📌 Overview
- This issue introduces the Settings page security actions for Cyber-Lens.
- It focuses on two core account operations:
  - Changing the account password
  - Deleting the account with email (magic link) verification
- The goal is to provide secure, intentional flows without expanding auth scope unnecessarily.
🎯 Goals
- Allow users to change their password securely
- Protect account deletion behind confirmation + email verification
- Reuse existing magic email verification utility
- Keep implementation consistent with current auth model
🧩 Scope
🔐 Change Password
Location: /settings
Flow:
- Input fields:
  - Current password
  - New password
  - Confirm new password
- Validation:
  - Current password must be correct
  - New password and confirm password must match
  - New password should not equal old password
- Show clear success and error messages
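As an added example (not code from the Cyber-Lens repository), the validation rules above as a backend handler. It assumes a user record holding a salted PBKDF2-HMAC-SHA256 hash (the real user store may look different) and returns an (ok, message) pair that the UI can surface directly; the iteration count is kept low for illustration and should be raised in production.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed credential format: PBKDF2-HMAC-SHA256 with a per-user random salt.
# Kept low so the example runs quickly; production should use a far higher count.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Derive (salt, digest) for a password; a fresh salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def change_password(user: dict, current: str, new: str, confirm: str) -> tuple:
    """Apply the /settings change-password rules.

    `user` is an assumed record shaped like {"salt": bytes, "pw_hash": bytes}.
    Returns (ok, message); the stored hash is replaced only when ok is True.
    """
    # Structural check first: it needs no secret and saves a KDF run on a bad request.
    if new != confirm:
        return False, "New password and confirmation do not match"
    # The current password must verify before anything about the account changes.
    if not verify_password(current, user["salt"], user["pw_hash"]):
        return False, "Current password is incorrect"
    if new == current:
        return False, "New password must differ from the current password"
    # Rotate the salt together with the hash so the new credential shares nothing with the old.
    user["salt"], user["pw_hash"] = hash_password(new)
    return True, "Password changed"
```

Returning a generic "incorrect" message for the current-password check, rather than echoing details, keeps the handler from acting as a password oracle beyond the single yes/no it must give.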
☠️ Delete Account (Magic Link Verified)
Location: /settings → Danger Zone
Flow:
- User clicks Delete Account
- Show confirmation modal explaining:
  - Action is permanent
  - All associated data will be deleted
- On confirmation:
  - Send a verification email (magic link) to the user
  - Reuse existing magic email utility
  - Account is deleted only after the magic link is verified
📩 Email Verification Details
Magic link should be:
- One-time use
- Time-bound (short expiry preferred)
- On successful verification:
  - Delete user account
  - Invalidate sessions
  - Redirect to landing page
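As an added example (not the project's own magic-link utility), the delete-account flow from the Danger Zone section together with the token properties listed above: a one-time, time-bound token is issued on the delete request, and only a successful verification deletes the user, invalidates sessions and yields the landing-page redirect. The in-memory `FakeStore`, the `example.invalid` link and the 15-minute TTL are constructed for the example; a real implementation would back the same logic with the existing store and mailer.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed "short expiry"; tune to the project's policy


@dataclass
class DeleteRequest:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class FakeStore:
    """Constructed stand-in for the real persistence layer and mailer."""
    users: dict = field(default_factory=dict)            # user_id -> {"email": ...}
    sessions: dict = field(default_factory=dict)         # session_id -> user_id
    delete_requests: dict = field(default_factory=dict)  # sha256(token) -> DeleteRequest
    sent_emails: list = field(default_factory=list)      # (recipient, link) pairs


def _token_key(token: str) -> str:
    # Only a hash of the token is persisted, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_account_deletion(store: FakeStore, user_id: str, now: Optional[float] = None) -> str:
    """Confirmation-modal accepted: issue a single-use token and email the magic link."""
    now = time.time() if now is None else now
    # Any earlier pending request for this user is retired so only the newest link works.
    for req in store.delete_requests.values():
        if req.user_id == user_id:
            req.used = True
    token = secrets.token_urlsafe(32)
    store.delete_requests[_token_key(token)] = DeleteRequest(user_id, now + TOKEN_TTL_SECONDS)
    link = f"https://example.invalid/settings/delete/confirm?token={token}"  # constructed URL
    store.sent_emails.append((store.users[user_id]["email"], link))
    return token


def confirm_account_deletion(store: FakeStore, token: str, now: Optional[float] = None) -> tuple:
    """Magic link clicked: verify the token, then delete the account and its sessions.

    Returns (ok, detail); on success detail is the redirect target (landing page).
    """
    now = time.time() if now is None else now
    req = store.delete_requests.get(_token_key(token))
    if req is None:
        return False, "invalid"
    if req.used:
        return False, "already used"
    if now > req.expires_at:
        return False, "expired"
    # Burn the token before any destructive step so a retried request cannot run twice.
    req.used = True
    user_id = req.user_id
    store.users.pop(user_id, None)
    for sid in [sid for sid, uid in store.sessions.items() if uid == user_id]:
        del store.sessions[sid]
    return True, "/"
```

The two negative paths the testing checklist cares about fall out directly: an unverified request leaves the user in place, and a link that is expired, reused or unknown returns a failure without touching the account.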
🧠 Implementation Notes
- Reuse existing magic email verification utility (do not introduce a new email system)
- No password re-entry is required for deletion (email ownership is the source of truth)
- Backend enforcement can be minimal, but the full flow must exist
- UI should clearly indicate that a verification email has been sent
✅ Acceptance Criteria
- Users can successfully change their password
- Delete account action is never one-click
- Confirmation modal is shown before deletion
- Verification email is sent on delete request
- Account is deleted only after magic link verification
- Clear UX feedback at each step
❌ Out of Scope
- Profile editing
- Avatar uploads
- Additional account preferences
- Multi-factor authentication
🧪 Testing Checklist
- Change password with valid inputs works
- Incorrect current password is rejected
- Password mismatch shows error
- Delete account sends verification email
- Account is not deleted without email verification
- Verified magic link deletes account successfully
🤝 Contribution Notes
- Keep changes scoped to Settings and auth utilities
- Avoid refactoring unrelated auth logic
- Follow existing backend patterns for magic links