feat(account deletion): adds extra private scope for profile deletion & adds gql resolver guards (#272)

* feat(account deletion): adds extra private scope for profile deletion & adds gql resolver guards

* feat(account deletion): paranoia warnings

packages/server/modules/core/graph/resolvers/users.js

@@ -89,9 +89,15 @@ module.exports = {
       let user = await getUser( context.userId )
 
       if ( args.userConfirmation.email !== user.email ) {
-        return false
+        throw new UserInputError( 'Malformed input: emails do not match.' )
       }
+
+      // The below are not really needed anymore as we've added the hasRole and hasScope
+      // directives in the graphql schema itself. 
+      // Since I am paranoid, I'll leave them here too. 
       await validateServerRole( context, 'server:user' )
+      await validateScopes( context.scopes, 'profile:delete' )
+
       await deleteUser( context.userId, args.user )
       return true
     }

packages/server/modules/core/graph/schemas/user.graphql

@@ -51,6 +51,8 @@ extend type Mutation {
   Delete a user's account.
   """
   userDelete(userConfirmation: UserDeleteInput!): Boolean!
+    @hasRole(role: "server:user")
+    @hasScope(scope: "profile:delete")
 }
 
 input UserUpdateInput {

packages/server/modules/core/scopes.js

@@ -21,6 +21,11 @@ module.exports = [
     description: 'Grants access to the email address you registered with.',
     public: true
   },
+  {
+    name: 'profile:delete',
+    description: 'Allows a user to delete their account, with all associated data.',
+    public: false
+  },
   {
     name: 'users:read',
     description: 'Read other users\' profile on your behalf.',