From e9500463bfcabc22cb25b63a9c8287851a38dbf1 Mon Sep 17 00:00:00 2001
From: gbuomprisco
Date: Tue, 8 Oct 2024 00:37:35 +0200
Subject: [PATCH] Enforce deletion environment variables server side; added logging
---
 .../personal-accounts-server-actions.ts | 21 +++++++++++++++
 .../delete-team-account-server-actions.ts | 26 ++++++++++++++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/packages/features/accounts/src/server/personal-accounts-server-actions.ts b/packages/features/accounts/src/server/personal-accounts-server-actions.ts
index ec63d4262..4a964d293 100644
--- a/packages/features/accounts/src/server/personal-accounts-server-actions.ts
+++ b/packages/features/accounts/src/server/personal-accounts-server-actions.ts
@@ -6,6 +6,7 @@ import { redirect } from 'next/navigation';
 import { z } from 'zod';
 import { enhanceAction } from '@kit/next/actions';
+import { getLogger } from '@kit/shared/logger';
 import { getSupabaseServerAdminClient } from '@kit/supabase/server-admin-client';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';
@@ -14,6 +15,9 @@ import { createDeletePersonalAccountService } from './services/delete-personal-a
 const emailSettings = getEmailSettingsFromEnvironment();
+const enableAccountDeletion =
+ process.env.NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_DELETION === 'true';
+
 export async function refreshAuthSession() {
 const client = getSupabaseServerClient();
@@ -24,6 +28,8 @@ export async function refreshAuthSession() {
 export const deletePersonalAccountAction = enhanceAction(
 async (formData: FormData, user) => {
+ const logger = await getLogger();
+
 // validate the form data
 const { success } = DeletePersonalAccountSchema.safeParse(
 Object.fromEntries(formData.entries()),
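Review bot: `enableAccountDeletion` is computed once at module scope from a `NEXT_PUBLIC_`-prefixed variable, and nothing at the declaration says that this constant is now the server-side enforcement point for a destructive action. Next.js generally inlines `NEXT_PUBLIC_*` values at build time, so changing the variable on a running deployment will probably not disable deletion until the app is rebuilt. The comparison does fail closed, since anything other than the exact string `'true'` leaves deletion disabled. I would record both facts above the constant, for example `// Server-side gate for account deletion: read once at module load, fail-closed; NEXT_PUBLIC_* is fixed at build time, so changing it needs a rebuild.` The same applies to `enableTeamAccountDeletion` in delete-team-account-server-actions.ts.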
@@ -33,6 +39,19 @@ export const deletePersonalAccountAction = enhanceAction(
 throw new Error('Invalid form data');
 }
+ const ctx = {
+ name: 'account.delete',
+ userId: user.id,
+ };
+
+ if (!enableAccountDeletion) {
+ logger.warn(ctx, `Account deletion is not enabled`);
+
+ throw new Error('Account deletion is not enabled');
+ }
+
+ logger.info(ctx, `Deleting account...`);
+
 const client = getSupabaseServerClient();
 // create a new instance of the personal accounts service
@@ -49,6 +68,8 @@ export const deletePersonalAccountAction = enhanceAction(
 emailSettings,
 });
+ logger.info(ctx, `Account request successfully sent`);
+
 // clear the cache for all pages
 revalidatePath('/', 'layout');
diff --git a/packages/features/team-accounts/src/server/actions/delete-team-account-server-actions.ts b/packages/features/team-accounts/src/server/actions/delete-team-account-server-actions.ts
index 93d44f2d8..3cef74e86 100644
--- a/packages/features/team-accounts/src/server/actions/delete-team-account-server-actions.ts
+++ b/packages/features/team-accounts/src/server/actions/delete-team-account-server-actions.ts
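Review bot: Only the success path of the deletion is logged: `logger.info(ctx, ...)` in the `@@ -49,6 +68,8 @@` hunk runs after the service call, so if that call rejects, the trail for this `ctx` stops at `Deleting account...` with no recorded outcome. The call itself sits between the two hunks and is not visible here, so the service may already log its own errors. If it does not, wrap just that call in `try`/`catch`, emit `logger.error({ ...ctx, error }, 'Failed to delete account');` in the handler, and rethrow. The message `Account request successfully sent` would also be easier to find in a log search as `Account deletion request successfully sent`. The team action in delete-team-account-server-actions.ts has the same gap around its `deleteTeamAccount` call.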
@@ -5,26 +5,50 @@ import { redirect } from 'next/navigation';
 import type { SupabaseClient } from '@supabase/supabase-js';
 import { enhanceAction } from '@kit/next/actions';
+import { getLogger } from '@kit/shared/logger';
 import type { Database } from '@kit/supabase/database';
 import { getSupabaseServerClient } from '@kit/supabase/server-client';
 import { DeleteTeamAccountSchema } from '../../schema/delete-team-account.schema';
 import { createDeleteTeamAccountService } from '../services/delete-team-account.service';
+const enableTeamAccountDeletion =
+ process.env.NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_DELETION === 'true';
+
 export const deleteTeamAccountAction = enhanceAction(
 async (formData: FormData, user) => {
+ const logger = await getLogger();
+
 const params = DeleteTeamAccountSchema.parse(
 Object.fromEntries(formData.entries()),
 );
+ const ctx = {
+ name: 'team-accounts.delete',
+ userId: user.id,
+ accountId: params.accountId,
+ };
+
+ if (!enableTeamAccountDeletion) {
+ logger.warn(ctx, `Team account deletion is not enabled`);
+
+ throw new Error('Team account deletion is not enabled');
+ }
+
+ logger.info(ctx, `Deleting team account...`);
+
 await deleteTeamAccount({
 accountId: params.accountId,
 userId: user.id,
 });
+ logger.info(ctx, `Team account request successfully sent`);
+
 return redirect('/home');
 },
- {},
+ {
+ auth: true,
+ },
 );
 async function deleteTeamAccount(params: {
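Review bot: `params.accountId` comes straight from the submitted form and is passed with `user.id` to `deleteTeamAccount`, but nothing in this hunk shows where the caller's ownership of that account is verified. `deleteTeamAccount` only begins on the last line of the hunk and its body is outside it, so the check presumably lives there or in the database policies. Since this action is now the documented enforcement point, I would state that dependency at the call site, for example `// deleteTeamAccount must confirm that user.id owns params.accountId before deleting`.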