[rubocop] reported by reviewdog 🐶
Redundant `return` detected.

Raw Output:
app/controllers/api/internal/users/deletions_controller.rb:48:13: C: Style/RedundantReturn: Redundant `return` detected.
end
end
end
end
end
end
21 changes: 21 additions & 0 deletions app/jobs/user_cleanup_job.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# frozen_string_literal: true

class UserCleanupJob < ApplicationJob
queue_as :default

retry_on StandardError, wait: :exponentially_longer, attempts: 10

def perform(user_id)
cleanup_user_data(user_id)
end

private

def cleanup_user_data(user_id)
user = ExternalUser.find_by(external_id: user_id, consumer_id: 1) # Consumer with ID 1 is openHPI.

if user.present?
user.update(name: 'Deleted User', email: nil)
end
end
end
8 changes: 8 additions & 0 deletions config/routes.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,14 @@
mount ActionCable.server => '/cable'
mount RailsAdmin::Engine => '/rails_admin', as: 'rails_admin'

namespace :api do
namespace :internal do
namespace :users do
post 'deleted', to: 'deletions#create'
end
end
end

# Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500.
# Can be used by load balancers and uptime monitors to verify that the app is live.
get 'up', to: 'rails/health#show', as: :rails_health_check
Expand Down
Loading