🗑️ fix: Remove All User Metadata on Deletion (#10534)

* remove all user metadata on deletion * chore: import order * fix: Update JSDoc types for deleteMessages function parameters and return value * fix: Enhance user deletion process by removing associated data and updating group memberships * fix: Add missing config middleware to user deletion route * fix: Refactor agent and prompt deletion processes to bulk delete and remove associated ACL entries * fix: Add deletion of OAuth tokens and ACL entries in user deletion process --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2025-12-17 00:40:14 +01:00 · 2025-11-21 18:03:26 +01:00 · 2025-11-21 18:03:26 +01:00 · 846e34b1d7
commit 846e34b1d7
parent 7aa8d49f3a
7 changed files with 144 additions and 42 deletions
--- a/api/server/controllers/UserController.js
+++ b/api/server/controllers/UserController.js
@ -3,32 +3,45 @@ const { Tools, CacheKeys, Constants, FileSources } = require('librechat-data-pro
 const {
  MCPOAuthHandler,
  MCPTokenStorage,
+  mcpServersRegistry,
  normalizeHttpError,
  extractWebSearchEnvVars,
 } = require('@librechat/api');
 const {
-  getFiles,
-  findToken,
-  updateUser,
-  deleteFiles,
-  deleteConvos,
-  deletePresets,
-  deleteMessages,
-  deleteUserById,
-  deleteAllSharedLinks,
  deleteAllUserSessions,
+  deleteAllSharedLinks,
+  deleteUserById,
+  deleteMessages,
+  deletePresets,
+  deleteConvos,
+  deleteFiles,
+  updateUser,
+  findToken,
+  getFiles,
 } = require('~/models');
+const {
+  ConversationTag,
+  Transaction,
+  MemoryEntry,
+  Assistant,
+  AclEntry,
+  Balance,
+  Action,
+  Group,
+  Token,
+  User,
+} = require('~/db/models');
 const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/services/PluginService');
 const { updateUserPluginsService, deleteUserKey } = require('~/server/services/UserService');
 const { verifyEmail, resendVerificationEmail } = require('~/server/services/AuthService');
 const { needsRefresh, getNewS3URL } = require('~/server/services/Files/S3/crud');
 const { processDeleteRequest } = require('~/server/services/Files/process');
-const { Transaction, Balance, User, Token } = require('~/db/models');
 const { getMCPManager, getFlowStateManager } = require('~/config');
 const { getAppConfig } = require('~/server/services/Config');
 const { deleteToolCalls } = require('~/models/ToolCall');
+const { deleteUserPrompts } = require('~/models/Prompt');
+const { deleteUserAgents } = require('~/models/Agent');
 const { getLogStores } = require('~/cache');
-const { mcpServersRegistry } = require('@librechat/api');

 const getUserController = async (req, res) => {
  const appConfig = await getAppConfig({ role: req.user?.role });
@ -237,7 +250,6 @@ const deleteUserController = async (req, res) => {
    await deleteUserKey({ userId: user.id, all: true }); // delete user keys
    await Balance.deleteMany({ user: user._id }); // delete user balances
    await deletePresets(user.id); // delete user presets
-    /* TODO: Delete Assistant Threads */
    try {
      await deleteConvos(user.id); // delete user convos
    } catch (error) {
@ -249,7 +261,19 @@ const deleteUserController = async (req, res) => {
    await deleteUserFiles(req); // delete user files
    await deleteFiles(null, user.id); // delete database files in case of orphaned files from previous steps
    await deleteToolCalls(user.id); // delete user tool calls
-    /* TODO: queue job for cleaning actions and assistants of non-existant users */
+    await deleteUserAgents(user.id); // delete user agents
+    await Assistant.deleteMany({ user: user.id }); // delete user assistants
+    await ConversationTag.deleteMany({ user: user.id }); // delete user conversation tags
+    await MemoryEntry.deleteMany({ userId: user.id }); // delete user memory entries
+    await deleteUserPrompts(req, user.id); // delete user prompts
+    await Action.deleteMany({ user: user.id }); // delete user actions
+    await Token.deleteMany({ userId: user.id }); // delete user OAuth tokens
+    await Group.updateMany(
+      // remove user from all groups
+      { memberIds: user.id },
+      { $pull: { memberIds: user.id } },
+    );
+    await AclEntry.deleteMany({ principalId: user._id }); // delete user ACL entries
    logger.info(`User deleted account. Email: ${user.email} ID: ${user.id}`);
    res.status(200).send({ message: 'User deleted' });
  } catch (err) {
--- a/api/server/routes/user.js
+++ b/api/server/routes/user.js
@ -8,7 +8,12 @@ const {
  deleteUserController,
  getUserController,
 } = require('~/server/controllers/UserController');
-const { requireJwtAuth, canDeleteAccount, verifyEmailLimiter } = require('~/server/middleware');
+const {
+  verifyEmailLimiter,
+  configMiddleware,
+  canDeleteAccount,
+  requireJwtAuth,
+} = require('~/server/middleware');

 const router = express.Router();

@ -16,7 +21,7 @@ router.get('/', requireJwtAuth, getUserController);
 router.get('/terms', requireJwtAuth, getTermsStatusController);
 router.post('/terms/accept', requireJwtAuth, acceptTermsController);
 router.post('/plugins', requireJwtAuth, updateUserPluginsController);
-router.delete('/delete', requireJwtAuth, canDeleteAccount, deleteUserController);
+router.delete('/delete', requireJwtAuth, canDeleteAccount, configMiddleware, deleteUserController);
 router.post('/verify', verifyEmailController);
 router.post('/verify/resend', verifyEmailLimiter, resendVerificationController);