Add delete account API endpoint #3935
Replies: 7 comments 2 replies
-
Any update on this issue? Is the only way to remove an account at the moment to log in to the social platform, then find the linked application and remove it there?
-
I have a similar need where the apps verify the user registration by member code on
-
Since delete user is already in the adapter typings, is there an API that is going to land for this any time soon? Or is the other way to do it a custom API that purges the db of a user and the social tokens?
-
I'd also need this functionality 😦 Are there any workarounds available?
-
I'm waiting for this functionality too 😥
-
@iaincollins @balazsorban44 any updates here? Seems like there's consensus this is good practice and would give an easy way for next-auth users to be in compliance with major privacy laws (GDPR, etc.). In my case, using Zoom for OAuth, they require that OAuth apps respond to deauthorize events, so this would streamline implementation. Cheers!
-
Any update on this feature by any chance?
-
There should be an endpoint at /api/auth/delete that deletes a user, all sessions and all account entries associated with that user.
Like the signout endpoint, it should require a POST request with CSRF token to protect against Cross Site Request Forgery attacks.
I feel strongly this should be a hard delete feature, with the option for people to write their own routes for soft deleting if that is something they need to provide.
The reason I feel strongly about this is I want to encourage people to follow good practice (and legal compliance, as it's a legal issue in many places) and to make it as easy as possible for them.
This was a feature of v1 for the same reasons, but I have adopted a more relaxed approach for v2 because the priority was to be able to ship a working release and that this could be added later.
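A sketch of the endpoint proposed in the post above, added here as an illustration; it is not next-auth code and not from any participant in this thread. The in-memory `db`, the request shape, `SECRET`, and the signed double-submit cookie used for the CSRF check are all assumptions made for the example.

```javascript
// Added example: hard-delete handler guarded by POST + CSRF token.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: server-side secret

// Constructed in-memory stand-in for the user/account/session tables.
const db = {
  users: [{ id: "u1" }, { id: "u2" }],
  accounts: [{ userId: "u1", provider: "github" }, { userId: "u2", provider: "zoom" }],
  sessions: [{ token: "s1", userId: "u1" }, { token: "s2", userId: "u1" },
             { token: "s3", userId: "u2" }],
};

// Cookie value is "token|sha256(token + SECRET)"; the form body repeats the token.
const sign = (token) => createHash("sha256").update(token + SECRET).digest("hex");
const issueCsrfCookie = () => {
  const token = randomBytes(32).toString("hex");
  return `${token}|${sign(token)}`;
};

function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

function csrfValid(cookie, bodyToken) {
  const [token, hash] = String(cookie || "").split("|");
  if (!token || !hash || !bodyToken) return false;
  // The hash proves the server issued the cookie; the body must echo its token.
  return safeEqual(hash, sign(token)) && safeEqual(token, bodyToken);
}

// req: { method, cookies: { csrf, session }, body: { csrfToken } } (hypothetical shape)
function handleDelete({ method, cookies = {}, body = {} }) {
  if (method !== "POST") return { status: 405 };
  if (!csrfValid(cookies.csrf, body.csrfToken)) return { status: 403 };
  const session = db.sessions.find((s) => s.token === cookies.session);
  if (!session) return { status: 401 };
  const uid = session.userId; // only ever delete the caller's own account
  // Hard delete: every session, every linked account, then the user row.
  db.sessions = db.sessions.filter((s) => s.userId !== uid);
  db.accounts = db.accounts.filter((a) => a.userId !== uid);
  db.users = db.users.filter((u) => u.id !== uid);
  return { status: 200, deleted: uid };
}
```

The user id comes from the caller's session rather than from the request body, so a valid CSRF token cannot be used to delete someone else's account.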