Fix deletion of unconfirmed users with Webauthn set (#33186)

2025-04-12 00:56:38 +02:00 · 2025-01-15 12:50:50 +01:00 · 2025-01-15 12:50:50 +01:00 · b6cf22000b
commit b6cf22000b
parent e358c195c3
2 changed files with 20 additions and 2 deletions
--- a/app/workers/scheduler/user_cleanup_scheduler.rb
+++ b/app/workers/scheduler/user_cleanup_scheduler.rb
@ -16,6 +16,7 @@ class Scheduler::UserCleanupScheduler
    User.where('confirmed_at is NULL AND confirmation_sent_at <= ?', 2.days.ago).reorder(nil).find_in_batches do |batch|
      # We have to do it separately because of missing database constraints
      AccountModerationNote.where(target_account_id: batch.map(&:account_id)).delete_all
+      WebauthnCredential.where(user_id: batch.map(&:id)).delete_all
      Account.where(id: batch.map(&:account_id)).delete_all
      User.where(id: batch.map(&:id)).delete_all
    end
--- a/spec/workers/scheduler/user_cleanup_scheduler_spec.rb
+++ b/spec/workers/scheduler/user_cleanup_scheduler_spec.rb
@ -7,6 +7,7 @@ describe Scheduler::UserCleanupScheduler do
  let!(:old_unconfirmed_user) { Fabricate(:user) }
  let!(:confirmed_user)       { Fabricate(:user) }
  let!(:moderation_note)      { Fabricate(:account_moderation_note, account: Fabricate(:account), target_account: old_unconfirmed_user.account) }
+  let!(:webauthn_credential)  { Fabricate(:webauthn_credential, user_id: old_unconfirmed_user.id) }

  describe '#perform' do
    before do
@ -16,8 +17,24 @@ describe Scheduler::UserCleanupScheduler do
      confirmed_user.update!(confirmed_at: 1.day.ago)
    end

-    it 'deletes the old unconfirmed user' do
-      expect { subject.perform }.to change { User.exists?(old_unconfirmed_user.id) }.from(true).to(false)
+    it 'deletes the old unconfirmed user and metadata while preserving confirmed user and newer unconfirmed user' do
+      expect { subject.perform }
+        .to change { User.exists?(old_unconfirmed_user.id) }
+        .from(true).to(false)
+        .and change { Account.exists?(old_unconfirmed_user.account_id) }
+        .from(true).to(false)
+      expect { moderation_note.reload }
+        .to raise_error(ActiveRecord::RecordNotFound)
+      expect { webauthn_credential.reload }
+        .to raise_error(ActiveRecord::RecordNotFound)
+      expect(User.exists?(new_unconfirmed_user.id))
+        .to be true
+      expect(User.exists?(confirmed_user.id))
+        .to be true
+      expect(Account.exists?(new_unconfirmed_user.account_id))
+        .to be true
+      expect(Account.exists?(confirmed_user.account_id))
+        .to be true
    end

    it "deletes the old unconfirmed user's account" do