support delete resources associated with site

2026-06-27 17:49:04 +00:00 · 2026-06-24 17:45:44 -04:00
parent 6fe4eee336
commit 4eba51de72
9 changed files with 507 additions and 121 deletions
--- a/server/routers/site/deleteSite.ts
+++ b/server/routers/site/deleteSite.ts
@@ -14,18 +14,41 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { cleanupSiteAssociations } from "@server/lib/rebuildClientAssociations";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
+import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
+import {
+    deleteAssociatedResourcesForSite,
+    exceedsSiteAssociatedResourceDeleteLimit,
+    getAssociatedResourceCountForSite,
+    runDeleteSiteAssociatedResourcesSideEffects,
+    MAX_SITE_ASSOCIATED_RESOURCES_FOR_BULK_DELETE,
+    type DeleteSiteAssociatedResourcesSideEffects
+} from "@server/lib/deleteSiteAssociatedResources";

 const deleteSiteSchema = z.strictObject({
    siteId: z.coerce.number().int().positive()
 });

+const deleteSiteQuerySchema = z.strictObject({
+    deleteResources: z
+        .enum(["true", "false"])
+        .transform((v) => v === "true")
+        .optional()
+        .catch(false)
+        .openapi({
+            type: "boolean",
+            description:
+                "When true, also deletes all public and private resources associated with this site"
+        })
+});
+
 registry.registerPath({
    method: "delete",
    path: "/site/{siteId}",
    description: "Delete a site and all its associated data.",
    tags: [OpenAPITags.Site],
    request: {
-        params: deleteSiteSchema
+        params: deleteSiteSchema,
+        query: deleteSiteQuerySchema
    },
    responses: {
        200: {
@@ -61,7 +84,18 @@ export async function deleteSite(
            );
        }

+        const parsedQuery = deleteSiteQuerySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
        const { siteId } = parsedParams.data;
+        const { deleteResources } = parsedQuery.data;

        const [site] = await db
            .select()
@@ -78,20 +112,67 @@ export async function deleteSite(
            );
        }

+        if (deleteResources) {
+            const canDeletePublic = await checkUserActionPermission(
+                ActionsEnum.deleteResource,
+                req
+            );
+            const canDeletePrivate = await checkUserActionPermission(
+                ActionsEnum.deleteSiteResource,
+                req
+            );
+
+            if (!canDeletePublic || !canDeletePrivate) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "User does not have permission to delete associated resources"
+                    )
+                );
+            }
+
+            const associatedResourceCount =
+                await getAssociatedResourceCountForSite(siteId, site.orgId);
+
+            if (
+                exceedsSiteAssociatedResourceDeleteLimit(
+                    associatedResourceCount
+                )
+            ) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        `Cannot delete site and associated resources when the site has more than ${MAX_SITE_ASSOCIATED_RESOURCES_FOR_BULK_DELETE} resources`
+                    )
+                );
+            }
+        }
+
        const [deletedNewt] = await db
            .select()
            .from(newts)
            .where(eq(newts.siteId, siteId))
            .limit(1);

+        let resourceSideEffects: DeleteSiteAssociatedResourcesSideEffects = {
+            resources: [],
+            siteResources: []
+        };
+
        await db.transaction(async (trx) => {
+            if (deleteResources) {
+                resourceSideEffects = await deleteAssociatedResourcesForSite(
+                    siteId,
+                    site.orgId,
+                    trx
+                );
+            }
+
            if (site.type == "wireguard") {
                if (site.pubKey) {
                    await deletePeer(site.exitNodeId!, site.pubKey);
                }
            } else if (site.type == "newt") {
-                // Clean up all client associations and send peer/proxy removal
-                // messages in a single efficient pass before deleting the row.
                await cleanupSiteAssociations(site, trx);
            }

@@ -99,13 +180,17 @@ export async function deleteSite(
            await usageService.add(site.orgId, FeatureId.SITES, -1, trx);
        });

-        // Send termination message outside of transaction to prevent blocking
+        if (deleteResources) {
+            await runDeleteSiteAssociatedResourcesSideEffects(
+                resourceSideEffects
+            );
+        }
+
        if (deletedNewt) {
            const payload = {
                type: `newt/wg/terminate`,
                data: {}
            };
-            // Don't await this to prevent blocking the response
            sendToClient(deletedNewt.newtId, payload).catch((error) => {
                logger.error(
                    "Failed to send termination message to newt:",
@@ -123,6 +208,9 @@ export async function deleteSite(
        });
    } catch (error) {
        logger.error(error);
+        if (createHttpError.isHttpError(error)) {
+            return next(error);
+        }
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );