Add option for user to delete their account

src/invidious/helpers/helpers.cr

@@ -389,3 +389,51 @@ def extract_items(nodeset, ucid = nil)
 
   return items
 end
+
+def create_response(user_id, operation, key)
+  nonce = Random::Secure.hex(4)
+  expire = Time.now + 6.hours
+
+  challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}"
+  token = OpenSSL::HMAC.digest(:sha256, key, challenge)
+
+  challenge = Base64.urlsafe_encode(challenge)
+  token = Base64.urlsafe_encode(token)
+
+  return challenge, token
+end
+
+def validate_response(challenge, token, action, key)
+  if !challenge
+    raise "Hidden field \"challenge\" is a required field"
+  end
+
+  if !token
+    raise "Hidden field \"token\" is a required field"
+  end
+
+  challenge = Base64.decode_string(challenge)
+  if challenge.split("-").size == 4
+    expire, nonce, user_id, operation = challenge.split("-")
+
+    expire = expire.to_i?
+    expire ||= 0
+  else
+    raise "Invalid challenge"
+  end
+
+  challenge = OpenSSL::HMAC.digest(:sha256, HMAC_KEY, challenge)
+  challenge = Base64.urlsafe_encode(challenge)
+
+  if challenge != token
+    raise "Invalid token"
+  end
+
+  if operation != action
+    raise "Invalid token"
+  end
+
+  if expire < Time.now.to_unix
+    raise "Token is expired, please try again"
+  end
+end

src/invidious/views/clear_watch_history.ecr

@@ -0,0 +1,17 @@
+<div class="h-box">
+    <form class="pure-form pure-form-aligned" action="/clear_watch_history?referer=<%= URI.escape(referer) %>" method="post">
+        <legend>Clear watch history?</legend>
+
+        <div class="pure-g">
+            <div class="pure-u-1-2">
+                <button type="submit" name="submit" value="clear_watch_history" class="pure-button pure-button-primary">Yes</button>
+            </div>
+            <div class="pure-u-1-2">
+                <a class="pure-button" href="<%= referer %>">No</a>
+            </div>
+        </div>
+
+        <input type="hidden" name="token" value="<%= token %>">
+        <input type="hidden" name="challenge" value="<%= challenge %>">
+    </form>
+</div>

src/invidious/views/delete_account.ecr

@@ -0,0 +1,17 @@
+<div class="h-box">
+    <form class="pure-form pure-form-aligned" action="/delete_account?referer=<%= URI.escape(referer) %>" method="post">
+        <legend>Delete account?</legend>
+
+        <div class="pure-g">
+            <div class="pure-u-1-2">
+                <button type="submit" name="submit" value="delete_account" class="pure-button pure-button-primary">Yes</button>
+            </div>
+            <div class="pure-u-1-2">
+                <a class="pure-button" href="<%= referer %>">No</a>
+            </div>
+        </div>
+
+        <input type="hidden" name="token" value="<%= token %>">
+        <input type="hidden" name="challenge" value="<%= challenge %>">
+    </form>
+</div>

src/invidious/views/preferences.ecr

@@ -150,17 +150,21 @@ function update_value(element) {
             <legend>Data preferences</legend>
 
             <div class="pure-control-group">
-                <a href="/clear_watch_history?referer=<%= referer %>">Clear watch history</a>
+                <a href="/clear_watch_history?referer=<%= URI.escape(referer) %>">Clear watch history</a>
             </div>
             
             <div class="pure-control-group">
-                <a href="/data_control?referer=<%= referer %>">Import/Export data</a>
+                <a href="/data_control?referer=<%= URI.escape(referer) %>">Import/Export data</a>
             </div>
 
             <div class="pure-control-group">
                 <a href="/subscription_manager">Manage subscriptions</a>
             </div>
 
+            <div class="pure-control-group">
+                <a href="/delete_account?referer=<%= URI.escape(referer) %>">Delete account</a>
+            </div>
+
             <div class="pure-controls">
                 <button type="submit" class="pure-button pure-button-primary">Save preferences</button>
             </div>