Type: New Feature
Affects Version/s: None
Fix Version/s: None
In order to resolve MEB-97, when a user deletes their account, MusicBrainz should notify the other MetaBrainz projects that manage accounts by calling a fixed endpoint on each of them (for example, /delete-user/Bob). This can be done in Controller::Admin::delete_user, either directly in that method, or via an external script invoked from there.
The /delete-user endpoints should take care of blanking the account on their respective projects and anonymizing the content added by it, consistent with the points outlined in MEB-97. The endpoints should return a 200 response code if the user is successfully deleted, or a 404 if the user doesn't exist in that project. Any other response code will indicate to MB that the user was not successfully removed, and that MB should retry the request (a bounded number of times, with a delay between attempts, so a project that is down does not stall the deletion forever). Because a 404 counts as success, the same request can be sent repeatedly for one user without harm, which is what makes the retry safe; each project should therefore implement the deletion so that a request interrupted half-way can simply be re-run to completion.
To handle authentication:
- There will exist a special/internal user account on MB (let's name it UserDeleter).
- The /delete-user endpoint must only grant requests authorized as the UserDeleter account.
- To allow projects to verify the caller's identity, MB will send an access_token query parameter, like /delete-user/Bob?access_token=Pb2xDcO7Xray1U45f3VI6B. (Note that a token in the query string ends up in web-server and proxy access logs on both sides, so those logs must be treated as sensitive; sending the token in an Authorization header instead would avoid this.)
- The /delete-user endpoint must use the access token to query https://musicbrainz.org/oauth2/userinfo, sending the token in the Authorization header: Authorization: Bearer Pb2xDcO7Xray1U45f3VI6B.
- The /delete-user endpoint must verify that the userinfo request is successful (HTTP 200), and that the JSON document returned has a "sub" key equal to "UserDeleter" and a "metabrainz_user_id" key equal to 2007538. Any other status, a missing key, or a different value must reject the request.
- Furthermore, the /delete-user endpoints should only be accessible from within our internal network (perhaps by blocking the path at the gateways), so that the token check is a second layer of defence rather than the only one.
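As an added illustration of the handshake described above (example code written for this ticket, not code from MusicBrainz or any other MetaBrainz project), the following Python sketches both sides: the receiving project's /delete-user check, which queries the userinfo endpoint with the token and accepts only the UserDeleter identity, and the MusicBrainz side, which treats 200 and 404 as final and retries anything else. Network access is replaced by an injected fetcher so it runs offline; the in-memory user store and contribution records, the 403 status for an unauthorised caller, the helper names, and the fake tokens are all assumptions made for the example.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Identity of the only account allowed to request deletions (values from the ticket).
DELETER_SUB = "UserDeleter"
DELETER_MB_ID = 2007538
USERINFO_URL = "https://musicbrainz.org/oauth2/userinfo"

# A fetcher takes the access token and returns (http_status, parsed_json_or_None).
UserinfoFetcher = Callable[[str], Tuple[int, Optional[dict]]]

def fetch_userinfo_http(access_token: str) -> Tuple[int, Optional[dict]]:
    """Production fetcher: GET userinfo with the token in a Bearer header."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(
        USERINFO_URL, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None
    except (urllib.error.URLError, ValueError):
        return 0, None  # network failure or non-JSON body: cannot verify

def verify_deleter_token(access_token: str, fetch_userinfo: UserinfoFetcher) -> bool:
    """True only if the token resolves to the UserDeleter account."""
    # Ticket rules: userinfo must answer 200 and the JSON must carry
    # sub == "UserDeleter" and metabrainz_user_id == 2007538.
    if not access_token:
        return False
    status, body = fetch_userinfo(access_token)
    if status != 200 or not isinstance(body, dict):
        return False
    return (body.get("sub") == DELETER_SUB
            and body.get("metabrainz_user_id") == DELETER_MB_ID)

def handle_delete_user(name: str, access_token: str, users: Dict[str, dict],
                       contributions: List[dict], fetch_userinfo: UserinfoFetcher) -> int:
    """Hypothetical /delete-user/<name> handler on a receiving project.

    200: account blanked and contributions anonymised; 404: no such user here.
    403 for an unauthorised caller is an assumption: the ticket only says that
    anything other than 200/404 makes MB retry.
    """
    if not verify_deleter_token(access_token, fetch_userinfo):
        return 403
    if name not in users:
        return 404
    # Anonymise first, then blank the account, so a crash between the two
    # leaves the user in place and a retried request finishes the job.
    for item in contributions:
        if item["author"] == name:
            item["author"] = "[deleted]"
    del users[name]
    return 200

def notify_project(send_delete: Callable[[], int], max_attempts: int = 5) -> Tuple[bool, int]:
    """MusicBrainz side: 200 and 404 are final, anything else is retried.
    Returns (succeeded, attempts_made)."""
    attempts = 0
    while attempts < max_attempts:
        attempts += 1
        if send_delete() in (200, 404):
            return True, attempts
    return False, attempts

# --- constructed offline stand-ins (not real MetaBrainz accounts or tokens) ---
FAKE_USERINFO = {
    "Pb2xDcO7Xray1U45f3VI6B": (200, {"sub": "UserDeleter", "metabrainz_user_id": 2007538}),
    "tok-of-ordinary-user": (200, {"sub": "Bob", "metabrainz_user_id": 1}),
}

def fake_fetch_userinfo(access_token: str) -> Tuple[int, Optional[dict]]:
    """Offline replacement for fetch_userinfo_http; unknown tokens get 401."""
    return FAKE_USERINFO.get(access_token, (401, None))

def demo() -> dict:
    """Run the handshake end to end against constructed data."""
    users = {"Bob": {"email": "bob@example.org"}, "Alice": {"email": "alice@example.org"}}
    contributions = [{"id": 1, "author": "Bob"}, {"id": 2, "author": "Alice"}]
    deleter = "Pb2xDcO7Xray1U45f3VI6B"
    def call(name, token):
        return handle_delete_user(name, token, users, contributions, fake_fetch_userinfo)
    results = {
        "wrong_account": call("Bob", "tok-of-ordinary-user"),
        "unknown_token": call("Bob", "nope"),
        "first_delete": call("Bob", deleter),
        "second_delete": call("Bob", deleter),
    }
    # A flaky project answering 500, 503, then 200: MB keeps going until 200/404.
    answers = iter([500, 503, 200])
    results["retry"] = notify_project(lambda: next(answers))
    results["authors"] = [c["author"] for c in contributions]
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file shows the two rejected calls answering 403 without touching any data, the first authorised call answering 200 with Bob's contributions re-attributed to "[deleted]", the repeat answering 404, and the MB-side loop succeeding on its third attempt against the flaky project.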