diff --git a/backend/src/routes/auth.js b/backend/src/routes/auth.js index ba1ec08..e1b0a82 100644 --- a/backend/src/routes/auth.js +++ b/backend/src/routes/auth.js @@ -48,4 +48,28 @@ router.post('/change-username', authenticate, (req, res) => { res.json({ success: true, username: newUsername.trim() }); }); +// DELETE /api/auth/delete-account – eigenen Account löschen (nicht für letzte Admins) +router.delete('/delete-account', authenticate, (req, res) => { + const { password } = req.body || {}; + const id = req.user.id; + const user = db.prepare('SELECT * FROM users WHERE id=?').get(id); + if (!user) return res.status(404).json({ error: 'Benutzer nicht gefunden' }); + if (password && !bcrypt.compareSync(password, user.password_hash)) + return res.status(400).json({ error: 'Passwort falsch' }); + if (!user) return res.status(404).json({ error: 'Benutzer nicht gefunden' }); + // Admin darf sich nicht löschen wenn er der letzte Admin ist + if (user.role === 'admin') { + const adminCount = db.prepare("SELECT COUNT(*) c FROM users WHERE role='admin'").get().c; + if (adminCount <= 1) return res.status(400).json({ error: 'Letzter Administrator kann sich nicht löschen' }); + } + // Alle Daten löschen + db.prepare('DELETE FROM calculations WHERE user_id=?').run(id); + db.prepare('DELETE FROM orders WHERE user_id=?').run(id); + db.prepare('DELETE FROM todos WHERE user_id=?').run(id); + db.prepare('DELETE FROM quick_links WHERE user_id=?').run(id); + db.prepare('DELETE FROM notes WHERE user_id=?').run(id); + db.prepare('DELETE FROM users WHERE id=?').run(id); + res.json({ success: true }); +}); + module.exports = router;