Fix cascading deletion gaps for user and team cleanup

- Add ON DELETE CASCADE to users_teams, oauth_providers, admin_permissions and ON DELETE SET NULL (with nullable columns) to team_api_keys.created_by, hosts.created_by, host_tokens.created_by so HardDeleteExpiredUsers no longer fails with FK violations - User account deletion now cascades to sole-owned teams via DeleteTeamInternal, preventing orphaned teams with live sandboxes after account removal - ListActiveSandboxesByTeam now includes hibernated sandboxes so their disk snapshots are cleaned up during team deletion - Team soft-delete now hard-deletes sandbox metric points, metric snapshots, API keys, and channels to prevent data accumulation on deleted teams - Extract deleteTeamCore() to deduplicate shared logic across DeleteTeam, AdminDeleteTeam, and DeleteTeamInternal - Fix ListAPIKeysByTeamWithCreator to use LEFT JOIN after created_by became nullable, and update handler to read pgtype.Text.String for creator_email
2026-04-16 04:26:48 +06:00
parent e1b23f3d79
commit 43e838c55c
15 changed files with 223 additions and 44 deletions
--- a/pkg/db/api_keys.sql.go
+++ b/pkg/db/api_keys.sql.go
@ -25,6 +25,15 @@ func (q *Queries) DeleteAPIKey(ctx context.Context, arg DeleteAPIKeyParams) erro
 	return err
 }

+const deleteAPIKeysByTeam = `-- name: DeleteAPIKeysByTeam :exec
+DELETE FROM team_api_keys WHERE team_id = $1
+`
+
+func (q *Queries) DeleteAPIKeysByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteAPIKeysByTeam, teamID)
+	return err
+}
+
 const getAPIKeyByHash = `-- name: GetAPIKeyByHash :one
 SELECT id, team_id, name, key_hash, key_prefix, created_by, created_at, last_used FROM team_api_keys WHERE key_hash = $1
 `
@ -120,7 +129,7 @@ const listAPIKeysByTeamWithCreator = `-- name: ListAPIKeysByTeamWithCreator :man
 SELECT k.id, k.team_id, k.name, k.key_hash, k.key_prefix, k.created_by, k.created_at, k.last_used,
       u.email AS creator_email
 FROM team_api_keys k
-JOIN users u ON u.id = k.created_by
+LEFT JOIN users u ON u.id = k.created_by
 WHERE k.team_id = $1
 ORDER BY k.created_at DESC
 `
@ -134,7 +143,7 @@ type ListAPIKeysByTeamWithCreatorRow struct {
 	CreatedBy    pgtype.UUID        `json:"created_by"`
 	CreatedAt    pgtype.Timestamptz `json:"created_at"`
 	LastUsed     pgtype.Timestamptz `json:"last_used"`
-	CreatorEmail string             `json:"creator_email"`
+	CreatorEmail pgtype.Text        `json:"creator_email"`
 }

 func (q *Queries) ListAPIKeysByTeamWithCreator(ctx context.Context, teamID pgtype.UUID) ([]ListAPIKeysByTeamWithCreatorRow, error) {
--- a/pkg/db/channels.sql.go
+++ b/pkg/db/channels.sql.go
@ -11,6 +11,15 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )

+const deleteAllChannelsByTeam = `-- name: DeleteAllChannelsByTeam :exec
+DELETE FROM channels WHERE team_id = $1
+`
+
+func (q *Queries) DeleteAllChannelsByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteAllChannelsByTeam, teamID)
+	return err
+}
+
 const deleteChannelByTeam = `-- name: DeleteChannelByTeam :exec
 DELETE FROM channels WHERE id = $1 AND team_id = $2
 `
--- a/pkg/db/metrics.sql.go
+++ b/pkg/db/metrics.sql.go
@ -11,6 +11,25 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )

+const deleteMetricPointsByTeam = `-- name: DeleteMetricPointsByTeam :exec
+DELETE FROM sandbox_metric_points
+WHERE sandbox_id IN (SELECT id FROM sandboxes WHERE team_id = $1)
+`
+
+func (q *Queries) DeleteMetricPointsByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteMetricPointsByTeam, teamID)
+	return err
+}
+
+const deleteMetricsSnapshotsByTeam = `-- name: DeleteMetricsSnapshotsByTeam :exec
+DELETE FROM sandbox_metrics_snapshots WHERE team_id = $1
+`
+
+func (q *Queries) DeleteMetricsSnapshotsByTeam(ctx context.Context, teamID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteMetricsSnapshotsByTeam, teamID)
+	return err
+}
+
 const deleteSandboxMetricPoints = `-- name: DeleteSandboxMetricPoints :exec
 DELETE FROM sandbox_metric_points
 WHERE sandbox_id = $1
--- a/pkg/db/sandboxes.sql.go
+++ b/pkg/db/sandboxes.sql.go
@ -190,7 +190,7 @@ func (q *Queries) InsertSandbox(ctx context.Context, arg InsertSandboxParams) (S

 const listActiveSandboxesByTeam = `-- name: ListActiveSandboxesByTeam :many
 SELECT id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec, disk_size_mb, guest_ip, host_ip, created_at, started_at, last_active_at, last_updated, template_id, template_team_id, metadata FROM sandboxes
-WHERE team_id = $1 AND status IN ('running', 'paused', 'starting')
+WHERE team_id = $1 AND status IN ('running', 'paused', 'starting', 'hibernated')
 ORDER BY created_at DESC
 `

