Skip to content
Start building
Back

Is my approach for deleting registered users safe?

  • 0
  • Web
  • Tools
  • Auth
  • Functions
  • REST API
View on Discord
Los Feliz
5 Jul, 2025, 20:44

A few weeks ago, I was advised not to use the registered users' id in my web app. Instead, I store the publicly viewable information such as username and email of each user in a collection, and use the document id as each user's preference. Now I want to allow the users to delete their account via their UI.

Is my approach safe for deleting registered users from my project via the UI?

My client-side:

TypeScript
export const deleteUser = async () => {
    try {
        const user = await account.get();

        const payload = JSON.stringify({ $id: user.$id });

        const funcId = await dbFuncKeysProvider('user_delete_function');

        const res = await functions.createExecution(funcId, payload);

        if (res.status === 'completed') {
            const res = JSON.parse(res.responseBody); 
            return res;
        } else { 
            return false;
        }
    } catch (err) { 
        return false;
    }
};

My server-side:

TypeScript
import { Client, Users, Databases } from 'node-appwrite';

export default async ({ req, res, log, error }) => {
  const client = new Client()
    .setEndpoint(process.env.VITE_ENDPOINT)
    .setProject(process.env.VITE_PROJ_ID)
    .setKey(process.env.API_KEY);

  const users = new Users(client);
  const databases = new Databases(client);

  try {
    if (!req.body) throw new Error('Missing request body');

    const data = typeof req.body === 'string' ? JSON.parse(req.body) : req.body;
 
    if (!data?.$id) {throw new Error('Missing user ID in request')};

    const user = await users.get(data?.$id);

    const profileId = user.prefs?.profile_id;

    await users.delete(data?.$id);

    if (profileId) {
      await databases.deleteDocument(
        process.env.VITE_DB_ID,
        process.env.VITE_USERS_COLLECTION,
        profileId
      );
    }

    return res.json({ success: true });
  } catch (err) {
    error('Failed: ' + err.message);
    return res.json({ success: false, error: err.message });
  }
};
TL;DR
The developers are discussing a method for deleting registered users from a project via the UI. The approach involves not using registered users' IDs directly but rather storing them as document IDs in a collection. The developers provide code for client-side and server-side operations, aiming to enhance security. The approach seems safe and includes handling user deletion and associated document removal.
Axistro
5 Jul, 2025, 20:55

In my opinion it looks good enough. Getting the id directly from session instead of saved collection is a good approach.

Los Feliz
5 Jul, 2025, 20:56

well, in my collection I do not save the ID of the registered person. I save the id of the doc of the user in my registred person's preference as a profile_id.

Axistro
5 Jul, 2025, 20:59

Yes Normally I do the opposite and considering its bounds. Although dont know if your method will add a layer of security. I mean i cant even do anything even if i have your auth user id. But, if there is your method is way better

Reply

Reply to this thread by joining our Discord

Reply on Discord

Recommended threads

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more