API for deleting accounts without requiring cookies

[M123-dev]

Problem

We need to be able to delete an account from the mobile app to stay GDPR complient and make sure we wont get temporarely blocked by the App- and Play Store.

AFAIK, it's possible from the website already, but technically not from the mobile app.

Additional context

• Let user remove their account by themselves smooth-app#4162

Code pointers

• feat: Allow users to delete their own accounts #8548

Part of

• Allow to initiate account deletion from the website/API #6435
• Allow users to be removed while keeping moderation capabilities #8164
• Allow to initiate account deletion from the website/API #6435
• 🤳🥫 Support our mobile app (Tracker) #8919

[hangy]

Account deletion via API should still require some sort of confirmation, though? Preferably email or secure 2FA to avoid abuse

[monsieurtanuki]

@hangy What I had in mind was

• calling a URL from Smoothie, like https://world.openfoodfacts.org/api/delete_user?user=myuser_or-my_email&password=mypassword&lc=en
• that would send an email to the user like "You've just asked for your 'myuser' account deletion. Please click on the link to confirm. Please ignore this email if you did not ask for your account deletion and consider changing your password"
• and that will reply with a JSON stating things like "deletion email sent" or "incorrect user or password" (as hard coded tags and as localized strings)

Does that make sense?

[teolemon]

@M123-dev to get the previews, you need to put an hyphen at the beginning of the line (-)

[hangy]

Could be a dupe of #8655