feat(auth): implement deletion of associated credentials during account deletion

Author: Ubisoft-potato

pkg/account/api/account.go

@@ -33,6 +33,7 @@ import (
 	v2as "github.com/bucketeer-io/bucketeer/v2/pkg/account/storage/v2"
 	"github.com/bucketeer-io/bucketeer/v2/pkg/api/api"
 	domainauditlog "github.com/bucketeer-io/bucketeer/v2/pkg/auditlog/domain"
+	authstorage "github.com/bucketeer-io/bucketeer/v2/pkg/auth/storage"
 	domainevent "github.com/bucketeer-io/bucketeer/v2/pkg/domainevent/domain"
 	"github.com/bucketeer-io/bucketeer/v2/pkg/locale"
 	"github.com/bucketeer-io/bucketeer/v2/pkg/log"
@@ -979,6 +980,13 @@ func (s *AccountService) DeleteAccountV2(
 		if err = s.publisher.Publish(ctx, deleteAccountV2Event); err != nil {
 			return err
 		}
+		// Delete associated credentials if they exist
+		if err = s.credentialsStorage.DeleteCredentials(contextWithTx, account.Email); err != nil {
+			// Ignore error if credentials don't exist (e.g., SSO-only accounts)
+			if !errors.Is(err, authstorage.ErrCredentialsUnexpectedAffectedRows) {
+				return err
+			}
+		}
 		return s.accountStorage.DeleteAccountV2(contextWithTx, account)
 	})
 	if err != nil {

pkg/account/api/account_test.go

@@ -33,6 +33,8 @@ import (
 	accstoragemock "github.com/bucketeer-io/bucketeer/v2/pkg/account/storage/v2/mock"
 	"github.com/bucketeer-io/bucketeer/v2/pkg/api/api"
 	alstoragemock "github.com/bucketeer-io/bucketeer/v2/pkg/auditlog/storage/v2/mock"
+	authstorage "github.com/bucketeer-io/bucketeer/v2/pkg/auth/storage"
+	authstoragemock "github.com/bucketeer-io/bucketeer/v2/pkg/auth/storage/mock"
 	pkgErr "github.com/bucketeer-io/bucketeer/v2/pkg/error"
 	"github.com/bucketeer-io/bucketeer/v2/pkg/locale"
 	publishermock "github.com/bucketeer-io/bucketeer/v2/pkg/pubsub/publisher/mock"
@@ -1720,10 +1722,50 @@ func TestDeleteAccountV2MySQL(t *testing.T) {
 					err := fn(ctx, nil)
 					require.NoError(t, err)
 				}).Return(nil)
+				s.publisher.(*publishermock.MockPublisher).EXPECT().Publish(gomock.Any(), gomock.Any()).Return(nil)
+				s.credentialsStorage.(*authstoragemock.MockCredentialsStorage).EXPECT().DeleteCredentials(
+					gomock.Any(), "bucketeer@example.com",
+				).Return(nil)
 				s.accountStorage.(*accstoragemock.MockAccountStorage).EXPECT().DeleteAccountV2(
 					gomock.Any(), gomock.Any(),
 				).Return(nil)
+			},
+			req: &accountproto.DeleteAccountV2Request{
+				Email:          "bucketeer@example.com",
+				OrganizationId: "org0",
+			},
+			expectedErr: nil,
+		},
+		{
+			desc: "successWithoutCredentials",
+			setup: func(s *AccountService) {
+				s.accountStorage.(*accstoragemock.MockAccountStorage).EXPECT().GetAccountV2(
+					gomock.Any(), gomock.Any(), gomock.Any(),
+				).Return(&domain.AccountV2{
+					AccountV2: &accountproto.AccountV2{
+						Email:            "bucketeer@example.com",
+						FirstName:        "Test",
+						LastName:         "User",
+						OrganizationId:   "org0",
+						Language:         "en",
+						OrganizationRole: accountproto.AccountV2_Role_Organization_ADMIN,
+					},
+				}, nil).Times(2)
+
+				s.mysqlClient.(*mysqlmock.MockClient).EXPECT().RunInTransactionV2(
+					gomock.Any(), gomock.Any(),
+				).Do(func(ctx context.Context, fn func(ctx context.Context, tx mysql.Transaction) error) {
+					err := fn(ctx, nil)
+					require.NoError(t, err)
+				}).Return(nil)
 				s.publisher.(*publishermock.MockPublisher).EXPECT().Publish(gomock.Any(), gomock.Any()).Return(nil)
+				// Simulate account without credentials (e.g., SSO-only account)
+				s.credentialsStorage.(*authstoragemock.MockCredentialsStorage).EXPECT().DeleteCredentials(
+					gomock.Any(), "bucketeer@example.com",
+				).Return(authstorage.ErrCredentialsUnexpectedAffectedRows)
+				s.accountStorage.(*accstoragemock.MockAccountStorage).EXPECT().DeleteAccountV2(
+					gomock.Any(), gomock.Any(),
+				).Return(nil)
 			},
 			req: &accountproto.DeleteAccountV2Request{
 				Email:          "bucketeer@example.com",