feat(accounts): delete social accts
SabreCat committed Jun 7, 2017
1 parent 4553a41 commit 43d5a18
Showing 5 changed files with 211 additions and 194 deletions.
1 change: 1 addition & 0 deletions website/common/locales/en/front.json
@@ -246,6 +246,7 @@
"missingNewPassword": "Missing new password.",
"invalidEmailDomain": "You cannot register with emails with the following domains: <%= domains %>",
"wrongPassword": "Wrong password.",
"incorrectDeletePhrase": "Please type DELETE in all caps to delete your account.",
"notAnEmail": "Invalid email address.",
"emailTaken": "Email address is already used in an account.",
"newEmailRequired": "Missing new email address.",
1 change: 1 addition & 0 deletions website/common/locales/en/settings.json
@@ -66,6 +66,7 @@
"resetText1": "WARNING! This resets many parts of your account. This is highly discouraged, but some people find it useful in the beginning after playing with the site for a short time.",
"resetText2": "You will lose all your levels, gold, and experience points. All your tasks (except those from challenges) will be deleted permanently and you will lose all of their historical data. You will lose all your equipment but you will be able to buy it all back, including all limited edition equipment or subscriber Mystery items that you already own (you will need to be in the correct class to re-buy class-specific gear). You will keep your current class and your pets and mounts. You might prefer to use an Orb of Rebirth instead, which is a much safer option and which will preserve your tasks and equipment.",
"deleteLocalAccountText": "Are you sure? This will delete your account forever, and it can never be restored! You will need to register a new account to use Habitica again. Banked or spent Gems will not be refunded. If you're absolutely certain, type your password into the text box below.",
"deleteSocialAccountText": "Are you sure? This will delete your account forever, and it can never be restored! You will need to register a new account to use Habitica again. Banked or spent Gems will not be refunded. If you're absolutely certain, type \"DELETE\" into the text box below.",
"API": "API",
"APIv3": "API v3",
"APIText": "Copy these for use in third party applications. However, think of your API Token like a password, and do not share it publicly. You may occasionally be asked for your User ID, but never post your API Token where others can see it, including on Github.",
15 changes: 8 additions & 7 deletions website/server/controllers/api-v3/user.js
@@ -296,17 +296,18 @@ api.deleteUser = {
let plan = user.purchased.plan;

let password = req.body.password;
if (!password) throw new BadRequest(res.t('missingPassword'));
if(user.auth.local.hashed_password && user.auth.local.email) {
if (!password) throw new BadRequest(res.t('missingPassword'));

let isValidPassword = await passwordUtils.compare(user, password);
if (!isValidPassword) throw new NotAuthorized(res.t('wrongPassword'));
} else if ((user.auth.facebook.id || user.auth.google.id) && req.body.password !== 'DELETE') {
throw new NotAuthorized(res.t('incorrectDeletePhrase'))
}

let feedback = req.body.feedback;
if (feedback && feedback.length > 10000) throw new BadRequest(`Account deletion feedback is limited to 10,000 characters. For lengthy feedback, email ${TECH_ASSISTANCE_EMAIL}.`);

let validationErrors = req.validationErrors();
if (validationErrors) throw validationErrors;

let isValidPassword = await passwordUtils.compare(user, password);
if (!isValidPassword) throw new NotAuthorized(res.t('wrongPassword'));

if (plan && plan.customerId && !plan.dateTerminated) {
throw new NotAuthorized(res.t('cannotDeleteActiveAccount'));
}
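Review bot: The new confirmation chain in the `api.deleteUser` handler fails open: an account that matches neither `user.auth.local.hashed_password && user.auth.local.email` nor `user.auth.facebook.id || user.auth.google.id` skips both branches and continues to deletion with no password and no confirmation phrase. Make the final branch independent of the provider so every non-local account must send the phrase, e.g. `} else if (password !== 'DELETE') {`, which also reuses the `password` local instead of re-reading `req.body.password`. The typed phrase only guards against accidental deletion and is not re-authentication, so for social accounts the request credentials alone authorize this irreversible action; a comment above the branch such as `// DELETE is a confirmation phrase, not a credential` would make that explicit. The added `throw` line is also missing its trailing semicolon, and `if(` lacks the space used elsewhere in the hunk. The handler starts and ends outside this hunk.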