--- a/pkg/db/teams.sql.go
+++ b/pkg/db/teams.sql.go
@ -284,6 +284,39 @@ func (q *Queries) InsertTeamMember(ctx context.Context, arg InsertTeamMemberPara
 	return err
 }

+const listSoleOwnedTeams = `-- name: ListSoleOwnedTeams :many
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL
+  AND NOT EXISTS (
+      SELECT 1 FROM users_teams ut2
+      WHERE ut2.team_id = t.id AND ut2.user_id <> $1
+  )
+`
+
+// Returns teams where the user is the owner and no other members exist.
+func (q *Queries) ListSoleOwnedTeams(ctx context.Context, userID pgtype.UUID) ([]pgtype.UUID, error) {
+	rows, err := q.db.Query(ctx, listSoleOwnedTeams, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []pgtype.UUID
+	for rows.Next() {
+		var id pgtype.UUID
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		items = append(items, id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const listTeamsAdmin = `-- name: ListTeamsAdmin :many
 SELECT
    t.id,
--- a/pkg/service/team.go
+++ b/pkg/service/team.go
@ -169,6 +169,12 @@ func (s *TeamService) DeleteTeam(ctx context.Context, teamID, callerUserID pgtyp
 		return fmt.Errorf("forbidden: only the owner can delete a team")
 	}

+	return s.deleteTeamCore(ctx, teamID)
+}
+
+// deleteTeamCore contains the shared team deletion logic:
+// destroy active sandboxes, clean up templates, soft-delete the team.
+func (s *TeamService) deleteTeamCore(ctx context.Context, teamID pgtype.UUID) error {
 	// Collect active sandboxes and stop them.
 	sandboxes, err := s.DB.ListActiveSandboxesByTeam(ctx, teamID)
 	if err != nil {
@ -202,6 +208,24 @@ func (s *TeamService) DeleteTeam(ctx context.Context, teamID, callerUserID pgtyp
 		}
 	}

+	// Delete sandbox metrics for this team.
+	if err := s.DB.DeleteMetricPointsByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete metric points", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+	if err := s.DB.DeleteMetricsSnapshotsByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete metrics snapshots", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+
+	// Delete all API keys for this team.
+	if err := s.DB.DeleteAPIKeysByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete API keys", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+
+	// Delete all channels for this team.
+	if err := s.DB.DeleteAllChannelsByTeam(ctx, teamID); err != nil {
+		slog.Warn("team delete: failed to delete channels", "team_id", id.FormatTeamID(teamID), "error", err)
+	}
+
 	// Clean up team-owned templates from all hosts in the background.
 	go s.cleanupTeamTemplates(context.Background(), teamID)

@ -497,6 +521,13 @@ func (s *TeamService) AdminListTeams(ctx context.Context, limit, offset int32) (
 	return rows, total, nil
 }

+// DeleteTeamInternal soft-deletes a team and destroys all its active sandboxes.
+// Used for system-initiated deletions (e.g. cascading from user account deletion)
+// where no caller role check is needed.
+func (s *TeamService) DeleteTeamInternal(ctx context.Context, teamID pgtype.UUID) error {
+	return s.deleteTeamCore(ctx, teamID)
+}
+
 // AdminDeleteTeam soft-deletes a team and destroys all its active sandboxes.
 // Unlike DeleteTeam, this does not require the caller to be the team owner —
 // it is admin-only (caller must verify admin status).
@ -509,41 +540,5 @@ func (s *TeamService) AdminDeleteTeam(ctx context.Context, teamID pgtype.UUID) e
 		return fmt.Errorf("team not found")
 	}

-	// Destroy active sandboxes (same logic as DeleteTeam).
-	sandboxes, err := s.DB.ListActiveSandboxesByTeam(ctx, teamID)
-	if err != nil {
-		return fmt.Errorf("list active sandboxes: %w", err)
-	}
-
-	var stopIDs []pgtype.UUID
-	for _, sb := range sandboxes {
-		host, hostErr := s.DB.GetHost(ctx, sb.HostID)
-		if hostErr == nil {
-			agent, agentErr := s.HostPool.GetForHost(host)
-			if agentErr == nil {
-				if _, err := agent.DestroySandbox(ctx, connect.NewRequest(&pb.DestroySandboxRequest{
-					SandboxId: id.FormatSandboxID(sb.ID),
-				})); err != nil && connect.CodeOf(err) != connect.CodeNotFound {
-					slog.Warn("admin team delete: failed to destroy sandbox", "sandbox_id", id.FormatSandboxID(sb.ID), "error", err)
-				}
-			}
-		}
-		stopIDs = append(stopIDs, sb.ID)
-	}
-
-	if len(stopIDs) > 0 {
-		if err := s.DB.BulkUpdateStatusByIDs(ctx, db.BulkUpdateStatusByIDsParams{
-			Column1: stopIDs,
-			Status:  "stopped",
-		}); err != nil {
-			return fmt.Errorf("update sandbox statuses: %w", err)
-		}
-	}
-
-	go s.cleanupTeamTemplates(context.Background(), teamID)
-
-	if err := s.DB.SoftDeleteTeam(ctx, teamID); err != nil {
-		return fmt.Errorf("soft delete team: %w", err)
-	}
-	return nil
+	return s.deleteTeamCore(ctx, teamID)
 }